Ransomware

Check Point’s Oct 27 intel highlights a fast‑moving LockBit 5.0 wave and live exploitation of Magento’s SessionReaper (CVE‑2025‑54236). H...

LockBit 5.0 and Magento “SessionReaper”: DFIR notes on two active intrusion patterns

4n6 Beat
5 min read

Check Point’s October 27, 2025 weekly report flags two things we should treat as priority hunts: a fresh LockBit 5.0 build with cross-platform encryptors and faster runtime, and active abuse of Magento’s SessionReaper (CVE-2025-54236) to hijack sessions and drop PHP webshells via the REST API. Their write-up aligns with Trend Micro’s technical analysis of the LockBit 5.0 binaries and Adobe/Sansec guidance on SessionReaper exploitation in the wild. (Check Point report; Check Point blog on the comeback; Trend Micro analysis; Adobe APSB25-88; Sansec). (research.checkpoint.com)

DFIR field guide: Investigating ToolShell-driven SharePoint intrusions (Talos IR Q3 2025)

4n6 Beat
7 min read

Cisco Talos IR’s Q3 2025 report highlights a sharp rise in compromises that began with exploitation of on-premises Microsoft SharePoint via the ToolShell chain. More than 60% of Talos engagements involved exploitation of public-facing apps, and almost 40% showed ToolShell activity; ransomware dropped to ~20% of cases while post-exploitation phishing from compromised accounts continued to climb (Talos IR Q3 2025). Microsoft confirms active, multi-actor abuse of new SharePoint bugs (CVE-2025-53770, CVE-2025-53771) related to earlier July CVEs (CVE-2025-49704, CVE-2025-49706), and stresses that only on-prem servers are affected, not SharePoint Online (Microsoft Security TI, MSRC customer guidance). CISA added CVE-2025-53770 to the KEV catalog, underscoring exploitation in the wild (CISA KEV entry).