Daily Ransomware Report – 11/26/2025
Key Takeaways
- Ransomware activity remains elevated in Q4, with Qilin, Akira, and BenZona as the most active groups.
- Critical infrastructure and government entities, such as emergency alert systems and legal record authorities, are persistent targets.
- Supply chain compromises continue to be a significant initial access vector for ransomware operations.
- The emergence of AI-driven tools like WormGPT 4 and KawaiiGPT is lowering the technical barrier for threat actors, enabling rapid script generation and automated social engineering.
- The Professional Services sector consistently experiences the highest number of reported incidents across multiple ransomware groups.
Table of Contents
- Statistical Overview
- Introduction
- Ransomware Summary Table
- Victim Distribution
- Ransomware News
- Technical Takeaways
- About PurpleOps
- FAQ
Statistical Overview
Victim Totals
- This day (24h): 38
- This month: 641
- This quarter: 1431
- Year-to-date: 6855
Quarterly Breakdown
- Q1: 2295
- Q2: 1511
- Q3: 1640
- Q4: 1431
Ransomware activity remains elevated in Q4, with the current quarter’s victim count already surpassing Q2 and approaching Q3 totals. This sustained pressure is largely driven by groups like Qilin, Akira, and BenZona.

Introduction
In the past 24 hours, 38 new ransomware victims were added to leak sites, indicating persistent global activity. Qilin, Akira, and BenZona were the most active groups, collectively accounting for over half of the reported incidents. Primary targets included the professional services, legal, and automotive sectors, with the United States and Canada experiencing the highest concentration of attacks.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Top Geos | Top Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 12 | Arabia holding, Biopharma services, Burnham brown | United States, Canada | Professional Services, Real Estate |
| 2 | Akira | 9 | Bergeson, Dobco, Fineline architectural millwork | United States, Canada | Professional Services, Legal |
| 3 | BenZona | 5 | Dacia-ploiesti.ro, Mazda-ploiesti.ro, Poliserv.ro | Romania, Côte d’Ivoire | Automotive, Nonprofit |
| 4 | – | 2 | Cigam software corporativo ltda, Kewaunee scientific | Brazil, United States | Technology / Software, Manufacturing |
| 5 | DragonForce | 2 | Emond publishing, Healthcare retroactive audits | Canada, United States | Professional Services, Healthcare |
| 6 | – | 1 | Allervie health | United States | Healthcare |
| 7 | CyphBit | 1 | Church of the ascension anglican | Canada | Professional Services |
| 8 | – | 1 | National money mart company | Canada | Financial Services |
| 9 | INC_Ransom | 1 | – | – | – |
| 10 | LeakedData | 1 | Carlton fields | United States | Legal |
| 11 | Play News | 1 | Adc aerospace | Australia | Professional Services |
| 12 | Rhysida | 1 | Ags | United States | Transportation & Logistics |
Qilin leads in reported victim counts, demonstrating a broad targeting scope across professional services and real estate in North America. Akira continues its focus on professional services and legal entities, predominantly in the United States and Canada. BenZona shows activity in the automotive sector within Romania and Côte d’Ivoire. Notably, the Professional Services sector remains a consistent target across multiple groups.
Notable targeting today includes the Georgia Superior Court Clerks’ Cooperative Authority (GSCCCA) by Devman, indicating a focus on public-sector institutions managing sensitive legal and real estate records. Additionally, the OnSolve CodeRED platform, a provider of emergency alert systems, was compromised by INC Ransom, underscoring persistent pressure on critical infrastructure.
Victim Distribution
By Country
| Country | Victims |
|---|---|
| United States | 20 |
| Canada | 7 |
| Romania | 4 |
| Germany | 2 |
| Australia | 1 |
By Industry
| Industry | Victims |
|---|---|
| Professional Services | 10 |
| Automotive | 4 |
| Legal | 4 |
| Manufacturing | 4 |
| Technology / Software | 4 |
The United States continues to be the primary geographic target, followed by Canada and Romania. Industry-wise, professional services firms consistently experience the highest number of reported incidents, suggesting a focus on organizations handling diverse client data or intellectual property.
