Listen to this Post

In a troubling development for cloud-based enterprise solutions, the LockBit5 ransomware group has reportedly added Collins Computing, a prominent Acumatica Cloud ERP and Dynamics GP migration partner based in California, to its growing list of victims. The attack, detected on December 31, 2025, by the ThreatMon Threat Intelligence Team, highlights the persistent and evolving threat ransomware poses to mid-sized enterprises that rely heavily on cloud infrastructure for daily operations. With businesses increasingly migrating critical workflows to cloud ERP platforms, the exposure to sophisticated cybercriminals has never been higher.
Collins Computing, known for empowering businesses with Acumatica Cloud ERP solutions and Dynamics GP support, now faces a potentially severe disruption. According to ThreatMon, the attack involved indicators of compromise (IOC) and command-and-control (C2) data, hinting at a targeted approach by LockBit5. The timing—on the final day of 2025—adds to the urgency, as companies often operate on reduced staff during holidays, potentially delaying incident response.
LockBit5 has emerged as one of the most aggressive ransomware operators in recent years, known for encrypting critical systems and demanding high-profile ransoms. The group’s choice of Collins Computing suggests a deliberate targeting of businesses that manage other organizations’ enterprise resource planning (ERP) data. Mid-sized companies, often considered less fortified than Fortune 500 firms, are increasingly attractive to ransomware actors because they typically have valuable client information but may lack robust cybersecurity measures.
The attack also underscores the importance of end-to-end threat intelligence platforms like ThreatMon, which provide crucial visibility into emerging threats. By tracking IOC and C2 data, such platforms enable early detection and mitigation, though the speed of ransomware evolution often challenges even the most sophisticated defenses. Collins Computing’s situation is a cautionary tale for other ERP migration and cloud solution providers, emphasizing the need for proactive security audits, robust backup strategies, and employee training to prevent or minimize the impact of similar attacks.
What Undercode Say:
LockBit5’s targeting of Collins Computing is emblematic of a broader trend in ransomware operations: focusing on niche service providers who act as linchpins in client IT ecosystems. By compromising an ERP migration partner, LockBit5 gains potential access not only to the company’s internal data but also to a network of client organizations that rely on its services. This amplifies the risk far beyond a single victim.
The attack also illustrates the increasingly sophisticated operational security of ransomware groups. LockBit5 is not merely encrypting files; it is leveraging intelligence about its targets’ operational calendars, potentially choosing holidays or weekends when response teams are understaffed. This reflects a shift from opportunistic attacks to highly strategic campaigns designed to maximize disruption and leverage ransom negotiations.
From a technical standpoint, Collins Computing’s reliance on Acumatica Cloud ERP and Dynamics GP suggests that attackers might exploit vulnerabilities in cloud configurations, weak remote access policies, or insufficient patch management. Ransomware groups now combine traditional malware deployment with reconnaissance that identifies critical assets and backup weaknesses, making mitigation challenging.
Moreover, the incident highlights a worrying trend in cyber insurance and regulatory pressure. Companies affected by ransomware increasingly face not only operational downtime but also potential legal and financial repercussions if client data is exfiltrated or compromised. Mid-sized ERP providers must now balance innovation and client growth with rigorous cybersecurity hygiene, or risk becoming the next high-profile victim.
The role of intelligence platforms such as ThreatMon cannot be understated. They offer early warnings and actionable insights by monitoring ransomware chatter across the dark web, but the effectiveness depends on internal response readiness. Organizations must integrate threat intelligence with incident response playbooks, regular penetration testing, and layered security measures to prevent the initial breach.
LockBit5’s approach also emphasizes psychological leverage. Publishing victim lists and drawing attention to attacks puts additional pressure on companies to pay ransoms quickly, potentially normalizing compliance with extortion. This creates a dangerous cycle, incentivizing ransomware groups to continue targeting service providers in critical operational niches.
Collins Computing’s attack should serve as a case study for other mid-sized cloud ERP firms. The implications extend beyond immediate operational loss: reputational damage, client trust erosion, and long-term cybersecurity investments are now unavoidable considerations. Companies in similar sectors must re-evaluate not just their technical defenses, but also governance, employee awareness, and contractual obligations to clients.
As ransomware evolves, attackers like LockBit5 are increasingly blending automation with human-led decision-making. This hybrid model allows precise targeting, reducing collateral damage while maximizing leverage. Enterprises that ignore this evolution risk underestimating their threat landscape, potentially exposing themselves to higher ransom demands or prolonged service interruptions.
For IT teams, the Collins Computing incident reinforces the importance of assuming breach scenarios. Continuous monitoring, immutable backups, and segmentation of critical systems are not optional—they are essential in minimizing operational risk. Companies must also anticipate legal scrutiny, as ransomware incidents involving client data could trigger compliance investigations under various data protection regulations.
Finally, the industry-wide implications are profound. Service providers that manage ERP migrations or cloud implementations now operate in a high-stakes environment where cyber resilience can directly impact their business continuity and client relationships. The Collins Computing case exemplifies the urgent need for collective cybersecurity awareness and cross-industry collaboration to anticipate and neutralize threats before they escalate into crises.
Fact Checker Results:
✅ LockBit5 added Collins Computing to its victim list on Dec 31, 2025.
✅ The attack targeted a mid-sized ERP migration and cloud services provider.
❌ No public confirmation yet of ransom payment or data leak.
Prediction:
💡 Expect increased targeting of ERP and cloud service providers in early 2026 as ransomware groups continue exploiting mid-sized companies with high client dependencies. Companies that strengthen intelligence integration and proactive defenses may avoid becoming the next high-profile victim.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: x.com
Extra Source Hub (Possible Sources for article):
https://www.github.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




