Last Updated: January 8th, 2026 | 38 min read | Categories: The State Of Ransomware, 2025, Ransomware, Research

The State Of Ransomware September 2025

In September, 85 publicly disclosed ransomware attacks were recorded, marking a 27% rise from the same month in 2024. Healthcare was the hardest-hit sector, accounting for 26 incidents, followed by manufacturing with ten. Nearly half (47%) of the attacks remain unclaimed, but among those claimed, Everest and Qilin emerged as the most active groups.

Find out who made ransomware headlines in September:

  1. Carter Credit Union confirmed that it suffered a data security incident in July that compromised the sensitive personal information of nearly 70,000 customers. Upon discovering suspicious activity in its network, the financial organization immediately launched an investigation to determine the nature and scope of the incident. At the time, no known hacker group claimed responsibility for the cyberattack.
  2. The University of Iowa Health Care announced a cybersecurity incident which took place in July this year. Immediate action was taken to contain the threat, and systems were restored within one business day. A forensic investigation determined that data belonging to 211,000 individuals had been exfiltrated by the cybercriminals. No ransomware group has claimed responsibility so far.
  3. Details emerged relating to the August ransomware attack on the City of Middletown, Ohio. The incident disrupted numerous municipal systems including public records, health department operations and utility billing. Services have partially resumed, with the full impact of the incident still under investigation. Safepay took credit for the attack, adding the city to its dark web leak site in mid-September.
  4. An investigation revealed that NBC Holdings, LLC, experienced suspicious activity in its computer network, which resulted in certain files being accessed by an unauthorized user. The breach affected a total of 9,476 individuals and exposed confidential information. Cactus took responsibility for the attack, claiming to have exfiltrated 455 GB of company data.
  5. In Australia, Loyola College confirmed that it was actively investigating a cyber incident after Interlock listed the school as a victim on its dark web site. The college stated that its information technology system had been compromised by an unauthorized third party, and that an investigation into the extent of personal information that had been accessed had been initiated. The ransomware group claims to have exfiltrated 591 GB of data consisting of more than 430,000 files in over 35,000 folders. The data has since been published in full on the dark web.
  6. Absolute Dental completed its investigation of a February 2025 cyberattack and has confirmed that more than 1.2 million individuals had some of their personal and protected health information exposed. A third-party forensic investigation revealed that initial access to the network occurred when a malicious version of legitimate software was downloaded by an account linked to the company’s managed service provider. It is not yet clear who is responsible for the incident.
  7. Jaguar Land Rover (JLR) suffered a ransomware attack that forced it to shut down systems and halt UK production for weeks, with the outage expected to last into October. Attackers accessed company data, though the extent remains under investigation. The disruption has heavily impacted JLR’s suppliers, while hacker groups including Scattered Spider/LAPSUS$ Hunters claimed responsibility and leaked internal screenshots. JLR faces significant financial and reputational fallout, compounded by reports it lacks cyber insurance to cover the losses.
  8. South Korea’s data protection watchdog launched an investigation into a cyberattack at Lotte Card. Lotte Card confirmed that hackers accessed a wide range of customer data in mid-August, with information including financial details being compromised. The breach exposed personal data belonging to around 3 million customers. An investigation into the full scope of the breach and the data protection law violations involved remains ongoing.
  9. The American Association of Critical-Care Nurses (AACN) disclosed a data breach that affected 57,526 individuals. AACN determined that its website payment system was accessed by an unauthorized third party who was able to view/exfiltrate payment card information. At this time, it is not clear whose payment information was accessed, with notification letters sent to all those who may have been impacted.
  10. Assisted Living Pharmacy Service LLC (ALPS) announced a cyberattack that was identified in late June. An investigation confirmed unauthorized access to its network over a two-day period, during which certain data was either accessed or acquired. Qilin claimed responsibility for the attack, adding ALPS to its leak site in mid-August. The dark web listing includes examples of stolen files, but the data has not yet been published in full.
  11. Keys Pathology and other clients of Genesis Billing Services were notified of the potential data leaked during a cyberattack which took place in May 2025. An unauthorized party gained access to Genesis’ server and deployed ransomware after downloading all of the data from the server. Data potentially stolen varies from individual to individual but contains both personal and health information.
