
The State Of Ransomware October 2025
October marked a record-breaking month for ransomware activity, with 86 publicly disclosed incidents, the highest October since we began tracking in 2020. The healthcare sector bore the brunt of these attacks, accounting for 28% of all incidents. A total of 28 ransomware groups were active during the month, with Qilin leading the pack with eight confirmed attacks. Notably, 41% of publicly reported incidents remain unattributed to any known ransomware group.
1. California mortgage lender Intelliloan started sending out breach notification letters to its customers about a March cyberattack that exposed reams of sensitive data. The notice stated that personal information such as names, government-issued IDs and financial information was accessed during the incident.
2. The Job Shop confirmed that a cybercriminal group gained access to one of its servers earlier this year. An investigation found unauthorized access to a remote desktop server around mid-June, compromising completed Forms W-2 for 2018, 2019 and 2020, raising concerns that names, addresses and Social Security numbers may have been exfiltrated. PEAR claimed responsibility for the attack, allegedly stealing 135 GB of data during the incident.
3. Red Hat confirmed that an unauthorized actor gained access to one of its self-managed GitLab instances used by its Consulting division. Crimson Collective claimed to have exfiltrated about 570 GB of compressed data from over 28,000 internal repositories including “Customer Engagement Reports” (CERs) that reportedly contain detailed infrastructure designs, authentication tokens, database connection strings and other sensitive configuration data belonging to major enterprises. Red Hat says it has no reason to believe its broader product supply-chain or other services were impacted.
4. In Israel, Shamir Medical Center was targeted by a ransomware attack claimed by Qilin. The ransomware group claimed access to the hospital’s entire IT systems, exfiltrating about 8 TB of sensitive data including patient records, internal communications, and critical operations files. The healthcare facility was given a 72-hour ultimatum for ransom payment with a threat to publish the stolen data if demands weren’t met. While hospital operations reportedly continued without major disruption, the breach still triggered a full investigation by Israel’s National Cyber Directorate to determine the extent of the leak and to remediate the damage.
5. J Group claimed responsibility for a cyberattack on Dimensional Control Systems (DCS), a U.S.-based software provider that works with major manufacturers including Boeing, Volkswagen, Samsung and Siemens. The attackers allege they exfiltrated around 11 GB of highly sensitive files, including proprietary software architecture documents, configuration files for CAE/PLM integrations, internal audit-trail data, and legal/insurance records. While DCS has not publicly confirmed the breach, the exposed documentation, if genuine, poses serious risks to intellectual property, vendor trust and the global manufacturing supply chain.
6. Accounting firm Sheheen, Hancock & Godwin recently confirmed it notified 42,077 people of an April 2025 cyberattack which compromised confidential information. The majority of victims are in South Carolina, but five states in total have confirmed victims associated with the breach. Ransomware group Lynx took credit for the attack, claiming to have stolen 10 GB of data from the organization.
7. Lynx claimed TriMed, a subsidiary of Henry Schein, as a victim on its dark web leak site. The attackers exfiltrated a wide variety of sensitive files including executive communications, personal documents, and intellectual property. Samples of data included personal documents and an email exchange between executives detailing high-level financial dealings. TriMed confirmed that it had fallen victim to a cyberattack, taking systems offline to contain the impact.
8. The Friendlies Society Dispensary, a pharmacy in Queensland, reported that its IT systems were compromised by a cyberattack. Upon discovering the incident, the organization promptly worked to secure systems and establish a clear picture of what happened. Government cybersecurity authorities have initiated a joint investigation into the breach. It is not yet known what data has been compromised as a result of the attack. DragonForce claimed responsibility, allegedly stealing 35.82 GB of data.
9. Banco Hipotecario del Uruguay (BHU) suffered a “devastating” ransomware attack orchestrated by the group Crypto24. The attackers demanded an undisclosed ransom, and after the bank failed to comply within the ten-day deadline, the group released over 700 GB of stolen data. The leaked information reportedly included personal details, financial records, legal agreements, property documents, credit risk assessments, and technical information about the bank’s infrastructure.
10. The Fort Wayne Medical Education Program confirmed it notified 29,485 people of a December 2024 cyberattack which resulted in personal information of its employees and their dependents being compromised. INC took responsibility for the attack in December 2024, claiming to have stolen 66 GB of data from FWMEP. An image of a file directory was posted as proof of claims.
