7,655 ransomware claims
Attackers filed 7,655 ransomware claims across 129 groups from March 2025 to March 2026, and education remained one of the hardest‑hit sectors — adversaries now “blend in” using legitimate credentials and normal traffic to extend dwell time. That shift toward identity‑centric, stealthy intrusions is forcing a rethink of detection and account hygiene across schools.
Of the leak postings CipherCue ingested, 4,970 entries included sector metadata, and education was explicitly identified in 260 of those claims; Qilin was responsible for 50 education claims, while INC Ransom, SafePay, and Interlock posted 28, 20, and 20 education claims respectively. (ciphercue.com) CipherCue’s dataset shows Qilin posted 1,179 claims and had a footprint in 74 countries with 438 U.S. targets, Akira posted 706 claims with 403 (57%) in the U.S., and the top five groups together accounted for 3,027 claims (40% of the recorded postings). (ciphercue.com)

Cisco Talos found attackers now “blend in” by using valid accounts across initial access, lateral movement, and execution, and reported that roughly 40% of the initial access incidents it observed involved phishing as the entry vector. (blog.talosintelligence.com) Talos’ incident-response reports show multi‑factor authentication (MFA) was implicated in about half of IR engagements in early 2025 (issues ranged from lack of enrollment to misconfiguration), and adversaries increasingly use adversary‑in‑the‑middle reverse proxies and phishing‑as‑a‑service kits (Evilproxy/Tycoon variants) to steal session tokens and bypass MFA. (blog.talosintelligence.com)

CipherCue also notes 2,685 postings (35% of its dataset) lacked sector attribution, while manufacturing and technology were the most‑claimed sectors at 890 and 843 claims respectively, underscoring sectoral concentration beyond education. (ciphercue.com) Talos’ Year in Review explicitly recommends defenders maintain authoritative asset inventories, establish network behavior baselines, and run continuous anomaly detection, while prioritizing identity hygiene and correctly deployed MFA to detect credential‑based intrusions that mimic normal user activity. (blog.talosintelligence.com)
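As an added illustration of the baseline-and-anomaly approach Talos recommends (example code written for this digest, not code from Talos or CipherCue), the Python below walks a set of constructed sign-in events and flags the three conditions the reporting above names: an MFA enrollment or policy gap, a session token reused from a different network and browser than the one it was issued to (the footprint an adversary-in-the-middle proxy leaves when it relays a valid login and then replays the cookie), and a country or client never seen before for that account. The log fields, user names and IP addresses are all constructed.

```python
from collections import defaultdict

# Constructed sign-in events (not real logs). "mfa" is "pass", "none" (user never
# enrolled) or "skip" (a policy exception let the login through without a prompt).
# "token" is the session cookie the client presented after authenticating.
EVENTS = [
    {"ts": "2025-09-01T08:02", "user": "jdoe",   "ip": "198.51.100.7",  "cc": "US", "ua": "Edge/Win",     "mfa": "pass", "token": "s-1"},
    {"ts": "2025-09-02T08:05", "user": "jdoe",   "ip": "198.51.100.7",  "cc": "US", "ua": "Edge/Win",     "mfa": "pass", "token": "s-2"},
    {"ts": "2025-09-03T07:58", "user": "jdoe",   "ip": "198.51.100.9",  "cc": "US", "ua": "Edge/Win",     "mfa": "pass", "token": "s-3"},
    # Same valid session cookie, now arriving from another network and browser:
    # the credentials were legitimate, but the token is travelling with someone else.
    {"ts": "2025-09-03T09:41", "user": "jdoe",   "ip": "203.0.113.55",  "cc": "NL", "ua": "Chrome/Linux", "mfa": "pass", "token": "s-3"},
    {"ts": "2025-09-01T12:00", "user": "asmith", "ip": "192.0.2.20",    "cc": "US", "ua": "Safari/Mac",   "mfa": "none", "token": "s-4"},
    {"ts": "2025-09-02T12:10", "user": "asmith", "ip": "192.0.2.20",    "cc": "US", "ua": "Safari/Mac",   "mfa": "none", "token": "s-5"},
]

def evaluate(events):
    """Walk events in time order, comparing each one against that user's own history.
    Returns {event index: [reasons]} for every event that deviates from baseline."""
    history = defaultdict(lambda: {"cc": set(), "ua": set(), "logins": 0})
    token_origin = {}  # session token -> (ip, cc, ua) where it was first seen
    findings = {}
    for idx, ev in sorted(enumerate(events), key=lambda p: p[1]["ts"]):
        reasons = []
        h = history[ev["user"]]
        # Rule 1: MFA gap. Enrollment and policy problems, not just bypasses, are what
        # Talos ties to about half of its IR engagements.
        if ev["mfa"] != "pass":
            reasons.append("mfa_gap:" + ev["mfa"])
        # Rule 2: a token presented from a different IP *and* a different client than the
        # one it was issued to. Requiring both avoids flagging ordinary address churn.
        origin = token_origin.setdefault(ev["token"], (ev["ip"], ev["cc"], ev["ua"]))
        if origin[0] != ev["ip"] and origin[2] != ev["ua"]:
            reasons.append("token_replay:%s->%s" % (origin[0], ev["ip"]))
        # Rule 3: first sighting of a country or client for a user who already has a
        # baseline; accounts with fewer than two prior logins have no baseline yet.
        if h["logins"] >= 2 and (ev["cc"] not in h["cc"] or ev["ua"] not in h["ua"]):
            reasons.append("new_origin:%s/%s" % (ev["cc"], ev["ua"]))
        h["cc"].add(ev["cc"]); h["ua"].add(ev["ua"]); h["logins"] += 1
        if reasons:
            findings[idx] = reasons
    return findings

if __name__ == "__main__":
    for i, why in sorted(evaluate(EVENTS).items()):
        print(EVENTS[i]["ts"], EVENTS[i]["user"], ", ".join(why))
```

The replayed cookie in the constructed data trips both the token and origin rules at once, while the unenrolled account is flagged on every login; in production the same three checks would run against identity-provider sign-in logs rather than an inline list.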