
The State Of Ransomware November 2025
We tracked 84 publicly disclosed ransomware incidents in November, marking another intense month of activity. For the first time this year, the services sector overtook healthcare as the most targeted industry, reporting 18 attacks, while retail also saw a noticeable uptick. 25 ransomware groups claimed victims throughout the month, with Akira leading at seven, followed closely by Everest and INC with six each. Notably, 35% of cases remain unattributed, pointing to persistent gaps in visibility across the ransomware landscape. 17 countries reported attacks, with the United States accounting for 55% of all incidents and Australia following at 13%.
Keep reading to see which organizations made ransomware headlines in November.
- Devman ransomware group claimed responsibility for a ransomware attack on the Local Conciliation and Arbitration Board (JLCA) in Mexico City. The institution’s portal was out of service for a number of days as a result of the attack. Devman demanded a ransom of $300,000 in exchange for 60 GB of stolen sensitive information.
- U.S.-based equine sports-equipment manufacturer Professional’s Choice Sports Medicine Products, Inc. was listed as a victim by the Play ransomware group. According to the group, they exfiltrated sensitive data including payroll and finance records, personal and client documents, tax files, and other confidential information. The organization is yet to publicly address these claims.
- Paterson & Dowding Family Lawyers, a Western Australia family law firm, confirmed they had suffered a cyberattack after Anubis publicly claimed responsibility. According to the firm, unusual activity on their systems triggered an immediate response: they engaged external experts, contained the breach, and launched an urgent investigation. Anubis detailed the data stolen during the attack, which consisted of client financial data, client business data, and personal data, and posted data samples as proof of its claims.
- A review into a June 2025 ransomware attack on Oglethorpe was completed, confirming that patient information had been exfiltrated from its network. Data including names, SSNs, driver’s license numbers, and medical information, was among the file types stolen. It has been reported that 92,332 individuals were impacted by the breach.
- The Apache Software Foundation rejected claims made by Akira that its OpenOffice project suffered a cyberattack. Akira listed the organization on its leak site, alleging that it had stolen 23GB of data including employee and financial information, internal reports, and other confidential material. The Apache Software Foundation stated that no ransom had been demanded and that it found no basis for the claims.
- Central Jersey Medical Center started notifying dental patients about a recent ransomware attack. Sinobi gained access to the clinic’s dental server’s network and used ransomware to encrypt and exfiltrate files. The group claim to have stolen 930GB of data during the attack. Health insurance information, treatment history and billing information were among the types of data compromised.
- David A. Nover, M.D., P.C., a psychiatry and psychotherapy practice in Pennsylvania, began notifying patients of a cybersecurity incident that exposed patient information. Unusual activity in the practice’s computer network was identified in June 2025, prompting an investigation into the nature and scope of the intrusion. The investigation revealed that patient information had been copied from the network by an unauthorized party. Both PHI and PII were accessed as a result of the attack.
- According to breach notification letters, an unknown actor gained access to a data storage environment resulting in the compromise of highly sensitive patient information at Goglia Nutrition, a California-based health and wellness company specializing in nutrition plans and weight management and trading as FuturHealth, Inc. No known ransomware group has stepped forward to claim this incident.
- Qilin claimed responsibility for a cyberattack on Habib Bank AG Zurich, publicly posting that it had stolen over 5 TB of data, consisting of nearly 2 million files. The stolen data allegedly includes deeply sensitive information: customer passport numbers, account balances, transaction histories and payment notifications, as well as internal banking-tool source code. In response, the bank confirmed unauthorized external access to its corporate network, stating that while banking services remain operational, it has launched a forensic investigation and notified relevant regulators.
- Interlock took responsibility for an October 2025 cyberattack targeting Shelbyville Police Department in Kentucky. The Police Chief announced that the cyberattack had disrupted the department’s computer network. Interlock claims to have stolen 208 GB of data, including police camera recordings. To prove its claim, Interlock posted images of stolen files on its dark web leak site.
- Akira ransomware group claimed responsibility for an attack on RUAG’s U.S. subsidiary, RUAG LLC, alleging it stole around 24 GB of company data. The group says the haul includes employee records (such as SSNs, passports and licence details), confidential internal documents and files tied to military-aircraft servicing contracts. RUAG has confirmed a security incident at its Virginia liaison office but says the affected systems are isolated from its Swiss operations and that there is currently no evidence of impact on Swiss employee data. The incident remains under investigation.
