Summary
Week 51 of 2025 saw continued escalation in ransomware attacks globally, with Clop dominating headlines through its exploitation of Oracle E-Business Suite and Gladinet CentreStack vulnerabilities. The United States experienced multiple municipal government attacks, while Europe dealt with healthcare sector breaches. Critical infrastructure remains under threat from pro-Russia hacktivists targeting OT/ICS systems. The automotive sector faces increasing cyber risk, with a 39% rise in incidents in 2024, and medical device security continues to be a concern, with FDA recalls and new regulatory guidance.
Key Statistics:
- Global: 4,701 confirmed ransomware incidents (Jan-Sept 2025), 34-50% YoY increase
- US: Multiple municipal governments attacked this week (Kaufman County TX, La Vergne TN)
- Europe: 288 attacks in Q3 2025; Qilin most active group with 65 victims
- Automotive: 409 incidents in 2024 (39% increase); 148 incidents in Q1 2025 alone
- Medical Devices: 53% of networked devices have known critical vulnerabilities
1. RANSOMWARE INCIDENTS
1.1 United States
Active Incidents This Week
Clop - Oracle E-Business Suite Campaign (Ongoing)
- Over 100 organizations breached via CVE-2025-61882 zero-day
- LKQ Corporation: 9,000+ individuals’ data stolen (SSNs, EINs exposed)
- Other confirmed victims: Harvard University, University of Pennsylvania, The Washington Post, Logitech, Schneider Electric, Emerson, GlobalLogic, Envoy Air
- $10 million US bounty for information linking Clop to a nation-state
- Source: SecurityWeek
Clop - Gladinet CentreStack Campaign (December 2025)
- 200+ potential targets identified via port scans
- 9 organizations impacted by Dec 10, 2 new incidents on Dec 15
- CVE-2025-14611 added to CISA KEV on December 15
- Healthcare and technology sectors affected
- Source: Bleeping Computer
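Both Clop campaigns above hinge on CVEs that are in the CISA KEV catalog, so the first practical check is whether anything in your own inventory has a KEV entry, how far past its remediation due date it is, and whether CISA flags it as used in ransomware. The script below is an added example (not from any of the cited sources): it follows the field names of the public KEV JSON feed (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), but the embedded snapshot is constructed for the demo and its dates are placeholders, not values copied from the catalog.

```python
"""Match a product inventory against a CISA KEV feed snapshot and rank by urgency.

Added example. The feed shape mirrors the public KEV JSON
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
the entries below are constructed and their dates are placeholders.
"""
import json
from datetime import date

# Constructed snapshot for offline use. Replace with the downloaded feed in practice.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed KEV snapshot (not the real catalog)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
         "dateAdded": "2025-10-06", "dueDate": "2025-10-27",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-14611", "vendorProject": "Gladinet", "product": "CentreStack",
         "dateAdded": "2025-12-15", "dueDate": "2026-01-05",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-55182", "vendorProject": "React", "product": "Server Components",
         "dateAdded": "2025-12-05", "dueDate": "2025-12-26",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(feed_json: str) -> list[dict]:
    """Parse the feed text and return the list of catalog entries."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(entries: list[dict], inventory, today: date) -> list[dict]:
    """Return KEV entries whose vendor/product match the inventory, most urgent first.

    inventory: iterable of (vendor, product) strings, matched case-insensitively as
    substrings so "oracle"/"e-business" hits "Oracle"/"E-Business Suite".
    """
    wanted = [(v.lower(), p.lower()) for v, p in inventory]
    hits = []
    for e in entries:
        vendor, product = e["vendorProject"].lower(), e["product"].lower()
        if not any(v in vendor and p in product for v, p in wanted):
            continue
        due = date.fromisoformat(e["dueDate"])
        hits.append({
            "cve": e["cveID"],
            "vendor": e["vendorProject"],
            "product": e["product"],
            "added": date.fromisoformat(e["dateAdded"]),
            "due": due,
            "days_overdue": max(0, (today - due).days),
            "ransomware_use": e.get("knownRansomwareCampaignUse") == "Known",
        })
    # Longest-overdue first, then ransomware-linked entries ahead of the rest.
    hits.sort(key=lambda h: (-h["days_overdue"], not h["ransomware_use"], h["cve"]))
    return hits


if __name__ == "__main__":
    inv = [("oracle", "e-business"), ("gladinet", "centrestack")]
    for h in match_inventory(load_kev(SAMPLE_KEV_JSON), inv, date(2025, 12, 17)):
        flag = "RANSOMWARE" if h["ransomware_use"] else ""
        print(f"{h['cve']:16} {h['vendor']}/{h['product']:20} due {h['due']} "
              f"overdue {h['days_overdue']:>3}d {flag}")
```

Run it against the real feed by reading the downloaded JSON into `load_kev` instead of `SAMPLE_KEV_JSON`; the substring matching is deliberately loose because KEV vendor and product names are not normalized to any CPE, so review the hits rather than auto-ticketing them.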
React2Shell Vulnerability Exploitation (December 2025)
- CVE-2025-55182 (CVSS 10.0) actively exploited since Dec 3
- Weaxor ransomware deployed
- Attack confirmed on Dec 5 with encryption in under 1 minute
- Source: SC Media
Municipal Government Attacks
Kaufman County, Texas (December 16, 2025)
- Attack discovered Monday, multiple county systems down
- 200,000 residents affected
- Sheriff’s Office and emergency services unaffected
- Source: The Record
La Vergne, Tennessee (December 2025)
- City offices closed since attack discovery
- Water bill and property tax systems offline
- 40,000+ residents forced to pay by check/money order
- Source: The Record
Village of Golf Manor, Ohio (December 2025)
- Council authorized $2,000 ransom payment
- Source: DataBreaches.net
Trends
- Ransom payment rates at historic low: 23-25%
- Average healthcare ransom dropped 91% to $343,000
- 52% of attacks occur on weekends/holidays
- 70%+ of encryption events occur before 8 AM or after 6 PM
1.2 Europe
Major Incidents
Ireland HSE - Second Attack Disclosed (December 10, 2025)
- Second ransomware attack, this one targeting a third-party processor (occurred February 2025)
- Follows the 2021 attack that cost €102 million
- Source: DataBreaches.net
Collins Aerospace Attack (September 2025 - Ongoing Impact)
- HardBit ransomware variant encrypted Domain Controllers
- Airports affected: London Heathrow, Brussels, Berlin, Dublin
- MUSE check-in platform compromised
- One arrest made; ENISA classified the incident as ransomware
- 600% increase in aviation cyber-attacks 2024-2025
- Source: Security Affairs
Regional Statistics
- 288 ransomware attacks in Q3 2025
- 92% of cases involved both file encryption and data theft
- Ransomware deployed 48% faster than before (average time from intrusion to deployment: 24 hours)
- 22% of global ransomware victims are European organizations
Most Active Groups in Europe:
1. Qilin (65 victims in Q3 2025)
2. SafePay (rapidly ascending)
3. Akira
4. LockBit
5. RansomHub
Source: Cyble Europe Q3 2025 Report
1.3 Asia
Major Incidents
Asahi Group (Japan) (Ongoing since September 2025)
- Qilin ransomware claimed 27GB stolen
- 1.9 million individuals’ data potentially exposed
- Attack still unresolved; fiscal results delayed
- Source: Security Brief Asia
Askul (Japan) (Disclosed December 14, 2025)
- RansomHouse group responsible
- 740,000 records breached (customers, corporate clients, employees)
- Attack discovered October 2025
- Source: DataBreaches.net
Coupang (South Korea) (June-November 2025)
- 33 million customers’ data stolen
- CEO resigned following breach
- Often called “Asia’s Amazon”
- Source: TechCrunch
Regional Statistics
- South Korea: 56 attacks through Oct 2025 (highest in 5 years)
- Asia-Pacific: 57,000+ ransomware attacks in H1 2024, pace continued into 2025
- Taiwan: Daily cyberattack attempts in millions
- Source: ASEC Report
1.4 Other Regions
Latin America
- 108% YoY increase in cyber attacks Q1 2025
- Brazil: 549,000 ransomware attempts
- Mexico: 237,000 ransomware attempts
- Average breach cost: $3.81 million (277 days to contain)
- Source: CrowdStrike LATAM Report
Global Major Incidents
Ingram Micro (2025)
- SafePay ransomware
- 3.5TB data stolen
- Estimated $136 million per day in lost revenue
- Global IT distributor
Jaguar Land Rover (UK) (September 2025)
- Production stalled for months
- £1.5 billion UK government bailout
- Most economically devastating automotive cyber incident in British history
- Source: Breached Company
2. CYBER-PHYSICAL SYSTEMS (CPS) & INDUSTRIAL CONTROL SYSTEMS (ICS/SCADA)
2.1 United States
CISA Joint Advisory (December 9, 2025)
Pro-Russia Hacktivists Targeting Critical Infrastructure
- Joint advisory from CISA, FBI, NSA, DOE, EPA, and international partners
- Groups: Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), Sector16
- Exploiting unsecured internet-facing VNC connections to OT systems
- Targeted sectors: Energy, Food and Agriculture, Water and Wastewater
- Source: CISA Alert
Recommended Mitigations:
1. Reduce internet exposure of OT assets
2. Implement mature asset management with data flow mapping
3. Enforce robust authentication on all OT assets
4. Segment OT from IT networks
5. Establish continuous network monitoring
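The advisory's concrete finding is VNC reachable from the internet, often with no password at all. Mitigations 1 and 3 can be verified rather than assumed: connect to each candidate port from outside, complete just enough of the RFB handshake to read the security types the server offers, and flag anything that offers type 1 ("None"). The probe below is an added example, not code from the advisory or from CISA; it implements the version and security-type exchange of RFC 6143 for RFB 3.3, 3.7 and 3.8, and ships with a constructed in-process fake server so it can be exercised offline. Run it only against assets you own or are authorized to test.

```python
"""Probe a VNC endpoint and report whether it accepts sessions with no authentication.

Added example. Speaks the RFB handshake (RFC 6143): the server announces its
version, the client echoes it, and the server lists the security types it
offers. Type 1 ("None") means anyone who can reach the port gets the desktop.
start_fake_vnc_server() is a constructed stand-in used only to demo the probe.
"""
import socket
import struct
import threading

# Security type codes from RFC 6143 section 7.1.2 and the IANA RFB registry.
SEC_TYPE_NAMES = {
    0: "invalid", 1: "None (no authentication)", 2: "VNC Authentication",
    5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt",
}


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; RFB fields are fixed-size, so partial reads are errors."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during RFB handshake")
        buf += chunk
    return buf


def probe_vnc(host, port=5900, timeout=3.0):
    """Negotiate far enough to learn the offered security types, then disconnect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_exact(s, 12)                # e.g. b"RFB 003.008\n"
        if not banner.startswith(b"RFB "):
            raise ValueError(f"not an RFB server: {banner!r}")
        major, minor = int(banner[4:7]), int(banner[8:11])
        s.sendall(banner)                          # accept the server's version
        if (major, minor) >= (3, 7):
            count = _recv_exact(s, 1)[0]
            if count == 0:                         # server refused; a reason string follows
                reason_len = struct.unpack(">I", _recv_exact(s, 4))[0]
                reason = _recv_exact(s, reason_len).decode("latin-1")
                raise ConnectionError(f"server refused connection: {reason}")
            types = list(_recv_exact(s, count))
        else:                                      # RFB 3.3: server picks one type, 4 bytes
            types = [struct.unpack(">I", _recv_exact(s, 4))[0]]
    return {
        "version": f"{major}.{minor}",
        "security_types": types,
        "names": [SEC_TYPE_NAMES.get(t, f"unknown({t})") for t in types],
        "unauthenticated": 1 in types,
    }


def start_fake_vnc_server(security_types, version=b"RFB 003.008\n"):
    """Constructed RFB server for the demo; serves one client on 127.0.0.1 and returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    minor = int(version[8:11])

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(version)
            _recv_exact(conn, 12)                  # client's chosen version
            if minor >= 7:
                conn.sendall(bytes([len(security_types)]) + bytes(security_types))
            else:
                conn.sendall(struct.pack(">I", security_types[0]))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    demo_port = start_fake_vnc_server([1, 2])      # offers "None" alongside VNC auth
    print(probe_vnc("127.0.0.1", demo_port))
```

A server that offers only type 2 (VNC Authentication) is still weak, since that scheme is a DES challenge on an 8-character password with no lockout, so "not unauthenticated" is the floor, not the goal: an OT HMI should not be reachable from the internet at all, and the probe run from an external vantage point should simply time out.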
Water Infrastructure Concerns
- American Water (14 million customers) attacked October 2024
- Municipal Water Authority of Aliquippa (Pittsburgh) - Iran-backed “Cyber Av3ngers” compromised booster station
- Unitronics PLCs targeted, HMI defaced
- Source: CISA
2.2 Europe
Incidents
Netherlands Critical Infrastructure (August 2025)
- Hackers exploited flaws in application delivery and remote access systems
- Thousands of systems potentially affected globally
Spain/Portugal Power Grid (April 2025)
- Millions without power
- Investigation ongoing: cyberattack vs technical failure
Spain Bioenergy Plant
- RansomHub targeted ICS
- SCADA exploitation attempted
- Source: The Cyber Express
3. AUTOMOTIVE CYBERSECURITY
3.1 Threat Landscape Overview
2025 Statistics:
- 409 documented incidents in 2024 (39% increase from 295 in 2023)
- 148 publicly disclosed incidents in Q1 2025 alone
- Incidents affecting millions of vehicles tripled: 5% (2023) to 19% (2024)
- 85,000+ vulnerable devices exposed worldwide
- Source: Upstream 2025 Global Automotive Cybersecurity Report
3.2 Major Incidents
Jaguar Land Rover (September 2025)
- Attack began August 31, 2025
- IT systems shutdown halted assembly lines (~1,000 vehicles/day)
- Dealerships and garages also affected
- Most economically devastating automotive cyber incident in British history
- £1.5 billion UK government bailout required
- Source: Breached Company Analysis
Hyundai AutoEver America (February-March 2025)
- 2.7 million vehicle owners potentially affected
- Unauthorized access Feb 22 - March 2, 2025
- Stolen: names, SSNs, driver’s license information
- Source: SOCRadar
Hertz Data Breach (October-December 2024)
- Clop ransomware via Cleo software vulnerabilities
- 3,400+ Maine residents confirmed affected
- Disclosed February 2025
Volkswagen Group Exposure
- Chaos Computer Club disclosed misconfiguration
- External access to vehicle movement data
- Hundreds of thousands of vehicles affected
- Source: VicOne Report
3.3 EV Charging Infrastructure
Tesla Wall Connector Hack (Pwn2Own Automotive 2025)
- Demonstrated at Pwn2Own Automotive, January 2025
- CVE-2025-8321 - Full remote code execution via charging port
- Attack chain: diagnostic access → firmware downgrade → buffer overflow
- Completed in 18 minutes
- Entry point: Single-Wire Controller Area Network (SWCAN)
- Implications: Access to internal networks, lateral movement potential
- Tesla response: Anti-downgrade measures in newer firmware
- Source: Synacktiv Research
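The Wall Connector chain is a reminder that a valid signature on a firmware image is not enough: an attacker who can roll the device back to an older, still-signed build gets the old build's bugs back. The check that closes that gap is a monotonic anti-rollback floor consulted alongside the signature. The code below is an added example of that class of check, not Tesla's or Synacktiv's code; the image format, the HMAC-based "signature" (a real signer would use an asymmetric key) and the in-memory counter (a real one lives in OTP fuses or a replay-protected block) are hypothetical stand-ins.

```python
"""Signed-firmware acceptance with an anti-rollback counter.

Added example. Image layout, key handling and counter storage are hypothetical.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
HDR = struct.Struct(">4sII")   # magic, version, payload length
TAG_LEN = 32                   # HMAC-SHA256 tag over header + payload


def build_image(version: int, payload: bytes, key: bytes) -> bytes:
    """Vendor side: produce a signed image. Stand-in for an asymmetric signature."""
    header = HDR.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload


class RollbackCounter:
    """Stand-in for a monotonic floor kept in OTP/eFuse or replay-protected storage."""

    def __init__(self, min_version: int = 0):
        self.min_version = min_version

    def advance(self, version: int) -> None:
        if version > self.min_version:   # only ever moves forward
            self.min_version = version


def check_signature(image: bytes, key: bytes) -> tuple[int, bytes]:
    """Return (version, payload) for an authentic image; raise ValueError otherwise."""
    if len(image) < HDR.size + TAG_LEN:
        raise ValueError("truncated image")
    header = image[:HDR.size]
    tag = image[HDR.size:HDR.size + TAG_LEN]
    payload = image[HDR.size + TAG_LEN:]
    magic, version, length = HDR.unpack(header)
    if magic != MAGIC or length != len(payload):
        raise ValueError("bad header")
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        raise ValueError("signature mismatch")
    return version, payload


def accept_update(image: bytes, key: bytes, counter: RollbackCounter) -> tuple[bool, str]:
    """Signature check plus anti-rollback: a validly signed old version is still refused."""
    try:
        version, _payload = check_signature(image, key)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if version < counter.min_version:
        return False, f"rejected: downgrade to v{version} below floor v{counter.min_version}"
    counter.advance(version)      # commit the new floor once the image is accepted
    return True, f"accepted v{version}"


if __name__ == "__main__":
    key = b"demo-only-key"       # hypothetical; a device would hold a public key, not this
    ctr = RollbackCounter()
    old, new = build_image(2, b"old payload", key), build_image(3, b"new payload", key)
    print(accept_update(new, key, ctr))   # accepted v3
    print(accept_update(old, key, ctr))   # rejected: downgrade to v2 below floor v3
    print("signature alone says old image is fine:", check_signature(old, key)[0])
```

Two details matter in practice: the floor must be raised only after the image has been verified and committed (otherwise a power cut between the two steps bricks the device), and the counter must not be writable from the same diagnostic interface the attacker used to reach the update path, or the anti-downgrade measure is itself downgradable.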
Broader EV Charging Risks
- Sandia National Laboratories research identified multiple attack vectors
- Common impacts: disabling/intercepting vehicle-to-charger communication
- System reconfiguration via compromised Wi-Fi or USB ports
- Potential to jump from charging station to entire charger network via cloud
- Source: VicOne Analysis
3.4 Autonomous Vehicle Threats
2025 AV Security Breaches:
- Three sophisticated cyberattacks compromised AV security systems in 2025
- Attack vectors: LiDAR spoofing, firmware weaknesses, network segmentation failures
- Unauthorized control of self-driving vehicles demonstrated
- Source: CyberPath
4. MEDICAL DEVICE CYBERSECURITY
4.1 Current Threat Landscape
Key Statistics:
- 99% of hospitals manage IoMT devices with known exploited vulnerabilities
- 53% of networked medical devices have at least one critical vulnerability (FBI)
- 1 in 5 connected medical devices run on unsupported operating systems
- 1.2 million internet-connected healthcare devices publicly accessible (August 2025)
- 93% of organizations experienced at least one cyberattack (avg 43 attacks/org)
- 75% increased security budgets, but only 17% feel confident in detection/containment
- Source: C2A Security Statistics
4.2 Recent FDA Actions
Heart Pump Controller Recall (October 1, 2025)
- Johnson & Johnson’s Abiomed device recalled
- Concerns device could be hacked
- Users advised to disconnect from network until security fix available
- Source: Healthcare Brew
Historic Device Recalls
St. Jude Medical Pacemakers (Abbott Laboratories)
- First FDA cybersecurity-related medical device recall
- ~465,000 devices affected in US
- Firmware update required via physician visit
- Source: Cisco Healthcare Blog
Medtronic MiniMed Insulin Pumps
- Class I medical device recall
- MiniMed 508 and Paradigm series affected
- ~4,000 US patients using affected pumps
- Vulnerability in wireless communication between pumps and glucose monitors
- Source: FDA Recall
Medtronic Carelink Programmers
- Cardiac implantable device programmers affected
- Vulnerability in internet connection for software updates
- Source: FDA Brief
4.3 FDA 2025 Cybersecurity Guidance
June 2025 Final Guidance:
- Title: “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”
- Requirements in force since March 2023:
  - Evidence of cybersecurity in new device submissions
  - Software Bill of Materials (SBOM) required
  - Post-market vulnerability monitoring plan
  - NIST FIPS 140-3 cryptography guidelines recommended
  - All communication interfaces must be disclosed
- Source: C2A Security Analysis
4.4 Healthcare Ransomware Impact
2025 Healthcare Ransomware Statistics:
- 293 attacks on hospitals/clinics/direct care providers (Jan-Sept 2025)
- 130 attacks on healthcare businesses (30% increase)
- Data encryption dropped to 34% (lowest in 5 years, down from 74% in 2024)
- Extortion-only attacks tripled to 12%
- 58% recovered within a week (up from 21%)
- 36% paid ransom (down from 61% in 2022)
Most Active Groups Targeting Healthcare:
1. INC (39 attacks)
2. Qilin (34 attacks)
3. SafePay (21 attacks)
4. RansomHub (13 attacks)
5. Medusa (13 attacks)
Source: Sophos State of Ransomware in Healthcare 2025
5. KEY TAKEAWAYS
For Security Teams
- Clop Remains Dominant: Oracle E-Business Suite and Gladinet CentreStack exploitation ongoing - patch immediately
- Municipal Governments Under Fire: Multiple US cities attacked this week - local government IT teams need support
- Weekend/Holiday Vigilance: 52% of attacks occur during off-hours
- Medical Device Risk: 53% of networked devices have critical vulnerabilities - segment networks
For Strategic Planning
- Automotive Sector Alert: 39% increase in incidents, EV charging infrastructure emerging as target
- Supply Chain Focus: Collins Aerospace and Oracle attacks show third-party risk
- Payment Rates Declining: 23-25% payment rate forcing attackers to new tactics
- OT/ICS Under Threat: Pro-Russia hacktivists actively targeting US critical infrastructure
For Threat Intelligence
- Emerging Groups: NightSpire emerged early 2025 as formidable RaaS player
- Geographic Shifts: Asia-Pacific attacks accelerating, Latin America +108% YoY
- Automotive Exposure: 85,000+ vulnerable devices exposed worldwide
- Healthcare Shift: Encryption down to 34%, extortion-only attacks tripling