11. Prominent gaming company Brightstar Global Solutions Corporation reported a data security breach that exposed sensitive personal information of 103,879 individuals. The company stated that it identified unauthorized activity within its internal systems and immediately launched an investigation to determine the nature and scope of the incident. Compromised data included names, contact information, government IDs, financial account information and more. No known hacker group has claimed responsibility for the attack.
12. Kill ransomware group claims to have breached Vanan Online Services, a US-based language service provider. The group posted the claim on its dark web leak site, adding images of stolen data as proof of claims. The proof pack included screenshots of passports, birth certificates, invoices, signed legal documents and other forms of PII. Vanan Online Services has not yet publicly acknowledged these claims.
13. Qilin claimed responsibility for a September ransomware attack on Mecklenburg County Public Schools (MCPS). The group stated that it had stolen 305 GB of sensitive data including financial records, grant documents, budgets, and children’s medical files. The attack had forced teachers offline in late September, with internet services restored about a week later. The school district confirmed that Qilin was behind the attack but stated that it is still assessing the extent of the breach.
14. It was revealed that 13,234 individuals were impacted by a cyberattack on Treasure Coast Hospice in September 2024. A detailed review of the incident was completed in July this year, revealing that various types of information were accessed or copied by hackers. Exposed data varied by individual and could include PII, health insurance information, financial data, and medical information.
15. The Institute of Culinary Education confirmed it notified 33,342 people of an April 2025 data breach that compromised personal information. The Institute issued a notice to victims stating that an investigation into the attack determined that an unauthorized actor gained access to certain systems and copied files from those systems. Ransomware group Payouts King took credit for the attack in June, stating that it had stolen 1.5 TB of data during the attack.
16. Qilin allegedly breached the California Golf Club of San Francisco, one of the US’ most exclusive members-only golf clubs. The group claimed to have stolen 10 GB of data consisting of about 12,000 files. A post on the group’s dark web leak site contained samples of 23 files, including an alleged database exposing a trove of personal data on its members.
17. Electronic components distributor Avnet confirmed that it had suffered a data breach affecting systems used in its EMEA operations. Unauthorized actors gained access to externally hosted cloud storage supporting an internal sales tool. An unnamed threat actor claims to have stolen 1.3 TB of compressed data including operational information from the EMEA region. Some leaked files contained plaintext records including personally identifiable information.
18. Florida-based Doctors Imagine Group revealed that it experienced a data security incident that compromised the sensitive personal information of more than 170,000 individuals. The healthcare provider suffered a network disruption impacting critical systems, with an investigation revealing that the network had been accessed by an unauthorized actor over a six-day period. Compromised data includes PII, financial account information, medical records, insurance data and other medical information. No known hacker group has claimed responsibility for the cyberattack.
19. Telstra, one of Australia’s leading telecoms providers, denied claims of a data breach reported by the Scattered Lapsus$ Hunters group. In response to the claims of 19 million entries of PII being compromised, the company denied any compromise of its internal systems, stating that the data had been scraped from public sources. The threat actors had made claims that 100 GB of PII had been stolen, giving the organization a ransom deadline of mid-October.
20. The city of Sugar Land, Texas announced it had experienced a significant ransomware attack that disrupted several of its online services. Affecting functions like utility bill payment, permit and inspection scheduling, and building applications, the incident left residents unable to access these digital city services while emergency 911 and public safety operations remained fully operational. The breach has triggered an ongoing investigation involving local, state, and federal law-enforcement agencies, with city officials emphasizing the priority of restoring services safely and securely. Qilin claimed responsibility for the attack, allegedly stealing 800 GB from the city’s systems.
21. Officials in Michigan City confirmed that the network disruption experienced in late September was a ransomware attack. Upon discovering the incident, immediate actions were taken to secure systems, including taking parts of the network offline. The disruption affected a portion of the city’s data and impacted municipal employees’ online and telephone access. An investigation is ongoing, limiting information about the attack being publicly shared. Ransomware group Obscura took credit for the attack, claiming to have stolen 450 GB of data.
22. Hacking group Crimson Collective claimed it had successfully hacked Nintendo. The threat actors allegedly exfiltrated folders of Nintendo data including production assets, developer files, and backups. The Japanese gaming giant is yet to make a statement about the attack.
