Hong Kong precision components supplier and Italian maritime port authority: Ransomware Groups Surge In Q4 2025 – Cyble Insights

Ransomware Attacks Surge 30% in Q4 2025, Targeting Critical Sectors and Supply Chains

Ransomware activity has spiked sharply, with attacks increasing by 30% in the last four months of 2025 compared to the first nine months of the year. Cybersecurity firm Cyble recorded 2,018 claimed attacks in Q4 2025, averaging 673 victims per month, while January 2026 saw 679 attacks, maintaining the elevated pace.

  • Qilin led all ransomware groups in January with 115 attacks, followed by Akira (76), Sinobi, and The Gentlemen.
  • CL0P resurfaced in late 2025, claiming victims in Australia, the U.S., and the UK, including 11 Australian companies across IT, finance, healthcare, and construction.
  • The U.S. remained the most targeted country, accounting for nearly half of all attacks, while the UK and Australia saw heightened activity due to CL0P’s campaign.

Targeted Sectors

Ransomware groups continued to focus on construction, professional services, and manufacturing, likely due to vulnerabilities in their environments. IT firms also faced frequent attacks, given their access to downstream customer networks.

Notable January 2026 Attacks

  • Everest breached a U.S. telecom equipment manufacturer, exfiltrating 11 GB of data, including engineering schematics, PCB layouts, and 3D designs.
  • Qilin compromised a U.S. airport authority, exposing financial documents, telehealth reports, and internal emails.
  • Sinobi claimed a breach of an India-based IT services firm, stealing 150 GB of data, including contracts, financial records, and customer data.
  • Rhysida sold stolen data from a U.S. biotech instrumentation company, including engineering blueprints and NDAs.
  • RansomHouse targeted a China-based electronics manufacturer, leaking CAD models, PCB designs, and proprietary production data.
  • INC Ransom breached a Hong Kong precision components supplier, exfiltrating 200 GB of data linked to global tech and automotive brands.
  • Nitrogen leaked 71 GB of data from a U.S. automotive components firm, including CAD drawings and financial records.
  • Anubis compromised an Italian maritime port authority, exposing operational data, safety reports, and infrastructure layouts.

Emerging Ransomware Groups

  • Green Blood launched a new operation, encrypting files with the “.tgbg” extension and targeting victims in India, Senegal, and Colombia.
  • DataKeeper introduced a RaaS model with hybrid encryption (RSA-4096), in-memory execution, and TOR-based payment links.
  • MonoLock debuted a Linux-compatible RaaS using Beacon Object Files (BoF) for stealthy execution, avoiding public leak sites to reduce law enforcement exposure.

The sustained rise in ransomware attacks, coupled with the emergence of new threat groups, underscores the evolving tactics of cybercriminals targeting critical infrastructure, supply chains, and high-value industries.

Source: https://cyble.com/blog/ransomware-groups-q4-2025-cyble-report/

Cyber Smart Limited cybersecurity rating report: https://www.rankiteo.com/company/cyber-smart-hong-kong

ITA - Italian Trade Agency cybersecurity rating report: https://www.rankiteo.com/company/itaitaliantradeagency

