Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome back to Digital Rage. I'm Jeff, the producer here at Byer Company. This is the second episode of the Byer-Nichols Threat Brief. We are breaking down the current active ransomware, malware threats and
(00:13):
adversaries so you can be better informed.
Byer Co is a digital marketing agency specializing in cyber security. We assemble this brief twice a month using data from cyber security experts for your consumption and distribution. So please share with a friend, and here we go.
Okay, let's unpack this. Today we are diving deep into the Byer-Nichols Threat Brief for July 2025. Our mission here really is to cut through all the digital noise,
(00:40):
you know, and get straight to the most crucial and sometimes, frankly, surprising insights about what's happening in cyber threats right now. What's really going on out there, and more importantly, what does it mean for you?
Yeah, and what's compelling about this particular brief is that the methodology behind it is pretty rigorous. It's not just grabbing headlines. They synthesize open source intelligence, OSINT, right, from all sorts of places.
(01:03):
Threat feeds, vendor bulletins, blogs. And then, the key: they cross-reference it all with the CISA Known Exploited Vulnerabilities catalog. CISA, that's the Cybersecurity and Infrastructure Security Agency.
Their list is basically the vulnerabilities attackers are using, like, right now. And they even add details from ransomware leak sites. So it gives this really comprehensive view.
(01:24):
It's kind of a shortcut for you to get genuinely well informed on the big stuff happening recently.
A shortcut, I like that. And when you say insights, well, get ready for some pretty stark realities, folks. We're going to explore why small businesses are just overwhelmingly the main target.
It's kind of shocking. Plus, the sheer speed of some attacks, it's startling. And we'll look at new players, new strategies popping up in the cyber underworld.
(01:47):
So yeah, what are the key ransomware types, which sectors are getting hit hardest, and who are the adversaries you need to have on your radar right now?
Okay, so looking at the top ransomware families, Qilin and INC Ransom, they're still dominating. We're talking 13.0% for Qilin, 11.51% for INC.
Pretty consistent there. Akira is also up there at 9.92% and SafePay at 9.52%. But here's the interesting bit: Beast. It's new to the top five, landing at 6.35%.
(02:17):
Its rapid rise suggests a new player really getting traction. Beast, okay, that's definitely a name to watch.
Especially climbing that fast. And speaking of victims, where are these attacks actually hitting geographically? I mean, which industries are suffering most? Well, no huge surprise, the USA is still the primary target by a long shot.
It accounts for a frankly staggering 50% of all victims. Half. After that it drops off significantly: the UK's next at 4.37%, then Italy at 3.97%. Canada and Germany are tied around 3.57%.
(02:48):
But yeah, that US concentration is really telling. 50% just in the US. That's not just a big number, is it? It feels like strategic targeting.
What do you think is behind that? Is it just more targets, or are there, like, specific economic reasons, maybe geopolitical factors, making US organizations more attractive or maybe more vulnerable?
That's a great question, and it's likely a mix of things. You've got the sheer density of valuable IP here, right, intellectual property, plus highly interconnected supply chains.
(03:17):
And maybe, just maybe, a perception that security maturity in some small to medium businesses isn't quite as high as, say, their European counterparts, who face different regulations.
So it's not just more targets. It's the quality and maybe the accessibility of those targets, often a better potential payoff for the attackers. Sector-wise, construction is actually leading the pack, 16.27% of victims, followed really closely by retail at 15.40%
(03:43):
and manufacturing right there too at 15.08%. Financial services, technology, they round out the top five, which is a really broad impact.
Okay, so we've covered the what, the ransomware, and the who in terms of general targets.
But there's this one finding in the brief that just keeps jumping out, and it really highlights what feels like a huge blind spot in how we think about defense: the breakdown by company size. What's the report saying there?
(04:04):
Yeah, this trend is just undeniable now. It's become a clear pattern. The overwhelming majority of victims
are still small businesses, we're talking 500 employees or less, and the number jumped. It was around 80.6% before; now it's 84.52% in this July report.
That's not just a small uptick. It feels like a fundamental shift in focus from the attackers. It really confirms that smaller organizations, you know, often with fewer resources for really robust cybersecurity, they're the main battleground now. 84%, wow. That's not just a statistic, right? There's, like, a whole segment of the economy basically under siege.
(04:39):
It really makes you wonder if our current security thinking, our defense strategies, are actually doing enough to address that vulnerability, especially when you think about how devastating just one breach can be for a small company. Precisely. It just underscores how vulnerable they are. I mean, a single breach can very realistically put a small business out of business entirely. Exactly. So okay, given who's being targeted, these smaller guys, and how vulnerable they are, let's connect that to the attackers themselves.
(05:05):
The brief mentions a mix, right? Some familiar names, some reemerging ones. Who should you be watching out for, and are they using any new tricks?
It's a fascinating mix, actually: established groups and some returning players. APT41, for instance. That's an advanced persistent threat group, state-sponsored, China-based, known for espionage. They've been quiet for almost a year, but they're back and now seem to be specifically targeting governments in Africa.
(05:30):
Then there's Fire Ant. This one's a really stealthy cyber espionage campaign. They're exploiting vulnerabilities in ESXi and vCenter. Okay, hold on, ESXi and vCenter. For the listeners who might not live in that world every day, maybe network or app security folks, can you quickly explain what those are and why hitting them is such a big deal for attackers?
