Weekly Ransomware & Breach Recap (Oct 27 – Nov 2, 2025)
Discover ransomware attacks and breaches from Oct 27 – Nov 2, 2025, targeting governments, energy, research, and enterprises, with escalating multi-TB data leaks.
Cyber Threat Intelligence Weekly Report
• Period: 27 Oct – 2 Nov 2025
• Scope: Ransomware claims (user feed); traditional breaches & stealer packs not supplied for this set
📊 Headline Metrics
| Indicator | Volume | Δ vs prior week |
|---|---|---|
| Ransomware victims | High (triple-digit) | ~flat vs last week’s high activity |
| Traditional breaches | Not provided in this batch | — |
| Infostealer packages | Not provided in this batch | — |
| Avg. exfil volume | Varies; often undisclosed | — |
| Most-targeted regions | 🇺🇸 US 🇪🇸 ES 🇫🇷 FR 🇩🇪 DE 🇨🇦 CA 🇬🇧 UK 🇯🇵 JP | — |
| Leading crews (by listings) | Qilin · Akira · Medusa · Clop · Play · Sinobi · Everest · BlackShrantac · Incransom · Lynx | — |
Spotlight incidents (business impact)
| Date | Actor | Victim / Context | Sector | Geo | Why it matters |
|---|---|---|---|---|---|
| 27–31 Oct | Clop | HARVARD.EDU; WITS.AC.ZA; PANAMERICANSILVER.COM; LKQCORP.COM; CSCGLOBAL.COM; HRSD.COM; AUSENCO.COM; COXENTERPRISES.COM; MILGARD.COM; COPELAND.COM; DAVIDYURMAN.COM | Higher-ed, mining, mfg, legal, utilities, retail | 🌍 | High-profile domain roster → reputational pressure & third-party risk reviews. |
| 28–31 Oct | Akira | Engineered Profiles; Buffalo Games/Edaron/Ceaco; Econo-Pak; BK Technologies; Bridgehead I.T.; Wright-Gardner Insurance; Architectural Systems; RPI Roofing; The Gerson | Industrial, CPG, electronics, MSP, insurance | 🇺🇸/🇩🇪 | Deep supply-chain touchpoints; potential ops impact. |
| 27–30 Oct | Qilin | Deco Dental; Suarez & Menéndez; Disseny Dental; Price & Ramey Insurance; Truro Cannabis; Microbix Biosystems; Enessance Holdings; Malibu Boats AU; Lorber Greenfield & Polito; Halifax (K-12) VA | Healthcare/dental, legal, insurance, cannabis, biotech, education | 🇺🇸🇪🇸🇨🇦🇯🇵🇦🇺 | PHI/PII exposure + regulatory notifications; education sector risk. |
| 27–30 Oct | Everest | AT&T Careers (db claim); Dublin Airport (sale claim); MotorsportMarkt.de; ANIA KRUK | Telecom, aviation, auto, retail | 🇺🇸🇮🇪🇩🇪🇵🇱 | Even “data-only” claims can drive ops/comms issues; aviation sensitivity. |
| 30–31 Oct | WorldLeaks / Obscura | Lidera Network (ES); Kobayashi (JP); Central Plate Services (UK); New Toyo Int’l (SG) | ISP/tech, industrial, packaging | 🌍 | Cross-region exposure; check supplier dependencies. |
| 29–31 Oct | BlackShrantac | CCI Tax Pros; The Matlusky Firm; TENAX Law Group; CyPark Resources Berhad; Eligibility Tracking Calculators | Tax/legal; energy | 🇺🇸🇲🇾 | Legal/financial data sensitivity and trust erosion. |
| 28–29 Oct | Rhysida | Gemini Group; Bellflower USD; Spindletop Center; Abilene Family Medical | Manufacturing; education; behavioral health | 🇺🇸 | Education & healthcare records risk; mandated reporting windows. |
| 31 Oct – 2 Nov | Nova / Devman | Castilla (dup listings); masked gov/edu/health domains; “juntalocal.cdmx.gob.mx” | Gov / municipal | 🇲🇽 | Public-sector exposure—citizen data, legal deadlines. |
Actor activity (this batch)
| Crew | Notable victims | Themes observed |
|---|---|---|
| Qilin | Deco Dental; Disseny Dental; Price & Ramey; Halifax K-12; Microbix; Enessance; Malibu Boats AU; legal/SMB mix | Persistent hits on healthcare/dental, SMBs, education, and insurance. |
| Akira | Engineered Profiles; Buffalo Games/Ceaco; Econo-Pak; BK Technologies; Bridgehead IT; RPI Roofing | Industrial & supply chain focus; MSPs as access multipliers. |
| Medusa | Adore Children & Family Services; CE Farmacia (IT); Alissa Group (SA); ATIRG | Social services / pharmacy / regional conglomerates. |
| Clop | Harvard; WITS; Pan American Silver; LKQ; Cox Enterprises; HRSD; Ausenco; CSC Global; Milgard; Copeland | High-leverage domain pressure; extortion via brand impact. |
| Play / Sinobi | Manufacturers, hospitality (Post Ranch Inn), retail/optical clinics | Mixed encryption + data-leak narratives. |
| Everest | Dublin Airport & Air Arabia sale claims; MotorsportMarkt.de; ANIA KRUK | Aviation and retail visibility plays; verify provenance. |
| BlackShrantac / Incransom / Lynx | Legal/finance; logistics; nationalcoatingsinc.com | Regional SMBs + infra suppliers. |
Sector roll-up
| Sector | Examples | Primary risks |
|---|---|---|
| Public sector & education | Halifax K-12; Bellflower USD; MX “juntalocal” | PII exposure, disruption of services, strict disclosure clocks. |
| Healthcare & dental | Deco Dental, clinics; Abilene Family Medical; Spindletop Center | PHI, HIPAA/GDPR notifications; downstream insurance impact. |
| Industrial & manufacturing | Engineered Profiles; Econo-Pak; Buffalo Games/Ceaco; Saxun (ES) | Production downtime; supplier data leakage; IP exposure. |
| Aviation/transport | Dublin Airport (claim); TMF Logistics; Bayu Buana Travel | Ops & safety comms, partner coordination. |
| Finance/legal | Law firms (TENAX, Matlusky, Riddell); Hometown CU; Price & Ramey | Legal privilege waivers, financial data compromise. |
72-hour action plan
| Priority | Action | Detail |
|---|---|---|
| P1 | Vendor exposure sweep | Contact MSPs, logistics/air, legal/tax partners for incident attestation, EDR coverage, patch status, and MFA/FIDO2 enforcement. |
| P1 | SaaS/OAuth audit | Review new app consents, transport rules, anomalous sign-ins; revoke stale tokens; disable legacy auth. |
| P1 | Geo/IP hardening | Geo-restrict admin planes (VPN, RDP, PAM); enforce just-in-time access and device posture checks. |
| P2 | Data-egress controls | DLP for archives to personal clouds; throttle outbound to paste/anon hosts; alert on large 7z/ZIP to new destinations. |
| P2 | IR comms kits | Pre-approved statements & regulator templates for edu/health/public verticals; media Q&A and takedown playbook. |
| P3 | Backups & recovery drills | Immutable backups tested against Akira/Qilin TTPs (double-extortion: exfiltration plus encryption); validate RTO/RPO against crown-jewel systems. |
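The P2 egress control above ("alert on large 7z/ZIP to new destinations") can be turned into a simple detection rule. The following is an added example, not code from the report: it learns a per-host set of routine upload destinations from a baseline window, then flags archive uploads above a byte threshold to any destination that host has not used before. Log format, hostnames, destinations and the 500 MB threshold are all constructed for the example.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")  # ts host method dst bytes file
ARCHIVE_RE = re.compile(r"\.(7z|zip|rar|tar\.gz|tgz)$", re.IGNORECASE)

# Constructed baseline window: destinations each host normally uploads to.
HISTORY_LOGS = """\
2025-10-20T08:00:00Z ws-fin-07 PUT files.corp.example 120000 ledger.xlsx
2025-10-21T08:05:00Z srv-db-02 PUT backup.corp.example 800000000 nightly.zip
"""
# Constructed review-window lines in the same format.
SAMPLE_LOGS = """\
2025-10-28T09:12:01Z ws-fin-07 PUT files.corp.example 4800000 q3-report.xlsx
2025-10-28T09:40:22Z ws-fin-07 PUT files.corp.example 2400000000 backup-2025.7z
2025-10-28T22:05:13Z ws-fin-07 POST transfer.anon-host.example 3100000000 finance-archive.7z
2025-10-29T01:17:44Z srv-db-02 PUT drop.unknown-cloud.example 900000000 db-dump.zip
2025-10-29T02:00:00Z srv-db-02 PUT backup.corp.example 850000000 nightly.zip
"""

def parse_line(line):
    """Parse one log line into a dict; return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, method, dst, nbytes, fname = m.groups()
    return {"ts": ts, "host": host, "method": method, "dst": dst, "bytes": int(nbytes), "file": fname}

def build_baseline(history_text):
    """Per-host set of destinations seen during the baseline window."""
    baseline = defaultdict(set)
    for line in history_text.splitlines():
        ev = parse_line(line)
        if ev:
            baseline[ev["host"]].add(ev["dst"])
    return baseline

def find_suspicious_egress(log_text, baseline, min_bytes=500_000_000):
    """Alert on archive uploads of at least min_bytes to a destination new for that host."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["bytes"] < min_bytes:
            continue
        if not ARCHIVE_RE.search(ev["file"]):
            continue  # only archive formats are in scope for this rule
        if ev["dst"] in baseline.get(ev["host"], set()):
            continue  # routine destination for this host (e.g. nightly backup target)
        alerts.append(ev)
    return alerts
```

Run on the constructed data, the rule suppresses the 2.4 GB archive to the finance team's usual file share and the nightly database backup, and raises alerts only for the two uploads to destinations neither host has used before.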