Archive for NordStellar

NordStellar upgrades its attack surface management feature

Posted in Commentary with tags on February 25, 2026 by itnerd

The new attack surface management feature upgrade is designed to help combat alert fatigue by focusing on validated vulnerabilities, allowing security teams to cut through the noise and tackle critical issues first

As companies’ attack surfaces expand, security teams are finding it increasingly difficult to monitor all exposed assets and swiftly address critical vulnerabilities. To help security teams cut through the noise, NordStellar, a next-generation threat exposure management platform, has upgraded its attack surface management (ASM) feature to provide even more extensive coverage of exposed assets while prioritizing critical vulnerabilities first.

Companies’ attack surfaces are constantly expanding due to digital transformation, scaling, unmanaged devices, and user error. This growing complexity makes it challenging to monitor all exposed assets, often leading to alert fatigue as critical threats are buried under a flood of less urgent alerts.

ASM is a feature that automatically discovers security gaps by continuously monitoring and evaluating all of the organization’s internet-exposed assets. The upgraded feature now gives organizations an attacker’s view of their company, providing comprehensive coverage of their external perimeter and going beyond passive scans to actively test for exploitable vulnerabilities.

NordStellar’s ASM feature combines continuous asset discovery with active risk validation. NordStellar maps the organization’s infrastructure by identifying all internet-exposed assets, like web applications, network services, and DNS configurations, and performs “outsider-style” testing.

To ensure vulnerabilities are mitigated as soon as possible, each identified instance is accompanied by AI-powered insights that offer remediation guidance.

Key upgrades:

  • Increased coverage. The enhanced ASM feature implements scans across all key vectors — web applications, network services, and DNS configurations — to provide complete external perimeter visibility and eliminate critical security blind spots.
  • Heightened accuracy. ASM actively discovers and tests vulnerabilities across more sources, delivering prioritized alerts.
  • Enhanced flexibility. The upgraded feature allows teams to run scans on demand for immediate insights or schedule them for automated monitoring.

The enhanced ASM feature is now available to all NordStellar users. More information here.

Guest Post – 73% of exposed OpenClaw servers remain public: Expert urges businesses to act now

Posted in Commentary with tags on February 5, 2026 by itnerd

The AI agent OpenClaw’s popularity has skyrocketed over recent weeks, and so have concerns about its cybersecurity risks. New findings reveal that roughly 73% of the OpenClaw servers found publicly exposed this week were still reachable from the internet at the time of writing. That is a significant threat to individual users and an even greater one to businesses: a single employee running OpenClaw could expose sensitive information or corporate credentials.

openclaw.ai (formerly Clawdbot or Moltbot) is a self-hosted AI agent and assistant created by developer Peter Steinberger. Recently, it took the internet by storm with the promise of an AI agent that not only responds but also takes independent action — OpenClaw can instantly execute commands, such as scheduling meetings, editing files, or browsing the internet, among many other use cases.

Although deemed revolutionary by some users, OpenClaw’s functionalities come with a hefty cost — with extensive access to local and web-based applications, passwords, and other sensitive information, the responsibility of securing the environment in which the AI agent is deployed falls on the user, and failure to do so poses a high risk of leaking data to the open web. Labeled as a “hobby project” by its creators, OpenClaw doesn’t sugarcoat its cybersecurity risks and recommends that users who are not familiar with basic security and access control avoid the AI agent or seek guidance from professionals.

A senior threat intelligence researcher from NordStellar, a threat exposure management platform, analyzed findings from network observability tools that revealed about 21,000 (21,356) servers running OpenClaw or its prerequisites were accessible on the public internet this week.

As of Thursday, February 5th, nearly 16,000 (15,578) of those servers were still accessible. Beyond the risks OpenClaw itself poses, this shows that users are slow to take the measures needed to make these servers unreachable from the public internet, and suggests that many of them lack the technical knowledge to mitigate the risks of deploying it.

And that’s only part of the story. A recently documented high-severity vulnerability in OpenClaw allows an attacker to gain remote code execution just by tricking a user into clicking a single malicious link. Users have also been flocking to GitHub to report vulnerabilities. While not all of them have been validated, the number of reported security issues has been growing rapidly and has already surpassed 100.

The project has already garnered over 145,000 GitHub stars and 20,000 forks, and users are quick to adopt the new agent. Andrius Buinovskis, a cybersecurity expert at NordLayer, a toggle-ready network security platform for businesses, warns that OpenClaw’s growing popularity should be a cause for concern among businesses.

“OpenClaw introduces significant security risks for users, but they’re even more dangerous for organizations. Businesses handle extremely sensitive data, and a single employee using OpenClaw could unknowingly jeopardize the organization’s security,” says Buinovskis.

He explains that the AI agent stores passwords, API keys, and OAuth tokens in plaintext — without encryption — so leaked corporate credentials will be easily accessible and usable by anyone who manages to get their hands on them. This sensitive data, along with chat history with the AI bot, is stored on a local web server that could accidentally be exposed to the public internet.

“With the ability to automate some everyday work tasks, it’s understandable why employees could be eager to deploy OpenClaw. The software is primarily designed for a more tech-savvy audience, such as developers and vibe-coders. However, the sheer number of exposed servers proves that even experienced users overlook basic security hygiene when a tool is easy to misconfigure,” says Buinovskis.

Mitigating OpenClaw security risks in a business environment

According to Buinovskis, while there are many cybersecurity concerns surrounding OpenClaw, businesses can take key preventive measures to mitigate some of the main risks. He highlights that full system access, autonomy, and complex setups are key risks security teams should keep in mind and aim to address.

“The first key objective is to mitigate the shadow IT problem OpenClaw poses for organizations by avoiding uncontrolled and decentralized deployments,” says Buinovskis. “This calls for clear policies surrounding approved software enforcement mechanisms, like endpoint detection, to prevent employees from running unapproved instances in the first place.”

He highlights that while OpenClaw is dangerous, security teams would benefit from getting ahead of the problem. Since employees might go rogue and use it anyway, it’s better for them to do so in a secure, controlled environment.

“In reality, even extensive cybersecurity awareness training does not guarantee that users will refrain from risky behaviour, despite knowing the threats that may follow. While it might seem counterintuitive, allowing employees who are interested in using OpenClaw to deploy it centrally would eliminate any risks that could arise from poor misconfiguration,” says Buinovskis.

He explains that centralized deployment provides a single point of control for security teams, allowing them to configure a single instance correctly rather than relying on numerous employees to do it right. This approach also establishes consistent security settings throughout — ensuring that authentication, firewalls, and encryption are applied, and allowing easier monitoring of logs and access attempts.

“Even if OpenClaw is deployed centrally, users still need a safe way to access it. For this, they need a secure, encrypted tunnel that they could access with authorization,” says Buinovskis. “Secure tunnels ensure that the server containing sensitive data is isolated from the public internet, and setting up a VPN or private network allows only authorized users to have access to OpenClaw.”

Buinovskis adds that providing remote access through secure tunnels keeps the server holding sensitive data from becoming publicly reachable, shielding it from attackers. This approach also encrypts the traffic, reducing the risk of data exposure in transit.
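The exposure problem described above comes down to where the agent’s web server is listening. The following audit is an added example, not OpenClaw’s or NordStellar’s code: it parses `ss -tlnp`-style output and reports which listening sockets are reachable beyond loopback or the VPN subnet the article recommends. The sample `ss` output, the process name "agent", the ports 8080/8443 and the VPN range 10.8.0.0/24 are all constructed placeholders.

```python
"""Listener-exposure audit for a host running a self-hosted agent.

Added example (not OpenClaw's or NordStellar's code). Parses `ss -tlnp`
style output and classifies each listening socket as LOOPBACK, VPN_ONLY
or EXPOSED. Sample data, process names, ports and the VPN range are
placeholders chosen for illustration.
"""
import ipaddress
import re

# Assumption: the VPN / private network hands out addresses from this range
# (WireGuard-style). Adjust to your deployment.
ALLOWED_NETS = [ipaddress.ip_network("10.8.0.0/24")]

# Constructed `ss -tlnp` output; "agent" stands in for the agent process.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*         users:(("agent",pid=4242,fd=21))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("agent",pid=4243,fd=21))
LISTEN 0      128    [::]:8443           [::]:*            users:(("agent",pid=4244,fd=22))
LISTEN 0      128    10.8.0.2:8080       0.0.0.0:*         users:(("agent",pid=4245,fd=21))
LISTEN 0      128    [::1]:5432          [::]:*            users:(("postgres",pid=99,fd=7))
LISTEN 0      128    *:22                *:*               users:(("sshd",pid=1,fd=3))
"""

PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def split_local(local: str):
    """'[::]:8443' -> ('::', 8443); '*:22' -> ('*', 22); '10.8.0.2:8080' -> ('10.8.0.2', 8080)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def classify(host: str, allowed_nets=ALLOWED_NETS) -> str:
    """Verdict for a bind address. Anything that is neither loopback nor inside
    an allow-listed VPN range is treated as reachable beyond the trusted tunnel."""
    if host == "*":
        return "EXPOSED"               # wildcard: every interface
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:              # 0.0.0.0 or ::
        return "EXPOSED"
    if ip.is_loopback:                 # 127.0.0.0/8 or ::1
        return "LOOPBACK"
    if any(ip in net for net in allowed_nets):
        return "VPN_ONLY"
    return "EXPOSED"                   # bound to a routable interface address


def audit(ss_output: str, allowed_nets=ALLOWED_NETS):
    """One finding per LISTEN line: process, pid, bind address, port, verdict."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                   # skips the header and non-listening rows
        host, port = split_local(fields[3])
        m = PROC_RE.search(line)
        findings.append({
            "proc": m.group("name") if m else "?",
            "pid": int(m.group("pid")) if m else None,
            "bind": fields[3],
            "port": port,
            "verdict": classify(host, allowed_nets),
        })
    return findings


def exposed(ss_output: str, allowed_nets=ALLOWED_NETS):
    """Only the findings an operator must act on."""
    return [f for f in audit(ss_output, allowed_nets) if f["verdict"] == "EXPOSED"]


if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(f"{f['verdict']:<9} {f['bind']:<18} {f['proc']} (pid {f['pid']})")
```

On a real host, feed it `subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout` instead of the sample. The verdict is based on the bind address alone: a wildcard bind behind a host firewall that only admits the VPN subnet would still be reported as EXPOSED, which is the conservative default since the socket itself accepts connections from any interface.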

Guest Post: 2025 saw a 45% increase in ransomware attacks

Posted in Commentary with tags on January 21, 2026 by itnerd

Ransomware attacks soared in 2025, with 9,251 recorded cases compared to 6,395 cases in 2024

The latest findings from NordStellar, a threat exposure management platform, reveal that the number of ransomware incidents in 2025 soared compared to 2024. The data shows that in 2025, 9,251 ransomware cases were recorded on the dark web, marking a significant 45% increase compared to 6,395 cases recorded in 2024.

The number of ransomware cases rose significantly in the last quarter of 2025. December set a two‑year record, with a substantial 1,004 recorded incidents.

“In the last quarter of 2025, ransomware groups deliberately exploited end-of-year cybersecurity gaps caused by reduced staffing and monitoring,” says Vakaris Noreika, cybersecurity expert at NordStellar. “However, there has been an upward trajectory the whole year. Ransomware actors are growing increasingly aggressive — given the surge in 2025, the number of ransomware incidents in 2026 is likely to exceed 12,000.”

According to Noreika, the number of ransomware groups has also been increasing. The recorded ransomware incidents in 2025 could be traced back to 134 different groups — a 30% increase from the 103 groups linked to recorded ransomware incidents in 2024.

SMBs in the US were affected the most

Companies in the US remained the primary targets, with 3,255 recorded ransomware cases in 2025 (a 28% increase from 2,544 incidents in 2024), accounting for 64% of the cases that could be attributed to a victim country. The US was followed by Canada with 352 cases (a 46% increase from 2024), then Germany with 270 cases (a 97% increase), the United Kingdom with 233 cases (a 2% increase), and France with 155 cases (a 46% increase).

Small and medium-sized businesses (SMBs) with up to 200 employees and revenues up to $25 million experienced the most ransomware attacks. This data aligns with th

“SMBs are attractive targets for ransomware attacks because they often lack security staff and tools and operate within limited cybersecurity budgets — all of which are essential to safeguard their systems,” says Noreika. “Smaller organizations are also more likely to rely on outdated software, have limited security monitoring, and rely on external vendors for IT support. Consequently, when attacked, they’re more likely to pay ransoms quickly to avoid business disruptions, which is why ransomware groups keep targeting them.”

The most-targeted ransomware-victim company profile in 2025

As in 2024, companies in the manufacturing industry continued to bear the brunt of ransomware attacks, with 1,156 incidents in 2025 (a 32% increase from the previous year), accounting for 19.3% of the cases that could be assigned an industry (0.3 percentage points more than in 2024).

The manufacturing industry was followed by the IT industry, with 524 recorded cases (a 35% increase from 2024), professional, scientific, and technical services (494 incidents, a 30% increase), the construction industry (443 incidents, a 24% increase), and healthcare, with 339 attacks (a 6% decrease from 2024).

Experts from NordStellar analyzed the ransomware attacks on companies in the manufacturing industry. They found that SMBs (those with up to 200 employees and $25M in revenue) operating in the general manufacturing industry were the most targeted. They were followed by other smaller businesses operating in the machinery manufacturing sector (10% of all attacks on the manufacturing industry), and SMBs operating in the appliances, electrical, and electronics manufacturing sector, accounting for 9.9% of all ransomware attacks on the manufacturing industry.

“Cybercriminals prioritize choosing targets that offer the biggest payoff for the least amount of effort, and SMBs in the manufacturing industry fit this perfectly — they generate enough revenue to pay large ransoms but usually don’t have the capacity to implement strong security measures or fast recovery options,” says Noreika.

According to Noreika, manufacturing companies are in a difficult position — their production lines can’t stop for long periods, so even short disruptions can cause significant financial losses. Consequently, they’re pressured to do anything it takes to continue their operations — even if it means giving in to the attackers’ demands.

“Machinery and industrial equipment manufacturers were also heavily targeted — this could be the result of expanded digitalization and remote connectivity in production environments,” says Noreika. “Meanwhile, appliance and electronics manufacturers are facing a higher risk of experiencing a cyberattack due to complex supplier integration and cloud-based operations.”

According to Noreika, interconnected environments increase the likelihood of lateral compromise, which can occur through shared networks or third‑party access.

The ransomware group landscape: Qilin takes the lead

Data reveals that the ransomware group Qilin carried out the most attacks in 2025, with 1,066 cases (a 408% increase compared to 2024). It was followed closely by Akira, with 947 recorded ransomware cases (a 125% increase), then the re-emerged Cl0p (594 cases, a 525% increase), the relatively new, rapidly growing ransomware threat actor Safepay (464 cases, a 775% increase), and INC ransom, with 442 recorded cases (an 83% increase compared to 2024).

“The changes in the ransomware threat actor landscape reflect how competitive the ransomware-as-a-service world has become,” says Noreika. “Groups like Qilin experienced significant growth because many affiliates joined their operations after other platforms were shut down or became less profitable. Affiliates choose which ransomware to use based on better payment structure, support, the reliability of the tools provided, or reputation of success.”

He underscores that Akira could have expanded for similar reasons. According to Noreika, the emergence of new ransomware names suggests that groups often rebrand or start fresh operations when facing law‑enforcement pressure. He notes that the activity of LockBit, one of the most active groups in 2024, witnessed a significant decline in 2025 due to successful law enforcement operations. 

Incidents peak, but targets remain the same: What’s next?

According to the findings, the number of ransomware cases peaked in the last quarter of 2025, with 2,910 recorded incidents, marking a 38% increase compared to the same period in 2024 (2,102 cases) and a 49% increase from the number of incidents recorded in the July-September period of 2025 (1,954 cases).

The data from the final quarter of 2025 mirrored the findings from throughout the year — small and medium-sized manufacturers remained the primary target. For more details on the findings on ransomware cases in 2025 Q4, read here.

“The success of end-of-year attacks is concerning — this will likely motivate the ransomware groups to repeat these timing patterns at the end of 2026 as well,” says Noreika. “Businesses, especially SMBs and those operating in industries where operational downtime is unacceptable, or that handle high-value data, should be on high alert and reassess their preparedness to combat ransomware.”

To increase their resilience against ransomware attacks, Noreika advises companies to strengthen their basic security hygiene. This includes updating and patching systems and applications, using multifactor authentication, implementing password management policies, and enforcing a zero trust model to prevent malware from spreading laterally.

“For early threat prevention and detection, intelligence is key — it enables businesses to patch critical vulnerabilities and detect indicators of compromise as soon as possible,” says Noreika. “Data leaked onto the dark web may expose credentials or sensitive details that attackers can exploit to gain unauthorized access. An early alert enables organizations to reset passwords, revoke access keys, disable compromised accounts, and support faster incident response.”

Noreika explains that having a ransomware incident-response plan is crucial for reducing the scope of damage from an attack as soon as possible. He also emphasizes the importance of having a recovery plan as well as backing up critical data to minimize operational downtime.

Disclaimer: While the total number of 9,251 ransomware attacks in 2025 is accurate, the figures presented for each category (industry, company size, and country) may be slightly higher. This is because a number of incidents were missing data needed for categorization and thus were omitted.

Guest Post – Malicious employees for hire: How dark web criminals recruit insiders

Posted in Commentary with tags on January 6, 2026 by itnerd

Cybercriminals can use malicious insiders as a direct means to access sensitive company resources, stealing confidential data or using the access to deploy a devastating cyberattack. Experts from NordStellar, a threat exposure management platform, have discovered that dark web actors are actively seeking insiders from specific organizations to recruit for their operations.

Researchers at NordStellar found 25 unique dark web posts from users who claim that they are searching for employees from specific organizations over the past year. A significant part of these posts focuses explicitly on insiders who work for social media or cryptocurrency platforms.

Real‑world incidents highlight how these threats can translate into actual breaches — for instance, in 2025, the cryptocurrency exchange platform Coinbase revealed that cybercriminals bribed its employees to leak user information.

“Employees can grant cybercriminals access to critical data, such as personal customer information and confidential business agreements,” says Vakaris Noreika, cybersecurity expert at NordStellar. “This data can be utilized to deploy ransomware attacks, sell intel on business agreements to competitors, or to carry out sophisticated phishing scams on unsuspecting victims whose personal data they managed to get their hands on.”

According to Noreika, insider threats can be challenging to spot and, therefore, may go undetected by security teams for a significant amount of time. Employees are trusted members of the organization and have legitimate access to company resources. Consequently, it can be challenging to pinpoint any anomalies in their behavior.

“Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers,” says Noreika. “Insiders are also familiar with the organization’s internal security policies and weaknesses, allowing them to adjust their actions to avoid suspicion.”

Direct insider recruitment

Noreika emphasizes that although some cybercriminals are searching for insiders on the dark web, the recruitment process is usually carried out privately. Bad actors target specific employees within the organization, especially those with technical capabilities that aid in their operations or have access to highly sensitive company data.

Mantas Sabeckis, a senior threat intelligence researcher at Nord Security, home to NordStellar and other advanced cybersecurity solutions, shares that he has been contacted by cybercriminals for possible recruitment opportunities numerous times. He explains that in the past, bad actors have reached out to him on LinkedIn, most likely intrigued by his experience in cybersecurity, and notes that the process of cybercriminals recruiting insiders likely follows the same playbook.

“In my experience, after the first few messages, bad actors try to direct the communication to a different channel, such as Telegram or WhatsApp,” says Sabeckis. “One time, I was contacted by a recruitment specialist from Singapore searching for a candidate for a role in a large organization. She did not name the specific organization and asked to continue our conversation on WhatsApp, which is not an unusual request in itself, as different messaging platforms are popular in different countries.”

According to Sabeckis, after their conversation moved to WhatsApp, the recruiter started sharing more details — she explained that she was looking to recruit an individual to work for a wealthy and influential family in Singapore, without disclosing which one.

“The statement definitely raised red flags, but I was curious to hear what exactly they were looking for,” says Sabeckis. “She continued to explain that the role would be similar to a bug bounty. When asked for more details, the recruiter finally divulged that they were looking for an individual to take down websites containing very sensitive and illegal material, offering to provide compensation in cryptocurrency.”

Sabeckis explains that, by its nature, the role fell into a “gray area,” which is a common tactic used by bad actors to recruit individuals. After the recruited individuals have their foot in the door, the tasks eventually become more demanding. Evidence of the individuals completing the tasks is later used as leverage to blackmail the person into carrying out illegal activity or risk being compromised.

Safeguarding against insider threats

Noreika emphasizes that high observability into system and data usage is the foundation of an insider threat-resistant cybersecurity strategy. He explains that any unexpected system behavior or access patterns must be flagged, reported, and thoroughly examined.

“Patterns of unusual behaviour are the first indicator that the user might be an insider,” says Noreika. “Security teams should keep an eye out for employees who are frequently accessing sensitive information and make sure that they have the proper authorization. Data exfiltration to external parties or devices is another major red flag to look out for.”

He explains that data loss prevention tools are essential for reducing the possibility of data theft and transfer from within. Proper network segmentation and strong access controls that prevent privilege drift (the gradual accumulation of access rights a user no longer needs) are other necessary measures to stop insiders, and attackers who have already infiltrated the network, from acquiring sensitive data.

“Dark web monitoring for information leaks or posts looking for insiders at the company is also crucial,” says Noreika. “It can be the first warning sign that a company might be at greater risk of being exposed. After flagging such activity, it’s necessary to stay on high alert and ensure that all of the precautionary measures, as well as a recovery plan, are in place.”

According to Noreika, an incident recovery plan is a significant requisite in minimizing the fallout of a cyberattack caused by insider threats. An effective recovery plan should cover incident detection and outline the key steps the organization should take to contain the threat and mitigate damage.

These steps may include removing the malicious employee’s access to sensitive data and ensuring that any network connection held by an external attacker who has been working with the insider has been terminated.

ABOUT NORDSTELLAR

NordStellar is a next-generation threat exposure management platform that enables companies to detect and respond to cyber threats before they escalate. It includes solutions like dark web and data breach monitoring, helping to prevent account takeovers, session hijacking, and other threats. NordStellar was created by Nord Security, a globally recognized company behind one of the world’s most popular digital privacy tools, NordVPN. For more information, visit nordstellar.com

Guest Post – Betrayal by employees: Dark web cybercriminals selling services built on insider data

Posted in Commentary with tags on December 9, 2025 by itnerd

New findings from the dark web reveal that cybercriminals are selling insider data-backed services

Malicious employees, also known as insider threats, can cause significant harm to businesses by leaking or selling sensitive data, altering systems, or collaborating with cybercriminals to launch large-scale cyberattacks. New findings from NordStellar, a threat exposure management platform, reveal that bad actors are now advertising and selling insider data-backed services on the dark web — profiting from employees of industry giants who have decided to go rogue.

The team at NordStellar has found 35 dark web posts claiming to sell services based on insider data so far this year. Some of the services for sale on the dark web claim to have direct connections to insiders from such well-known companies as Facebook, Instagram, and Amazon.

“The majority of the posts discovered by NordStellar’s team offer various look-up services, exposing sensitive user information, such as IP addresses, full names, email addresses, phone numbers, and even physical addresses,” says Vakaris Noreika, a cybersecurity expert at NordStellar. “Aside from violating the user’s privacy, this information can be used to launch highly targeted phishing scams or to commit fraud — or even identity theft.”

The posts reveal that look-up services can start at $500, offering the user’s phone number and linked email address. Advanced packages, which contain even more sensitive user information, such as IP addresses, physical addresses, date of birth, and other confidential details, can be purchased for $1,000 or more.

“Other popular services include account recovery and unbanning. The former can be especially damaging to the brand because users are often banned for violating the company’s policies or engaging in fraudulent activity,” says Noreika. “As a result, individuals who have been using the company’s services for scams can continue to do so, acquiring more victims and damaging the brand’s reputation in the process.”

Spotting and stopping insider threats

Noreika explains that insider threats are complex, and to safeguard against malicious employees, companies must have a comprehensive cybersecurity strategy in place. He emphasizes high observability and behavioural analysis as the two main pillars for resilience.

“The first key step is to ensure high observability into user actions — once security teams achieve visibility, they can look for anomalies in employee behavior, triggering the first alarms about potential malicious activity,” Noreika says. “Security teams should assess whether there are any potentially dangerous patterns in activity, for example, if a user is accessing sensitive information without justification or if there are any signs of them exfiltrating that information to external sources, like their own personal devices, accounts, or third parties.”

He underscores the importance of proper network segmentation and the principle of least privilege in general to prevent users from accessing sensitive information that isn’t necessary for their work. According to Noreika, to prevent employees from sharing and downloading unauthorized files, data loss prevention tools are also required.

“Consistent monitoring is another key asset — if prior security measures failed to stop the user from retrieving and exfiltrating the data, it’s crucial to mitigate the threat before it can escalate further,” says Noreika. “Monitoring the dark web for posts mentioning the company, especially those claiming to sell services fueled by insider data, should be prioritized. Once the potential threat is spotted, security teams can inspect its validity and, if the claims turn out to be legitimate, stop the employee from doing further damage and inform affected users to be on high alert before cybercriminals can deploy their attacks.”

To effectively mitigate the damage inflicted by malicious insiders, Noreika advises companies to prepare an incident response plan in advance. The plan should outline the detection and investigation process, as well as the steps for containing the threat, eradicating the user’s access to company data and recovering systems if attackers compromise them in the process.
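The monitoring advice in this post and in the January 6 post above (unusual access to sensitive data, exfiltration to personal devices or external parties, privilege drift) is concrete enough to run as detection logic. The block below is an added example, not NordStellar’s tooling: it runs three such checks over a constructed access log. The log format, the user names, the thresholds, the entitlement snapshot and the ".corp.example" internal-domain suffix are all assumptions made for the example.

```python
"""Insider-risk checks over a constructed access log (added example, not
NordStellar's code). Line format, thresholds, users and domains are assumptions:

  <ISO-8601 ts>Z user=<id> action=<READ|UPLOAD|COPY> resource=<path>
                 sensitivity=<high|low> [dest=<host>|usb:<label>] bytes=<n>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

INTERNAL_SUFFIXES = (".corp.example",)      # assumption: org-controlled hosts

GRANTS = {                                   # constructed entitlement snapshot
    "alice": {"crm/customers", "finance/ledger", "hr/payroll"},
    "bob": {"crm/customers"},
}


def _baseline_lines():
    """Five ordinary days: alice reads 3 sensitive records/day, bob reads 1."""
    lines, day0 = [], datetime(2025, 11, 3)
    for d in range(5):
        for n in range(3):
            ts = (day0 + timedelta(days=d, hours=9 + n)).isoformat() + "Z"
            lines.append(f"{ts} user=alice action=READ resource=crm/customers sensitivity=high bytes=4096")
        ts = (day0 + timedelta(days=d, hours=10)).isoformat() + "Z"
        lines.append(f"{ts} user=bob action=READ resource=crm/customers sensitivity=high bytes=4096")
    return lines


SAMPLE_LOG = _baseline_lines() + [
    # Day 6 (constructed): alice bulk-reads 40 sensitive records, then moves data out.
    *[f"2025-11-08T{8 + i // 10:02d}:{(i * 5) % 60:02d}:00Z user=alice action=READ "
      f"resource=crm/customers sensitivity=high bytes=4096" for i in range(40)],
    "2025-11-08T13:05:00Z user=alice action=UPLOAD resource=crm/export.csv sensitivity=high dest=personal-cloud.example bytes=52428800",
    "2025-11-08T13:20:00Z user=alice action=COPY resource=crm/export.csv sensitivity=high dest=usb:removable bytes=52428800",
    "2025-11-08T14:00:00Z user=bob action=UPLOAD resource=docs/plan.pdf sensitivity=low dest=share.corp.example bytes=2048",
]


def parse_line(line: str) -> dict:
    ts, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts.rstrip("Z"))   # naive UTC is enough here
    ev["bytes"] = int(ev.get("bytes", "0"))
    return ev


def detect_access_spikes(events, factor=5.0, min_count=10):
    """Flag (user, day) where sensitive reads are >= factor x the user's own mean
    over their other days and >= min_count. The user is their own baseline, so a
    heavy-but-steady role does not trip it."""
    per_day = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["action"] == "READ" and ev.get("sensitivity") == "high":
            per_day[ev["user"]][ev["ts"].date()] += 1
    alerts = []
    for user, days in per_day.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = mean(others) if others else 0.0
            if count >= min_count and count >= factor * max(baseline, 1.0):
                alerts.append({"user": user, "day": day, "count": count, "baseline": baseline})
    return alerts


def detect_external_transfers(events, min_bytes=10 * 1024 * 1024):
    """Flag uploads/copies to non-internal hosts or removable media when they are
    large or involve sensitive material."""
    alerts = []
    for ev in events:
        if ev["action"] not in ("UPLOAD", "COPY"):
            continue
        dest = ev.get("dest", "")
        removable = dest.startswith("usb:")
        external = not dest.endswith(INTERNAL_SUFFIXES)
        if (removable or external) and (ev["bytes"] >= min_bytes or ev.get("sensitivity") == "high"):
            alerts.append({"user": ev["user"], "dest": dest, "bytes": ev["bytes"], "resource": ev["resource"]})
    return alerts


def unused_entitlements(grants, events, window_days=30, now=None):
    """Privilege drift: granted resources the user has not touched in the window.
    These are revocation candidates under least privilege."""
    now = now or max(ev["ts"] for ev in events)
    cutoff = now - timedelta(days=window_days)
    used = defaultdict(set)
    for ev in events:
        if ev["ts"] >= cutoff:
            used[ev["user"]].add(ev["resource"])
    return {u: sorted(g - used[u]) for u, g in grants.items() if g - used[u]}


def run_audit(lines=SAMPLE_LOG):
    events = [parse_line(l) for l in lines]
    return {
        "access_spikes": detect_access_spikes(events),
        "external_transfers": detect_external_transfers(events),
        "unused_entitlements": unused_entitlements(GRANTS, events),
    }


if __name__ == "__main__":
    for name, hits in run_audit().items():
        print(f"{name}: {hits}")
```

The three checks are deliberately independent so each can be tuned on its own: the spike detector compares a user against their own history rather than a fleet-wide threshold, the transfer check keys on destination rather than volume alone (a single sensitive file to a personal cloud is flagged even if small), and the entitlement diff surfaces rights to revoke before an insider or an attacker holding that account can use them.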

NordStellar introduces brand protection to help companies combat fraud and impersonation at large

Posted in Commentary with tags on October 28, 2025 by itnerd

Bad actors use fraud and impersonation tactics to trick customers into handing over their money or sensitive data while posing as trusted brands. NordStellar has introduced its new brand protection service that monitors the web, social media, and app stores for fraudulent activity, providing brands with actionable insights into fraud and impersonation cases to safeguard their reputation and protect their customers.

Earlier this year, NordStellar introduced its cybersquatting detection feature to help companies combat bad actors that use fake domain names to profit from trademarks belonging to legitimate businesses. The brand protection service takes it a step further by monitoring the publicly available internet to detect fraudulent websites and phishing sites, fake profiles and impersonators on social media platforms, as well as cloned or malicious apps on app stores. Once an incident of fraud or impersonation is detected, NordStellar initiates takedown processes to remove the threats.

How it works:

  • Continuously monitors the web, social media, and app stores for any fraudulent activity.
  • Analyzes the available data to detect anomalies, suspicious activity, or inputs from unauthorized sources.
  • Initiates takedown processes for detected fake websites, social media scams, app store counterfeits, and other forms of brand abuse.
  • Offers detailed monthly performance reports that provide businesses with a complete summary of all detected, resolved, and removed threats.

The brand protection service is now available to all NordStellar users. More information here.

Guest Post: 2025 seeing a 47% spike in ransomware attacks

Posted in Commentary with tags on October 14, 2025 by itnerd

Ransomware attacks continue to rise in 2025, with 6,330 cases recorded so far, underscoring escalating risks for small and medium-sized businesses

The latest data analyzed by NordStellar, a threat exposure management platform, reveals that the number of ransomware incidents in 2025 is continuing to grow. Between January and September 2025, 6,330 ransomware cases were exposed on the dark web, representing a 47% increase compared to the 4,293 cases recorded in the same period last year.

“So far this year’s results are highlighting a worrying trend — the number of ransomware cases continues to grow steadily,” says Vakaris Noreika, cybersecurity expert at NordStellar. “The majority of the growth we’re witnessing right now is most likely a direct result of the increase in ransomware-as-a-service (RaaS) that allows cybercriminals to scale their attacks and has lowered the entry barrier for bad actors. Another key factor is the significant increase in the number of active ransomware groups, which has reached an all-time high.”

Noreika explains that the number of active ransomware groups has been consistently increasing over the past five years. In September alone, NordStellar traced back the ransomware incidents to 66 different groups.

Prime targets in Q3 2025: The US, SMBs, and the manufacturing industry

In July-September 2025, 1,943 ransomware cases were exposed on the dark web, a 31% increase compared to the same period in 2024 (1,484 cases). US businesses were the most targeted, accounting for 54% of the 1,274 cases that could be traced to specific victim countries. Canada holds the second spot with 62 incidents, followed closely by Germany (60), the United Kingdom (54), and France (35).

“The findings mirror the results we have been seeing all year,” explains Noreika. “The US is home to numerous profitable public businesses, and this, coupled with strict regulations, makes them an attractive target for cybercriminals. Their potential for high profitability, combined with a higher likelihood of meeting ransomware demands to resolve incidents quickly, increases the chances of success for attackers.”

Ransomware data from July to September 2025 revealed that the manufacturing industry was the most affected by ransomware, with 245 cases, mirroring the results of the previous quarters. It was followed by professional, scientific, and technical services (107), information technology (103), construction (91), and financial services (69).

“Companies operating in the manufacturing industry experience high operational downtime costs, making them more inclined to give in to ransomware demands to resolve the incident as soon as possible. They also often rely on outdated or unpatched software and systems and are more likely to experience supply chain vulnerabilities due to reliance on third-party vendors, partners, and logistics providers,” says Noreika.

He explains that companies operating in the professional, scientific, and technical services industry often work with confidential customer data, intellectual property, and critical business tools, making them an attractive target for ransomware actors. According to Noreika, businesses in the information technology industry are targeted because they handle large volumes of valuable data and are key components of the supply chain. This means that attacking them can spread ransomware to multiple businesses simultaneously.

Small and medium-sized businesses (SMBs) were the most affected. The data revealed that organizations with up to 200 employees and revenues of up to $25 million experienced the most attacks.

“As in the first half of 2025, SMBs continue to remain the primary targets for ransomware. Ransomware actors usually perceive smaller businesses as lower-risk targets because they might lack a sophisticated IT infrastructure, operate on low cybersecurity budgets, and not have the means to investigate or report attacks to authorities,” says Noreika.

He adds that smaller revenue companies may also be more likely to meet attackers’ demands since the cost of downtime, data loss, or reputational damage from a full-blown ransomware attack could devastate the business financially. As a result, many of them could view paying the ransom as the only option, making them targets against which ransomware attackers are more likely to succeed.

Old players take the lead

The ransomware group Qilin was responsible for the most attacks in Q3 2025, with 241 incidents, and continues to hold the number one spot from the previous quarter. It’s followed by Akira (190), INC Ransom (146), Play (102), and Safepay (92).

“Qilin, Akira, and Play are more experienced players, active from 2022-2023, and are known for their double extortion models and large victim scope. They are also more likely to keep their operations in-house, without utilizing or offering RaaS, so as not to compromise their operations,” says Noreika. “Safepay is the youngest group, first detected in the fall of last year, but so far has been consistently among the top perpetrators this year. INC Ransom was first discovered in late 2023 and is generally lesser-known. However, this year, they have been quite consistent with their attacks as well.”

According to Noreika, ransomware groups are highly organized. He explains that business leaders are not always fully aware of the danger they pose — for example, that they often seek out top talent in cybersecurity or might even recruit insiders to carry out a targeted attack against an organization, making them a threat that companies cannot afford to underestimate.

Main mistakes that make a business more vulnerable to ransomware

Noreika explains that the first step in making a company ransomware-resistant is prevention. He highlights cybersecurity hygiene as the primary foundation.

“Most attacks happen due to user error. As a result, raising cybersecurity awareness and increasing training, as well as promoting good cybersecurity hygiene, is the basic first step,” says Noreika.

He continues by saying that employees who can recognize phishing scams, understand the importance of proper password management, and recognize the necessity and importance of utilizing tools like multi-factor authentication or a VPN are less likely to open the company’s network to cyber intruders.

“Another important factor is monitoring and addressing unknown cybersecurity gaps. With more businesses embracing hybrid or remote work models, introducing unmanaged devices and relying on third-party vendors, the attack surface is expanding, and any endpoint can be exploited,” says Noreika.

To stay ahead of attackers, he advises companies to monitor for external vulnerabilities before they are exploited, as well as any potential data leaks on the dark web, to minimize the possibility of a more sophisticated attack. Noreika emphasizes that recovery plans and backing up critical data are among the essential steps to reduce the impact of a potential ransomware incident.

Disclaimer: While the total number of 1,943 ransomware attacks in Q3 2025 is accurate, the figures presented for each category (industry, company size, and country) may be slightly higher. This is because a number of incidents were missing data needed for categorization and thus were omitted.

Guest Post – From data breaches to physical risks: The dark web’s growing danger to executives

Posted in Commentary with tags on September 4, 2025 by itnerd

Cybersecurity experts explain why security teams are turning to the dark web to protect executives

Executives are the prime targets for cyberattacks. However, cybercrime is not the only threat lurking in the internet shadows for high-profile leaders. The dark web has become a hub for bad actors who are seeking to steal corporate leaders’ credentials for access to sensitive data and laying the groundwork for more sophisticated cyberattacks or even plotting assaults that threaten executives’ physical safety.

A study by GetApp, a business software directory, found that 72% of surveyed US executives have been targeted by cybercriminals at least once. Additionally, 69% of employees who work in companies that experienced previous attacks targeting leaders claim that cyberattacks against executives have increased.

According to Vakaris Noreika, a cybersecurity expert at NordStellar, a threat management platform, executive protection has become an even more relevant topic over the last few years. High-profile cases, such as the assassination of the UnitedHealthcare CEO Brian Thompson, have fueled existing concerns over executive safety — both online and offline.

“Corporate leaders are prime targets for cybercriminals because their credentials and personally identifiable data can grant cybercriminals access to sensitive resources or deploy sophisticated social engineering attacks to maximize the damage and profits,” says Noreika. “The dark web is filled with bad actors — many financially motivated, others driven by political or ideological goals — making it a hub for threats against executives, from cyberattacks to physical assaults.”

Growing concerns from physical security teams

According to Ron Zayas, an online privacy expert and CEO of Ironwall by Incogni, a privacy protection and data removal service, the company’s team noticed a growing interest in executive protection from businesses over the past eight months.

“Multiple high-profile attacks, as well as abrupt political shifts that resulted from the change of administration in the U.S., have been the two main contributing factors fueling the rising interest in executive protection services,” says Zayas. “Physical security teams have shown the greatest interest. While most IT admins use dark web monitoring and consider executive protection a lower priority, physical security experts stress the need for additional measures.”

Zayas reveals that executives are frequently named as direct targets in dark web posts, with their credentials often appearing in data leaks alongside those of other employees. Some companies are explicitly targeted — bad actors disclose their aim to proactively penetrate the organization and obtain the credentials of its senior management.

“In our experience, physical security teams are most concerned about any information leaks disclosing the location of the executives because this would set the stage for a potential assault at home and away from the office,” says Zayas. “Aside from personally identifiable information leaks, they also look for any other dangerous activity posing a threat to physical security.”

Main cyber threats targeting executives

According to Noreika, targeted cyberattacks are the most significant cybersecurity risk lurking for executives on the dark web. If a bad actor successfully obtains corporate leaders’ credentials, personally identifiable information, or other sensitive details, the likelihood of them infiltrating a company’s network, using that data to carry out more devastating attacks, or locating the executive is very high.

“In the most common cases, hackers use stolen credentials to infiltrate a network,” says Noreika. “However, they might also use personal information to launch phishing campaigns, tricking executives into downloading malware. They can also carry out business email compromise attacks, posing as corporate leaders to scam employees, partners, or vendors, or even use snippets of their voice for deepfakes. This enables them to steal company funds, fool third parties into payments, or leak sensitive data.”

Noreika explains that dark web monitoring is essential to detect these threats before they escalate. However, it’s important to note that once information is leaked on the dark web, there’s not much security teams can do to make it disappear. Companies must have a proper executive threat prevention, preparedness, and response plan to maximize the mitigation of security risks.

“Strict access controls, multi-factor authentication, proper network segmentation, and a comprehensive cybersecurity strategy are necessary to ensure that cybercriminals cannot successfully infiltrate a network. Robust physical security measures must also be in place to minimize the risk of endangerment to physical security,” says Noreika. “The response plan should contain swift step-by-step actions encompassing threat containment, incident reporting, and coordination with law enforcement and security teams to mitigate risks and ensure executive safety.”

Noreika emphasizes that cybersecurity training for corporate leaders should also be prioritized. Raising their cybersecurity awareness could significantly decrease the likelihood of their credentials or other personal data ending up in a data leak on the dark web.

ABOUT NORDSTELLAR

NordStellar is a next-generation threat exposure management platform that enables companies to detect and respond to cyber threats before they escalate. NordStellar offers visibility into how threat actors work and what they do with compromised data. NordStellar was created by Nord Security, a globally recognized company behind one of the world’s most popular digital privacy tools, NordVPN. For more information, visit nordstellar.com.

Guest Post – Alarmingly organized criminal enterprises: Who’s behind devastating ransomware attacks?

Posted in Commentary with tags on August 12, 2025 by itnerd

From corporate insiders to elite professionals — cybersecurity expert reveals the alarming anatomy of ransomware groups and their growing threat

Ransomware attacks nearly doubled in the first half of 2025, revealing an alarming surge in cybercriminal activity and exposing widespread corporate security vulnerabilities. Vakaris Noreika, a cybersecurity expert at NordStellar, a threat exposure management platform, explains that these attacks are carried out by highly organized and structured organizations that often seek out the best talent — and underestimating this threat could cause a business’ downfall.

According to data from NordStellar, ransomware cases surged in the first half of 2025, with a 49% increase compared to the same period in 2024. US companies suffered the most, with small and medium-sized enterprises and those in manufacturing becoming prime targets for ransomware.

High requirements behind devastating attacks

According to Noreika, NordStellar has identified over 200 ransomware groups and currently, over 60 of them are active. In addition to the usual updates about successful attacks, they sometimes also publish recruitment announcements, and their high-level requirements should ring alarm bells.

“These groups are mostly looking for top talent in cybersecurity — their requirements tend to consist of wanting an individual with an experienced background in specific fields and a proven track record,” says Noreika. “According to them, cybercriminals must undergo meticulous screening before they can join the group, minimizing the risk of their being compromised, while some ransomware groups don’t accept outsiders in general, and members can only be invited by already established individuals.”

Screenshot from a ransomware group posting.

Scaling operations and maximizing profits

He explains that individuals unfamiliar with the inner workings of ransomware groups are often under the false impression that these hackers are just lone wolves or kids with some hacking skills following a get-rich-quick scheme. However, the opposite is true — the efficiency of ransomware attacks lies in the operation’s high organizational aspect.

“Ransomware groups are organized crime, and it’s extremely dangerous to underestimate how equipped they are to carry out their attacks. They function like a corporation, with different individuals assigned to specific tasks so that the operation runs smoothly,” says Noreika. “They also train their members, sharing knowledge and ensuring their expertise meets their requirements. Some even have insiders in the company they’re targeting, granting them easy access to sensitive resources.”

Screenshot from a ransomware group posting.

According to Noreika, besides new member recruitment, these groups also offer ransomware-as-a-service (RaaS). This model lowers the entry barrier to cybercrime, allowing even amateur hackers to partake.

“With RaaS, ransomware can scale even more exponentially, allowing more individuals to carry out ransomware attacks and maximizing the ransomware group’s profits. Some ransomware groups even use RaaS themselves as a means to scale their operations without the need for additional human resources,” says Noreika.

Primary targets — critical infrastructure

According to Noreika, ransomware groups have a strategic and calculated approach to selecting their targets. As a result, critical infrastructure organizations often become the prime targets.

“Companies in the healthcare sector cannot afford any downtime, and losing access to patient medical records can sometimes literally be a matter of life or death. As a result, they could be more inclined to give in to ransomware demands to restore their operations,” says Noreika. “On the other hand, manufacturing businesses operate on tight schedules, and setbacks could result in severe financial losses. Consequently, they could also be more predisposed to do whatever it takes to resume operations quickly.”

However, he emphasizes that any business could fall victim to ransomware. According to Noreika, relying on passwords as the only means for user authentication, using outdated systems and applications, and prior credential leaks on the dark web are some of the main cybersecurity gaps that make enterprises more vulnerable.

“Ransomware groups operate with meticulous organization and expertise, making any security gap a dangerous liability. Effective protection demands continuous monitoring of the company’s attack surface and prompt identification and patching of vulnerabilities. Anything less leaves your organization unnecessarily exposed,” says Noreika.

He emphasizes that promoting a cyber-aware culture also significantly reduces the risk of experiencing a successful ransomware attack. Employees who have received cybersecurity training are less likely to hand over their credentials to hackers, minimizing the possibility of them gaining access to the network due to user error.


NordStellar achieves SOC 2 Type II compliance

Posted in Commentary with tags on July 31, 2025 by itnerd

NordStellar has achieved SOC 2 Type II compliance, completing security certification across all Nord Security Business Suite products

The next-generation threat management platform NordStellar has announced that it achieved System and Organization Controls (SOC) 2 Type II compliance. It’s the third and final product of the Nord Security Business Suite to have successfully concluded this audit.

NordStellar enables businesses to detect and respond to cyber threats before they escalate, empowering them to stay ahead of threat actors. It was launched in 2024 and is the newest addition to the Nord Security Business Suite, alongside NordLayer, the toggle-ready platform for business, and NordPass, a password manager. Both are SOC 2 Type II compliant.

SOC 2 is a security framework developed by the American Institute of Certified Public Accountants (AICPA) to ensure service providers securely manage customer data. SOC 2 compliance is achieved by undergoing independent audits assessing data management based on five criteria: security, availability, processing integrity, confidentiality, and privacy.

All three Nord Security Business Suite products passed the SOC 2 Type II audit with no exceptions.