Oh, absolutely, good point. Think of ESXi as the foundational layer. It's the operating system that runs lots of virtual machines, virtual servers, directly on the hardware. It's a bare-metal hypervisor. And vCenter, that's the central command console. It manages all those virtual environments.
(06:06):
So if an attacker gets into vCenter, it's like getting the master key to the whole data center. It basically gives them massive control, often lets them deploy ransomware super fast across everything virtualized. It's, yeah, it's a gold mine for them. We also see NoName057(16). That's a pro-Russian hacktivist group. They focus on DDoS attacks, distributed denial of service, just flooding systems with traffic to knock them offline. They're mostly hitting government and public sector targets, especially active during Russian business hours, it seems.
(06:35):
Right, and then Scattered Spider. You heard about some arrests, thought maybe they'd gone quiet, but apparently not. Their activity sounds incredibly impactful. Yeah, the Scattered Spider situation is concerning. Despite those arrests, they are definitely active again. Recent campaigns have heavily focused on compromising those VMware ESXi environments we just talked about. Google's Threat Intelligence Group reported they got into vCenter Server Appliances, enabled SSH, that secure remote access, and then installed persistent back
(07:04):
doors, tools like Teleport. And they're not just sitting there. They're pulling out Active Directory databases, that's got all the critical user info, and deploying ransomware directly onto the hypervisors, which means they can encrypt entire virtual servers at once. But the really striking thing, it's the sheer velocity, how fast they operate. From getting in to encrypting everything, it's remarkably quick. That speed, that velocity you mentioned, it's a huge concern. It really feels like attackers are just
(07:33):
operating on a totally different time scale than a lot of defenders can react to. And the report mentions a possible connection to ShinyHunters. What's the thinking there, and what does that linkage imply? Yeah, it's now pretty widely believed that ShinyHunters might be the group behind some recent big breaches involving Salesforce data, companies like Qantas, Allianz Life, LVMH, Adidas. And yes, there's definitely growing suspicion that ShinyHunters might have direct links to Scattered Spider. Now, they still seem like distinct groups, but there could be a lot of overlap in people,
(08:02):
maybe tactics. It's an important development to watch. It suggests a more complex, maybe more interconnected threat landscape than we thought. We also have Storm-2603 mentioned, a newer threat actor tied to something called the ToolShell campaign. Their tactics look like a dangerous mix, sort of APT-like, that advanced persistent style, but combined with financially motivated ransomware. It's a hybrid approach. Makes them particularly dangerous.
(08:28):
Okay, all right, let's pivot to immediate actions. Yeah, for organizations listening right now, what are the absolute must-patch vulnerabilities? This is critical. Absolutely critical. Okay, so multiple vulnerabilities in Microsoft SharePoint Server, specifically CVE-2025-49704, CVE-2025-49706 and CVE-2025-53770. These are being actively exploited right now in the wild.
(08:52):
Same story for Cisco Identity Services Engine, ISE: that's CVE-2025-2281 and CVE-2025-2337. Both Microsoft and Cisco have put out updates. Applying them immediately is just, it's non-negotiable for defense at this point. Got it: patch SharePoint, patch Cisco ISE, top priority. Beyond those specific CVEs, though, the whole landscape just keeps changing so fast, doesn't it? Looking at the other top news items in the brief this month, were there one or two that really stood out to you, maybe things that showed deeper trends we should be aware of? Yeah, definitely, two things kind of jumped out, illustrating
(09:21):
these broader shifts. First, the constant evolution of ransomware, like the Gunra ransomware moving to target Linux systems now. It just signals that attackers are adapting, moving beyond just traditional Windows environments. Our defenses need to cover everything, be platform-agnostic. Second thing, the return of malware like the Lumma infostealer even after law enforcement took it down. It just highlights how resilient these criminal operations are. It's a constant cat-and-mouse game, right? And they're learning, they bounce back faster, they redesign their tools.
(09:50):
These examples really hammer home how adaptable the attackers are and why defenders just have to keep evolving constantly. So, summing up the July 2025 Byer-Nichols Threat Brief, it really drives home how fast and dynamic this whole cyber threat landscape is. The big takeaways for you listening are pretty clear, I think. One, small businesses are massively the primary target now. That 84.52% number is huge. Two, the incredible speed we're seeing from groups like Scattered Spider.
(10:17):
It underlines the need for much faster detection, faster response. And three, obviously, the critical need to patch those active vulnerabilities immediately, especially Microsoft SharePoint and Cisco ISE. Don't wait. Right, so what does all this actually mean for your approach, your proactive security thinking?
It really emphasizes that staying informed isn't just, you know, reading headlines. It's about understanding the patterns underneath, the implications. And the report highlights this truly fascinating statistic, one that could really shift how we think about threat intelligence. Get this: spikes in malicious activity before a vulnerability is publicly announced. That happens in 80% of cases. 80%. Malicious activity comes first. And that raises a really important, maybe even provocative question for you to mull over.
(11:04):
If malicious activity often predicts new vulnerabilities, if attackers are finding and using flaws before they're even officially known, before the CVE exists, how does that change how we think about proactive cyber defense? What should we be doing differently? What does it really suggest about this never-ending race between attackers and defenders? Feels like it's accelerating, right? And maybe most importantly, what fresh questions does this pattern raise for your own approach to security, to gathering intelligence, to staying ahead?
(11:34):
Reach out to us at jbuyer.com for comments and questions. Follow us at Byer Company on social media, and if you'd be so kind, please rate and review us in your podcast app.