Global surge in cyberattacks (Oct 5–13, 2025)
Global Cyber Threat Intelligence Summary
• Period: 05–13 Oct 2025
• Scope: Ransomware feed + traditional breaches (331) + infostealer packages (146)
📊 Headline Metrics
| Indicator | Volume | Δ vs. previous week |
|---|---|---|
| Ransomware victims | >120 | ↑ +18% |
| Traditional breaches | 331 | ↑ +102% |
| Infostealer packages | 146 | ↑ +42% |
| Average leak size | 0.9 TB | ↑ steady |
| Most targeted regions | 🇺🇸 US, 🇫🇷 FR, 🇨🇦 CA, 🇪🇸 ES, 🇯🇵 JP | |
| Top active crews | Qilin, Akira, Sinobi, Incransom, Medusa, Obscura, CoinBaseCartel, DragonForce | |
Ransomware Highlights
Critical & High-Impact Cases
| Victim | Group | Country | Sector | Leak Size / Notes |
|---|---|---|---|---|
| Ministerio de Salud (AR) | Nova | 🇦🇷 | Government / Healthcare | 2M+ patient records (vaccine data) |
| North Stonington Elementary School (US) | Interlock | 🇺🇸 | Education | ~3 TB of student data exposed |
| Undefasa (ES) | BlackNevas | 🇪🇸 | Industrial / Ceramics | 2.3 TB leak |
| Furuno Electric (JP) | Rhysida | 🇯🇵 | Maritime / Electronics | Corporate R&D, HR data |
| DSV (DK) | CoinBaseCartel | 🇩🇰 | Logistics / Transport | Global logistics provider hit |
| Kuehne + Nagel (CH) | CoinBaseCartel | 🇨🇭 | Logistics | 82,000 employees, 1,300 sites impacted |
| Borrowell (CA) | CoinBaseCartel | 🇨🇦 | Financial | Consumer credit firm |
| Ministry of Education, France (hautsdefrance.fr) | Qilin | 🇫🇷 | Government / Education | Passport & school incident reports |
| T. Choithram & Sons (UAE) | BlackNevas | 🇦🇪 | Retail / Food Distribution | IT staff docs, SQL data, passports |
| Shape Corp (US) | Nova | 🇺🇸 | Automotive Manufacturing | Engineering data, CAD files, OEM vendors |
| Balfour Beatty (US) | Incransom | 🇺🇸 | Construction / Infrastructure | Corporate files & contracts |
| Lux Actuaries (AE) | Medusa | 🇦🇪 | Financial / Insurance | 928 GB leak across multiple countries |
| Termotasajero (CO) | Sinobi | 🇨🇴 | Energy | Power generation, employee data |
| ROXU Group (ES) | SpaceBears | 🇪🇸 | Construction / Heavy Industry | Industrial & financial data |
| Mandom Corp (JP) | WorldLeaks | 🇯🇵 | Manufacturing / Cosmetics | Confidential brand & HR data |
| Mercante Tubos (BR) | AlphaLocker | 🇧🇷 | Industrial / Steel | Manufacturing & supply data |
| SourceOne Corporation (US) | Qilin | 🇺🇸 | Infrastructure / Fiber | OSP & ISP project data |
| Telstra (AU) | ShinyHunters | 🇦🇺 | Telecom | National data leak |
| Red Hat (US) | ShinyHunters | 🇺🇸 | Software / IT | Corporate repo exposure (unverified) |
| Qantas Airways (AU) | ShinyHunters | 🇦🇺 | Aviation | Flight & customer data exposure |
Continent Activity Summary
| Continent | % Victims | Dominant Groups | Top Sectors |
|---|---|---|---|
| North America | 44% | Akira, Sinobi, Incransom | Healthcare, Education, Manufacturing |
| Europe | 29% | Qilin, DragonForce, Obscura | Industrial, Legal, Logistics |
| Asia | 17% | Handala, Medusa, Nova | Energy, Finance, Government |
| South America | 6% | Nova, Sinobi | Healthcare, Industrial |
| Africa | 3% | Brotherhood, Sinobi | Government, Logistics |
| Oceania | 1% | Akira, ShinyHunters | Legal, Aviation |
Observed Trends
1. CoinBaseCartel emerges — coordinated leaks targeting global logistics firms (DSV, Kuehne + Nagel, PLC Trans).
2. Obscura posts 7 new small-to-mid-size victims (US, DK, PT, MY).
3. Handala escalates ideological campaigns with RedWanted leaks (Israel-related targets).
4. Sinobi dominates healthcare & construction sectors with >20 US victims.
5. ShinyHunters posts high-profile claims (Red Hat, Telstra, Qantas, Albertsons).
6. Akira maintains steady industrial & legal-sector targeting pattern.
7. Data volumes ballooning: 5 cases >1 TB; 30+ cases between 100 and 800 GB.
Traditional Breaches & Infostealer Surge
• 331 non-ransomware breaches, primarily credential-stuffing and exposed S3/cloud buckets.
• 146 new infostealer packages, focusing on RedLine, Lumma, Vidar forks, targeting:
- Crypto & finance platforms
- SMB Office 365 tenants
- Developer environments (GitHub, Jira, Slack tokens)
Near-Term Risks
• Credential replay surge from stealer logs; expect rise in BEC & lateral phishing.
• Fake “breach alert” phishing leveraging ShinyHunters brand names.
• Supply chain compromise through shared ERP/CRM vendors in logistics sector.
• Healthcare & education remain prime ransomware targets.
Recommended Defenses
1. Reset & revoke credentials found in stealer datasets (focus on O365, VPN, AWS).
2. Strengthen DLP for exfiltration of patient or student data.
3. Geofencing + conditional access for administrative logins.
4. Vendor risk alerts for logistics, education, healthcare suppliers.
5. Incident tabletop for ransomware communication & regulator notification readiness.
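As a worked illustration of defense #1 (and of the credential-replay risk noted above), the following added example, which is not part of the original summary, triages a batch of stealer-log credential records against a corporate domain and produces a per-account list of systems whose credentials need resetting or revoking. It assumes a simplified `url|username|password` export format and the hypothetical domain `example-corp.com`; both the format and every record below are constructed for the example, since real stealer dumps vary by malware family and by intelligence vendor. Priority hostnames for O365 and AWS logins are the real public sign-in hosts; the `vpn.` naming convention and the GitHub tag are assumptions.

```python
"""Triage infostealer-log credentials to drive reset/revoke actions.

Added example, not from the original report. Assumes a constructed
"url|username|password" line format and a hypothetical corporate domain.
Passwords are never emitted: the output is a list of accounts and the
system tags (O365, VPN, AWS, DEV_SAAS, ...) each one needs actioned on.
"""
from urllib.parse import urlparse

# Constructed sample records; none of these are real credentials.
SAMPLE_RECORDS = """\
https://login.microsoftonline.com/|alice@example-corp.com|Winter2025!
https://vpn.example-corp.com/remote/login|bob|Passw0rd
https://console.aws.amazon.com/console/home|carol@example-corp.com|aws-secret
https://github.com/login|dave@example-corp.com|hunter2
https://shop.example.net/account|random@gmail.com|notours
https://login.microsoftonline.com/|alice@example-corp.com|Winter2025!
this line is malformed and must not crash the run
"""

# Hostnames that map to the systems the summary prioritises for resets.
# The O365 and AWS hosts are real sign-in endpoints; the DEV_SAAS tag for
# github.com reflects the "developer environments" targeting noted above.
PRIORITY_HOSTS = {
    "login.microsoftonline.com": "O365",
    "console.aws.amazon.com": "AWS",
    "signin.aws.amazon.com": "AWS",
    "github.com": "DEV_SAAS",
}

# Order in which actions should be worked: identity provider first, then
# remote access, then cloud consoles, then developer SaaS and the rest.
RESET_PRIORITY = ["O365", "VPN", "AWS", "DEV_SAAS", "CORP_OTHER", "THIRD_PARTY"]


def classify_host(host, corp_domain):
    """Return a system tag for a captured login host, or None if unrelated."""
    if host in PRIORITY_HOSTS:
        return PRIORITY_HOSTS[host]
    if host == corp_domain or host.endswith("." + corp_domain):
        # Assumption: the corporate VPN portal lives under a vpn. hostname.
        return "VPN" if host.startswith("vpn.") else "CORP_OTHER"
    return None


def parse_records(text):
    """Yield (host, username) pairs; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # keep triage running on a partially corrupt dump
        url, user, _password = parts  # password is read but never stored
        host = (urlparse(url).hostname or "").lower()
        yield host, user.strip().lower()


def triage(text, corp_domain):
    """Map each affected account to the sorted list of system tags to reset.

    A corporate identity seen on an unrelated external site is still kept
    (tagged THIRD_PARTY) because it signals likely password reuse.
    Records that are neither a corporate host nor a corporate user are dropped.
    """
    corp_domain = corp_domain.lower()
    actions = {}
    for host, user in parse_records(text):
        tag = classify_host(host, corp_domain)
        user_is_corp = user.endswith("@" + corp_domain)
        if tag is None:
            if not user_is_corp:
                continue
            tag = "THIRD_PARTY"
        actions.setdefault(user, set()).add(tag)
    return {u: sorted(tags) for u, tags in sorted(actions.items())}


def work_queue(actions):
    """Flatten triage output into (user, tag) pairs ordered by RESET_PRIORITY."""
    rank = {tag: i for i, tag in enumerate(RESET_PRIORITY)}
    pairs = [(user, tag) for user, tags in actions.items() for tag in tags]
    return sorted(pairs, key=lambda p: (rank.get(p[1], len(rank)), p[0]))


if __name__ == "__main__":
    for user, tag in work_queue(triage(SAMPLE_RECORDS, "example-corp.com")):
        print(f"{tag:<12} reset/revoke for {user}")
```

Run against a real feed, the `triage` output is the input to the identity team's reset job and to session/token revocation for the O365 and AWS entries; the duplicate `alice` record collapses to one action, and the unrelated Gmail account is dropped so analysts only see accounts the organisation can actually act on.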