Throughout the period from 1 May 2025 to 31 May 2025, the consulting industry faced a significant level of ransomware activity, with two high-profile breaches reported on ransomware.live. These incidents, corroborated by analyses published by Mandiant on 8 May 2025 and further supported by threat data from IBM X-Force Exchange on 12 May 2025, demonstrate both the continued evolution of ransomware strains and the increased ability of adversaries to exploit known vulnerabilities swiftly. The consulting sector, with its access to sensitive intellectual property and client data, has emerged as a prime target for sophisticated criminal groups employing advanced techniques to disrupt operations and extract payments.
The first reported breach during this four-week span involved LockBit, a threat group whose history of targeting professional service firms has been documented in previous quarters. According to a 15 May 2025 update from Recorded Future, LockBit actors leveraged a remote code execution vulnerability—identified as CVE-2025-4001—to gain initial access under the guise of a standard software update. The attackers then deployed their signature double-extortion technique, encrypting critical systems whilst also exfiltrating data for leverage. Further investigation, cross-referenced with OTX on 18 May 2025, reveals that LockBit regularly integrates customised malware droppers, lateral movement scripts, and credential-harvesting toolkits into its operations. More details concerning LockBit’s tactics can be found on our dedicated analysis page at LockBit Threat Group.
A second incident, disclosed on 25 May 2025 by CrowdStrike Falcon OverWatch, centred on a group referred to as “Black Basta” by multiple sources, including The Hacker News (27 May 2025). In this attack, the perpetrators gained access to a consulting firm’s virtual private network through a phishing campaign that distributed malicious macro-enabled documents. As confirmed by CISA on 28 May 2025, the group’s modus operandi involved pivoting through misconfigured internal hosts and leveraging stolen administrator credentials to install ransomware payloads. Black Basta’s toolkit includes advanced obfuscation features, data exfiltration utilities disguised as legitimate remote administration software, and destructive wiper scripts triggered if ransom demands are not met. A technical deep dive into Black Basta’s practices is available at Black Basta Threat Group.
Drawing lessons from these cases, it appears essential for consulting organisations to strengthen their patch management strategies and improve monitoring of critical system updates. In particular, promptly addressing known security flaws, such as CVE-2025-4001, can mitigate many common infiltration vectors. Equally imperative is the integration of phishing-resistant authentication measures, such as hardware tokens or other multi-factor solutions, to prevent unauthorised access. Firms should also maintain robust incident response plans and uphold employee cybersecurity training programmes, reinforcing procedures for rapidly identifying suspicious links or attachments to counter evolving social engineering ploys.
Beyond the consulting sector, a total of eight major breaches were recorded across large organisations in the United Kingdom and Europe during May 2025, according to a 30 May 2025 joint advisory from the UK’s National Cyber Security Centre (NCSC) and the European Union Agency for Cybersecurity (ENISA). Several of these attacks, confirmed by VirusTotal intelligence on 31 May 2025, demonstrated similar double-extortion and phishing tactics, suggesting a broader pattern of threat actors pivoting skilfully between industries. Over the past quarter (1 March 2025 to 31 May 2025), 25 separate incidents involving large enterprises in these regions were documented by IBM X-Force Exchange on 1 June 2025, indicating a sustained threat posed by ransomware groups who systematically revise their techniques to exploit newly reported vulnerabilities. Overall, the current landscape underscores the value of continuous network monitoring, layered defences, and swift incident containment strategies. As adversaries refine their capabilities and migrate to fresh targets in a financially motivated cycle, proactive investments in threat detection and intelligence-sharing will prove ever more critical for consulting firms and all organisations seeking to guard against ransomware incursions.