Summary
Week 49 of 2025 continued the alarming trend of escalating ransomware attacks globally, with significant incidents reported across all major regions. The United States remained the primary target with a 149% year-over-year increase in attacks during early 2025. Europe is on track for a record-breaking year with an 80% increase in incidents. Critical infrastructure and operational technology (OT) systems faced growing threats, with CISA issuing urgent warnings about attacks on ICS/SCADA networks.
Key Statistics:
- US: 378 attacks in the first five weeks of 2025 (149% YoY increase)
- Europe: 2,100+ victims since January 2024; 288 attacks in Q3 2025 alone
- Asia-Pacific: 1,887 cyber breaches in South Korea (H1 2025); 56 attacks until October 2025
- OT/ICS: 708 ransomware incidents in Q1 2025 (87% YoY increase in industrial sector)
1. RANSOMWARE INCIDENTS
1.1 United States
Major Incidents
FinCEN Ransomware Analysis Report (December 4, 2025)
- The U.S. Department of the Treasury’s Financial Crimes Enforcement Network released a comprehensive analysis covering 2022-2024
- Total ransomware payments: $2.1 billion
- 2024 saw 1,476 incidents with $734 million in aggregate payments
- Decrease attributed to law enforcement disruption of high-profile ransomware groups
- Source: FinCEN News Release
PowerSchool Breach (December 2024)
- Education software provider confirmed ransomware attack affecting 62 million student records
- Attack occurred in late December 2024
- Repeated extortion attempts reported
- Impacts U.S. and Canadian students
- Source: NordLayer Report
Avery Products Corporation (December 9, 2025)
- Over 60,000 individuals impacted
- Company became aware of the network attack on December 9
- Personal information compromised
- Source: Web search results
MetLife Latin America Division (December 31, 2024)
- RansomHub claimed responsibility
- 1TB of data allegedly exfiltrated
- Targets Latin American operations of major insurance provider
- Source: Web search results
Inotiv Pharmaceutical Company (August 2025, disclosed December 2025)
- American pharmaceutical company notifying affected individuals
- Attack occurred in August 2025
- Personal information of thousands stolen
- Source: Bleeping Computer RSS Feed
Trends & Statistics
- 21% of global attacks target the U.S. (approximately 1,000 incidents)
- 52% of ransomware attacks occur on weekends or holidays
- 70%+ of encryption events happen before 8 AM or after 6 PM
- Over 50% of cases see deployment within 24 hours
- 10% of incidents see encryption within 5 hours
- Average ransom payment increased from $199,000 (2023) to $1.5 million (2024)
1.2 Europe
Overview
- Europe accounts for nearly 22% of global ransomware victims
- Second-largest target region after North America
- 2,100+ victims named on extortion leak sites since January 2024
- 80% increase in attacks during 2024
- 2025 on track to set a new record
- Source: CrowdStrike 2025 European Threat Landscape Report
Major Incident
Barts Health NHS Trust (December 5, 2025)
- UK healthcare organization data breach
- Threat actors exploited an Oracle E-Business Suite vulnerability
- Attackers associated with Clop ransomware
- Files accessed and stolen from the organization’s database
- Location: England, United Kingdom
- Source: Bleeping Computer RSS Feed
Regional Statistics (Q3 2025)
- 288 attacks in Q3 2025
- 92% of cases involved both file encryption and data theft
- Attack speed increased 48% - average attack now takes just 24 hours
Most Targeted Countries:
1. United Kingdom
2. Germany
3. France
4. Italy
5. Spain
Most Targeted Sectors:
- Manufacturing
- Professional services
- Technology
- Industrial and engineering
- Retail
Active Ransomware Groups
- Qilin: 65 victims (dominant group in Q3 2025)
- SafePay: Rapidly ascending to second place
- Akira
- LockBit
- RansomHub
- INC
- Lynx
- Sinobi
1.3 Asia
Regional Overview
- Aggressive pace of ransomware attacks continued into 2025
- Healthcare, transportation, and government services disrupted across Asia-Pacific
- Higher share of users affected due to rapid digital transformation
- Varying levels of cybersecurity maturity create vulnerabilities
- Source: Kaspersky State of Ransomware Report 2025
Country-Specific Incidents
South Korea
- 1,887 cyber breaches in first half of 2025
- 56 attacks recorded until October 31, 2025
- Highest number of attacks in the past five years
- Source: ASEC Report
Taiwan
- Daily cyberattack attempts reaching into the millions
- Frontline target in East Asia’s cyber conflict
- Trend began in 2024, continued aggressively into 2025
- Source: CyberProof Analysis
Southeast Asia
- Xepa-Soul Pattinson Sdn Bhd compromised by Lynx ransomware
- Leading pharmaceutical manufacturing enterprise
- 500GB of sensitive data exfiltrated
- Source: Web search results
Emerging Threats
FunkSec Ransomware Group
- Emerged in late 2024
- Surpassed established groups like Cl0p and RansomHub
- Multiple victims claimed in December 2025
- Operates under Ransomware-as-a-Service (RaaS) model
- Targets: Government, technology, finance, education sectors
- Active in Europe and Asia
1.4 Other Regions
Latin America
- MetLife Latin American division targeted (December 31, 2024)
- RansomHub claimed 1TB data exfiltration
Canada
- PowerSchool breach affected Canadian students alongside U.S. victims
- 62 million student records compromised
2. CYBER-PHYSICAL SYSTEMS (CPS) & INDUSTRIAL CONTROL SYSTEMS (ICS/SCADA)
2.1 United States
CISA Warning (December 2025)
Oil & Natural Gas Sector Alert
- CISA issued urgent warning about emerging threats to SCADA/ICS networks
- Unsophisticated actors increasingly attempting to infiltrate OT environments
- Attacks exploit well-known vulnerabilities and poor cyber hygiene
- Techniques: weak password exploitation, phishing
- Despite basic techniques, potential consequences are severe
- Source: CISA Alert via GBHackers
Industry Trends
SANS Institute 2025 Survey
- Rising OT cybersecurity incidents
- Ransomware and remote access risks growing
- 22% of organizations reported a cybersecurity incident in the past year
- 40% caused operational disruption
- Nearly 20% took more than a month to remediate
- 75% of OT attacks begin as IT breaches
- Source: Industrial Cyber Report
Dragos Q1 2025 Analysis
- 708 ransomware incidents impacting industrial entities worldwide
- Increase from approximately 600 incidents in Q4 2024
- 87% year-over-year increase in industrial sector ransomware attacks (2024)
- 60% uptick in ransomware groups impacting OT/ICS (2024)
- Source: Dragos Blog
Attack Sophistication
- Ransomware operators specializing attacks beyond IT
- Direct targeting of plant floor control functions (OT side)
- Manufacturing confirmed as most common target sector
- Source: Rockwell Automation Blog
2.2 Europe
State-Sponsored Threats
Russia-Nexus Actors
- Continued targeting of Ukraine
- Activities: credential phishing, intelligence collection, destructive operations
- Targets: government, military, energy, telecom, utilities
- Source: CrowdStrike European Threat Report
North Korea-Nexus Actors
- Expanded targeting of European defense institutions
- Also targeting diplomatic and financial institutions
- Source: CrowdStrike European Threat Report
Volt Typhoon APT Activity
- APT linked to China
- “Living-off-the-land” attacks using valid credentials
- Avoids traditional malware detection
- Gained notoriety in 2025
- Source: Web search results
2.3 Asia
Cisco Device Exploitation Campaign
- Timeframe: December 4, 2024 - January 23, 2025
- Attempted exploitation of 1,000+ Cisco devices globally
- Source: Web search results
2.4 Canada
Recent ICS Incidents (Canadian Cyber Centre Report)
Water Facility Incident
- Internet-accessible ICS compromised
- Water pressure values tampered with
- Source: Canadian Centre for Cyber Security Alert
Oil and Gas Company
- Automated Tank Gauge manipulated
- Canadian company affected
Agricultural Sector
- Grain drying silo on Canadian farm compromised
- Temperature and humidity levels manipulated
Threat Analysis
- Organizations may not be direct targets but become victims of opportunity
- Hacktivists exploiting internet-accessible ICS devices for media attention
- Aim to discredit organizations and undermine Canada’s reputation
2.5 CISA ICS Advisories (December 1-8, 2025)
Critical vulnerabilities disclosed affecting industrial control systems:
December 4, 2025:
- Johnson Controls iSTAR - Certificate expiration validation flaw (CVE-2025-61736, CVSS 7.1)
- Mitsubishi Electric GX Works2 - Plaintext credential storage (CVE-2025-3784, CVSS 6.8)
- Advantech iView - SQL injection in SNMP trap processing (CVE-2025-13373, CVSS 8.7)
- Sunbird DCIM dcTrack and Power IQ - Authentication bypass and hardcoded credentials (CVE-2025-66238, CVE-2025-66237, CVSS 8.4)
- Johnson Controls OpenBlue Mobile - Direct request/forced browsing vulnerability (CVE-2025-26381, CVSS 6.5)
- MAXHUB Pivot - Weak password recovery mechanism (CVE-2025-53704, CVSS 8.7)
- SolisCloud Monitoring Platform - Insecure Direct Object Reference (CVE-2025-13932, CVSS 8.3)
December 2, 2025:
- Iskra iHUB and iHUB Lite - Missing authentication on management interface (CVE-2025-13510, CVSS 9.3)
- Industrial Video & Control Longwatch - Code injection vulnerability (CVE-2025-13658, CVSS 9.3)
Source: CISA ICS Advisories Feed
3. ADDITIONAL RANSOMWARE NEWS
3.1 Attack Speed and Timing Intelligence
Weekend and Holiday Targeting (Not found in RSS feeds)
- 52% of ransomware attacks occur on weekends or holidays
- Security teams stretched thin during off-hours
- Response times lag significantly
- Source: Help Net Security, Dark Reading
Time-of-Day Patterns (Not found in RSS feeds)
- 70%+ of encryption events occur before 8 AM or after 6 PM
- 30% of ransomware encryptions start over the weekend
- 50%+ of cases see deployment within 24 hours
- 10% of incidents see encryption within 5 hours
- Source: Web search results
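The off-hours statistics above translate directly into a detection tuning question: a burst of file writes on a share is more suspicious at 02:00 on a Saturday than at 10:00 on a Wednesday. The following is an added example (not code from any source cited in this report) of a small burst detector run over a constructed file-server audit log: it parses the log, counts WRITE events per host in a sliding 60-second window, and raises the alert severity when the window falls outside the 08:00-18:00 weekday business hours the statistics use as their boundary. The log format, host names, the ".locked" suffix and the threshold are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, time

# Business-hours boundaries matching the "before 8 AM or after 6 PM" figure cited above.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

# Constructed sample log (not real telemetry). Assumed format of a hypothetical
# file-server audit log: ISO timestamp, host, user, action, path.
# 2025-12-06 is a Saturday; 2025-12-03 is a Wednesday.
SAMPLE_LOG = """\
2025-12-06T02:14:03 fs01 svc_backup WRITE /share/finance/q3.xlsx.locked
2025-12-06T02:14:04 fs01 svc_backup WRITE /share/finance/ledger.csv.locked
2025-12-06T02:14:05 fs01 svc_backup WRITE /share/finance/payroll.db.locked
2025-12-06T02:14:06 fs01 svc_backup WRITE /share/hr/contracts.docx.locked
2025-12-06T02:14:08 fs01 svc_backup WRITE /share/hr/README.txt
2025-12-06T02:14:09 fs01 svc_backup WRITE /share/eng/specs.pdf.locked
2025-12-03T10:05:10 ws02 alice WRITE /home/alice/report.docx
2025-12-03T10:05:40 ws02 alice WRITE /home/alice/report.docx
2025-12-03T10:06:02 ws02 alice WRITE /home/alice/notes.txt
2025-12-03T12:00:00 db01 dba WRITE /var/lib/db/wal/000001
2025-12-03T12:00:30 db01 dba WRITE /var/lib/db/wal/000002
2025-12-03T12:01:00 db01 dba WRITE /var/lib/db/wal/000003
2025-12-03T12:01:30 db01 dba WRITE /var/lib/db/wal/000004
2025-12-03T12:02:00 db01 dba WRITE /var/lib/db/wal/000005
"""


def parse_events(text):
    """Parse the whitespace-separated audit format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, path = line.split(maxsplit=4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "user": user,
            "action": action,
            "path": path,
        })
    return events


def is_off_hours(ts):
    """True on weekends, or on weekdays before BUSINESS_START / at or after BUSINESS_END."""
    if ts.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    t = ts.time()
    return t < BUSINESS_START or t >= BUSINESS_END


def detect_bursts(events, window_s=60, threshold=5):
    """Alert once per host when >= threshold WRITE events fall in any window_s window.

    Severity is raised to "high" when the burst starts outside business hours,
    which is where the cited statistics place most encryption events.
    """
    by_host = defaultdict(list)
    for e in events:
        if e["action"] == "WRITE":
            by_host[e["host"]].append(e["ts"])

    alerts = []
    for host, stamps in by_host.items():
        stamps.sort()
        j = 0
        for i in range(len(stamps)):
            # Advance the right edge while it stays within the window of stamps[i].
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_s:
                j += 1
            count = j - i
            if count >= threshold:
                off = is_off_hours(stamps[i])
                alerts.append({
                    "host": host,
                    "window_start": stamps[i],
                    "count": count,
                    "off_hours": off,
                    "severity": "high" if off else "medium",
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_LOG)):
        print(alert)
```

The db01 host shows why the window matters: it writes steadily every 30 seconds, so no 60-second window ever holds more than three events and it stays quiet, while fs01's six writes in as many seconds on a Saturday night trip the threshold and are tagged off-hours. In practice the threshold would be tuned per host class, and the off-hours flag would feed the paging policy rather than replace it.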
3.2 Ransomware-as-a-Service Evolution
RansomHub Activities (Not found in RSS feeds)
- Claimed responsibility for MetLife breach
- Also striking industrial control systems
- Among most active groups in late 2024/early 2025
- Source: The Cyber Express
Emerging Groups (Not found in RSS feeds)
- FunkSec surpassed established groups like Cl0p and RansomHub
- SafePay rapidly ascending in Europe
- Increased specialization in OT/ICS targeting
- Sources: Web search results
3.3 Financial Impact Analysis
Ransom Payment Trends (Not found in RSS feeds)
- Average payments rose from $199,000 (2023) to $1.5 million (2024)
- 653% increase in average ransom payment
- Manufacturing sector most commonly targeted
- Source: Web search results
3.4 State-Sponsored Activity
China-Linked APT Activity (Not found in RSS feeds)
- Volt Typhoon using “living-off-the-land” techniques
- Exploitation of valid credentials instead of malware
- Difficult to detect and attribute
- Source: Web search results
React2Shell Vulnerability Exploitation (Mentioned in The Record RSS, not detailed)
- Chinese hackers exploiting newly disclosed React2Shell vulnerability
- Actively exploited in early December 2025
- Source: The Hacker News
3.5 Critical Infrastructure Sectors
Manufacturing Dominance (Not found in RSS feeds)
- Confirmed as most common ransomware target
- Half of 2025 ransomware attacks hit critical sectors
- Manufacturing, healthcare, and energy top global targets
- Source: Industrial Cyber Report
3.6 Geographic Analysis
U.S. Surge Data (Not found in RSS feeds)
- 378 attacks in first five weeks of 2025
- 149% year-over-year increase
- U.S. accounts for ~21% of global attacks (~1,000 incidents)
- Source: Cyble Blog
Europe Record-Breaking Year (Not found in RSS feeds)
- 80% increase during 2024
- 2025 on track for worst year on record
- Attack deployment speed increased 48%
- Average attack now takes just 24 hours (down from longer periods)
- Sources: CrowdStrike Report, Dark Reading
4. KEY TAKEAWAYS
For Security Teams:
- Weekend/Holiday Vigilance: 52% of attacks occur during off-hours; maintain adequate staffing
- Rapid Response Critical: 50% of ransomware deploys within 24 hours; detection speed is essential
- IT/OT Convergence: 75% of OT attacks start in IT networks; secure the entire attack surface
- Manufacturing at Risk: Industry confirmed as #1 target; prioritize OT security investments
For Strategic Planning:
- Escalating Financial Impact: Average ransoms increased 653% to $1.5M; plan for business continuity
- Geographic Trends: U.S. +149% YoY, Europe worst year on record, Asia-Pacific rising rapidly
- State-Sponsored Overlap: APT groups using ransomware for espionage cover; attribution challenging
- ICS Vulnerabilities: 9 critical ICS advisories in one week; patch management is critical
For Threat Intelligence:
- Emerging Groups: FunkSec, SafePay rising rapidly; monitor new RaaS operations
- Living-off-the-Land: Volt Typhoon and similar APTs avoid malware; credential security paramount
- Specialized OT Targeting: Groups developing OT-specific capabilities; industrial sector at high risk
- Hacktivist Opportunism: Internet-accessible ICS being exploited for media attention
Sources
Web Search Sources:
- Help Net Security - Week in Review
- BlackFog - State of Ransomware 2025
- NordLayer - Biggest Ransomware Attacks 2025
- Dark Reading - Ransomware Holiday Bind
- Kaspersky ICS CERT - APT and Financial Attacks Q3 2025
- FinCEN - Ransomware Financial Trend Analysis
- Gridinsoft - Ransomware 2025 Statistics
- Industrial Cyber - Critical Sectors Targeted
- Cyble - U.S. Ransomware Surge
- CrowdStrike - European Threat Landscape 2025
- Industrial Cyber - CrowdStrike European Report
- Dark Reading - Europe Ransomware Increase
- Cyble - Europe Q3 2025 Analysis
- Check Point - Global Cyber Attacks Q2 2025
- CyberProof - East Asia State-backed Attacks
- ASEC - 2025 Ransomware Threat Landscape Korea
- Kaspersky - State of Ransomware Report 2025
- The Hacker News - React2Shell Vulnerability
- GBHackers - CISA SCADA Warning
- The Cyber Express - RansomHub ICS Attacks
- Canadian Centre for Cyber Security - ICS Alert
- Industrial Cyber - SANS 2025 OT Survey
- Fortinet - State of OT Cybersecurity 2025
- Rockwell Automation - OT Ransomware 2025
- Dragos - Industrial Ransomware Q1 2025