- RansomHouse claimed responsibility for a ransomware attack on Vicchem, an Australian agricultural and industrial chemicals manufacturer. According to the group, the breach occurred on October 23, 2025, and resulted in the encryption of Vicchem’s systems, and the exfiltration of confidential data and project documents. Although evidence was added to the group’s dark web post, Vicchem is yet to publicly address these claims.
- The National Accident Health General Agency (NAHGA) Claims Servicers notified state attorneys general about a security incident involving unauthorized access to its computer network. Suspicious network activity was identified on April 13, 2025, and third-party cybersecurity experts were engaged to investigate the activity. The investigation revealed that its computer network had been accessed by an unauthorized third party between April 8, 2025, and April 10, 2025, during which time certain files on its network may have been acquired. A review was conducted to determine the types of information compromised in the incident, and that process was completed in October.
- Hyundai AutoEver America confirmed that an IT services breach in March impacted approximately 2,000 individuals. After alerting law enforcement and bringing in outside cybersecurity investigators, it was determined the hackers had breached HAEA networks on February 22nd and were able to maintain unauthorized access to systems until March 2nd. Stolen data primarily belonged to current and former Hyundai AutoEver America and Hyundai Motor America employment-related individuals.
- Radon, a Russian nuclear-waste management facility operated by Rosatom, has reportedly suffered a serious cyber breach, with attackers claiming to have stolen its “entire database,” including highly sensitive personnel and testing data. The leaked information allegedly includes names of testers, test results, user IDs, email addresses, phone numbers, client company names, and safety-compliance reports. Radon has not yet publicly acknowledged these claims.
- Rhysida has reportedly leaked nearly 2 TB of data stolen from U.S. automotive supplier Gemini Group after ransom negotiations allegedly broke down. The threat group claims to have published more than 1.7 million files containing highly sensitive information, including employee personal data (such as names, addresses, Social Security numbers, birthdates), payroll and benefits records, internal communications, customer lists, invoices, purchasing reports, and detailed operational and production documents.
- Tri Century Eye Care, P.C., in Pennsylvania, recently started notifying patients about a September 2025 data security incident involving the theft of files containing sensitive data. Suspicious network activity was identified on September 3, 2025, and immediate steps were taken to secure its network. Third-party cybersecurity specialists were engaged to investigate and determine the nature and scope of the activity. Tri Century Eye Care learned that an unknown actor had accessed its network and acquired files, although there was no unauthorized access to its electronic medical record system. The files were reviewed and found to contain personal and protected health information of patients and employees.
- Akira has claimed responsibility for a cyberattack on high-end restaurant chain Nobu Restaurants, claiming to have obtained around 71 GB of data which they threatened to publish unless its demands are met. The alleged treasure trove of data includes sensitive records such as owner and employee identification, detailed financial files, NDAs, and other confidential internal documents.
- Haileybury College in Victoria has disclosed it was the victim of a cyberattack in October after an unknown attacker gained limited access to the school’s network. No known ransomware group has claimed responsibility for the incident, and it is not yet known what data was accessed.
- The Superior Court of California for the County of San Joaquin disclosed that it found an “unauthorized person” had gained access to the court’s computer network in October last year. That breach included individuals’ sensitive information, including Social Security, driver’s license and credit card numbers, the court said in a press release. The Superior Court did not report how many files were involved or how many individuals were impacted. It is not known who is responsible for the incident.
- Rhysida has claimed responsibility for a cyberattack on KISS FM, a major Spanish radio station, saying it stole nearly two million files from internal systems and is demanding a ransom of about three BTC (around $300,000) to prevent public release of the data. According to the group’s leak post, the stolen material reportedly includes internal correspondence, audience-ratings reports, advertising contracts, invoices, and financial communications, although there is no definitive public confirmation that personal user or employee data was included.
- Morton Drug Company started notifying individuals whose personal information may have been involved in a recent cyberattack. The organization discovered a network security incident in August which impacted its IT systems. The investigation into the incident, which concluded in late October, identified the exposure of patient information. Akira claimed responsibility for the attack in late November.
