In Q3 2025, Colonial Pipeline faced a devastating ransomware attack orchestrated by LockBit 5.0, which explicitly targeted critical infrastructure—a direct retaliation for past law enforcement interventions. The attack leveraged OT-aware ransomware loaders, bypassing traditional IT security measures to disrupt pipeline operations, exfiltrate sensitive operational data, and encrypt core systems. The incident caused a prolonged outage, halting fuel distribution across the Eastern U.S. and triggering regional supply shortages. Financial losses escalated due to ransom payments, operational downtime, and reputational damage, while the attack’s ripple effects threatened national energy security. LockBit’s affiliates exploited weak segmentation between IT and OT networks, executing a two-phase assault involving credential theft via social engineering (e.g., MFA bypass) followed by rapid encryption. The breach also exposed proprietary data, including pipeline control protocols, heightening risks of future sabotage. Regulatory scrutiny intensified, with federal agencies mandating stricter cybersecurity compliance for critical infrastructure operators.
Source: https://cyberpress.org/data-leak-sites-surge/
TPRM report: https://www.rankiteo.com/company/colonial-pipeline-company
"id": "col0632406100925",
"linkid": "colonial-pipeline-company",
"type": "Ransomware",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'industry': ['energy (nuclear/thermal/hydroelectric)',
'healthcare',
'professional/scientific/technical '
'services',
'manufacturing',
'construction'],
'location': ['global',
'Thailand (69% increase in listings)',
'regions with rapidly digitizing markets'],
'type': ['critical infrastructure operators',
'healthcare providers',
'professional/scientific/technical services',
'manufacturing',
'construction']}],
'attack_vector': ['social engineering (MFA-bypass phishing)',
'RaaS (Ransomware-as-a-Service) platforms',
'OT-aware ransomware loaders',
'data exfiltration + encryption (double extortion)',
'exploitation of legacy clinical networks',
'remote SMB encryption'],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': ['high (healthcare, critical '
'infrastructure)'],
'type_of_data_compromised': ['PII (Personally Identifiable '
'Information)',
'clinical/healthcare data',
'operational technology (OT) '
'data',
'corporate data '
'(professional/scientific/technical '
'services)']},
'date_publicly_disclosed': '2025-09-03',
'description': 'Q3 2025 witnessed a record surge in ransomware activity, '
'driven by Scattered Spider’s announcement of its RaaS '
"platform 'ShinySp1d3r' and LockBit’s comeback with 'LockBit "
"5.0,' explicitly targeting critical infrastructure. The "
'quarter also saw an all-time high of 81 active data-leak '
'sites, with emerging groups expanding into new regions and '
'industries. Scattered Spider’s RaaS platform integrates '
'MFA-bypass phishing and rapid encryption, while LockBit 5.0 '
'introduces OT-aware ransomware loaders, evading traditional '
'IT security measures. The healthcare sector saw a 31% '
'increase in exposures, and Thai listings surged by 69% due to '
'groups like Devman2. The threat landscape is evolving with '
'double extortion, OT targeting, and localized campaigns in '
'under-defended regions.',
'impact': {'brand_reputation_impact': ['high (critical infrastructure and '
'healthcare sectors)'],
'data_compromised': True,
'identity_theft_risk': ['high (PII exposure in healthcare '
'breaches)'],
'legal_liabilities': ['potential regulatory violations for '
'critical infrastructure operators'],
'operational_impact': ['disruption of critical infrastructure '
'operations',
'compromised OT systems',
'increased double-extortion incidents'],
'systems_affected': ['critical infrastructure (nuclear, thermal, '
'hydroelectric)',
'healthcare (legacy clinical networks)',
'OT (Operational Technology) systems',
'SMB (Server Message Block) protocols',
'help-desk systems']},
'initial_access_broker': {'data_sold_on_dark_web': ['likely (given '
'double-extortion '
'tactics)'],
'entry_point': ['phishing (MFA bypass)',
'exploited help-desk protocols',
'legacy system vulnerabilities'],
'high_value_targets': ['critical infrastructure',
'healthcare data',
'OT systems']},
'investigation_status': 'ongoing (Q4 2025 trends anticipated)',
'lessons_learned': ['Emergence of independent RaaS platforms (e.g., Scattered '
'Spider’s ShinySp1d3r) signals a shift from reliance on '
'Russian-speaking affiliates.',
'Critical infrastructure is now explicitly targeted by '
'major ransomware groups, requiring OT-specific defenses.',
'Double extortion (data exfiltration + encryption) '
