Daily Ransomware Report – 10/15/2025
Estimated reading time: 4 minutes
Key Takeaways
- The Qilin ransomware group continues to dominate daily activity, accounting for a significant majority of new victims.
- The United States and France remain primary geographic targets, with the “Other” and Manufacturing sectors broadly affected.
- Major data breach disclosures, record regulatory fines, and critical vulnerability patches underscore the persistent and evolving threat landscape.
- Healthcare and Education sectors face ongoing targeting, leading to notable data exposures and regulatory actions.
- Initial access vectors like vishing and the exploitation of widely used software, alongside malicious development environment extensions, highlight varied attack surfaces.
Table of Contents
- Statistical Overview
- Introduction
- Ransomware Summary Table
- Victim Distribution
- Ransomware News
- Technical Takeaways
- About PurpleOps
- FAQs
Statistical Overview
Victim Totals
- This day (24h): 68
- This month: 403
- This quarter: 403
- Year-to-date: 5834
Quarterly Breakdown
- Q1: 2295
- Q2: 1511
- Q3: 1640
- Q4: 403
Ransomware activity shows a consistent trend into Q4, with the current quarter’s total matching the monthly figure. Today’s surge is notably driven by Qilin operations, which accounted for the vast majority of new victims.
Introduction
The past 24 hours recorded a significant volume of ransomware activity, with 68 new victims posted to leak sites. The Qilin group was overwhelmingly the most active, accounting for 56 of these incidents. Other groups like Akira, DragonForce, and Interlock also registered new victims. Primary targeting focused on entities in the United States and France, with the “Other” and Manufacturing sectors bearing the brunt of these attacks.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Top Geos | Top Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 56 | Addis, All truck transportation co., inc., Alqueria | United States, France | Other, Manufacturing |
| 2 | Akira | 2 | Art guild, Ostrolenk faber | United States | Other |
| 3 | DragonForce | 2 | Autorotor, The law offices of michael c george | Italy, United States | Manufacturing, Legal |
| 4 | Interlock | 2 | Kearney public schools, The north stonington school district | United States | Education |
| 5 | CoinbaseCartel | 1 | Championx | United States | Other |
| 6 | INC_Ransom | 1 | – | – | – |
| 7 | Lynx | 1 | www.cbsaust.org.au | Australia | Other |
| 8 | PEAR | 1 | Navigator business solutions | United States | Technology / Software |
| 9 | Sarcoma | 1 | Unimed do brasil | Brazil | Healthcare |
| 10 | 1 | – | – | – |
Qilin continues its dominant operational tempo, affecting 56 organizations primarily in the United States and France across diverse sectors including “Other” and Manufacturing. Other active groups, while less prolific, show varied targeting; Akira and DragonForce focused on the United States and Italy, respectively, while Interlock notably targeted the Education sector in the United States. Notable targeting today includes Kearney Public Schools and The North Stonington School District by Interlock, underscoring ongoing pressure on public education institutions in the US.
Victim Distribution
By Country
- United States – 36
- France – 11
- Canada – 3
- Spain – 3
- Colombia – 2
By Industry
- Other – 25
- Manufacturing – 7
- Healthcare – 5
- Construction & Engineering – 4
- Legal – 4
The United States remains the primary target geography, with France experiencing a notable concentration of attacks. Industrially, the “Other” category continues to be broadly affected, while Manufacturing and Healthcare sectors demonstrate persistent vulnerability, indicating a widespread and opportunistic targeting approach by ransomware groups.
Ransomware News
Topline:
The past 24 hours saw significant ransomware-related developments, including major data breach disclosures, a record regulatory fine, and patches for critical vulnerabilities.
Campaigns & Operations:
Medusa activity was linked to a breach at SimonMed Imaging affecting 1.28 million patients, while Integris Health settled a 2023 class action for $30 million following direct patient extortion. Capita received a record £14 million fine from the ICO for security failures enabling a 2023 breach that exposed 6.6 million individuals, involving Qakbot and Cobalt Strike. BlackSuit ransomware employed vishing for initial access, followed by DCSync, lateral movement via RDP/SMB, and Ansible for ESXi encryption. TigerJack continues to distribute malicious VSCode extensions like C++ Playground and HTTP Format, capable of code exfiltration and crypto-mining. Qantas confirmed data exfiltration by Scattered LAPSUS$ Hunters after a July breach. Further public sector disruptions included Shelbyville, KY police, and a data breach at the University of St. Thomas, Houston.
Vulnerabilities & TTPs:
Microsoft’s October Patch Tuesday addressed 172 vulnerabilities, including four zero-days, two of which are actively exploited: CVE-2025-2884 (TPM2.0) and CVE-2025-47827 (Secure Boot bypass), alongside critical RCEs in Office/Excel (CVE-2025-59234, CVE-2025-59236) and WSUS RCE (CVE-2025-59287). Critical file-parsing vulnerabilities CVE-2025-11001 and CVE-2025-11002 in 7-Zip enable remote code execution via malicious ZIP files.
Analyst Note:
The continuing convergence of nation-state and financially motivated tactics, coupled with exploitation of widely used software and supply chain vulnerabilities, underscores the persistent and evolving threat landscape.
Technical Takeaways
- Qilin continues to demonstrate high operational volume, accounting for a significant majority of new victims.
- The Healthcare and Education sectors remain consistently targeted, leading to major data exposures and regulatory actions.
- Initial access vectors include vishing and exploitation of widely used software, demonstrating continued reliance on social engineering and known vulnerabilities.
- Critical vulnerabilities in 7-Zip (CVE-2025-11001, CVE-2025-11002) and multiple zero-days in Microsoft products (CVE-2025-2884, CVE-2025-47827) are being actively patched, highlighting the importance of timely updates.
- Threat actors like TigerJack are leveraging malicious development environment extensions for crypto-mining and data exfiltration, indicating a broader attack surface beyond traditional enterprise systems.