- In Australia, IKAD Engineering was recently hit by a ransomware attack orchestrated by J Group, who claimed to have exfiltrated more than 800 GB of data after exploiting an outdated VPN and remaining inside the network for months. The attackers alleged the theft included defense-contract files, engineering designs, financial documents, and employee and vendor records, though IKAD states that only parts of its IT environment were accessed and that the compromised material appears limited to non-sensitive contract and HR data. IKAD is working with external specialists and government agencies, notifying affected parties, and strengthening security measures to prevent future incidents.
- Sinobi claim to have stolen 350 GB of highly sensitive data from Cohen’s Fashion Optical, LLC. The stolen data reportedly includes personal and medical information belonging to Cohen’s Fashion Optical’s customers and patients. The organization has not yet publicly confirmed the claims made by Sinobi.
- SpaceBears ransomware group has published data allegedly belonging to Dovern Import, a Moroccan-based wine and champagne import company, on its dark web leak portal. According to the dark web post, the compromised data includes personal information of employees and clients, as well as financial documents. The threat actors claim the breach has already been published, with the data reportedly available for download.
- Oscars Group, a major Australian hospitality operator, was hit by a Medusa ransomware attack, with the group claiming to have exfiltrated over 130,000 files from the company. A ransom demand of $100,000 was issued by the group, who gave the organization 20 days to pay before the stolen data is leaked. Data samples appear to include invoices, staff timesheets, event-schedules, financial records, scanned IDs, employee addresses and tax file numbers, and various other documents.
- Everest ransomware group claimed to have stolen 159 GB of data from the SIAD Group, one of Italy’s largest industrial gas producers. The post on the group’s dark web leak site includes a time, showing that the company had eight days to contact the cybercriminals before the stolen data was released. 18 screenshots were released by the group as proof of claims, including operational and project data. The organization made a brief statement regarding the claims, confirming that unauthorized access to parts of its IT systems had been detected.
- Brooklyn-based medical supplies manufacturer Dealmed Medical Supplies announced a data security incident that was identified in early July 2025. An investigation into the incident confirmed that an unauthorized third party had accessed the company’s network and may have viewed or obtained sensitive data. DragonForce took credit for the attack, claiming to have exfiltrated almost 106GB of data.
- A data breach notice was added to Wakefield & Associates’ website, announcing a security incident that was identified in January 2025. The notice stated that suspicious activity was identified within its computer systems, and that a forensic investigation confirmed unauthorized access to files containing patients’ protected health information. The information potentially compromised varies for each individual, with some compromised records containing IDs and financial account information. Akira took credit for the attack in February, claiming to have stolen 13 GB of data.
- Almost two years after a ransomware attack, Alpha Omega Winery in California notified individuals whose data was impacted by the incident. According to the organization’s notification, the types of information that may have been compromised included names, SSNs, government identification, health insurance policy numbers, and medical information. No further information relating to this incident has been made public.
- Relatively new ransomware group Kazu claimed to have breached Doctor Alliance, a U.S.-based healthcare technology firm that provides billing and document management services for thousands of patients. According to the attackers, they exfiltrated roughly 353 GB of data, around 24 million files including highly sensitive patient information such as names, addresses, medical record numbers, diagnoses, treatment plans, prescriptions, billing/insurance data and more. The group initially demanded a ransom of $200,000 for deletion of the files but when the company allegedly failed to meet the demand, the attackers later claimed a second breach and upgraded the ransom to $500,000.
- RansomHouse infiltrated Fulgar’s IT systems and reportedly exfiltrated sensitive internal data, including financial records, invoices, communications, contracts, and production documentation. The company publicly confirmed on 3 November 2025 that it had suffered a cyberattack and shut down its Italian systems as a precaution. While it acknowledged the possibility of data exposure, Fulgar stated it had not yet identified those individuals who may have been impacted. RansomHouse listed Fulgar on its dark web leak site, threatening to publish the stolen data unless demands were met. The group has already shared sample documents to back its claim.
- In Texas, Valley View Independent School District suffered a cybersecurity incident that disrupted parts of its computer and phone systems but the incident did not impact lessons. INC added the school district to its leak site in late November. No further information linked to this attack has yet been disclosed to the public as investigations remain ongoing.
- Morocco’s largest retail company Marjane Group fell victim to a ransomware attack by the Stormous group, which publicly claimed responsibility and threatened to publish the full leak unless a company representative made contact with them. It is not known what types of data were stolen by the threat actors.
