Ransomware Trends & Data Insights: December 2025

Consistent with the second half of 2025, Akira continues to dominate the ransomware landscape. In December, the group was responsible for over a third of all ransomware and extortion engagements observed by Arete. Akira was also responsible for 10% more ransomware attacks than the second and third most active groups, Qilin and INC Ransom, combined. Collectively, the top three most active threat groups in December accounted for about 57% of all activity Arete observed during the month.

Figure 1. Activity from the top 3 threat groups in December 2025

Throughout the month of December, analysts at Arete identified several distinct trends among the threat actors perpetrating cybercrime:

  • In addition to Akira, Qilin, and INC, there has recently been an uptick in engagements attributed to RansomHouse, a group that Arete had not observed since early 2024. Reporting from December 2025 indicated that the group updated its encryption code to make it more efficient, which could partly explain the increase in RansomHouse engagements observed in November and December.
  • In early December, a maximum-severity flaw was reported in the widely used JavaScript library React that allows unauthenticated remote attackers to execute malicious code on vulnerable instances. The vulnerability, tracked as CVE-2025-55182, also known as React2Shell, was assigned a maximum CVSS severity rating of 10.0, with an estimated 39% of cloud environments affected at the time the vulnerability was disclosed. Organizations should prioritize immediate patching to address the React2Shell (CVE-2025-55182) vulnerability and ensure all internet-facing applications are updated to the vendor-recommended versions.
  • In late December 2025, a high-severity, pre-authentication memory-disclosure vulnerability was disclosed that affects MongoDB versions 3.6 and later. Referred to as MongoBleed (CVE-2025-14847), the vulnerability enables unauthenticated attackers to send malformed network messages, thereby leaking uninitialized server memory that can contain sensitive data such as credentials, tokens, and API keys. While the flaw does not allow remote code execution and no ransomware campaigns have been confirmed, researchers have linked it to real-world abuse, including a suspected Ubisoft Rainbow Six Siege backend compromise. Data leaked in such incidents could enable follow-on attacks, including ransomware. Organizations with publicly exposed MongoDB servers affected by the vulnerability should immediately patch to the latest version.

Sources:

Arete Internal