23. Beast ransomware group claimed to have successfully attacked the Methodist Church of Southern Africa (MCSA). The attack resulted in the exfiltration of 150 GB of data. Sample data provided by the group included financial and audit information, as well as various expenditure statements. No details belonging to individual church members were included in the samples.
24. UK trade union Prospect confirmed that member data was stolen during a June cyberattack. Unknown attackers compromised Prospect’s systems and exfiltrated individuals’ PII, bank account information and other confidential data. An investigation into the intrusion remains ongoing.
25. It was reported that Alert Medical Alarms experienced a ransomware attack orchestrated by Qilin. According to the organization’s official notice posted on its website, the attackers gained unauthorized access to its internal systems which resulted in the exfiltration of sensitive customer data. The breach exposed a range of PII and PHI.
26. Brotherhood ransomware group claimed to have breached Western Australia-based trade supplier Kevmor Trade Supplies. The threat actors claimed to have exfiltrated 45 GB of data from the organization, including sales and payment documents, spreadsheets and more. Within the listing on the dark web was a sample of stolen data containing passport scans, driver’s licenses, an invoice and an Excel spreadsheet screenshot. Kevmor Trade Supplies has not yet made a public comment in response to these claims.
27. Space Coast Vascular in Florida recently announced that it was subject to a cyberattack in January 2025. An investigation determined that patients’ protected health information had been exposed during the incident. The types of data vary from individual to individual and may include names, medical treatment information, and financial account information.
28. Regency Specialist Hospital detected unauthorized access to part of its IT systems in mid-October. Upon identifying the access, immediate action was taken to secure the network and contain the incident, and an investigation was launched with the support of cybersecurity and legal experts. Preliminary investigation findings indicate that certain personal data stored on specific internal servers may have been affected. Nova took credit for the attack, claiming to have stolen 550 GB of data from the healthcare provider.
29. INC ransomware group listed Australian landscaping and recycling firm Benedict on its darknet leak site. The group claims to have stolen 270 GB of company data including extensive backups of user data, HR information, Salesforce files, and detailed workplace incident reports. No ransom demand was listed by hackers. Benedict confirmed that it had recently experienced a cyber incident that had resulted in the exposure of a subset of employee personal information. The organization also stated that it is aware of the allegations made by INC and is currently conducting an active investigation into those claims.
30. Life insurance provider Generali Central Insurance Company Limited fell victim to a Medusa ransomware attack. Though the company has not received a direct communication from the ransomware group seeking a ransom, the group’s dark web posting demanded $500,000 to download the stolen data, and another $500,000 to delete it. The company ran an internal check on its database in response to the dark web claims, which revealed instances of unauthorized entry to its systems. An investigation into the incident has since been launched.
31. A ransomware attack targeting MuniOS disrupted state and local borrowers’ ability to post debt documents on the $4.3 trillion municipal-bond market’s main distribution platform. The service was offline for several days as a result of the cyberattack. Further information, including who was responsible for the attack, has not yet been made public.
32. Sierra Vista Hospital & Clinics concluded an investigation into a January 2025 incident which resulted in the exposure of sensitive patient data. The healthcare provider confirmed that unauthorized access was identified on January 29, 2025, and that an investigation into the incident was immediately launched. Information including names, medical information and health insurance information was compromised during the attack. It is not known who is responsible for the incident.
33. Rockhill Women’s Care started notifying patients about a security incident that affected its IT systems and exposed patient information. Suspicious activity was identified in February, and third-party cybersecurity experts were engaged to investigate. A file review, which concluded in August this year, confirmed that patient information including PII and PHI had been compromised.
34. Interlock took credit for a cyberattack on Kearney Public Schools in Nebraska. The attack caused limited issues, with services being restored over a two-day period. Interlock claimed to have stolen 354 GB of data including personal security data, financial documents and information belonging to third parties, such as students’ relatives. A number of sample images were posted as proof of claims. A spokesperson stated that Kearney Public Schools’ investigation was still ongoing and that a ransom was not demanded. It has since been reported that a camera server, phone and voicemail server and potentially some staff shared drives were compromised during the attack.
