Ransomware and Supply Chain Attacks Neared Records in November
Summary: Ransomware and supply chain attacks reached their second-highest levels on record in November, rising for the seventh consecutive month. Groups such as Qilin and Akira led attacks on U.S. manufacturing, professional services, and construction targets. Recommended responses include stronger vulnerability management, network segmentation, and data encryption.
2025-12-03 11:46:09 Author: cyble.com

Ransomware and supply chain attacks hit their second-highest levels ever in November, and the attack types are overlapping in concerning ways.

Ransomware attacks hit their second-highest levels on record in November, as the number of attacks rose for the seventh consecutive month. 

The 640 ransomware attacks recorded by Cyble in November 2025 are second only to February 2025’s record totals (chart below). 

[Chart: ransomware attacks by month]

Ransomware groups are increasingly targeting software supply chain vulnerabilities, which has contributed to a doubling of supply chain attacks since April 2025. Cyble dark web researchers documented 38 supply chain attacks in November, just below the record set the previous month (chart below). Ransomware groups claimed 22 of those attacks, or 58%, down from 73% in October. 

[Chart: supply chain attacks by month]

Despite CL0P’s mass exploitation of Oracle E-Business Suite vulnerabilities, Qilin once again led all ransomware groups in claimed attacks with 127, followed by Akira at 103. CL0P, INC Ransom and Play rounded out the top five (chart below). 

[Chart: claimed attacks by ransomware group]

The U.S. remains by far the most attacked country: its 356 ransomware attacks are roughly ten times the number recorded in second-place Canada, which was followed by the UK, Germany, India, and Italy (chart below).

[Chart: ransomware attacks by country]

Construction, Professional Services, and Manufacturing were the most attacked sectors in November, followed by Healthcare, Energy & Utilities, and IT (chart below). 


[Chart: ransomware attacks by sector]

Major Ransomware Incidents in November 

November was noteworthy for the number of ransomware attacks targeting critical sectors and the IT supply chain, with several groups claiming exfiltration of sensitive documents such as project and technical documentation. 

Below are some of the more concerning incidents recorded by Cyble in November. 

INC Ransom claimed responsibility for breaching a U.S.-based emergency alert system, including exfiltrating approximately 1.15 TB of data before deploying encryption. To substantiate its claim, INC Ransom published several samples, including CSV files with client-related data. The group also released two screenshots allegedly showing unsuccessful negotiation attempts.

The Akira ransomware group claimed responsibility for a cyberattack targeting a major South Korea–based manufacturer of lithium-ion batteries for electric vehicles, energy storage systems, mobility platforms, and consumer electronics. According to the group, the stolen data includes 1.67TB of corporate documents and 46GB of SQL databases. In addition to extensive employee personal information, Akira also claimed to possess confidential project documentation, NDAs, financial records, client and partner information, and a wide range of contractual materials. 

The Everest ransomware group claimed an attack on a major South American energy company as well as a U.S.-based provider of geophysical data acquisition services for the oil and gas industry. Everest published sample files showing access to survey reports and geophysical operational data. Based on the nature and context of the leaked samples, the U.S. company may have been the primary compromised entity.

Akira claimed a cyberattack targeting a U.S.-based manufacturer of high-density, modular, and rugged embedded computing systems, servers, and switches used across defense, aerospace, and other industrial sectors. According to the group's statement, it exfiltrated a range of corporate and client documents, including detailed project information, financial data, and confidential military-related materials.

Akira also claimed responsibility for a cyberattack on a U.S.-based industrial services and contracting company that provides construction, maintenance, and engineering solutions to the energy, marine, and industrial sectors. Akira allegedly stole a large volume of corporate and employee data, including contracts, non-disclosure agreements (NDAs), client information, technical drawings, and operational data. 

Other alleged Akira victims included two U.S.-based construction and infrastructure companies, one of them an engineering and project-management firm supporting railway signaling, train control, and transportation infrastructure projects from which Akira claimed to have exfiltrated NDAs, contracts and agreements, and project documentation. 

Akira also claimed to have exfiltrated confidential technical documentation and other sensitive data from a U.S.-based electric cooperative that provides power distribution, grid maintenance, and energy services to residential and commercial customers in Mississippi. 

Qilin claimed responsibility for attacks targeting water management authorities in Florida and California, and a Canada-based provider of high-precision GNSS positioning technologies, navigation systems, and geospatial solutions used across autonomous systems, aerospace, agriculture, and surveying. 

Qilin also claimed to have stolen sensitive data from the European subsidiary of a Japan-based construction, engineering, and real estate development company. 

Another Qilin attack allegedly targeted a U.S.-based company that provides remote power management, network monitoring, and out-of-band control technologies used across data centers, telecommunications, industrial operations, and critical infrastructure environments. The ransomware group published several sample files showing alleged access to financial documents, customer digital key letters, nondisclosure agreements, and additional internal corporate materials, suggesting exposure of both sensitive business information and potentially downstream client environments. 

Qilin also claimed an attack on a Florida regional airport. Sample files showed access to scanned employee IDs, aviation alerts and notices, airport blueprints, internal operational documents, financial records, and additional employee-related data. 

The Devman ransomware group claimed responsibility for breaching a Georgia entity responsible for maintaining court records, real estate filings, and critical legal documentation services across the U.S. state. Shared samples suggest potential access to internal applications supporting electronic filings, payment systems, certification systems, and core data warehouses. 

The DragonForce ransomware group claimed an attack on a major telecom services provider in the United Arab Emirates, exfiltrating more than 44 GB of data. 

The Sinobi ransomware group claimed responsibility for a cyberattack targeting an India-based company that provides IT services, digital engineering, cloud transformation, data analytics, product engineering, and managed services for global enterprise clients across sectors such as finance, healthcare, manufacturing, and retail. According to the group, approximately 450GB of data were allegedly stolen, including confidential documents, contracts, customer data, and financial records. 

The Anubis ransomware group leaked more than 1TB of data allegedly stolen from a U.S.-based automotive manufacturer that provides interior systems, molded components, and engineering solutions to major automakers worldwide. The group published sample materials on its leak site, including blueprints, internal documents labeled as "confidential," email correspondence, and various corporate records.

A newly observed ransomware group calling itself Benzona surfaced with an onion data-leak site, claiming five victims. Samples of the group's encryptor have been identified in the wild, with encrypted files carrying a ".benzona" extension. A ransom note titled RECOVERY_INFO.txt is left on affected systems, directing victims to communicate via an onion-based chat portal. The initial set of victims included four Romanian automotive dealerships and one Ivory Coast–based NGO focused on healthcare aid.
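The two host-level indicators given for Benzona above (the ".benzona" extension on encrypted files and the RECOVERY_INFO.txt ransom note pointing at an onion chat portal) are enough for a first-pass triage sweep of a file share or recovered disk image. The script below is an added example, not Cyble's tooling or anything published by the group; the sample directory tree, the note text, and the placeholder onion hostname it contains are all constructed for the demo, and the "confirmed / suspect / clean" verdict logic is the author's own triage convention rather than anything the report states.

```python
import os
import re
import tempfile

# Indicators taken from the Benzona description above.
ENCRYPTED_EXT = ".benzona"
RANSOM_NOTE = "RECOVERY_INFO.txt"
# Loose Tor hostname pattern (v2 and v3 lengths); the note reportedly
# directs victims to an onion chat portal. Assumption: the note is plain text.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)


def inspect_note(path):
    """Record whether a ransom note references an onion portal (no network access)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read(64 * 1024)  # notes are small; cap the read anyway
    except OSError:
        text = ""
    return {"path": path, "mentions_onion": bool(ONION_RE.search(text))}


def scan_for_benzona(root):
    """Walk `root` once and return per-directory counts, notes and a verdict."""
    directories = {}
    notes = []
    encrypted_files = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = [f for f in filenames if f.lower().endswith(ENCRYPTED_EXT)]
        has_note = RANSOM_NOTE in filenames
        if has_note:
            notes.append(inspect_note(os.path.join(dirpath, RANSOM_NOTE)))
        if encrypted:
            encrypted_files += len(encrypted)
            directories[os.path.relpath(dirpath, root)] = {
                "encrypted": len(encrypted),
                "total": len(filenames),
                "ransom_note": has_note,
            }
    # Triage convention (author's own): both indicators together mean the
    # encryptor ran here; one alone is worth a manual look; neither is clean.
    if notes and encrypted_files:
        verdict = "confirmed"
    elif notes or encrypted_files:
        verdict = "suspect"
    else:
        verdict = "clean"
    return {"encrypted_files": encrypted_files, "ransom_notes": notes,
            "directories": directories, "verdict": verdict}


def build_sample_tree(root):
    """Constructed post-encryption layout for the demo; not real victim data."""
    layout = {
        "finance": ["invoice.xlsx" + ENCRYPTED_EXT, "budget.docx" + ENCRYPTED_EXT, RANSOM_NOTE],
        "engineering": ["drawing.dwg" + ENCRYPTED_EXT, "README.md"],
        "public": ["index.html"],
    }
    # Constructed note text with a placeholder (non-existent) onion hostname.
    note_text = ("Your files are encrypted. Contact us at "
                 "http://constructedplaceholderonionaddress.onion/chat\n")
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "w", encoding="utf-8") as fh:
                fh.write(note_text if name == RANSOM_NOTE else "sample\n")


def demo():
    """Scan a constructed infected tree and an empty one; return both reports."""
    infected = tempfile.mkdtemp(prefix="benzona-demo-")
    build_sample_tree(infected)
    clean = tempfile.mkdtemp(prefix="benzona-clean-")
    return scan_for_benzona(infected), scan_for_benzona(clean)


if __name__ == "__main__":
    hit, miss = demo()
    print(hit["verdict"], hit["encrypted_files"], "encrypted files,",
          len(hit["ransom_notes"]), "ransom note(s)")
    print(miss["verdict"])
```

Point `scan_for_benzona` at a mounted share or an image mounted read-only; the walk never opens anything except the ransom note, so it is safe to run on a live host during containment. The extension match is case-insensitive because a single stray file name should not be what decides the verdict, while a directory full of renamed files next to a note is unambiguous.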

Conclusion 

The alarming number of ransomware attacks targeting critical and sensitive sectors – including the theft of sensitive project and technical data – highlights the need for security teams to respond with vigilance equal to the threat. Basic cybersecurity best practices that can help protect against a wide range of cyber threats include:  

  • Prioritizing vulnerabilities based on risk.  
  • Protecting web-facing assets.  
  • Segmenting networks and critical assets.  
  • Hardening endpoints and infrastructure.  
  • Strong access controls, allowing no more access than is required, with frequent verification.  
  • A strong source of user identity and authentication, including multi-factor authentication and biometrics, as well as machine authentication with device compliance and health checks.  
  • Encryption of data at rest and in transit.  
  • Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible.  
  • Honeypots that lure attackers to fake assets for early breach detection.  
  • Proper configuration of APIs and cloud service connections.  
  • Monitoring for unusual and anomalous activity with SIEM, Active Directory monitoring, endpoint security, and data loss prevention (DLP) tools.  
  • Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests.  

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.  


Source: https://cyble.com/blog/ransomware-attacks-november-2025/