  12. 4,799 individuals were impacted by a data breach involving Reimagine Network, a California-based provider of disability services. The network disruption took place in July, with an investigation confirming that unauthorized network access had led to the potential exfiltration of sensitive patient data. No ransomware group has stepped forward to claim responsibility for this incident.
  13. Safepay added Waterford Surgical Center to its dark web leak site, claiming to have hacked the healthcare provider’s network and stolen sensitive personal patient and employee information. The post did not contain any further details relating to the attack, but did contain a countdown timer, giving the organization 48 hours to contact the gang.
  14. Pittsburgh Gastroenterology Associates was claimed as a victim of Sinobi ransomware group. The gang listed the practice on its dark web leak site, claiming to have gained unauthorized access to the organization’s systems and exfiltrated sensitive data. Further information about this incident has not yet been made public.
  15. Ransomware group INC took credit for an August 2025 ransomware attack on the University of St. Thomas in Houston, Texas. The university reported a cyberattack that caused a nine-day outage but at the time of the incident, it said there was no evidence of compromised information. INC claims to have stolen 1.8 TB of data, adding sample images to its dark web posting as proof of claims. The University of St. Thomas is yet to comment on or verify INC’s claim.
  16. Bridgestone Americas confirmed that it had suffered a “limited cyber incident” which impacted some of its manufacturing facilities. A forensic analysis is ongoing, but the company believes that no customer data or interfaces were compromised during the incident. The company has not yet disclosed key details about the incident. No ransomware group has yet taken credit for the attack.
  17. The Orleans Parish Sheriff’s Office (OPSO) was hit by a ransomware attack that disrupted administrative systems, including the “DocketMaster” platform used for inmate transfers, court dockets, and bond processing, but spared the jail’s security systems. Qilin ransomware group claimed the attack and leaked roughly 842 GB of data containing contracts, financial records, and inmate management documents. OPSO officials say they have not paid a ransom and are working with cybersecurity teams and law enforcement to restore systems, isolate compromises, and assess the full breach impact.
  18. The K Club resort in Ireland was recently hit by a ransomware attack, attributed to SafePay, just days before it was due to host the Irish Open. Attackers reportedly breached its network via a vulnerable VPN, exfiltrated financial, IT, and administrative records, and encrypted parts of the IT infrastructure. The K Club stated that no guest or client personal data appears to have been accessed, and that it did not pay a ransom. Authorities in Ireland, including the Data Protection Commission and the Gardaí, have been notified and are investigating.
  19. Canadian financial services company Wealthsimple confirmed that the personal data of a small percentage of its customers was compromised after malicious actors hacked a third-party software provider. The incident was detected in late August, with the security team able to sever unauthorized access within a few hours. Information such as contact details, government IDs, and financial details was compromised.
  20. Online chess platform Chess.com suffered a significant data breach after threat actors gained unauthorized access to a third-party file transfer application the platform uses to manage data. An investigation determined that data belonging to 0.003% of users was impacted. Compromised data includes names and other personal identifiers; however, no financial data was affected.
  21. Vietnam’s Credit Institute of Vietnam (CIC), which operates the country’s National Credit Information Center, was breached in a major cyberattack that reportedly exfiltrated over 160 million records of sensitive personal and financial data. The hacker group ShinyHunters claimed responsibility and listed the full database for sale, citing stolen data including identities, credit histories, debt, tax IDs, and other profile details. CIC, with support from Vietnam’s State Bank and cybersecurity authorities, is investigating the breach. According to CIC, its core services remain operational, and it reported no disruption to date, though the full scope and damage are still under review.
  22. American furniture brand Lovesac announced that it had suffered a data breach impacting an undisclosed number of individuals. The incident took place in February 2025, during which hackers gained unauthorized access to the company’s internal systems and stole data hosted on those systems. RansomHub claimed responsibility for the attack back in March but did not provide further details of the incident on its dark web site.
  23. Venture capital firm Insight Partners notified more than 12,600 people that their personal information was stolen in a ransomware attack earlier this year. A formal data breach notification revealed that hackers broke into the company’s HR system in October 2024, with the encryption and exfiltration of data beginning in January 2025. It is believed that exfiltrated data includes information about certain Insight Partners’ funds, management companies and portfolio companies, alongside banking and tax information.
  24. Beech Acres Parenting Center in Ohio notified 19,315 individuals about a November 2024 cybersecurity incident. Unusual activity was identified on its network, prompting immediate action to contain the incident. A forensic investigation confirmed that the incident resulted in the exfiltration of sensitive information. Personal data, banking information and medical information were among the types of files stolen.