35. Methodist Homes of Alabama and Northwest Florida disclosed a data breach involving unauthorized access to the personal and protected health information of almost 26,000 residents, employees and other individuals. An investigation confirmed that an unauthorized actor had access to its network in October 2024, resulting in the compromise of sensitive data. The group behind the attack is unknown.
36. In South Florida, MyCardiologist alerted patients about a cyberattack involving the theft of data from its network. The attack was detected in June, when suspicious activity was observed within its email system. Third-party investigators determined that the threat actor had copied data from the cardiologist practice’s environment. Notification letters are currently being sent to affected individuals.
37. Seafood processing and distribution company Dulcich confirmed that a data security incident it suffered last year compromised the sensitive personal information of more than 400,000 individuals. Investigations revealed that an unauthorized party had gained access to Dulcich’s network in June 2024, accessing and acquiring certain files containing personal information. Compromised data included names and other personal identifiers including SSNs. No known hacker group has claimed responsibility for the attack.
38. Connecticut-based Waveny LifeCare Network revealed that it experienced a cyberattack in May 2025 that disrupted its network systems. Upon discovering the intrusion, immediate action was taken to contain the incident. An investigation and file review are ongoing, but it has been confirmed that data including PII and PHI was compromised. It is not clear who was responsible for the attack.
39. In Illinois, Aunt Martha’s Health and Wellness confirmed that it had fallen victim to a ransomware attack in August. A forensic investigation confirmed that a threat actor had gained access to the health services provider’s computer network, exfiltrated sensitive data, and deployed malware that encrypted files. The attack was rapidly contained, and systems and data were restored from backups. Compromised data includes personal identifiers, diagnosis and treatment information, and health insurance information.
40. Lynx claimed responsibility for a major data breach involving information belonging to the UK’s Ministry of Defence. The group alleges that stolen data, estimated at around 4 TB, was exfiltrated from Dodd Group, which handles various operational tasks for the military. Among the stolen information were contractor names, contact details, and MoD personnel information including names, email addresses and some physical addresses.
41. Grand Traverse County confirmed that 782 people have been notified of a June 2024 breach that compromised their names and Social Security numbers. The county discovered unauthorized activity in its network environment, with forensic investigations determining that personal information contained in compromised network locations had been impacted. No ransomware groups have publicly claimed responsibility for the breach.
42. Volkswagen Group France was added to Qilin’s leak site in mid-October, with the group claiming to have exfiltrated 2,000 files. The 150 GB of data consists of sensitive client, employee, and business information. A sample of documents was added to the dark web post as proof of claims. These samples included owners’ personal details such as names, address, and detailed vehicle information.
43. Cheung Sha Wan Vegetable Wholesale Market suffered a ransomware attack on its computer systems. After the breach was discovered, systems were immediately suspended to prevent further intrusions. Preliminary investigation findings indicate that the incident involved the company’s gate and accounting systems. An investigation is being conducted to assess whether personal data has been leaked.
44. Melbourne software firm VETtrak disclosed that a cyber incident caused an outage that impacted multiple services. The VETtrak student management platform was isolated as a precautionary measure. Technical teams are still actively investigating the nature and cause of the incident which has not yet been claimed by a ransomware group.
45. One of the world’s largest art and jewelry brokers Sotheby’s confirmed a data breach following unauthorized access to its internal systems. The company said it detected the incident in late July and launched an investigation with assistance from third-party specialists. Exposed data included clients’ names, SSNs, and financial account information. The company did not disclose how attackers gained entry or whether specific vulnerabilities were exploited. No ransomware group has claimed responsibility for the attack, and stolen data has yet to appear on known dark web leak sites.
46. Australian National Broadband Network provider Vocus disclosed that it had detected suspicious activity on its network, leading to email services being suspended. A spokesperson confirmed that unauthorized access led to approximately 1,600 email addresses being compromised. Unauthorized SIM swaps on 34 Dodo Mobile accounts were observed as a result of the compromise of email addresses.
47. Aussie Fluid Power confirmed it is investigating claims of a data breach made by Anubis ransomware group. The security incident involved unauthorized access by a third party to a limited number of the company’s IT systems. A spokesperson stated that the investigation is ongoing, but it appears that certain employee, customer and supplier information was compromised. Anubis claimed responsibility for the attack, adding screenshots of file directories, company documents, and several contracts to its dark web leak site.
