Ransomware roundup: November 2025
Last month, the number of ransomware attacks remained high with 659 recorded in total. This was a slight dip (-5%) from October’s total of 693.

Attacks on healthcare providers declined significantly last month, dropping by 44 percent from 57 attacks in October to 32 attacks last month. In sharp contrast, businesses operating in the healthcare sector (e.g. pharmaceutical companies, medical billing providers, and healthcare tech companies) saw the biggest increase of any sector. Here, attacks rose by 43 percent (from 14 to 20).

The manufacturing sector also saw yet another large increase (up 35 percent from 123 in October to 166 in November), as did the education sector (up 24 percent from 17 to 21).

Qilin continued to take the top spot for the number of claims (107), but Akira (100) and Clop (94) closed in on its lead throughout November. Clop attacked its victims by exploiting an Oracle zero-day vulnerability.

Key findings for November 2025:

  • 659 attacks in total — 38 confirmed attacks (confirmed by the entity involved)
  • Of the 38 confirmed attacks:
    • 22 were on businesses
    • 10 were on government entities
    • 2 were on healthcare companies
    • 4 were on educational institutions
  • Of the 621 unconfirmed attacks*:
    • 544 were on businesses
    • 18 were on government entities
    • 30 were on healthcare companies
    • 17 were on educational institutions
  • The most prolific ransomware gangs were Qilin (107), Akira (100), and Clop (94)
  • Qilin had the most confirmed attacks (5), followed by INC (3) and Akira, Clop, Everest, and Beast (2 each)
  • Where hackers provided the data theft size (in 276 cases), over 31,200 TB of data was allegedly stolen. This huge figure stems primarily from Qilin’s claim against a US manufacturer, from which it alleges to have stolen “31,063,838.00 GB”.
  • The US saw the most attacks (354), followed by Canada (34), the UK (17), and Germany and India (14 each)

*12 attacks were on unknown companies that couldn’t be attributed to a specific sector.

Ransomware attacks by sector

Healthcare


Attacks on healthcare providers decreased by 44 percent from October to November, dropping from 57 to 32. Two of November’s attacks have been confirmed so far.

On November 21, Outback Pharmacies in Australia confirmed its systems had been impacted in a ransomware attack. Stores were fully operational six days later. Beast claimed the attack on November 23 after allegedly stealing 150 GB of data.

Meanwhile, in the US, Columbia Medical Practice confirmed a cybersecurity incident on November 26. The attack resulted in a data breach that affected patient data, including medical records and Social Security numbers. Qilin claimed this attack on November 25.

So far this year (to the end of November), we’ve logged 115 confirmed attacks on healthcare companies and are monitoring a further 275 unconfirmed attacks.

Beast adds Outback Pharmacies to its data leak site

Government


Attacks on government entities increased by four percent from October to November, rising from 27 to 28. Of the 28 attacks noted in November, 10 were confirmed.

Three of these confirmed attacks were carried out in the US. Cleveland County Sheriff’s Office and the Village of Golf Manor both confirmed attacks but these are yet to be claimed by the responsible hackers. Devman claimed an attack on the Georgia Superior Court Clerks’ Cooperative Authority, demanding $400,000 for 500 GB of data.

Unknown hackers also targeted Cámara de Diputados del Chaco in Argentina, Stadtwerke Detmold in Germany, and Gotemba City Board of Education in Japan.

The other confirmed attacks were:

  • Estado de Guanajuato, Mexico – claimed by Tekir APT with 250 GB allegedly stolen
  • Eastern Cape Department of Human Settlements, South Africa – claimed by NightSpire with 20 GB allegedly stolen
  • Punjab Forensic Science Agency, Pakistan – claimed by Beast with 900 GB allegedly stolen
  • Superintendencia Nacional de Fiscalización Laboral (Sunafil), Peru – claimed by BlackShrantac

Up to the end of November 2025, we’ve logged 176 confirmed attacks on government entities and are monitoring a further 160 unconfirmed attacks.

