State of Ransomware: November 2025

Published 1 December 2025 · ThreatVectr Intelligence

700-9%
Claimed attacks
vs 772 the month before
61
Groups active
64
Countries affected
82
Busiest day
21 November

Ransomware groups claimed 700 attacks on organisations worldwide in November 2025, down 9% on the previous month's 772. 61 distinct groups posted at least one victim during the month, across 64 countries. The busiest single day was 21 November, with 82 victims listed.

Qilin was the most active operation of the month, claiming 106 victims — 15% of all listings. Cl0p (98) and Akira (70) followed. 5 groups appeared for the first time, including Benzona, Morpheus, Kazu, Reynolds.

Manufacturing bore the heaviest targeting, with 113 claimed victims, ahead of Technology (80) and Business Services (70). By geography, United States accounted for 338 claims — 48% of the month — with Canada (31) and Germany (25) next.

Claims per day — November 2025

Most active groups

  1. 1Qilin·106
  2. 2Cl0p1498
  3. 3Akira170
  4. 4INC Ransom144
  5. 5Play125
  6. 6DragonForce·24
  7. 7Payoutsking4123
  8. 8SafePay422
  9. 9Sinobi622
  10. 10The Gentlemen1817

First seen this month:Benzona, Morpheus, Kazu, Reynolds, Skira

Most-targeted sectors

  1. 1Manufacturing113
  2. 2Technology80
  3. 3Business Services70
  4. 4Healthcare62
  5. 5Construction47
  6. 6Consumer Services41
  7. 7Financial Services31
  8. 8Energy29
  9. 9Education27
  10. 10Public Sector24

Most-affected countries

  1. 1United States338
  2. 2Canada31
  3. 3Germany25
  4. 4United Kingdom22
  5. 5India16
  6. 6Spain14
  7. 7Brazil13
  8. 8Japan13
  9. 9Australia12
  10. 10Mexico12

Every figure in this report counts a claim posted to a criminal leak site, observed via the monitoring service ransomware.live. A listing is an extortion tactic, not a confirmed breach: some claims are exaggerated, some are duplicates under new branding, and a few are outright false. Companies named in listings have not necessarily confirmed any incident, and ThreatVectr does not publish victim names from this dataset.

Cite this report

This report is free to cite and reproduce with attribution. Suggested citation:

ThreatVectr, “State of Ransomware: November 2025”, https://threatvectr.com/ransomware-tracker/reports/november-2025

Journalists and researchers: for questions about the data or methodology, contact the newsdesk.

Most ransomware starts with one email

The groups in this report overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure.

Start free — no card required
© 2026 Threat Vectr