  25. Anchorage Neighborhood Health Clinic confirmed that it is investigating a claim relating to unauthorized access to the personal and health information of 10,000 patients. In late August, the clinic experienced technical difficulties with its computer systems, preventing appointment scheduling. The investigation is still ongoing, and the extent of data theft has yet to be confirmed. The name of the hacker has not been made public by the clinic.
  26. A forensic investigation confirmed that a range of patient data had been exposed during a cyberattack targeting Pediatric Otolaryngology Head & Neck Surgery Associates (POHNS) in Florida. The February 2025 breach involved the exfiltration of sensitive information, including medical diagnoses and treatment details, health insurance records, and financial account data.
  27. Multiple sources indicate that the City of St Joseph in Missouri suffered a significant cyberattack in early June that crippled network services and potentially exposed the personal data of thousands of residents. The city has been forced to spend more than $1 million on extensive upgrades to its cybersecurity and technology infrastructure.
  28. Cornwell Quality Tools confirmed it notified 103,782 people of a December 2024 data breach that compromised SSNs, medical info, and financial account information. Cactus took responsibility for the attack in February 2025, claiming to have stolen 4.6 TB of data from the organization. Cactus posted sample images of the stolen data which included driver’s license scans, tax documents, and credit applications. Cornwell has not verified the claims made by the ransomware gang.
  29. Everest ransomware group added EasyCredit, a subsidiary of Germany’s second-largest bank, to its leak site on the dark web. The gang claimed to be in possession of internal documents and posted data samples attached to the victim listing. The data appears to contain PII including contact information. A spokesperson from the bank stated that an investigation had found no unauthorized access to user data.
  30. Major U.S. egg producer Rose Acre Farms allegedly had its systems compromised by Lynx ransomware gang. According to Lynx, the infiltration of the organization’s networks allowed the encryption of data. Rose Acre Farms has not yet acknowledged Lynx’s claims.
  31. US HealthConnect announced a cybersecurity incident that was identified in January 2025 and resulted in the exfiltration of sensitive information. Suspicious activity was identified within its computer network and third-party specialists were engaged to investigate the nature and scope of the activity. Information obtained from the affected systems includes names and SSNs.
  32. Panama’s Ministry of Economy and Finance (MEF) disclosed that it had been targeted by a ransomware attack claimed by the INC Ransom group. The attackers alleged they had exfiltrated over 1.5 TB of data including internal emails, financial documents, and budgeting records, and posted sample files to their leak site as proof of the breach. The MEF maintains that core systems and platforms were not compromised, and that security protocols were activated immediately to contain the incident.
  33. Automated Business Solutions (ABS) reported that it had experienced a data breach in which sensitive personally identifiable information in its systems may have been compromised. An investigation confirmed that data including names, SSNs, and bank account information had been accessed by an unauthorized third-party in July 2025. Akira has claimed responsibility for the incident, claiming to have exfiltrated 93 GB of data from the organization.
  34. Twin Cities Pain Clinic disclosed an email security incident that exposed patient data. A digital forensics firm confirmed that an unauthorized user had accessed an email account and a limited number of files stored within SharePoint. Exposed data includes names, addresses, medical and health information, alongside some financial data.
  35. 246,711 individuals were impacted by a cyberattack on Medical Associates of Brevard earlier this year. Third-party experts were brought in to investigate the incident and review files on the compromised parts of its network. The review revealed that compromised data included names, medical treatment information, SSNs, and some financial account information. BianLian claimed responsibility for the attack in January, claiming to be in possession of confidential stolen data, which it threatened to leak unless ransom demands were met.
  36. Northwest Medical Specialties started notifying patients of a recent cybersecurity incident that potentially involved unauthorized access to some protected health information. NWMS was contacted by an unidentified third party in August, claiming to have accessed its network and sensitive data. Digital forensics specialists were brought in to investigate the breach and concluded that patient data had potentially been copied without authorization. It is believed that 3,846 individuals were impacted by the incident.
  37. 811 people were notified of an August 2025 data breach involving the town of Vienna in Virginia. An investigation revealed that malicious actors had accessed the town’s network and deployed ransomware to encrypt portions of the network. Stolen data includes SSNs, financial account info, and passport numbers. Ransomware group Cephalus took credit for the breach but did not provide detailed information of the attack itself.
