Weekly Ransomware & Breach Recap (Oct 20–26, 2025)
Global rise in cyber incidents (Oct 20–26, 2025): 160+ ransomware victims, 189 breaches & 193 credential leaks hitting government, healthcare & aviation.
Cyber Threat Intelligence Weekly Report
Period: 20 – 26 Oct 2025
Scope: Ransomware + Traditional Breaches (189) + Infostealer Packages (193)
Headline Metrics
| Indicator | Volume | Δ vs prior week |
|---|---|---|
| Ransomware victims | ≥160 (est.) | ↑ slight vs ~152 |
| Traditional breaches | 189 | ↓ 13% (vs 217) |
| Infostealer packages | 193 | ↑ 64% (vs 118) |
| Avg. exfil volume | ~0.8 TB | stable |
| Most-targeted regions | 🇺🇸 US 🇫🇷 FR 🇩🇪 DE 🇬🇧 UK 🇨🇦 CA 🇸🇪 SE 🇮🇪 IE | — |
| Leading crews (by listings) | Qilin · Medusa · Akira · Clop · Everest · Stormous · Lynx · Sinobi | — |

Spotlight incidents (business impact)
| Date | Actor | Victim / Context | Sector | Geo | Why it matters |
|---|---|---|---|---|---|
| 26 Oct | Stormous | French Government & francetravail.fr | Gov / Employment | 🇫🇷 | High public-sector sensitivity; likely data-extortion narrative—validate proofs. |
| 26 Oct | Stormous | Volkswagen | Automotive | 🇩🇪 | Tier-1 brand; potential IP/PII exposure and supply-chain ripple risk. |
| 26 Oct | Qilin | MedImpact Healthcare | PBM / Healthcare | 🇺🇸 | PHI & claims data risk → regulatory notification exposure. |
| 26 Oct | Clop | HARVARD.EDU, WITS.AC.ZA, PANAMERICANSILVER.COM, LKQCORP.COM, CSCGLOBAL.COM, HRSD.COM, AUSENCO.COM, MILGARD.COM, COXENTERPRISES.COM, COPELAND.COM | Higher-ed, mining, mfg, legal, utilities | 🌍 | Broad, high-profile domains—data listings/extortion posture; third-party risk. |
| 26 Oct | Everest | Dublin Airport | Aviation / Transport | 🇮🇪 | Operational sensitivity even if “data-only”; watch passenger ops & partners. |
| 25 Oct | Everest | Svenska Kraftnät | Energy / TSO | 🇸🇪 | Critical infrastructure visibility; regulator/media scrutiny. |
| 26 Oct | Akira | Engineered Profiles; Flegenheimer Intl.; SK group/Za Za Bazaar/TH UK & Ireland | Industrial / Logistics / Hospitality | 🇺🇸🇬🇧 | Operations & supplier data exposure across multiple verticals. |
| 20–26 Oct | Qilin | Mainetti UK; InfraCom Group; City of Sugar Land; Omrin; Zacho-Lind; multiple SMEs | Retail/packaging, MSP, local gov, waste, eng | 🇬🇧🇸🇪🇺🇸🇳🇱🇩🇰 | Extensive public-sector & supplier touchpoints → ripple risk. |
Actor activity (this batch)
| Crew | Notable victims | Themes |
|---|---|---|
| Qilin | MedImpact; Mainetti UK; InfraCom Group; City of Sugar Land; Omrin; Zacho-Lind; many SMEs | Public sector, healthcare, MSPs, industrial supply |
| Medusa | Imagicle (IT); Linxx Global Solutions (US); DALCANS (FR); Adore CFS (US); CE Farmacia (IT); Alissa Group (SA) | Software/UC, defense services, healthcare/pharmacy |
| Akira | Engineered Profiles; Flegenheimer Intl.; Precision Machined Products; Essential Cabinetry Group; MetroWest Community FCU | Manufacturing, logistics, finance |
| Clop | Harvard; WITS; Pan American Silver; LKQ; CSC Global; HRSD; Ausenco; Milgard; Cox Enterprises; Copeland | Higher-ed, mining, manufacturing, legal, utilities |
| Everest | Dublin Airport; Air Arabia; MotorsportMarkt.de; ANIA KRUK; Collins Aerospace narrative | Aviation, aerospace, retail |
| Stormous | French Government; France Travail; Volkswagen; multiple commerce sites | Government, automotive, e-commerce |
| Lynx / Sinobi / Play | Dozens of SMEs and regional entities (US/EU/ME) | Data-extortion & mixed encryption tactics |
Sector impact (roll-up)
| Sector | Examples | Primary risks |
|---|---|---|
| Public sector & education | French Gov / France Travail; Harvard; WITS; City of Sugar Land | PII disclosure, continuity impacts, regulatory actions |
| Healthcare & social services | MedImpact; Adore CFS; clinics (US/CA) | PHI exposure; HIPAA/GDPR notification |
| Aviation & transport | Dublin Airport; Air Arabia; Transdev Limocar (CA) | Ops disruption; partner & traveler data |
| Industrial & supply chain | Mainetti UK; Engineered Profiles; LKQ; Ausenco; Omrin | Production continuity; third-party dependencies |
| Energy/Utilities | Svenska Kraftnät; HRSD (US utilities on list) | Service reliability & compliance scrutiny |
Infostealers — 193 new packages
• What’s trending: big spikes in RedLine/Lumma/Vidar-style logs targeting O365/Entra ID, Okta/SSO, VPN portals.
• Immediate risks: credential replay, MFA fatigue prompts, OAuth abuse → initial access resale.
• Fast checks (today):
  • Force reset for all privileged & service accounts; require phishing-resistant MFA (FIDO2/Passkeys).
  • Audit new OAuth app consents, legacy IMAP/POP, and anomalous geo-logins.
  • Block archive exfil (.zip/.7z) to personal clouds; tighten DLP on SaaS (SharePoint/Drive/Box).
Actions for the next 72 hours
| Priority | Action | Detail |
|---|---|---|
| P1 | Rotate secrets + enforce FIDO2 | Admins, vendors, break-glass; disable SMS/voice where possible; enable number-matching. |
| P1 | Third-party sweep | Ask key suppliers (MSPs, logistics, airports/airlines, healthcare processors) for latest IR/status, CIS hardening evidence, and SBOM/patch posture. |
| P2 | Close exposed mgmt planes | Remove public RDP/SMB/WinRM; lock Exchange/IIS modules; geo-restrict VPN/admin paths; just-in-time access. |
| P2 | Hunt for token/OAuth abuse | Query for new enterprise app grants, unusual refresh-token use, suspicious mail-rules/transport rules. |
| P3 | IR comms kits by vertical | Pre-approved statements + regulator timelines for gov/edu/health/aviation; press Q&A; breach-notice templates. |
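The infostealer "fast checks" above (new OAuth consents, legacy IMAP/POP sign-ins, anomalous geo-logins) and the P2 "Hunt for token/OAuth abuse" action (new app grants, suspicious mail rules) are the same hunt expressed twice. The script below is an added example, not tooling from this report: it runs those four checks over a small set of constructed audit/sign-in events in a simplified Entra ID-like JSON shape. The field names (`type`, `op`, `app`, `country`, `rule`), the `BASELINE_COUNTRIES` set and the one-hour travel window are assumptions to adapt to your own export.

```python
"""Triage helpers for the infostealer / token-abuse checks (added example).

Input: newline-delimited JSON audit and sign-in events in a simplified,
constructed Entra ID-like shape. Field names are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Legacy protocols cannot complete MFA, so replayed stolen credentials work there.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync"}

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_LOG = """
{"ts":"2025-10-24T08:02:11Z","type":"signin","user":"alice@example.com","app":"Browser","country":"IE","ip":"203.0.113.10"}
{"ts":"2025-10-24T08:40:00Z","type":"signin","user":"alice@example.com","app":"Browser","country":"BR","ip":"198.51.100.7"}
{"ts":"2025-10-24T09:15:30Z","type":"signin","user":"bob@example.com","app":"IMAP4","country":"IE","ip":"203.0.113.22"}
{"ts":"2025-10-24T09:20:00Z","type":"audit","op":"Consent to application","user":"bob@example.com","target":"MailSync Helper","permissions":"Mail.ReadWrite offline_access"}
{"ts":"2025-10-24T10:05:00Z","type":"audit","op":"New-InboxRule","user":"alice@example.com","rule":{"ForwardTo":"drop@mailbox.example","DeleteMessage":true}}
{"ts":"2025-10-24T11:00:00Z","type":"signin","user":"carol@example.com","app":"Browser","country":"IE","ip":"203.0.113.30"}
"""

BASELINE_COUNTRIES = {"IE", "GB"}   # assumption: where this org normally signs in from
TRAVEL_WINDOW = timedelta(hours=1)  # two countries for one user inside this window = suspicious


def parse_events(text):
    """Parse NDJSON events and convert the timestamp to a timezone-aware datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def new_oauth_consents(events):
    """New app consents: a stolen browser session can grant one without any MFA prompt."""
    return [e for e in events if e["type"] == "audit" and e["op"] == "Consent to application"]


def legacy_auth_signins(events):
    """Sign-ins over legacy protocols that bypass MFA."""
    return [e for e in events if e["type"] == "signin" and e["app"] in LEGACY_PROTOCOLS]


def anomalous_geo(events, baseline=BASELINE_COUNTRIES, window=TRAVEL_WINDOW):
    """Flag sign-ins outside the baseline countries, and same-user hops between
    two countries within `window` (impossible travel). Returns (label, event) pairs."""
    findings = []
    seen = defaultdict(list)  # user -> sign-ins in time order
    signins = sorted((e for e in events if e["type"] == "signin"), key=lambda x: x["ts"])
    for e in signins:
        if e["country"] not in baseline:
            findings.append(("outside_baseline", e))
        prev = seen[e["user"]]
        if prev and prev[-1]["country"] != e["country"] and e["ts"] - prev[-1]["ts"] <= window:
            findings.append(("impossible_travel", e))
        prev.append(e)
    return findings


def suspicious_mail_rules(events):
    """Inbox rules that forward mail or silently delete it: classic post-compromise persistence."""
    out = []
    for e in events:
        if e["type"] == "audit" and e["op"] == "New-InboxRule":
            rule = e.get("rule", {})
            if rule.get("ForwardTo") or rule.get("DeleteMessage"):
                out.append(e)
    return out


def triage(text):
    """Run all four checks over an NDJSON export and return the findings by category."""
    events = parse_events(text)
    return {
        "oauth_consents": new_oauth_consents(events),
        "legacy_auth": legacy_auth_signins(events),
        "geo": anomalous_geo(events),
        "mail_rules": suspicious_mail_rules(events),
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(hits)} finding(s)")
        for hit in hits:
            print("   ", hit)
```

On the constructed sample, the script surfaces one consent grant (bob's "MailSync Helper" with `Mail.ReadWrite offline_access`, the shape of grant that survives a password reset), one IMAP4 sign-in, alice's Brazil sign-in both as outside-baseline and as impossible travel 38 minutes after an Irish sign-in, and alice's forward-and-delete inbox rule. Treat each category as a queue to work, in that order: revoke the consent and refresh tokens first, then disable the legacy protocol, then review the sessions and the rule.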