Ransomware News
The past 24 hours reflect a dynamic threat landscape, with critical infrastructure, government services, and supply chains under pressure while new AI tools lower the entry barrier for cybercrime.
The Devman ransomware operation targeted the Georgia Superior Court Clerks’ Cooperative Authority (GSCCCA), forcing websites offline and claiming 500 GB of data exfiltration with a $400,000 ransom demand. Concurrently, the INC Ransom gang claimed responsibility for a cyberattack on OnSolve CodeRED, disrupting emergency notification systems and allegedly exfiltrating user data, including clear-text passwords. CoinbaseCartel named Amcor, a global packaging firm, as a victim. Beast ransomware, also known as Gigakick, claimed to have stolen 150 GB of patient data from Outback Pharmacies in Australia, including treatment plans and prescribed medicines. Qilin ransomware leveraged a South Korean MSP breach into a “Korean Leaks” data heist, impacting 28 financial-sector victims and exfiltrating over 2 TB of data. Separately, Scattered LAPSUS$ Hunters (SLSH) exploited Gainsight-linked Salesforce access via stolen OAuth tokens tied to a Salesloft Drift supply-chain attack, impacting an estimated 1,500 victims.
November 2025 featured a surge of multi-stage loaders and fileless campaigns, with XWorm delivering an in-memory loader via obfuscated JavaScript, and JSGuLdr delivering PhantomStealer through a three-stage chain. Phoenix Backdoor also appeared in targeted email campaigns. The emergence of WormGPT 4 and KawaiiGPT demonstrates a growing trend of AI-driven tools democratizing the generation of ransomware-capable PowerShell scripts and automating spear-phishing.
The confluence of direct critical infrastructure targeting, sophisticated supply-chain attacks, and the increasing accessibility of advanced attack tools through AI platforms represents a significant escalation in the threat landscape.
Technical Takeaways
- Persistent targeting of critical infrastructure and government entities continues, as evidenced by attacks on emergency alert systems (OnSolve CodeRED) and statewide legal/real estate record authorities (GSCCCA).
- Supply chain compromises remain a significant initial access vector, with incidents involving a South Korean MSP leading to clustered Qilin victimization and a Salesforce supply-chain attack impacting Gainsight.
- The proliferation of AI-driven tools like WormGPT 4 and KawaiiGPT lowers the technical barrier for threat actors, enabling rapid generation of ransomware scripts and automated social engineering.
- Multi-stage loaders and fileless execution chains, exemplified by XWorm and JSGuLdr, indicate a continued focus on stealthy and complex infection methods to evade detection.
About PurpleOps
PurpleOps operates at the intersection of cyber threat intelligence, ransomware tracking, and dark web research. Our platform delivers real-time insights into ransomware operations, emerging CVEs, and underground economy dynamics.
Learn how we help organizations detect, prevent, and respond to ransomware threats:
- Cyber Threat Intelligence
- Dark Web Monitoring
- Protect Against Ransomware
- Penetration Testing
- Supply-Chain Security
FAQ
Q: What were the most active ransomware groups in the last 24 hours?
A: The most active ransomware groups reported in the last 24 hours were Qilin, Akira, and BenZona, collectively responsible for over half of the new incidents.
Q: Which sectors were primarily targeted by ransomware attacks recently?
A: Primary targets included professional services, legal, and automotive sectors. The professional services sector consistently shows the highest number of reported incidents.
Q: How has AI influenced the current ransomware threat landscape?
A: The emergence of AI-driven tools such as WormGPT 4 and KawaiiGPT is lowering the technical barrier for threat actors, enabling them to rapidly generate ransomware-capable PowerShell scripts and automate spear-phishing campaigns.
Q: What types of critical infrastructure were impacted by ransomware in this report?
A: Critical infrastructure targets included the Georgia Superior Court Clerks’ Cooperative Authority (GSCCCA), which manages sensitive legal and real estate records, and OnSolve CodeRED, an emergency alert system provider.
Q: How does PurpleOps help organizations combat ransomware?
A: PurpleOps provides services such as Cyber Threat Intelligence, Dark Web Monitoring, Protect Against Ransomware solutions, Penetration Testing, and Supply-Chain Security to help organizations detect, prevent, and respond to ransomware threats.