"id": "CYBITA1770216378",
"linkid": "cyber-smart-hong-kong, itaitaliantradeagency",
"type": "Ransomware",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Telecommunications',
                        'location': 'United States',
                        'name': 'U.S. telecom equipment manufacturer',
                        'type': 'Corporation'},
                       {'industry': 'Transportation',
                        'location': 'United States',
                        'name': 'U.S. airport authority',
                        'type': 'Government'},
                       {'industry': 'Information Technology',
                        'location': 'India',
                        'name': 'India-based IT services firm',
                        'type': 'Corporation'},
                       {'industry': 'Biotechnology',
                        'location': 'United States',
                        'name': 'U.S. biotech instrumentation company',
                        'type': 'Corporation'},
                       {'industry': 'Electronics',
                        'location': 'China',
                        'name': 'China-based electronics manufacturer',
                        'type': 'Corporation'},
                       {'industry': 'Manufacturing',
                        'location': 'Hong Kong',
                        'name': 'Hong Kong precision components supplier',
                        'type': 'Corporation'},
                       {'industry': 'Automotive',
                        'location': 'United States',
                        'name': 'U.S. automotive components firm',
                        'type': 'Corporation'},
                       {'industry': 'Maritime',
                        'location': 'Italy',
                        'name': 'Italian maritime port authority',
                        'type': 'Government'},
                       {'industry': ['IT',
                                     'Finance',
                                     'Healthcare',
                                     'Construction'],
                        'location': 'Australia',
                        'name': '11 Australian companies',
                        'type': 'Corporation'}],
 'attack_vector': ['Phishing',
                   'Exploited Vulnerabilities',
                   'Supply Chain Compromise'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'file_types_exposed': ['CAD',
                                        'PDF',
                                        'Emails',
                                        'Financial Records'],
                 'personally_identifiable_information': 'Likely',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Engineering schematics',
                                              'PCB layouts',
                                              '3D designs',
                                              'Financial documents',
                                              'Telehealth reports',
                                              'Internal emails',
                                              'Contracts',
                                              'Customer data',
                                              'CAD models',
                                              'Proprietary production data',
                                              'NDAs',
                                              'Operational data',
                                              'Safety reports',
                                              'Infrastructure layouts']},
 'date_publicly_disclosed': '2025-10-01',
 'description': 'Ransomware activity has spiked sharply, with attacks '
                'increasing by 30% in the last four months of 2025 compared to '
                'the first nine months of the year. Cybersecurity firm Cyble '
                'recorded 2,018 claimed attacks in Q4 2025, averaging 673 '
                'victims per month, while January 2026 saw 679 attacks. Key '
                'trends include the resurgence of CL0P, the dominance of '
                'Qilin, and the emergence of new ransomware groups like Green '
                'Blood, DataKeeper, and MonoLock targeting critical '
                'infrastructure, supply chains, and high-value industries.',
 'impact': {'brand_reputation_impact': 'High',
            'data_compromised': ['Engineering schematics',
                                 'PCB layouts',
                                 '3D designs',
                                 'Financial documents',
                                 'Telehealth reports',
                                 'Internal emails',
                                 'Contracts',
                                 'Customer data',
                                 'CAD models',
                                 'Proprietary production data',
                                 'NDAs',
                                 'Operational data',
                                 'Safety reports',
                                 'Infrastructure layouts'],
            'identity_theft_risk': 'High',
            'operational_impact': 'Disruption of critical infrastructure and '
                                  'supply chains'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The sustained rise in ransomware attacks highlights the '
                    'need for enhanced cybersecurity measures, particularly in '
                    'critical infrastructure, supply chains, and high-value '
                    'industries. Organizations must prioritize vulnerability '
                    'management, employee training, and incident response '
                    'planning to mitigate risks.',
 'motivation': ['Financial Gain', 'Data Exfiltration', 'Espionage'],
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': ['Qilin',
                                      'Akira',
                                      'CL0P',
                                      'Everest',
                                      'Rhysida',
                                      'RansomHouse',
                                      'INC Ransom',
                                      'Nitrogen',
                                      'Anubis',
                                      'Green Blood',
                                      'DataKeeper',
                                      'MonoLock']},
 'recommendations': ['Implement multi-factor authentication (MFA) across all '
                     'systems.',
                     'Regularly update and patch software to address '
                     'vulnerabilities.',
                     'Conduct employee training on phishing and social '
                     'engineering attacks.',
                     'Deploy advanced threat detection and response solutions.',
                     'Segment networks to limit lateral movement in case of a '
                     'breach.',
                     'Develop and test an incident response plan.',
                     'Monitor for unusual activity and data exfiltration.',
                     'Collaborate with law enforcement and cybersecurity firms '
                     'for threat intelligence.'],
 'references': [{'date_accessed': '2026-01-31', 'source': 'Cyble'}],
 'threat_actor': ['Qilin',
                  'Akira',
                  'Sinobi',
                  'The Gentlemen',
                  'CL0P',
                  'Everest',
                  'Rhysida',
                  'RansomHouse',
                  'INC Ransom',
                  'Nitrogen',
                  'Anubis',
                  'Green Blood',
                  'DataKeeper',
                  'MonoLock'],
 'title': 'Ransomware Attacks Surge 30% in Q4 2025, Targeting Critical Sectors '
          'and Supply Chains',
 'type': 'Ransomware'}