Daily Ransomware Report – 10/15/2025

Estimated reading time: 4 minutes

Key Takeaways

  • The Qilin ransomware group continues to dominate daily activity, accounting for a significant majority of new victims.
  • The United States and France remain primary geographic targets, with the “Other” and Manufacturing sectors broadly affected.
  • Major data breach disclosures, record regulatory fines, and critical vulnerability patches underscore the persistent and evolving threat landscape.
  • Healthcare and Education sectors face ongoing targeting, leading to notable data exposures and regulatory actions.
  • Initial access vectors like vishing and the exploitation of widely used software, alongside malicious development environment extensions, highlight varied attack surfaces.

Table of Contents

Statistical Overview

Victim Totals

  • This day (24h): 68
  • This month: 403
  • This quarter: 403
  • Year-to-date: 5834

Quarterly Breakdown

  • Q1: 2295
  • Q2: 1511
  • Q3: 1640
  • Q4: 403

Ransomware activity shows a consistent trend into Q4, with the current quarter’s total matching the monthly figure. Today’s surge is notably driven by Qilin operations, which accounted for the vast majority of new victims.

Introduction

The past 24 hours recorded a significant volume of ransomware activity, with 68 new victims posted to leak sites. The Qilin group was overwhelmingly the most active, accounting for 56 of these incidents. Other groups like Akira, DragonForce, and Interlock also registered new victims. Primary targeting focused on entities in the United States and France, with the “Other” and Manufacturing sectors bearing the brunt of these attacks.

Ransomware Summary Table

# Group Victims (24h) Sample Victims Top Geos Top Sectors
1 Qilin 56 Addis, All truck transportation co., inc., Alqueria United States, France Other, Manufacturing
2 Akira 2 Art guild, Ostrolenk faber United States Other
3 DragonForce 2 Autorotor, The law offices of michael c george Italy, United States Manufacturing, Legal
4 Interlock 2 Kearney public schools, The north stonington school district United States Education
5 CoinbaseCartel 1 Championx United States Other
6 INC_Ransom 1
7 Lynx 1 www.cbsaust.org.au Australia Other
8 PEAR 1 Navigator business solutions United States Technology / Software
9 Sarcoma 1 Unimed do brasil Brazil Healthcare
10 1

Qilin continues its dominant operational tempo, affecting 56 organizations primarily in the United States and France across diverse sectors including “Other” and Manufacturing. Other active groups, while less prolific, show varied targeting; Akira and DragonForce focused on the United States and Italy, respectively, while Interlock notably targeted the Education sector in the United States. Notable targeting today includes Kearney Public Schools and The North Stonington School District by Interlock, underscoring ongoing pressure on public education institutions in the US.

Victim Distribution

By Country

  • United States – 36
  • France – 11
  • Canada – 3
  • Spain – 3
  • Colombia – 2

By Industry

  • Other – 25
  • Manufacturing – 7
  • Healthcare – 5
  • Construction & Engineering – 4
  • Legal – 4

The United States remains the primary target geography, with France experiencing a notable concentration of attacks. Industrially, the “Other” category continues to be broadly affected, while Manufacturing and Healthcare sectors demonstrate persistent vulnerability, indicating a widespread and opportunistic targeting approach by ransomware groups.

Ransomware News

Topline:

The past 24 hours saw significant ransomware-related developments, including major data breach disclosures, a record regulatory fine, and patches for critical vulnerabilities.

Campaigns & Operations:

Medusa activity was linked to a breach at SimonMed Imaging affecting 1.28 million patients, while Integris Health settled a 2023 class action for $30 million following direct patient extortion. Capita received a record £14 million fine from the ICO for security failures enabling a 2023 breach that exposed 6.6 million individuals, involving Qakbot and Cobalt Strike. BlackSuit ransomware employed vishing for initial access, followed by DCSync, lateral movement via RDP/SMB, and Ansible for ESXi encryption. TigerJack continues to distribute malicious VSCode extensions like C++ Playground and HTTP Format, capable of code exfiltration and crypto-mining. Qantas confirmed data exfiltration by Scattered LAPSUS$ Hunters after a July breach. Further public sector disruptions included Shelbyville, KY police, and a data breach at the University of St. Thomas, Houston.

Vulnerabilities & TTPs:

Microsoft’s October Patch Tuesday addressed 172 vulnerabilities, including four zero-days, two of which are actively exploited: CVE-2025-2884 (TPM2.0) and CVE-2025-47827 (Secure Boot bypass), alongside critical RCEs in Office/Excel (CVE-2025-59234, CVE-2025-59236) and WSUS RCE (CVE-2025-59287). Critical file-parsing vulnerabilities CVE-2025-11001 and CVE-2025-11002 in 7-Zip enable remote code execution via malicious ZIP files.

Analyst Note:

The continuing convergence of nation-state and financially motivated tactics, coupled with exploitation of widely used software and supply chain vulnerabilities, underscores the persistent and evolving threat landscape.

Technical Takeaways

  • Qilin continues to demonstrate high operational volume, accounting for a significant majority of new victims.
  • The Healthcare and Education sectors remain consistently targeted, leading to major data exposures and regulatory actions.
  • Initial access vectors include vishing and exploitation of widely used software, demonstrating continued reliance on social engineering and known vulnerabilities.
  • Critical vulnerabilities in 7-Zip (CVE-2025-11001, CVE-2025-11002) and multiple zero-days in Microsoft products (CVE-2025-2884, CVE-2025-47827) are being actively patched, highlighting the importance of timely updates.
  • Threat actors like TigerJack are leveraging malicious development environment extensions for crypto-mining and data exfiltration, indicating a broader attack surface beyond traditional enterprise systems.