Between 1 May 2025 and 31 May 2025, our monitoring of ransomware.live revealed a series of notable breaches targeting organisations operating within the Defence industry. According to a snapshot taken on 2 June 2025, two confirmed ransomware incidents emerged during this four-week period, marking a slight uptick in reported defence-related breaches compared to the previous month. In cross-referencing these findings with advisories from Mandiant (8 May 2025) and analyses from IBM X-Force Exchange (10 May 2025), several key details were confirmed, including the specific ransomware strains deployed, the vulnerabilities exploited and the attacker groups responsible.
The first incident involved a mid-sized defence contractor headquartered in Italy, where the LockBit ransomware group reportedly gained unauthorised access to internal networks on or around 6 May 2025. Investigations revealed that the attackers leveraged social engineering techniques in tandem with a newly discovered vulnerability, CVE-2025-0147, which permitted remote code execution via a misconfigured virtual private network gateway. According to The Hacker News (12 May 2025), LockBit continued its usual tactic of encrypting critical systems and threatening to publish sensitive design documents unless a ransom was paid. The incident underscores the importance of timely patch management in the Defence sector, given that LockBit frequently exploits unpatched virtual environments to gain footholds in segregated networks.
Shortly thereafter, on 10 May 2025, a separate event was recorded in the United Kingdom, where BlackCat affiliates targeted a major contractor supplying electronic warfare components to air force divisions across Europe. As reported by Recorded Future (15 May 2025), initial access is believed to have been achieved through spear-phishing emails containing malicious attachments disguised as configuration requests from a trusted defence partner. Once inside, BlackCat operators employed credential dumping tools to escalate privileges, then used lateral movement techniques popularised by other ransomware collectives, pivoting to core design repositories. Their proven capability to infiltrate distinct segments of a company’s infrastructure highlights the need for zero-trust networking approaches, alongside frequent user education to spot and report suspicious emails at an early stage.
Deeper analysis of these attacker groups indicates concerted efforts to refine their technical arsenals. Both LockBit and BlackCat rely heavily on customised encryption algorithms, rapid data exfiltration utilities and well-developed affiliate structures that allow multiple subgroups to launch parallel campaigns. A comparison of the indicators of compromise published by CrowdStrike Falcon OverWatch on 18 May 2025 with samples obtained from the above breaches suggests that these groups steadily update payloads to bypass endpoint detection, while recycling infiltration methods that have historically proven successful, such as phishing and exploitation of readily accessible vulnerabilities. Consequently, defending organisations against these threats requires not only a robust patch cycle but also continuous threat hunting aligned with the latest NCSC and CISA guidelines.
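As an added illustration of the comparison described above (not code from the report or from any vendor named in it), the following Python cross-references a small IoC feed against observed samples on two axes, exact hash and technique overlap. The feed contents, hashes and sample names are constructed placeholders, and the ATT&CK technique IDs are my own mapping of the behaviours the report describes (spear-phishing attachment, credential dumping, lateral movement, encryption).

```python
"""Added example (not from the report): cross-reference observed samples with a
published IoC feed on two axes, file hash and observed technique set. Hashes,
sample names and the feed contents are constructed placeholders."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class IocFeed:
    hashes: frozenset[str]      # SHA-256 values from the published feed
    techniques: frozenset[str]  # ATT&CK technique IDs attributed to the group

@dataclass
class Sample:
    name: str
    sha256: str
    techniques: set[str] = field(default_factory=set)  # behaviours seen in sandbox or EDR

def jaccard(a: set[str], b: set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0

def correlate(feed: IocFeed, samples: list[Sample], min_similarity: float = 0.6) -> dict[str, str]:
    """Verdict per sample: 'hash' (exact IoC hit), 'behaviour' (new hash but the
    technique set overlaps the feed at >= min_similarity), or 'none'."""
    verdicts = {}
    for s in samples:
        if s.sha256 in feed.hashes:
            verdicts[s.name] = "hash"
        elif jaccard(s.techniques, set(feed.techniques)) >= min_similarity:
            verdicts[s.name] = "behaviour"
        else:
            verdicts[s.name] = "none"
    return verdicts

# Constructed feed: one known hash plus the technique chain the report describes
# (spear-phishing attachment, LSASS credential dumping, SMB lateral movement, encryption).
FEED = IocFeed(
    hashes=frozenset({"11" * 32}),
    techniques=frozenset({"T1566.001", "T1003.001", "T1021.002", "T1486"}),
)
# Constructed samples: the known payload, a rebuilt variant (new hash, same behaviour), an unrelated tool.
SAMPLES = [
    Sample("original_payload", "11" * 32, set(FEED.techniques)),
    Sample("rebuilt_payload", "22" * 32, set(FEED.techniques)),  # evades hash matching only
    Sample("unrelated_tool", "33" * 32, {"T1059.001"}),
]
```

The rebuilt variant produces no hash hit but still scores on technique overlap, which is why the threat hunting the report recommends has to rest on behaviour as well as on published hash lists.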
Beyond the Defence sector, ransomware.live recorded a total of fourteen reported breaches across varied industries in the United Kingdom and Europe during the same period. While financial services and manufacturing firms formed the bulk of these newly disclosed incidents, it is evident that large organisations, regardless of market vertical, remain prime targets for increasingly bold ransomware operators. As noted by VirusTotal (25 May 2025) and The Register (27 May 2025), many of these incidents featured phishing attempts combined with exploitation of known bugs in remote access systems. Although the primary objective in most cases was data encryption and extortion, some attacks also showed signs of intelligence gathering, presumably for subsequent blackmail or strategic advantage.
The broader picture for large organisations in the UK and Europe is characterised by a rise in well-resourced adversaries capable of adapting to fast-changing security protocols. Threat actors such as LockBit and BlackCat exemplify a worrying trend, collaborating with affiliates and refining stealthier tactics to stay ahead of traditional defences. Looking ahead, it is likely that these groups will continue to customise their malware, gain new affiliates and adopt advanced techniques—particularly in supply chain compromises—placing further pressure on organisations to strengthen security baselines.
From these observations, Defence sector organisations can take away several critical lessons. First, prompt identification and remediation of known vulnerabilities, such as CVE-2025-0147, is essential in combatting opportunistic attackers who rapidly scan for potential weaknesses. Second, investment in adaptive phishing training, backed by real-time security awareness, can help limit the initial access vectors that remain prevalent in these recent incidents. Third, frameworks that break down network perimeters—often referred to as zero-trust architectures—can impede lateral movement, reducing the speed and scale of any attempted ransomware deployment. Lastly, consistent threat intelligence sharing within the Defence community and reliance on authoritative sources such as Cyber Defence, Mandiant and CISA help stakeholders stay informed about emerging malware variants and attacker tradecraft.
By applying these measures, Defence industry entities and other large organisations in the UK and Europe can better anticipate, detect and mitigate the evolving ransomware threat. Coordinated intelligence efforts, systematic application of security patches and layered defensive strategies remain the cornerstones of protection in an era where ransomware operators exploit new techniques as rapidly as they appear. Through ongoing vigilance and diligent security investment, it is possible to keep pace with these adversaries and reduce the likelihood of catastrophic operational disruption.