48. Not-for-profit organization CBS Tasmania was listed on the dark web leak site of Lynx ransomware group. CBS confirmed that it has recently suffered a cyber incident, which was contained before it had any impact on its operations. The organization is currently reviewing the data involved and has identified that the data primarily relates to employees and a very limited number of clients. Lynx posted sample data containing documents such as employee detail forms, tax invoices and IDs.
49. Askul, a major Japanese e-commerce and logistics provider, was hit by a ransomware attack that forced it to suspend order intake, shipping and numerous online services across its platforms (including Askul, Lohaco and Soloel Arena). Askul publicly stated it is investigating the full scope of the impact, including whether any personal or customer data was exfiltrated, and has not yet disclosed a timeline for when all services will be restored. RansomHouse claimed responsibility for the attack.
50. Major high-end golf apparel and sportswear manufacturer Summit Golf Brands was hit by a ransomware attack orchestrated by INC. The group claimed to have stolen 47 GB of data from the brand’s systems. INC provided no data samples, but the dark web post did display a 48-hour countdown timer. Summit Golf Brands has yet to acknowledge INC’s claims.
51. Dekalb County became aware of a cyberattack last month which impacted the county’s ability to log into workstations. An investigation into the incident remains ongoing, limiting the details which can be made publicly available. Lynx ransomware group claimed responsibility for the attack.
52. The Tennessee city of La Vergne stated that it is investigating a network incident that disrupted computer systems used by government officials. City officials announced that the system used to pay utilities and property taxes was taken down by the cyberattack, forcing the city’s residents to pay through check or money order.
53. Patron Insurance Services confirmed a data breach after detecting suspicious activity within its network in late May 2025. An internal investigation revealed that an unauthorized actor had gained access to files containing personally identifiable information and protected health information of an undisclosed number of individuals. Akira claimed the attack in June, stating that it had obtained nearly 7 GB of Patron’s data, which it claimed included personal records, financial information, contracts, agreements, and non-disclosure agreements.
54. Oregon-based fencing and pet solutions provider Jewett-Cameron Company was targeted by a cyberattack that led to disruption and the theft of sensitive information. The company determined that hackers deployed encryption and monitoring software on its corporate IT systems. Current analysis indicates that exfiltrated data primarily relates to IT and financial information. The company stated that threat actors have threatened to release the stolen data unless an undisclosed ransom is paid. It is not known who is behind the attack.
55. Elmcrest Children’s Center disclosed a data breach following a ransomware attack that compromised sensitive personal and medical information. An investigation confirmed that the not-for-profit’s network was subject to unauthorized access over a four-month period, during which a threat actor accessed and copied files containing confidential information. Interlock, the group behind the attack, claimed to have obtained 448 GB of data, including more than 627,000 files.
56. Kaufman County suffered a cyberattack which affected a number of public services and forced county officials to notify state and federal agencies. The Sheriff’s Office and emergency services were not impacted by the attack. It was acknowledged that personal information maintained by the county may have been accessed during the incident.
57. River City Eye Care started the process of notifying patients about a data breach that exposed sensitive personal information following unauthorized access to its computer system. After discovering unusual activity in early September, the practice immediately launched an investigation to determine the cause and extent of the incident. Genesis claimed responsibility, alleging that it exfiltrated 200 GB from company management hosts and file servers.
58. BlackShrantac claimed responsibility for a ransomware attack targeting SK Shieldus, a security company based in South Korea. The threat actors claim to have stolen 24 GB of internal data and posted 42 pieces of evidence on the dark web. The leaked data consists of business proposals and reference documents. SK Shieldus has acknowledged a cybersecurity issue but claims that further details cannot be disclosed due to cooperation with regulatory authorities.
59. Bun, the largest Albert Heijn franchisee, fell victim to a ransomware attack which exposed the sensitive information of 3,462 current and former employees. A sample on the dark web included names, addresses, SSNs, bank account numbers, and medical information. ThreeAM claimed responsibility stating that it has published around 20% of the stolen information, with the threat of publishing more if demands are not met.
60. A lawsuit has brought to light information about a cyberattack which hit OYO Las Vegas in January this year. The incident allegedly exposed the sensitive data of about 4,700 guests, employees and business partners. OYO did not officially report the breach to the relevant authorities until September. LockBit claimed the attack, allegedly stealing 30 GB of data including personal and financial records, internal financial statements, and casino operations documents.