  38. Kill ransomware group claimed responsibility for a cyberattack against MedicSolution, a Brazilian healthcare software provider, threatening to release stolen data if negotiations were not initiated. The incident reportedly stemmed from data exfiltration via an unsecured AWS S3 bucket. The stolen data amounts to over 34 GB, made up of 94,818 files, including laboratory test results, medical assessments, X-rays, patient photos and personal information.
  39. Allegis Group, a U.S.-based multinational talent management company, has allegedly had its internal corporate files compromised by the Everest ransomware gang. In a data leak post, Everest claimed to have stolen extensive client information, supported by two screenshots showing files with 135,000 and 426,000 lines of client names and details. The group also claimed to hold a “huge variety of personal documents,” though these were not published.
  40. Monterey Mushrooms, LLC was hit by a cyberattack, during which an unauthorized actor accessed its servers. The accessed files reportedly contained personally identifiable information such as names, Social Security numbers, and in limited cases, driver’s license or passport numbers. INC ransomware group claimed responsibility and posted stolen data details to their dark web site around Sep 5, 2025. Monterey Mushrooms responded by securing its network, launching an investigation, notifying individuals, and offering credit monitoring services to those affected.
  41. A recent cyber incident reportedly affected Cullen, Haskins, Nicholson & Menchetti, P.C., a Chicago-area law firm, when it was added to PEAR’s data leak site on Sep 3, 2025. The attackers claim to have exfiltrated approximately 540 GB of data, including financial records, HR materials, active and closed case files, client communications, and internal emails. As of now, the firm has not publicly confirmed or commented on the breach.
  42. Reynolds and Reynolds Company announced that subsidiary Motility Software Solutions experienced a data security incident in mid-August. Upon detection of suspicious activity, Motility took the impacted server offline to isolate the incident, investigate the cause, and conduct remediation activities. The investigation into the incident, which remains ongoing, revealed that personally identifiable information of approximately 760,000 consumers was accessed. PEAR took credit for the incident, claiming to be in possession of 4.2 TB of data.
  43. The Caribbean Industrial Research Institute (CARIRI) in Trinidad and Tobago confirmed it had suffered a cyberthreat incident in early September. Medusa ransomware group claimed responsibility and listed approximately 678.3 GB of exfiltrated data on its leak site. CARIRI responded by isolating affected systems, invoking containment protocols, and engaging the National Cyber Security Incident Response Team to assess damage and begin system restoration.
  44. A review of files compromised in a cyberattack on Teamsters Union 25 Health Services & Insurance Plan was completed. The initial incident took place in August when suspicious activity was identified within the organization’s computer network. 19,231 individuals were impacted by the incident, with compromised data varying from individual to individual.
  45. Notification letters were sent to those affected by a May ransomware attack on Huron Regional Medical Center in South Dakota. An investigation into the attack confirmed unauthorized access to the healthcare provider’s network, and exposed files were reviewed. Compromised files contain PII and PHI. At this time, it is not clear who is responsible for the attack.
  46. Patients of Radiology of San Luis Obispo in California are being notified of a cyber incident which involved certain employee email accounts. An investigation into the incident was launched and revealed that certain email accounts were accessed at various times in February and March this year. Protected health information of 13,158 individuals was compromised as a result of the attack.
  47. Uvalde Consolidated Independent School District (CISD) in Texas was hit by a ransomware attack that disrupted critical infrastructure, including phones, HVAC controls, security cameras, and its Skyward payroll platform, leading the district to close campuses for three days. While the FBI and district cyber insurance teams are investigating the breach, officials stated that thus far no evidence indicates sensitive or personal data were accessed. No ransomware group has yet claimed responsibility for this attack.
  48. Kering, the parent group of luxury brands such as Gucci, Balenciaga, and Alexander McQueen, disclosed a cyberattack in which customer data was accessed. The hacker group ShinyHunters claimed responsibility, stating it obtained data tied to some 7.4 million unique email addresses and leaked samples of names, contact details, addresses, and purchase histories. Kering said no financial information, such as credit card numbers or bank account details, was compromised. In its response, the company affirmed that it alerted relevant data protection authorities, notified customers in accordance with local laws, and secured affected systems. Logs provided by ShinyHunters show that Kering and the ransomware group were in negotiations, with Kering agreeing to pay a ransom of €500,000, before going silent and not making the payment.
