Weekly Ransomware & Breach Recap (Nov 07–16, 2025)
Cyber Threat Intelligence Weekly Report
• Period: 7 – 16 Nov 2025
• Scope: Ransomware listings + Traditional breaches: 206 + Infostealer packages: 219 (dataset supplied)
📊 Headline Metrics
| Indicator | Volume | Δ vs prior comparable window |
|---|---|---|
| Traditional breaches (reported) | 206 | Large surge (dataset) |
| Infostealer packages (reported) | 219 | Significant — broadening stealer ecosystem |
| Ransomware listings | High (multiple hundreds in feed) | Sustained high tempo |
| Avg. exfil volume (observed) | Varies — many undisclosed | — |
| Most-targeted regions (by count) | 🇺🇸 United States · 🇨🇦 Canada · 🇬🇧 United Kingdom · 🇮🇹 Italy · 🇸🇪 Sweden · 🇲🇽 Mexico · 🇯🇵 Japan | — |
| Leading crews (by volume/listings) | Qilin · Clop · Akira · Everest · Incransom · Medusa · Play · Nova · BlackShrantac · SpaceBears | — |

Spotlight incidents (selected high-impact claims)
Selected from the supplied feed; dates are the feed timestamps.
| Date | Actor | Victim / Context | Sector | Geo | Why it matters |
|---|---|---|---|---|---|
| 13–15 Nov | Clop | DARTMOUTH.EDU; FLUKE.COM; VITAMIX.COM; NHS.UK; GLOBALLOGIC.COM; MARITZ.COM | Higher Ed, industrial devices, consumer brands, national health | 🇺🇸 🇬🇧 🇩🇪 | High-profile corporate & public-sector domains → reputational & supply-chain risk; potential regulator scrutiny. |
| 11 Nov | Everest | Dublin Airport – DB sold; Collins Aerospace / RTX.com – DB leaked | Aviation, aerospace | 🇮🇪 🇺🇸 | Aviation/aerospace data leaks risk operational, safety, and 3rd-party exposure. |
| 13–16 Nov | Qilin | Maresa Logística; Trigg Laboratories; Microbix / medical; Fundidora de Cananea; Gullco International; Hitzinger | Logistics, labs, manufacturing, mining | 🇪🇸 🇺🇸 🇲🇽 🇦🇹 🇨🇦 | Logistics & industrial systems repeatedly targeted — potential supply-chain disruptions. |
| 10–14 Nov | Akira / Play | Aero Precision; BK Precision; Buffalo Games/Edaron/Ceaco; Engineered Profiles; Ami Bearings | Manufacturing, precision engineering | 🇺🇸 | Manufacturing exposure could cause production/fulfillment delays and IP risk. |
| 11–15 Nov | Incransom / BlackShrantac / Nova | Forensic labs, schools, tax/legal firms, multinational service providers | Education, legal/tax, healthcare | 🇺🇸 🇦🇺 🇨🇦 🇸🇬 | High distribution of PII/PHI and third-party provider risk. |
| 12–15 Nov | WorldLeaks / TheGentlemen / Brotherhood / SpaceBears | UNOde50, United Enterprise Fund, multiple SMBs and retailers | Retail, financial, SMBs | 🌍 | Broad-based victim set indicates opportunistic scanning + mass exploitation. |
Actor behaviour & notable patterns
• Clop: Continues domain-level pressure with notable enterprise and public-sector targets (education, consumer brands, industrial vendors).
• Qilin: Heavy on healthcare/dental/labs, logistics, SMB industrials — consistent with prior observations of opportunistic lateral access into supply chains.
• Akira / Play: Focus on manufacturers, tooling, and local service providers — suggests targeting of OT-adjacent environments and compensation-driven extortion.
• Everest: High-visibility claims against aviation/critical infrastructure — useful for noise campaigns to drive negotiation leverage.
• Infostealer surge (219 packages): Rapid commoditization of credential/host-stealing capabilities — increases downstream access brokers and tailoring of phishing campaigns.
Sector roll-up (impact snapshot)
| Sector | Examples (from feed) | Primary risks |
|---|---|---|
| Healthcare / Medical labs | Trigg Laboratories; Middlesex Endodontics; Heart South Cardiovascular; forensicmed.com | PHI exposure → breach notifications, regulatory fines, patient trust erosion |
| Education / Public sector | Dartmouth, Dublin Airport DB effects, schools (killinglyschools, Clackamas CC) | Student/staff data exposure; service disruption; public scrutiny |
| Manufacturing & Industrial | Aero Precision; BK Precision; Econo-Pak; Ami Bearings; Marine Turbine | Production downtime; IP theft; supply-chain ripple effects |
| Aviation / Transport / Logistics | Dublin Airport, Collins Aerospace, Spark Power, Stark Shipping | Operational risk; partner cascade impacts |
| Legal / Finance / Insurance | Kaan Cronenberg & Partners; Valley Banks; MultistateTax Inc | Privileged data, financial records, compliance exposure |
| Retail / Consumer | UNOde50; VITAMIX.COM; FullBeauty Brands | Brand risk, customer PII, chargeback fraud risk |
Recommended 72-hour operational playbook
| Priority | Action | Why |
|---|---|---|
| P1 — Containment & Attribution | Triage inbound IOCs from this feed (domains, IPs, hashes). Block known C2/paste hosts at perimeter and ingest into EDR/XDR. | Immediately reduce lateral movement and data exfil channels. |
| P1 — Critical identity controls | Enforce passwordless/FIDO2, enable conditional access (device posture, IP rules), revoke stale OAuth tokens and service principals. | Most intrusions start with compromised credentials and stale tokens. |
| P1 — Third-party / supply chain checks | Contact key suppliers (MSPs, logistics, legal, labs) for attestations: incident status, EDR deployed, MFA status, recent patches. | Attackers exploit partner trust; early supplier confirmation limits blast radius. |
| P2 — Data protection & detection | Apply DLP rules to exports of archives (zip/7z/rar) and to unusual cloud destinations; tune alerts for large DB exports and unusual SQL dumps. | Mitigates infostealer and bulk-exfiltration campaigns. |
| P2 — IR preparedness | Prepare sector-specific regulator notification templates (healthcare/education/finance), takedown contacts, and customer comms. | Speeds legal/comms response if breach confirmed. |
| P3 — Recovery & resilience | Validate immutable backups, run restore tests for critical systems, and test recovery runbooks for OT/ICS if applicable. | Ensures RTO/RPO targets can be met if encryption occurs. |
| P3 — Hunting & intel | Hunt for Cobalt Strike, Kerberoasting, shadow admin accounts, and newly created admin accounts in the past 90 days. | Proactive detection reduces dwell time. |
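As an added example for the P3 hunting item (not part of this report or its feed), the following script applies the "newly created admin accounts in the past 90 days" hunt to constructed Windows Security events. It assumes events have already been exported to dicts with the standard field names (EventID, TargetUserName, MemberName, SubjectUserName) and uses the well-known IDs 4720 (account created) and 4728/4732 (member added to a global/local group); the admin group names and the sample accounts are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events, not taken from the report's feed. Fields mirror
# Windows Security log IDs: 4720 = user account created, 4728 = member added
# to a global group, 4732 = member added to a local group.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2025-11-02T08:11:00Z", "TargetUserName": "svc-backup2", "SubjectUserName": "it.admin"},
    {"EventID": 4728, "Time": "2025-11-02T08:12:30Z", "MemberName": "svc-backup2", "TargetUserName": "Domain Admins", "SubjectUserName": "it.admin"},
    {"EventID": 4720, "Time": "2025-06-14T10:00:00Z", "TargetUserName": "j.doe", "SubjectUserName": "hr.onboard"},
    {"EventID": 4732, "Time": "2025-11-10T22:47:05Z", "MemberName": "j.doe", "TargetUserName": "Administrators", "SubjectUserName": "j.doe"},
    {"EventID": 4728, "Time": "2025-03-01T09:00:00Z", "MemberName": "ops.lead", "TargetUserName": "Domain Admins", "SubjectUserName": "it.admin"},
    {"EventID": 4720, "Time": "2025-11-12T03:05:00Z", "TargetUserName": "helpdesk-tmp", "SubjectUserName": "SYSTEM"},
]

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed privileged groups
REPORT_END = datetime(2025, 11, 16, tzinfo=timezone.utc)  # end of the reporting window

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def hunt_admin_changes(events, now=REPORT_END, window_days=90):
    """Split admin-group additions inside the window into two lists:
    new_admins: the account itself was also created inside the window;
    late_elevations: an older account was elevated (candidate shadow admin).
    Each hit also flags self-elevation (the acting account is the member added)."""
    cutoff = now - timedelta(days=window_days)
    created = {e["TargetUserName"]: e for e in events if e["EventID"] == 4720}
    new_admins, late_elevations = [], []
    for e in events:
        if e["EventID"] not in (4728, 4732) or e["TargetUserName"] not in ADMIN_GROUPS:
            continue
        if parse_time(e["Time"]) < cutoff:
            continue  # group change is outside the hunt window
        member = e["MemberName"]
        hit = {"account": member, "group": e["TargetUserName"], "added_at": e["Time"],
               "added_by": e["SubjectUserName"], "self_added": e["SubjectUserName"] == member}
        c = created.get(member)
        if c is not None and parse_time(c["Time"]) >= cutoff:
            hit["created_at"] = c["Time"]
            new_admins.append(hit)
        else:
            late_elevations.append(hit)
    return new_admins, late_elevations

if __name__ == "__main__":
    new, late = hunt_admin_changes(SAMPLE_EVENTS)
    for h in new:
        print("NEW ADMIN      ", h)
    for h in late:
        print("LATE ELEVATION ", h)
```

Accounts created in the window but never added to an admin group (helpdesk-tmp above) are not flagged here; they belong in a separate review of dormant or unused accounts.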