- The Eastern Cape Department of Human Settlements recently suffered a ransomware attack claimed by NightSpire, who reportedly exfiltrated around 20 GB of data including housing application records, government project files, and contractor financial information. The intrusion occurred on November 9, 2025, and went undetected for nearly two hours, raising concerns about potential identity theft and fraud affecting vulnerable beneficiaries. The Department stated that once unauthorized access was identified, security protocols were activated, systems were secured, and an investigation launched, while urging affected individuals to remain vigilant against suspicious communications.
- INC ransomware group claimed responsibility for a cyberattack on LatamLex, alleging that it exfiltrated a “significant amount” of internal data from the Latin American law firm. As of now, the nature of the compromised data and the number of affected clients or individuals have not been disclosed, and the firm has not issued a public statement confirming the breach.
- Space Bears claimed responsibility for a cyberattack against The Foot Doctor, a podiatry clinic based in Wyoming. According to Space Bears, the allegedly compromised data includes personal information of employees and clients, alongside other confidential documents.
- Food delivery platform DoorDash suffered a cyberattack which saw it lose data belonging to an undisclosed number of users. The breach occurred after one of the employees fell for a social engineering scam and granted attackers access to the platform. Compromised data includes names, addresses, phone numbers, and email addresses, with the company stating that no sensitive information was accessed. No known ransomware group has yet claimed responsibility for this attack.
- The City of Mundelein in Illinois began notifying victims of a January 2025 data breach which resulted in personal information being compromised. Medical, health insurance and financial account information was among the data types stolen. Medusa took credit for the attack, claiming to have stolen 118 GB of data. The dark web listing showed a ransom demand of $400,000, with an update made to the post one month later showing a lesser ransom demand of $250,000.
- Shiny Hunters reportedly stole 380 million records from Millicom, a telecommunication company based in Luxembourg and Florida. Stolen information includes customers’ full names, email addresses, account numbers, IP addresses, masked credit card info, and financial/transactional data. After ransom negotiations, initially demanding 15 BTC, Millicom allegedly attempted to pay by offering a monthly instalment plan instead of a full lump sum. The group, however, rejected the offer and instead posted the data for sale, taunting the company with the message: “Should’ve paid the ransom ;)”.
- Cornerstone Staffing Services allegedly fell victim to a Qilin ransomware attack, with the organization being added to the group’s dark web leak site in mid-November. Qilin claims to have exfiltrated 300 GB of sensitive information from the organization, including the employment resumes of 120,000 individuals. The resumes are part of a stolen cache of roughly 1 million files, which is also said to contain nearly 24 million pieces of personal information.
- Global payment service provider Checkout.com disclosed a data breach after a known ransomware group attempted to extort them. The incident involved a legacy, third-party cloud file storage system, and did not affect its payment processing platform. Shiny Hunters was the group behind the extortion attempt. Checkout made a statement in response to the attack, stating that it will not be extorted by criminals and it will not pay the demanded ransom.
- Amazing Charts announced that it had been affected by a security incident at one of its vendors. The organization identified unusual activity within a third-party management system in mid-June. An investigation into the incident confirmed unauthorized access to the network, with the potential that certain data files had been compromised.
- Eurofiber France was hit by a cyberattack in which hackers exploited a software vulnerability in its ticket-management platform and ATE customer-portal. The attackers exfiltrated data from the company’s internal systems, reportedly including support ticket records, internal messages, configuration files, credentials, and other privileged operational data tied to hundreds of customers. Although Eurofiber said banking or highly sensitive financial information was stored elsewhere and not compromised, the breadth of the exposed infrastructure data is alarming.
- Qilin listed Spark Power, a Canada-based electrical services company, as a victim on its dark web leak site. The threat actors claim to be in possession of 222 GB of the company’s data but have not yet provided any data samples to back up the claims. Spark Power has not yet publicly confirmed the cybersecurity incident.
- In mid-November 2025, ransomware group Everest claimed to have breached Under Armour, exfiltrating approximately 343 GB of data which allegedly included “millions” of customers’ and employees’ records. According to the group’s leak site, the haul reportedly contains customer PII (email addresses, physical addresses, phone numbers), purchase histories, order and transaction data, along with internal company documents, employee contact information, and perhaps passport or identity data. Everest gave Under Armour a seven-day ultimatum to make contact, threatening to make the full data public if demands were not met. As of now, Under Armour has not publicly confirmed the breach.