61. A listing on Everest’s dark web leak site claims it is in possession of 576,686 personal records linked to AT&T Careers. The group gave the organization four days to meet demands, or the data would be publicly released. The company is “instructed” to follow instructions to access a password-protected portion of the listing. AT&T has not yet publicly addressed these claims.
62. Toys “R” Us Canada notified customers of a data breach which may have compromised their personal information. The toy retailer learned that an unknown group posted information on the dark web, claiming that it had stolen information from the business databases. No group has publicly claimed responsibility for the attack.
63. 21,000 members of Unigym Gatineau received notification that a breach in early October may have compromised their personal and financial data. It took the gym’s web provider three days to discover the breach, and another week to notify Unigym Gatineau. Compromised data includes names, contact information, health insurance numbers, banking information and credit card details.
64. Everest claims to be in possession of 280 GB of information stolen from Svenska kraftnät, Sweden’s power grid operator. The organization confirmed that it was subject to a data breach, but that no disruption was caused to the power system. The attack has been reported to the relevant authorities. Everest gave Svenska kraftnät a number of days to meet undisclosed demands. It is not clear what types of data have been stolen by the ransomware group.
65. The German professional video-surveillance systems provider Xortec, based in Frankfurt and operating across the DACH region, was targeted by the Safepay ransomware group. The attackers listed Xortec on their data leak site and set a ransom payment deadline of October 27, 2025. No further information relating to the attack is currently available.
66. The City of Gloversville was hit by a ransomware attack which impacted its computer systems and compromised the personal information of current and former employees. The intrusion was discovered when a ransom note was found on the server. The unnamed threat actors stole employees’ personal information, including all payroll records and account numbers. The city hired consultants to negotiate the $300,000 ransom demand, resulting in the council approving the payment of $150,000 in exchange for the stolen information.
67. Right at Home experienced a data breach, detected on September 3, 2025, when the company noticed unusual activity within its systems. An internal investigation revealed that certain files were accessed and acquired without authorization. Sinobi ransomware group claimed to have stolen 50 GB of data including customer information and contracts.
68. Everest claims to be in possession of personal details belonging to more than 18,000 Air Arabia employees. No other information or sample data has been provided by the group. The group gave the low-cost airline six days to get in contact before the stolen data is released online.
69. Everest added Dublin Airport to its leak site, claiming to have stolen approximately 1.5 million personal records, including passenger data. The listing shared by the group showed data fields with detailed passenger and flight-related information that could be used to identify travellers and their travel activity. Dublin Airport is yet to publicly address the claims made by Everest.
70. North Stonington Public Schools notified students and faculty of a September 2025 data breach that compromised sensitive personal information. Former and current student information such as academic records, personal information and residency verifications was breached. Employment records and personnel files were also compromised. Interlock took credit for the breach, claiming to have stolen 3 TB of the school district’s data. To prove its claim, Interlock posted sample images of the stolen documents.
71. Plastic surgeon Michael R. Schwartz notified the California Attorney General’s Office that it had become aware of unauthorized access to its network in August. Investigators found that an unauthorized party had accessed patient files over an eight-month period. The number of patients impacted has not been disclosed but compromised information is believed to include PII, photographs, and medical record numbers. No group has publicly claimed responsibility for the attack.
72. ModMed notified the state attorney general about a July 2025 ransomware attack involving the theft of data from its systems. An investigation determined that unauthorized access was gained in early July, during which files containing sensitive data were copied from the servers. Affected files were reviewed and were found to contain personal and protected health information.
73. Sensitive personal and financial information of customers was exposed during a significant data security breach impacting Canadian Tire Corporation. Suspicious activity within the company’s internal network was identified in early October, with an investigation immediately launched to determine the nature and scope of the incident. Compromised data includes names, addresses, email addresses, year of birth, encrypted passwords and partial credit card numbers. No known hacker group has claimed responsibility for the attack on CTC.
74. Qilin claimed to have breached MedImpact, one of the largest independent pharmacy benefit managers and healthcare solution providers in the US. MedImpact acknowledged that it had identified ransomware on certain systems and had begun implementing containment and mitigation measures. The group claimed to have exfiltrated 160 GB of data from the organization, posting a few images as proof of claims.
