Wednesday War Room – 10/28/2025

The past three days have been a fascinating study in contrasts: while ransomware payments are hitting historic lows, the number of attacks is surging.


Welcome back to another edition of "Why We Can't Have Nice Things." It seems attackers are opting for a quantity-over-quality approach, which is just delightful. We've also seen the debunking of a massive (and thankfully, fake) Gmail breach, and the continued exploitation of a critical Oracle vulnerability. Let's dive in.

September Ransomware Attacks Surge 28%

Risk Level: Critical

Business Impact: Increased operational risk, heightened probability of business disruption, significant financial losses

What You Need to Know: After a six-month decline, ransomware attacks roared back in September with a 28% increase, totaling 421 incidents, according to NCC Group. The industrials sector was the most targeted (29%), followed by consumer discretionary and financial services. North America and Europe accounted for 75% of all attacks.

Why This Matters:

  • The sudden spike suggests that the recent lull in ransomware activity is over, and attackers are ramping up for the holiday season.

  • The focus on industrial and financial sectors indicates a strategic targeting of organizations with low-risk tolerance and high-value data.

  • The trend reversal is a wake-up call for organizations that may have become complacent during the recent decline.

Executive Actions:

📊 Review and update your organization's risk assessment to reflect the escalating threat landscape.

🛡️ Ensure your security controls are optimized to defend against the latest ransomware TTPs.

🆘 Validate your incident response and business continuity plans with a ransomware-specific tabletop exercise.

🤝 Enhance threat intelligence sharing with industry peers and government partners.

Ransomware Payments Hit Historic Low, But There’s a Catch

Risk Level: High

Business Impact: Shift in attacker strategy, increased focus on data exfiltration, evolving extortion tactics

What You Need to Know: While the number of attacks is up, ransomware payment rates have plummeted to a historic low of 23%, a report from Coveware reveals. The average payment has also dropped 66% to $376,941. However, this isn’t all good news. Attackers are now focusing on data exfiltration as their primary leverage, with 76% of incidents involving data theft.

Why This Matters: 

  • The decline in payments is forcing a strategic evolution in the ransomware business model.

  • Data exfiltration is now the main event, not a sideshow. This increases the risk of regulatory fines and reputational damage.

  • The shift in tactics requires a corresponding shift in defensive strategies, with a greater emphasis on data protection and leak prevention.

Executive Actions: 

🔍 Re-evaluate your data protection strategy to focus on preventing unauthorized exfiltration.

🛡️ Implement robust data loss prevention (DLP) controls and monitor for unusual data movement.

📜 Review and update your incident response plan to address data extortion scenarios.

🤝 Engage with legal and PR teams to prepare for the potential public disclosure of sensitive data.

That "183 Million Gmail Passwords" Breach? It's Not Real.

Risk Level: Medium

Business Impact: Wasted resources responding to false alarms, potential for security fatigue, erosion of trust in threat intelligence

What You Need to Know: Reports of a massive data breach exposing 183 million Gmail passwords have been thoroughly debunked by cybersecurity experts. The claims grossly misrepresented the nature of stealer logs and credential lists, which are collections of previously compromised passwords from various sources, not a direct breach of Google's systems.

Why This Matters: 

  • This incident is a textbook case of cybersecurity misinformation going viral.

  • It highlights the critical need for organizations to rely on verified threat intelligence from trusted sources.

  • The spread of false information can lead to unnecessary panic and divert valuable security resources.

Executive Actions: 

📚 Educate your employees on how to identify and report cybersecurity misinformation.

Establish a clear process for vetting and validating threat intelligence before taking action.

📢 Develop a communication plan to address cybersecurity rumors and FUD (Fear, Uncertainty, and Doubt).

🤝 Partner with a reputable threat intelligence provider to ensure you are receiving accurate and timely information.

Leadership Insight:

The theme of the past three days is adaptation. 

The threat landscape is not static; it is a dynamic and constantly evolving ecosystem.

Our adversaries are adapting their tactics in response to our defenses.

