Threat Briefing: December 12, 2025


Threat Intel Update


Ransomware remains a significant threat, with over $4.5 billion in U.S. payments since 2013 and a sharp rise in attacks from 2022–2024, particularly in financial services, manufacturing, and healthcare. Emerging risks include deepfake-enabled fraud, expanded insurance coverage for synthetic media attacks, and an urgent CISA warning to patch the critical React2Shell vulnerability (CVSS 10.0).

Threat actors are also advancing phishing via OAuth-based MFA bypass tools like ConsentFix, while new research shows AI tools such as Microsoft Copilot can be manipulated to expose sensitive data.

Cybersecurity News

  • Over $4.5 Billion in Ransomware Payments Identified by U.S. Since 2013 – U.S. authorities have identified more than $4.5 billion in ransomware payments since 2013, according to a FinCEN report, with over $2.1 billion tied to 4,194 incidents between 2022 and 2024. Median ransom demands rose sharply from 2022 to 2023 before dipping slightly in 2024. Financial services, manufacturing, and healthcare were the most impacted sectors, with Akira and ALPHV/BlackCat dominating attacks, and Bitcoin remaining the primary payment method. (Source: SecurityWeek)
  • Cyber Insurance Now Covers Deepfake Fraud – Coalition has expanded its cyber insurance policies to cover deepfake-related fraud, addressing the growing use of synthetic media to impersonate individuals and deceive organizations. The coverage includes reputational harm and response services like forensics and legal support, reflecting rising concern that increasingly realistic deepfakes can bypass even well-trained employees as AI adoption accelerates. (Source: CyberScoop)
  • React2Shell Vulnerability Under Active Exploitation – CISA has issued an urgent warning to patch the critical React2Shell flaw (CVE-2025-55182, CVSS 10.0) by December 12, 2025, following widespread attacks. The vulnerability in React Server Components Flight allows unauthenticated JavaScript execution, with threat actors targeting frameworks like Next.js. Over 137,200 exposed IPs, mostly in the U.S., are at risk, prompting CISA to accelerate the patch deadline. (Source: The Hacker News)
  • ConsentFix Phishing Exploit Bypasses MFA – ConsentFix, a new variant of ClickFix, uses OAuth tokens to bypass passwords and multi-factor authentication. Operating entirely in the browser, it tricks victims via fake CAPTCHAs and fraudulent Microsoft login pages, giving attackers unauthorized access to accounts. (Source: CSO Online)
  • Copilot AI Agents Vulnerable to Data Leaks – Tenable reports that Microsoft Copilot’s no-code AI agents can be manipulated through prompt injection to reveal sensitive corporate information. While designed to simplify AI deployment without coding, these agents can inadvertently expose private data even with security measures in place, underscoring growing risks as organizations adopt AI tools. (Source: Dark Reading)


About the Author

CampusGuard Threat Intel Team