- The protected health information of 6,679 individuals was exposed during a February 2025 cyberattack on Anthony Hospital in Illinois. Upon discovering unauthorized access to certain employees’ email accounts, cybersecurity experts were engaged to determine the nature and scope of the incident. The investigation confirmed that personal and protected health information of patients and staff members was compromised.
- INC ransomware group has taken credit for an “IT and phone blackout” that impacted Kelly Legal in October. The law firm confirmed that it had fallen victim to a “hacking incident” and urged clients to be vigilant. INC claimed to have exfiltrated 447 GB of data, which includes contracts, financial and customer data, and HR information.
- LG Energy Solution confirmed that one of its overseas battery manufacturing facilities was the target of a ransomware attack carried out by Akira. According to Akira’s claims, the group exfiltrated roughly 7 TB of data, including employee personal information, corporate documents, SQL databases, financial records, contracts, NDAs, and client/partner data. The company says the breach was contained to a single facility and that the impacted facility has since returned to normal operations, while a detailed investigation is ongoing.
- Everest added Brazil’s petroleum giant Petrobras to its dark web leak site. The group gave the organization six days to make contact and discuss the ransom before data is publicly released. Everest claims to have stolen 90 GB of data including confidential operational and business information. Petrobras has stated that it has no record of unauthorized access to its internal systems, but that it had been made aware of an isolated incident relating to an exploration service provider.
- Reports suggest that more than 700 banks and credit unions were impacted by a ransomware attack on Marquis Software Solutions. A notice from Community 1st Credit Union, one of those affected, stated that Marquis paid a ransom demanded by unknown threat actors and that personal information relating to its members was compromised. Almost 280,000 individuals have reportedly been impacted, with more banking institutions emerging periodically with victim numbers.
- Pajemploi, a French social security service, suffered a data breach that exposed personal information belonging to as many as 1.2 million individuals. The cyberattack was detected in mid-November and involved the theft of confidential data linked to employees working for private employers. No ransomware group has claimed responsibility for the attack.
- 810 individuals had their personally identifiable information stolen during a cyberattack on the American Israel Public Affairs Committee. Attackers accessed information stored on AIPAC’s systems over an extended period of time, exfiltrating data containing personal identifiers, payment card details, and banking information.
- VSK, one of Russia’s largest insurers, serving roughly 33 million people and hundreds of thousands of businesses, confirmed a large-scale cyberattack that disrupted its website, mobile app and major services. Many customers were left unable to buy or renew car insurance, amend policies, get guarantee letters or book medical appointments. Some medical providers reportedly refused to treat patients because they couldn’t verify insurance coverage. VSK said the attack affected only its IT infrastructure, claiming customer and partner data were “safe,” and noted its physical offices remained open.
- Transportation provider WEL Companies confirmed it notified 122,960 people of a January 2025 data breach that compromised personal information. The company acknowledged that it had noted unusual activity on its network that led to data being accessed. RansomHub took credit for the attack, claiming to have stolen 189 GB of data. To prove its claim, the group posted sample images of documents stolen from WEL, including passports, 401K statements, and accident reports.
- Pillsbury Winthrop Shaw Pittman faced two proposed federal class actions following a cyberattack in April. Pillsbury disclosed the intrusion earlier this month but did not issue public comment beyond its breach notification. The lawsuits state that the breach exposed PII and financial account information and asserted that the firm failed to adequately protect the data and did not notify affected individuals in a timely manner.
- Personic Health disclosed a data breach involving a third-party software platform. The company was informed on Sep 1, 2025, that there had been unauthorized access to the platform, with an investigation later confirming that protected health information was stolen. It has been reported that up to 10,929 individuals have had personal information compromised as a result of the incident.
- INC listed commercial design and construction contractor Facade Innovations on its darknet leak site. The amount of data exfiltrated by the group totals 80 GB and includes contracts, financial data, HR information, and customer data. A day after the original victim listing, the group published the entire dataset.
- Ransomware group Brotherhood claimed responsibility for a cyberattack on Cera Stribley, an architecture and interior-design firm based in Australia. According to the claim, Brotherhood exfiltrated about 138 GB of data and threatened to post all stolen files unless their demands are met. The group published 2 GB of data as a “free sample.” As of now, there has been no public confirmation from Cera Stribley.
- Nina’s Jewellery, a family-owned Australian jewellery business, was reportedly hit by a ransomware attack in mid-November, with the Brotherhood group claiming responsibility. According to the attackers, they obtained data and are threatening to publish it unless the company engages with them, though the exact volume and sensitivity of the stolen information have not been publicly disclosed. The business has not confirmed the breach.