  49. U.S. real estate investment and development firm The Moinian Group was reportedly the victim of a ransomware attack claimed by the Abyss group. According to Abyss’s leak site, approximately 4.7 TB of uncompressed data were exfiltrated, including tenant, employee, and business partner records containing personally identifiable information and confidential documents. To date, Moinian has not publicly confirmed the full scope of damage or issued detailed disclosures.
  50. Clarins Group, the French luxury skincare and cosmetics firm, was reportedly hit by a cyberattack for which the Everest ransomware gang claimed responsibility. The attackers said they accessed and leaked data on over 600,000 of Clarins’ customers, including names, birth dates, addresses, email addresses, phone numbers, and purchase histories, but offered only screenshots as proof. Clarins has acknowledged notifying affected clients in certain regions and stated that no financial account or password data appears to have been exposed.
  51. Heidelberg Golf Club in Australia was targeted by the Kairos ransomware group, who claimed to have exfiltrated about 26.4 GB of data from the club’s systems. It remains unclear exactly which types of records were taken or whether the club has publicly confirmed the full extent of the breach. Heidelberg Golf Club is yet to publicly acknowledge the claims made by Kairos.
  52. 153,000 patients of Retina Group of Florida were affected during a cyberattack. The healthcare provider has not yet publicly posted the breach notice, and further details on the attack are not yet known. Several law firms have issued public notices stating that they are investigating the Retina Group of Florida for potential class action litigation.
  53. It was revealed that a breach earlier this year involving Black Hills Regional Eye Institute impacted 107,000 people. Suspicious activity was observed within its network in January, prompting BHREI to take steps to mitigate the threat, including taking some IT systems offline. Data compromised during the incident includes both PHI and PII. It is not known who is responsible for the attack.
  54. South Lyon Community Schools in Michigan experienced a ransomware attack that forced the district to shut down for three days after a network disruption was detected on Sep 14, 2025. District officials say they took systems offline quickly, enlisted cybersecurity experts, and are investigating the full scope while restoring operations. No public attribution to a specific hacker group has been confirmed.
  55. In Canada, Yellowknife suffered a cybersecurity incident that disrupted city email systems and some online services after authorities detected suspicious activity. The city’s IT team responded by isolating systems, taking affected services offline, and bringing in external cybersecurity experts to assist. Officials say there is currently no evidence that any personal data was compromised, and no ransom demand has been confirmed.
  56. INC ransomware group claimed responsibility for a breach at Omega Bio-Tek, alleging the theft of sensitive data such as employee records, Social Security numbers, contact details, and bank statements. The leak also reportedly included personal information belonging to the CEO and other senior executives. To date, the company has not publicly confirmed or commented on these claims.
  57. Termite ransomware group claimed responsibility for a cyberattack on News-Press & Gazette (NPG), alleging it stole a trove of sensitive data, ranging from financial and tax records to passports, employee contact details, and internal documents. The group published screenshots on its dark web site as proof, including what appears to be a U.S. passport belonging to a company principal. So far, NPG has not publicly acknowledged or confirmed these claims.
  58. Chroma ATE Inc. reported that its information systems had been subjected to a cyberattack. The ransomware group Warlock claimed responsibility, threatening to release the company’s data unless a ransom is paid. Chroma stated that there is currently no confirmed leakage of personal or confidential information and that operational impact appears to be limited.
  59. Everest ransomware group has claimed responsibility for an alleged breach of BMW, saying it exfiltrated tens to hundreds of thousands of lines of internal audit documents, financial records, and other sensitive files. The group posted BMW to its leak site with a countdown timer demanding contact within a short window or it would publish the stolen data. As of now, BMW has not publicly confirmed or denied the claim, and the authenticity of the data has not been independently verified.
  60. Hampton Regional Medical Center disclosed a cybersecurity incident that may have compromised sensitive patient information. Suspicious activity was detected in its computer system in mid-July, with a subsequent investigation revealing that an unauthorized party gained access to certain systems, potentially exposing and copying patient data. It was confirmed that files accessed during the intrusion contained both PHI and PII, but it is not yet clear how many patients were affected.
  61. The Brain Cipher ransomware gang has claimed responsibility for a major breach at Baltimore Medical System (BMS), a Maryland health network serving around 90,000 patients. According to the group’s dark web posts, several terabytes of data, including full server images, database backups, and user directories, were exfiltrated, with samples exceeding 800 GB made public. While BMS has yet to issue a full public statement confirming the scope or nature of the breach, the posted data dumps suggest that patient, administrative, and operational information may have been exposed.
