The highly anticipated Cisco Talos report shows that public-facing applications are increasingly becoming a prime target for cybercriminals. A positive from the report is that ransomware attacks are down by 50% in the last quarter, but experts have warned that, despite the drop, ransomware remains one of the biggest threats to organizations.

Ransomware Trends
Cisco Talos’ Q3 2025 report reveals that ransomware incidents accounted for approximately 20% of cases in the quarter, down from 50% last quarter. Despite this decrease, Talos cautions that the drop does not necessarily signal a long-term downward trend, as ransomware remains one of the most persistent threats to organizations.
During the third quarter, Talos identified three new ransomware variants (Warlock, Babuk, and Kraken) alongside well-known threats like Qilin and LockBit. Qilin, which first appeared earlier this year, ramped up its attacks and is expected to remain a major risk through the end of 2025.
In one case, criminals executed their ransomware just two days after the initial breach. LockBit, one of the world’s most notorious ransomware groups, was also active.
One of the malware attacks investigated by Talos was attributed to Storm-2603, a group believed to operate from China. Notably, they utilized the legitimate security tool Velociraptor—a first in ransomware operations.
Velociraptor is designed to give deep visibility into computers and networks; when misused, it enables attackers to collect data, monitor activity, and maintain control after breaking in.

Exploitation of Public-Facing Applications
Over 60% of incidents this quarter began with exploitation of public-facing applications — a dramatic rise from less than 10% last quarter. This spike is primarily linked to a wave of attacks exploiting newly disclosed vulnerabilities in on-premises Microsoft SharePoint servers via the ToolShell attack chain.
This quarter’s ToolShell activity highlights the importance of robust segmentation and rapid patching. It also shows how quickly cybercriminals mobilize once zero-day vulnerabilities are disclosed. The first known exploitation occurred a day before Microsoft’s advisory, with most incidents handled by Talos occurring within the next ten days.
“The Talos data shows how quickly attackers exploit newly disclosed vulnerabilities in public-facing applications,” said Fady Younes, Managing Director for Cybersecurity at Cisco Middle East, Africa, Türkiye, Romania and CIS. “For organizations in the UAE expanding digital and cloud services, exploit protection and strong network segmentation are critical to reducing the risk of disruptive attacks. We support customers by combining Talos threat intelligence with our security solutions to help them identify vulnerable systems faster and respond more effectively when attacks occur.”

Multi-Factor Authentication (MFA) Abuse on the Rise
Nearly one-third of incidents this quarter involved attackers bypassing or abusing multi-factor authentication (MFA), often through techniques like overwhelming users with repeated login requests (“MFA bombing”) or exploiting weaknesses in MFA set-ups. These findings highlight that simply enabling MFA is not enough—organizations also need to monitor for suspicious login activity and ensure their MFA policies are robust.