We must be equally adaptive. We must be able to anticipate, and not just react to, the next evolution in the threat landscape. This requires a level of agility and intelligence that many organizations still lack.

The question is not whether you will be tested, but when; how well you have adapted will determine the outcome.


Oracle E-Business Suite Zero-Day Attacks Continue

Risk Level: Critical  

Business Impact: Significant operational disruption, data theft, financial loss

What You Need to Know: The Clop ransomware group continues to exploit a zero-day vulnerability in Oracle's E-Business Suite, with industrial giants Emerson and Schneider Electric among the latest victims. The ongoing campaign highlights the significant risk posed by vulnerabilities in widely used enterprise software.

Why This Matters:

  • This is a prime example of a sophisticated threat actor leveraging a zero-day vulnerability to target high-value organizations.

  • The focus on industrial companies underscores the growing threat to critical infrastructure and operational technology (OT) environments.

  • The continued success of this campaign indicates that many organizations are struggling to patch and protect their Oracle EBS instances.

Executive Actions: 

📦 If your organization uses Oracle E-Business Suite, take immediate action to patch the vulnerability.

🔐 Implement enhanced monitoring and security controls around your Oracle EBS environment.

📊 Conduct a thorough review of your organization's exposure to this threat.

🧪 Engage with your OT security team to ensure that your industrial control systems are adequately protected.

KillNet Targets Crimean Tatar Resource Center

Risk Level: High 

Business Impact: Geopolitical fallout, increased risk for non-profit and advocacy groups, potential for targeted harassment

What You Need to Know: The Russian-affiliated hacktivist group KillNet has claimed responsibility for a data breach of the Crimean Tatar Resource Center. The attack is part of a broader pattern of cyber operations targeting entities associated with Ukraine and its supporters.

Why This Matters: 

  • This incident is a clear example of cyber warfare being used as a tool of geopolitical pressure.

  • It highlights the significant risk faced by non-profit and advocacy groups that may be targeted for their political or ethnic affiliations.

  • The use of hacktivist groups as proxies allows nation-states to conduct disruptive cyber operations with a degree of plausible deniability.

Executive Actions:

🌍 If your organization operates in a geopolitically sensitive region, review and enhance your security posture accordingly.

🤝 Strengthen relationships with law enforcement and government agencies to facilitate information sharing and response.

🛡️ Implement enhanced monitoring for threats from hacktivist groups and other politically motivated actors.

📢 Develop a crisis communication plan to address potential geopolitical fallout from a cyberattack.

IBM Releases 2025 Cost of a Data Breach Report

Risk Level: Medium

Business Impact: Strategic planning, budget allocation, risk management

What You Need to Know: IBM has released its latest Cost of a Data Breach Report, providing valuable insights into the financial impact of security incidents. The report highlights the key factors that drive breach costs up or down, and offers guidance on where to focus security investments for the greatest ROI.

Why This Matters: 

  • The report provides a data-driven framework for understanding and communicating the business impact of cybersecurity risks.

  • It can be a powerful tool for justifying security investments and aligning security priorities with business objectives.

  • The findings underscore the importance of a holistic approach to security, encompassing people, processes, and technology.

Executive Actions:

📊 Use the report's findings to benchmark your organization's security posture and identify areas for improvement.

💰 Leverage the report's data to build a business case for strategic security investments.

📈 Share the report's key findings with your board of directors and executive leadership team.

🤝 Work with your CISO to develop a data-driven security strategy that is aligned with your organization's business objectives.

⚙️ Immediate Leadership Checklist ⚙️

🔄 Review Your Ransomware Playbook: Is it still relevant in a world where data exfiltration is the primary threat?

📦 Assess Your ERP Security: When was the last time you audited the security of your most critical business applications?

🧠 Evaluate Your Geopolitical Risk: Does your organization have a clear understanding of its geopolitical risk profile?

📊 Quantify Your Breach Cost: Do you know how much a data breach would cost your organization? If not, it's time to find out.

📜 Validate Your Threat Intelligence: Where are you getting your information? Is it reliable? Do you have a process for filtering out the noise?

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)