  62. Akira claimed responsibility for a cyberattack on Intellect Systems, an operational technology firm based in Perth, Australia, alleging it exfiltrated around 10 GB of sensitive data including passports, driver’s licenses, medical and financial records, contracts, and project documents. Intellect Systems acknowledged the incident as unauthorized access to a limited part of its IT environment, saying it has contained the breach and is working with cyber professionals and regulators while assessing the impacted data.
  63. According to reports, Lynx claimed responsibility for an attack on True World Group, the United States’ largest sushi and seafood supplier. The group posted images of financial documents, invoices, and employee records to its leak site as proof of its alleged access. True World has yet to publicly confirm or deny the breach claims.
  64. Collins Aerospace was hit by a ransomware attack that disrupted its MUSE check-in and boarding systems across multiple major European airports. The breach led to widespread flight delays, the suspension of automated check-in and baggage drop services, and a manual fallback across affected hubs such as Heathrow, Brussels, Berlin and Dublin. Although some systems have been restored, investigations continue, and the precise attribution of the attack remains under scrutiny.
  65. Play ransomware group recently claimed responsibility for a breach of GrammaTech, a U.S. cybersecurity research firm that works with agencies such as DARPA and NASA. Play posted GrammaTech to its dark-web leak site, alleging access to private and confidential data. However, GrammaTech has strongly denied the claim, stating that after a thorough internal review, it found no evidence of a breach or unauthorized access to its systems.
  66. American Income Life (AIL) was allegedly breached in a cyberattack claimed by the INC ransomware group. The attackers say they accessed customer data such as names, dates of birth, addresses, contact details, and insurance policy information. At this time, AIL has not issued a public confirmation of the incident or verified the group’s claims.
  67. 77,771 patients were impacted when Sturgis Hospital in Michigan suffered two security incidents in the past year. The first attack occurred in December 2024, with the more recent incident taking place in June 2025. In both incidents, patient and employee information may have been accessed or exfiltrated during periods of unauthorized access to the hospital’s computer network. Neither attack has been claimed by a ransomware group.
  68. Madison Elementary School District 38 has started notifying 35,000 people of a data breach following a ransomware attack in April 2025. The notification states that the ransomware attack on the network was facilitated by social engineering. Interlock ransomware group took credit for the attack, claiming to have stolen 70 GB of data, which included nearly 49,000 files across 4,247 folders. The proof pack showed the names of these folders which included “Accounts Receivable,” “Gifts & Donations,” “Images,” and “Videos.” MESD has not confirmed these claims made by Interlock.
  69. INC claimed responsibility for a breach at Cardinal Services, a human resources and workforce solutions firm. According to the claim, attackers gained unauthorized access to the network and encrypted data, threatening to dump sensitive personal and financial information, including names, addresses, Social Security numbers, and employment records, unless a ransom is paid. At this time, the full scope of the data exposure is not clear, and the company has not publicly detailed or confirmed the claims.
  70. Coos County Family Health Services announced a data security event that was identified in July. Suspicious activity was observed on its servers and phone systems, which may have resulted in the exposure of sensitive data. It was confirmed that affected files contained patient information. Ransomware group RunSomeWares claimed responsibility for the incident, claiming to have exfiltrated data from the healthcare provider.
  71. Details have been released regarding a breach of an email account of a UNC School of Medicine employee. An investigation revealed that an email account was accessed by an unauthorized third party following a response to a phishing email. The breach was remediated within 15 hours; however, the attacker managed to acquire electronic PHI of patients. It is not clear at this time who is responsible for the incident.
  72. Roush Fenway Keselowski Racing announced that it had fallen victim to a cyberattack in May which led to PHI of employees being exfiltrated. When files were reviewed in August, the company confirmed that exposed information includes names, SSNs, health insurance numbers, and financial account information.
  73. Qilin added the Town of Waxhaw to its leak site after allegedly stealing 619 GB of data. Waxhaw confirmed that it had suffered a cyberattack on Sep 12, 2025. The incident caused “irregularities”, but the town assured residents that no emergency services were affected. Waxhaw also confirmed that cybercriminals were able to access the Town’s servers but stated that it did not have any confirmation that personal data was taken. A proof pack provided by Qilin contains a variety of data including internal reports, police reports and a copy of a passport.