75. Anubis listed Paterson & Dowding Family Lawyers on its dark web leak site, detailing data it claims to have stolen from the law firm. The sample data posted by the ransomware group was split into three categories: client financial data, client business data, and personal data. It is unclear how many clients were impacted by the incident, and Anubis has yet to publicly set a ransom payment amount. Paterson & Dowding confirmed that it had fallen victim to a cyberattack and that data had been accessed and exfiltrated.
76. Akira took credit for a September 2025 data breach at BK Technologies, a manufacturer of wireless communication devices. BK Technologies confirmed an unauthorized party accessed its systems in mid-September. A limited number of non-critical systems suffered minor disruption as a result of the incident. Akira claims to have stolen 25 GB of data including employee info, accounting documents, confidential agreements, military contracts, NDAs, and payment info.
77. Sinobi listed Australian business Cavalry Consulting on its darknet leak site and is threatening to publish 20 GB of data it allegedly exfiltrated during a recent cyberattack. Sinobi has not listed its ransom demand, nor provided any evidence of the hack. The ransomware group has instructed the organization to start negotiations in order to keep the stolen data private.
78. Family Health West in Colorado confirmed it was the target of a cyberattack that forced it to shut down its IT systems. The attack did not disrupt patient care at the facility. Family Health West has stated that there is no evidence that patient data was accessed, encrypted or otherwise taken offsite. An investigation into the incident is still ongoing. Devman ransomware group has claimed responsibility, allegedly stealing 120 GB of data and demanding a $700,000 ransom payment.
79. Sedgebrook, a retirement village in Illinois, announced a ransomware attack that involved unauthorized access to files containing individuals’ personal and protected health information. The attack took place in May this year, during which ransomware encrypted files and data was exfiltrated. Exposed files include protected health information.
80. Japan-based Dentsu disclosed a data breach impacting systems of its subsidiary Merkle. The discovery of abnormal activity on Merkle’s network forced the shutdown of some of its systems. Dentsu has admitted that the hackers had taken certain files from the Merkle network, including ones containing information related to some suppliers, clients, and current and former employees. No known cybercrime group has taken credit for an attack on Merkle or Dentsu.
81. OB-GYN Associates in Nevada confirmed it notified 62,238 people of an August 2025 data breach that compromised patients’ names, Social Security numbers, driver’s license numbers, medical info, bank account numbers, and routing numbers. INC claimed responsibility but provided little detail about the attack on its dark web post. The healthcare provider confirmed that it had fallen victim to a cyberattack and that data had subsequently been exfiltrated.
82. Malibu Boats Australia was listed on Qilin’s dark web leak site, with the group claiming to have exfiltrated 160 GB of data comprising 148,538 files. Malibu Boats Australia has not publicly addressed the claims made by the ransomware group.
83. George E. Weems Memorial Hospital in Florida began notifying patients affected by a recent security incident involving unauthorized access to two employee email accounts. The email accounts were reviewed, and on September 22, 2025, the hospital learned that the accounts contained patients’ protected health information. It is not clear who is responsible for the attack.
84. California-based biopharmaceutical company, Travere Therapeutics, notified the Massachusetts Attorney General about a security incident in which sensitive patient data may have been stolen. The notification letter does not include details of the incident, such as when it was detected, how long the unauthorized access lasted, or how many individuals have been impacted, only that the information potentially compromised in the incident included names, addresses, phone numbers, email addresses, and SSNs.
85. Point Lonsdale Medical Group (PLMG) said that the organization’s email account suffered unauthorized access after phishing emails were identified as being sent from that account. The company said that its own systems and patient database had not been breached, but that, based on the investigation of external forensics experts, a small number of emails contained in the mailbox were accessed. It also said that there is currently no evidence to suggest the data was exfiltrated.
86. Yale New Haven Health disclosed a data security incident that compromised the protected health information of up to 5,556,702 individuals. The healthcare provider identified anomalous activity within its IT systems on March 8, 2025. Immediate containment measures were taken, and an investigation was launched to determine the scope of the intrusion. The organization emphasized that its electronic medical record system was not accessed, and no financial information was compromised. However, the stolen data included personally identifiable and medical details.