Devman lists the GSCCCA on its data leak site.

Education


Attacks on the education sector increased by 24 percent from October to November, rising from 17 to 21. Of the 21 attacks noted in November, four were confirmed.

Two of the confirmed attacks took place in the US:

Unknown hackers targeted the Japanese Center for Research on Women in Sport (Juntendo University), while SafePay claimed an attack on the Istituto Comprensivo di Cavaglià in Italy.

During the first 11 months of this year, we’ve logged 78 confirmed attacks and a further 141 unconfirmed attacks on schools, universities, and other educational institutions.

Inc lists Valley View Independent School District on its data leak site.

Businesses


Attacks on businesses decreased by four percent from October to November, falling from 591 to 566. 22 attacks have been confirmed on global businesses throughout November 2025.

Manufacturing remains the most targeted industry with nine confirmed attacks (and a further 157 unconfirmed attack claims). However, businesses operating in the healthcare sector saw the biggest increase in attacks in November (up 44% to 20 from 14 in October), although none of these 20 attacks have been confirmed.

Other significant attacks include an incident that impacted the US emergency notification service CodeRED (operated by Crisis24, previously OnSolve). This attack disrupted emergency notifications across multiple state and local agencies and is thought to have exposed user data. INC claimed this attack.

Qilin claimed an attack on the Habib Bank AG Zurich in which over 2.5 TB of data was stolen, while Everest claimed an attack on the Spanish airline, Iberia. Everest said it had stolen nearly 600 GB of data and is reportedly demanding $6 million from the company.

Two German radio stations (Radio Arabella and Radio Nordseewelle) also confirmed attacks, as did Dutch broadcaster, RTV Noord. The hackers are unknown in all three cases.

Across 2025 so far (to November), we’ve logged 630 confirmed attacks on businesses, and we’re tracking a further 4,968 unconfirmed attack claims.

The most prolific ransomware strains in November 2025

As we’ve noted, two gangs (Akira and Clop) closed in on Qilin last month with 100 and 94 claims, respectively. These totals were just behind Qilin’s total of 107 victims. Qilin did, however, have the most confirmed attacks with five in total.

As well as Habib Bank AG Zurich, Lake Superior State University, and Columbia Medical Practice, noted above, Qilin also claimed attacks on Swiss architecture firm, ERR AG, and Italian manufacturing company ILCA Targhe s.r.l.

INC had the second-highest number of confirmed attacks with three in total. These included CodeRED and Valley View Independent School District (noted above) and Dutch bike manufacturer, Woom GmbH.

Both of Akira’s two confirmed attacks were on manufacturers – Ruag LLC in the US and LG Energy Solution in South Korea. Clop’s attacks also hit manufacturers (both were breached as part of its Oracle exploit) – Canon, U.S.A., Inc. and Mazda Motor Corporation.

When it comes to the amount of data stolen, Qilin claimed the most (over 31,100 TB). This was due to a claim on US manufacturer, Sol Trading Co., which appeared to involve over 31,000 TB. This attack hasn’t been confirmed.

Qilin’s attack on Habib Bank AG Zurich saw the highest volume of data breached in a confirmed attack (nearly 2.6 TB). This was followed by Akira’s attack on LG Energy Solution, where the company confirmed 1.67 TB had been stolen.

November 2025 ransomware attacks by country

The vast majority of attacks in November occurred in the US with 354 in total, followed by Canada (34), the UK (17) and Germany and India (14 each). The US also saw the most confirmed attacks (9), followed by Japan (5) and Italy (4).

Attacks in Vietnam rose significantly last month, jumping from one in October to seven in November. None of these are confirmed, however.

In contrast, attacks in France dropped considerably (-83%) last month, falling from 29 in October to five in November.

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes when comparing monthly figures, especially when using unconfirmed attacks. This is because claims from ransomware groups often come a month after the attack was carried out, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.

You can view all attacks, from 2018 to present via our worldwide ransomware tracker here.