'remains the dominant tactic, with healthcare and '
'digitizing markets as prime targets.',
'Legacy systems and poor segmentation (IT/OT) are key '
'vulnerabilities exploited in Q3 2025.',
'Social engineering (e.g., MFA-bypass phishing) is '
'increasingly sophisticated, necessitating help-desk '
'protocol hardening.'],
'motivation': ['financial gain (ransom demands)',
'retaliation against law enforcement (LockBit)',
'expansion into new regions/industries (emerging RaaS groups)',
'disruption of critical infrastructure'],
'post_incident_analysis': {'corrective_actions': ['Mandate IT/OT segmentation '
'using Purdue Model or '
'equivalent frameworks.',
'Deploy OT-aware endpoint '
'detection and response '
'(EDR) solutions.',
'Replace or isolate legacy '
'systems in critical '
'sectors.',
'Implement '
'phishing-resistant MFA '
'(e.g., FIDO2 tokens).',
'Enhance help-desk '
'authentication protocols '
'to prevent social '
'engineering.',
'Establish cross-sector '
'threat intelligence '
'sharing for RaaS trends.'],
'root_causes': ['Inadequate IT/OT segmentation',
'Over-reliance on legacy systems '
'(especially in healthcare)',
'Weak MFA implementations '
'vulnerable to phishing',
'Delayed patch management',
'Lack of OT-specific security '
'controls']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': ['LockBit 5.0', 'ShinySp1d3r (upcoming)']},
'recommendations': ['Enforce Purdue-Model segmentation to isolate IT and OT '
'networks.',
'Implement application whitelisting to block unauthorized '
'binary execution in OT environments.',
'Monitor data-leak sites proactively for early breach '
'detection.',
'Strengthen help-desk protocols to counter advanced '
'social engineering (e.g., Evilginx-based MFA bypass).',
'Prioritize patch management for legacy systems, '
'especially in healthcare and critical infrastructure.',
'Adopt robust file-containment policies to mitigate '
'remote SMB encryption risks.',
'Conduct red-team exercises simulating two-phase attacks '
'(credential harvesting + rapid encryption).',
'Fortify defenses in rapidly digitizing regions (e.g., '
'Thailand) where RaaS groups are expanding.'],
'references': [{'date_accessed': '2025-08',
'source': 'Telegram (Scattered Spider’s RaaS announcement)'},
{'date_accessed': '2025-09',
'source': 'DragonForce partnership announcement'},
{'date_accessed': '2025-09-03',
'source': 'LockBit 5.0 release notes'},
{'source': 'Q3 2025 Data-Leak Site Report'}],
'regulatory_compliance': {'regulatory_notifications': ['potential '
'notifications for '
'critical '
'infrastructure '
'breaches']},
'response': {'containment_measures': ['Purdue-Model segmentation for IT/OT',
'isolation of OT domains',
'application whitelisting',
'robust file-containment policies'],
'enhanced_monitoring': ['OT-focused detection',
'SMB encryption monitoring'],
'law_enforcement_notified': ['FBI (mentioned in LockBit’s '
'retaliation context)'],
'network_segmentation': ['enforced IT/OT segmentation'],
'remediation_measures': ['patch management',
'network segmentation (IT/OT)',
'proactive leak-site monitoring',
'fortified help-desk protocols']},
'stakeholder_advisories': ['Critical infrastructure operators should prepare '
'for LockBit 5.0 OT-targeted attacks.',
'Healthcare organizations must address legacy '
'system vulnerabilities amid a 31% increase in '
'exposures.',
'Companies in Thailand and similar digitizing '
'markets should expect heightened RaaS activity.'],
'threat_actor': [{'associated_groups': ['ShinySp1d3r (RaaS platform)'],
'name': 'Scattered Spider',
'tactics': ['MFA-bypass phishing',
'credential harvesting',
'rapid encryption',
'data exfiltration'],
'tools': ['Evilginx']},
{'associated_groups': ['LockBit 5.0',
'LockBit affiliate program'],
'motivation': 'retaliation against law enforcement '
'(post-Colonial Pipeline)',
'name': 'LockBit',
'tactics': ['critical infrastructure targeting',
'OT-aware ransomware',
'double extortion']},
{'associated_groups': ['Qilin', 'LockBit'],
'name': 'DragonForce',
'tactics': ['strategic alliances',
'data-leak site operations']},
{'name': 'Devman2',
'tactics': ['targeting digitizing markets (e.g., '
'Thailand)']},
{'name': 'The Gentlemen'},
{'name': 'Cephalus'}],
'title': 'Q3 2025 Surge in Ransomware Activity: Scattered Spider’s RaaS '
'Ambitions and LockBit 5.0 Critical Infrastructure Offensive',
'type': ['ransomware', 'data breach', 'critical infrastructure targeting'],
'vulnerability_exploited': ['weak MFA implementations (Evilginx tool)',
'poor network segmentation (IT/OT convergence)',
'legacy systems in healthcare and critical '
'infrastructure',
'unpatched systems',
'help-desk protocol vulnerabilities']}