- The Cleveland County Sheriff’s Office reported that it was recently impacted by a ransomware attack that affected parts of its internal computer system. Officials stated that there was no interruption to public safety services. Further information relating to this attack is yet to be made publicly available.
- Qilin added International Game Technology (IGT) to its leak blog. Although the post provided limited information about the attack, the group claimed to have exfiltrated 10 GB of data. No proof samples were added to the post; instead, an FTP link was provided that is believed to be linked to a download of the alleged stolen cache.
- London Women’s Clinic was compromised by Qilin ransomware gang. The IVF clinic stated that it is still investigating what happened with cybersecurity experts and assured patients that systems have been secured. Qilin allegedly exfiltrated around 520 GB of data from the clinic during the incident.
- City officials in Attleboro, Massachusetts, started investigating a cybersecurity incident that forced several of the city’s information technology systems offline. Public safety services remained operational but all other phone lines to the City and Police Department were not functional. No ransomware group has publicly claimed responsibility for the attack.
- INC claimed responsibility for a cyberattack against NAFFCO on November 20, 2025. According to the group, 1 TB of sensitive internal data was exfiltrated, including fiscal records, HR files, internal emails, employee ID copies, contract documents, budgets, and strategic-planning materials. The attackers posted screenshots as proof and threatened to leak or sell the data if demands aren’t met.
- OnSolve CodeRED, the U.S. emergency-notification platform used by thousands of municipalities, police, fire and public-safety agencies, was hit by a ransomware attack. The INC ransomware group hijacked the legacy CodeRED environment and exfiltrated sensitive user information including names, physical addresses, email addresses, phone numbers, and account passwords. As a result, the operator Crisis24 permanently decommissioned the legacy platform and initiated rebuilding on a clean infrastructure, forcing local governments to migrate to the new system and warning users to reset their passwords.
- SitusAMC, a major U.S.-based real-estate finance and services company, disclosed that it has suffered a cyberattack in which attackers accessed internal systems and stole corporate data tied to some of its clients and possibly information related to some clients’ customers. Several major banks, including JPMorgan Chase & Co., Citigroup and Morgan Stanley, have reportedly been notified that data tied to their dealings with SitusAMC may have been exposed. According to SitusAMC, the incident has been contained, its services remain operational, and an investigation is ongoing, with additional security measures put in place.
- 2,680 individuals have been notified that their personal information was exposed during a cyberattack on Intercommunity Action. An investigation determined that an intruder gained unauthorized access to the organization’s computer network and removed files. The organization stated that some of the stolen information had potentially been made available online.
- Almaviva, an Italian IT services provider, was compromised in a major cyberattack that led to the alleged theft of about 3 TB of data belonging to its client FS Italiane Group, Italy’s state-owned railway operator. The leaked material reportedly includes recent confidential internal documents, technical files, multi-company repositories, contracts with public entities, HR archives, accounting data, and possibly employee and passenger related data from multiple subsidiaries. In response, Almaviva confirmed that it detected and isolated the breach, activated its incident response procedures, and notified national authorities while insisting that critical services have remained operational.
- Pittsburgh law firm Davies, McFarland & Carroll confirmed it notified 54,712 people of a May 2025 data breach that compromised personal information. The law firm confirmed that an unauthorized party gained access to its internal network, with an investigation revealing that certain files had been stolen. Lynx ransomware group took credit for the attack.
- Air Miles España reportedly suffered a ransomware attack by the Everest ransomware group in late November, in which the attackers claim to have exfiltrated about 131 GB of data containing millions of customer records. Stolen data includes names, email addresses, account IDs, demographic details, loyalty account information, and marketing/transaction data. According to the attackers’ leak posting, the group encrypted internal systems and threatened to publish the stolen data publicly unless ransom demands are met. As of now, Air Miles España has not publicly confirmed the breach.
- The Georgia Superior Court Clerks’ Cooperative Authority (GSCCCA) was hit by a ransomware attack. The Devman group, which claimed to have exfiltrated about 500 GB of data, demanded a ransom of approximately $400,000. As a result, GSCCCA shut down its website and e-filing systems, triggering statewide disruptions. Electronic real estate filings, notary applications, UCC filings and court-document services were temporarily unavailable, forcing many counties to revert to paper-based processes. The authority says it activated defensive security protocols and is working to validate its systems before restoring service but has not publicly confirmed whether sensitive data was leaked or whether any ransom was paid.