  74. Okuma confirmed that its German subsidiary, Okuma Europe GmbH (OEG), suffered a ransomware attack. The company stated that an unauthorized actor accessed a server and encrypted data, and that there is a possible risk of exfiltration of confidential information and personal data. Okuma is collaborating with external security experts, working to restore impacted systems, and has notified German authorities and police. No other Okuma group companies are currently reported to be affected.
  75. J Group ransomware gang has claimed responsibility for a cyberattack on FAI Aviation Group, a German charter and air ambulance services firm. According to the group’s dark-web post, nearly 3 TB of files were stolen, including patient medical records, internal staff documents (e.g. CVs, passports), aircraft specifications, commercial and project files. So far, FAI has not publicly confirmed the full scope or veracity of the claims.
  76. A ransomware group calling itself Radiant claimed responsibility for breaching Kido International, a nursery chain based in London, asserting it accessed data on over 8,000 children, including names, photos, addresses, and contact information. The group published sample profiles for ten children on their dark web leak site as proof and threatened to escalate the incident by releasing additional records tied to both children and employees. Kido has reportedly acknowledged a “cyber incident” and is working with forensic specialists and authorities, though it has yet to publicly confirm the full scale of the breach.
  77. Boyd Gaming Corporation recently disclosed that it was the target of a cybersecurity breach in which attackers gained access to its internal IT systems and exfiltrated data including employee records and information related to a “limited number of other individuals.” The company states that its casino and hotel operations were not disrupted, and it does not expect a material financial impact from the incident. Boyd Gaming has neither confirmed any ransom demands nor acknowledged involvement of a specific ransomware group.
  78. Residents and employees of Union County in Ohio are being notified that their personal data was compromised during a ransomware attack in May. The hackers stole names, SSNs, driver’s license numbers, financial account information, fingerprint data, medical information, and more. No ransomware gang has taken credit for the attack publicly.
  79. Diamond Electric Holdings recently disclosed that its Thai subsidiary, Thai Diamond & Zebra Electric, was hit by a ransomware attack which led to the encryption of local servers and personal computers. Immediate measures were taken to contain the incident, including disconnecting affected systems. The company is now investigating the extent of the breach, including whether any confidential or personal data was exfiltrated. At this time, no other details relating to the incident have been released.
  80. Asahi Group, one of Japan’s largest beverage producers, was hit by a severe cyberattack that brought operations in its domestic factories to a halt. The attack disabled critical systems such as ordering, delivery, and call center platforms, and forced Asahi to suspend shipments and production across some 30 plants. While the company insists no personal data leaks have been confirmed, it has not fully ruled out the possibility as investigations continue.
  81. Gaylord Specialty Healthcare has started notifying patients about a December 2024 security incident that potentially involved unauthorized access to patient information. A file review confirmed that the unauthorized access to its network involved both PHI and PII of patients. It is not clear at this time who is responsible for the attack, or how many individuals were impacted.
  82. Healthcare Interactive Inc announced that a July 2025 hacking incident involved the exfiltration of files from its network. Investigations confirmed that unauthorized access to its network and data exfiltration from its network took place over a four-day period in July this year. Exposed files contained protected health information such as diagnoses, prescriptions, medical images and health insurance claims.
  83. Medusa ransomware group recently claimed responsibility for a breach of Comcast, alleging it exfiltrated 834.4 GB of corporate data and demanding a $1.2 million ransom to delete the files. To support its claim, Medusa posted 20 screenshots allegedly showing internal files, alongside a massive file listing of 167,121 entries. Comcast has not officially confirmed the breach or the group’s claims.
  84. Albany Gastroenterology Consultants in New York confirmed that a data security breach in November 2024 exposed sensitive personal information of over 55,000 individuals. The incident involved unauthorized access within the healthcare provider’s internal network that disrupted access to certain critical systems. Compromised data includes names and other personal identifiers including SSNs. No known ransomware group has claimed responsibility for the attack.
  85. Clients of billing service provider ApolloMD Business Services confirmed that patient data was exposed during a cyberattack on the third-party company. An investigation determined that an unauthorized actor accessed ApolloMD’s IT environment for one day in May, compromising sensitive information of thousands of individuals across multiple physician practices affiliated with ApolloMD.
