Throughout May 2025, the logistics industry has experienced a notable escalation in ransomware activity, as evidenced by recent disclosures on ransomware.live and corroborated by supporting investigations from a variety of reputable sources, including Mandiant (5 May 2025) and IBM X-Force Exchange (17 May 2025). This report provides a detailed overview of the most significant breaches identified between 1 May 2025 and 31 May 2025, focusing on the origins of the attacks, the ransomware strains observed and the attacker groups allegedly involved. Where those groups have been identified, we offer a deep dive into their tactics, techniques and procedures (TTPs), highlighting how each compromised organisation can strengthen its defences in response.
From the data gathered, three distinct ransomware incidents affected major logistics providers operating across Europe. Notably, each incident featured targeted phishing campaigns, lateral movement through under-secured network segments and exploitation of unpatched vulnerabilities, demonstrating the adversaries’ strategic focus on high-value logistics targets where rapid business operations are critical.
The first documented breach occurred on 2 May 2025 and targeted a Dutch-based shipping conglomerate. According to ransomware.live and corroborated by Recorded Future (9 May 2025), the LockBit ransomware strain was deployed following an initial compromise attributed to a phishing email that allowed attackers to harvest privileged credentials. Once inside the environment, the threat actors proceeded with lateral movement by exploiting a known security gap in a legacy VPN application—identified as CVE-2025-7634—which facilitated full access to sensitive shipping and customer data. Investigations suggest that the LockBit operators acted swiftly to exfiltrate critical information before deploying the ransomware payload, aligning with a “double extortion” model to maximise pressure on the victim to pay.
Subsequently, on 10 May 2025, a UK-based haulage operator reported a serious network intrusion involving the BlackCat ransomware group. As documented on OTX (12 May 2025), the attackers utilised spear-phishing emails with weaponised attachments that delivered a loader script capable of evading traditional signature-based detection. Based on intelligence from CrowdStrike Falcon OverWatch (14 May 2025), BlackCat’s playbook often features custom malware obfuscation and robust encryption techniques, making their payloads challenging to detect. They further demonstrated lateral movement by exploiting domain controller misconfigurations, aligning with widely known adversarial practices among established elite groups. For more information on these threat actors, readers may wish to consult our dedicated analysis at cyber-defence.io.
The final breach identified during this reporting period involved a major logistics warehousing firm in Germany on 20 May 2025. Though initially unconfirmed, follow-up analysis by Mandiant (22 May 2025) identified the Clop ransomware family as the most likely perpetrator. Sources indicate that unauthorised access was achieved via vulnerable, externally reachable Remote Desktop Protocol (RDP) services, with the attackers then pivoting into the main warehousing management system to disrupt cargo tracking and dispatch capabilities. Reporting from The Hacker News (25 May 2025) further suggests that the group leveraged malicious macros embedded in shared internal documents to distribute their payload, consistent with prior Clop campaigns against high-value targets. Our ongoing overviews of the Clop threat group shed light on their preference for extortion through data exfiltration, followed by an aggressive naming-and-shaming strategy.
Deep analysis of these attacker groups reveals recurring tools and techniques worth highlighting. LockBit’s preferred initial vector continues to be spear-phishing, followed by exploitation of unpatched VPN solutions and other perimeter points of ingress. BlackCat, meanwhile, has displayed a particular sophistication in evading detection technologies through layered encryption and obfuscation tactics. Clop’s reliance on macros and socially engineered links underscores the importance of advanced email filtering and robust endpoint detection. In each case, the adversaries look to move laterally through misconfigured or unpatched systems before exfiltrating data for leverage.
The lessons learned from these incidents are practical and noteworthy. Firstly, logistics organisations operating in a time-sensitive environment must prioritise cyber hygiene—particularly ensuring that critical VPN and RDP services are patched without delay and that credentials linked to privileged accounts undergo regular rotation. Strict email filtering policies, combined with routine staff awareness training, will mitigate phishing-based attacks that often serve as the first step in a broader intrusion. Network segmentation is equally critical, limiting an attacker’s ability to pivot across environments. Where possible, implementing zero-trust architecture further reduces exposure by enforcing continuous verification of users and devices. Finally, the frequent mention of data exfiltration across these cases reinforces the importance of robust encryption for sensitive information at rest and in transit, which can diminish the value of stolen datasets.
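All three incidents above share two observable stages that a defender can watch for: credential abuse against exposed RDP or VPN services, and a single account fanning out across several hosts once inside. As an added illustration (example code written for this report, not tooling from any of the cited vendors or victims), the Python below runs two simple detections over a constructed set of Windows Security logon events. The event records, field names, account and host names, IP addresses and the thresholds (three distinct RDP targets in 30 minutes; ten failed logons from one source in 30 minutes) are all assumptions to be tuned to your own environment; the event IDs (4624 successful logon, 4625 failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are standard Windows values.

```python
"""Two lightweight detections for RDP lateral movement and logon bursts.

Added example for this report; the events below are constructed and the
thresholds are assumptions. In production, feed this from your SIEM export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events with simplified field names.
# event_id 4624 = successful logon, 4625 = failed logon; logon_type 10 = RDP.
SAMPLE_EVENTS = [
    {"time": "2025-05-10T08:55:00", "event_id": 4624, "logon_type": 10, "user": "alice",
     "host": "WS042", "src_ip": "10.20.7.33"},                         # ordinary user, one host
    {"time": "2025-05-10T23:02:10", "event_id": 4624, "logon_type": 10, "user": "svc_backup",
     "host": "FS01", "src_ip": "10.20.5.14"},                          # service account starts
    {"time": "2025-05-10T23:09:41", "event_id": 4624, "logon_type": 10, "user": "svc_backup",
     "host": "WMS01", "src_ip": "10.20.5.14"},                         # ...hopping to the WMS
    {"time": "2025-05-10T23:21:03", "event_id": 4624, "logon_type": 10, "user": "svc_backup",
     "host": "DC01", "src_ip": "10.20.5.14"},                          # ...then a domain controller
    {"time": "2025-05-10T23:25:00", "event_id": 4624, "logon_type": 3, "user": "svc_backup",
     "host": "PRINT01", "src_ip": "10.20.5.14"},                       # network logon, not RDP: ignored
    {"time": "2025-05-10T12:00:00", "event_id": 4625, "logon_type": 10, "user": "admin",
     "host": "RDPGW01", "src_ip": "10.20.5.14"},                       # a single typo, below threshold
] + [
    {"time": f"2025-05-10T03:14:{s:02d}", "event_id": 4625, "logon_type": 10,
     "user": "administrator", "host": "RDPGW01", "src_ip": "203.0.113.45"}
    for s in range(0, 60, 5)                                           # 12 failures in one minute
]

WINDOW = timedelta(minutes=30)   # assumed correlation window
HOST_THRESHOLD = 3               # assumed: distinct RDP targets per account per window
FAIL_THRESHOLD = 10              # assumed: failed logons per source per window


def _t(stamp):
    return datetime.fromisoformat(stamp)


def detect_rdp_fan_out(events, window=WINDOW, threshold=HOST_THRESHOLD):
    """Flag accounts that RDP into >= threshold distinct hosts within one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 10:
            by_user[e["user"]].append((_t(e["time"]), e["host"]))
    findings = []
    for user, logons in by_user.items():
        logons.sort()
        best_hosts, best_start = set(), None
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) > len(best_hosts):
                best_hosts, best_start = hosts, t0
        if len(best_hosts) >= threshold:
            findings.append({"rule": "rdp_fan_out", "user": user,
                             "hosts": sorted(best_hosts), "start": best_start.isoformat()})
    return findings


def detect_failed_logon_burst(events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Flag source IPs producing >= threshold failed logons within one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_src[e["src_ip"]].append(_t(e["time"]))
    findings = []
    for src, times in by_src.items():
        times.sort()
        j, best, best_start = 0, 0, None
        for i, t in enumerate(times):
            while t - times[j] > window:      # slide the window's left edge
                j += 1
            if i - j + 1 > best:
                best, best_start = i - j + 1, times[j]
        if best >= threshold:
            findings.append({"rule": "failed_logon_burst", "src_ip": src,
                             "count": best, "start": best_start.isoformat()})
    return findings


def run(events=SAMPLE_EVENTS):
    """Return all findings from both rules."""
    return detect_rdp_fan_out(events) + detect_failed_logon_burst(events)


if __name__ == "__main__":
    for f in run():
        print(f)
```

Run it over the constructed sample and it reports the `svc_backup` fan-out across FS01, WMS01 and DC01 and the burst of failed logons against the RDP gateway from 203.0.113.45, while ignoring the lone failed logon and the non-RDP network logon. Both rules are deliberately stateless sliding windows so they can be re-implemented directly as SIEM correlation searches; the real work in a logistics estate is deciding which service accounts are ever expected to RDP at all and setting the thresholds accordingly.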
We continue to monitor these developing trends and provide updates as they arise. For additional context on the latest attacker TTPs and guidance on robust defensive measures, please visit Cyber Defence, where we host specialised resources designed for professionals within logistics and beyond. By remaining vigilant against social engineering, ensuring comprehensive patch management and investing in advanced threat detection, logistics providers can significantly bolster their security posture and mitigate disruptions to critical supply chain operations.