- Pixtura, an Italy-based fine art printing and photography service provider, was reportedly breached in late November. Attackers claim to have exfiltrated thousands of customer records, including email addresses, full names, phone numbers, identity-document numbers, bank account IBANs, and hashed passwords. According to the leaked sample data, some users’ IBANs and ID numbers were exposed. As of now, Pixtura has stated it is investigating the claim, but there is no public confirmation of whether the full dataset is genuine or whether all affected customers have been notified.
- Global packaging company Amcor was targeted by the ransomware group CoinbaseCartel in late November. The group claims to have exfiltrated sensitive internal data, warning that the information could be exposed unless negotiations begin. In response, Amcor says it is aware of the claims and has engaged external forensic support to investigate.
- Outback Pharmacies, a regional Australian pharmacy provider, was listed as a victim by the ransomware group Beast, who claimed to have stolen roughly 150 GB of data. The group did not share any details on their ransom demand but did post several documents stolen from the victim. These documents were largely medical in nature, including patient treatment plans and patient financial data. As of now, there has been no public confirmation about the full extent of the data compromised.
- Iberia, Spain’s flag-carrier airline, disclosed a data security incident caused by a breach at one of its third-party suppliers, exposing customer names, email addresses and Iberia Club loyalty-card numbers. No passwords or payment data were affected. While Iberia activated its incident-response protocols and continues normal operations, Everest ransomware group separately claimed a far larger breach involving hundreds of gigabytes of internal files, booking data and emails, a claim the airline has not confirmed.
- Akira claimed responsibility for a cyberattack against Rochester Philharmonic Orchestra. Stolen data includes musicians’ personal information, internal budgets, confidential corporate documents, and NDAs, and the group has threatened to publicly leak the files unless their demands are met. As of now, the size of the leak remains unverified, and it’s unclear whether RPO has confirmed the breach or engaged with the attackers.
- Money Mart, the North American check-cashing and payday loan firm, was hit by the ransomware group Everest, who claims to have exfiltrated over 80,000 internal files containing customer and financial data, as well as employee personal information. According to the attackers, the haul includes transaction records, credit-card details, customers’ personal and identity information, loan data, and internal company documents.
- Canadian scientific consulting service, JASCO Applied Sciences, started notifying US residents of a data breach following a cyberattack that started in July 2025. Rhysida claimed the attack in October, issuing a $1.22 million ransom demand to delete the stolen data. The ransomware group added various screenshots of identity documents as proof of claims. JASCO confirmed the unauthorized activity event, and an investigation revealed that some of the data held by the business was compromised.
- Heritage Communities announced a breach of personal and protected health information of current and former residents. A network intrusion was identified in September, prompting an investigation into the incident. The investigation confirmed that an unauthorized actor gained access to a limited amount of information. Worldleaks claimed responsibility for the attack.
- Enan Tech Private Limited, a Bengaluru-based IT services firm, was hit by a ransomware attack on November 21, 2025, during a server migration; the attack encrypted its data and left systems inaccessible. A ransom note was discovered, and the incident triggered a formal complaint, with local police and India’s cyber-security authority now investigating the breach. As of the latest reports, Enan Tech is grappling with data loss and disruption of services while authorities work to determine the full extent and impact of the attack. No known ransomware group has publicly claimed the attack.
- Dermatology Associates of Concord (DAC) notified the Massachusetts Attorney General about a security incident affecting a currently undisclosed number of individuals. Suspicious activity was identified within the healthcare provider’s computer systems in mid-September. Impacted files are being reviewed to determine the types of data involved and the individuals affected.
- Qilin took credit for a ransomware attack on the City of Santa Paula in California. According to the group, municipal systems were compromised which affected the city’s email and internal services. Santa Paula reported network outages that disrupted key city services. Local officials have not publicly confirmed the full extent of the incident.
- The Village of Golf Manor recently disclosed that it was hit by a ransomware attack that disrupted municipal systems, forcing its administrators to evaluate whether to engage with ransom demands. At a recent council meeting, officials confirmed they had no intention of paying the ransom and instead were considering a resolution, pending modifications, to guide how the village responds with help from its insurer. The village has not yet publicly detailed the full scope of the damage or what data may have been compromised.