November 2025 marked a notable shift in the ransomware landscape, showcasing evolving group activities and innovative attack methodologies. Although overall ransomware incidents dipped slightly from the peak in October, the emergence of new players such as Akira and INC Ransom indicates a changing dynamic, with these groups expanding their operational capabilities and utilizing advanced technologies like AI-driven tools, adaptive encryption, and cross-platform targeting.
Industries such as Manufacturing, Professional Services, IT, and Healthcare bore the brunt of these attacks, underscoring the attackers’ focus on sectors with high operational pressures and valuable data. Geographically, targets were concentrated in North America, followed by Western Europe and certain countries in the Asia-Pacific and Latin American regions. Noteworthy developments included the use of environment-aware encryption and AI-assisted malware creation, highlighting a significant evolution toward sophisticated and opportunistic attacks.
The November Ransomware Threat Report, designed to help organizations navigate the complex threat environment, emphasized key trends, tactics, and significant incidents. For instance, while the Qilin group saw a steep decline in its activity from 181 to 105 incidents, Akira surged from 66 to 82, and Cl0p increased its presence from 94 to 101 attacks. A rise was also noted in the activities of INC Ransom and Play, suggesting a shift in operational prominence among ransomware actors.
Overall, November accounted for 11% of the year’s ransomware activity, slightly lower than October’s 12%, yet still above the average for the year, indicating sustained high-intensity operations. The Manufacturing sector led the list of affected industries with 87 incidents, followed closely by Consumer Goods & Services and Professional Services, which both experienced 77 attacks. This reflects the high data value and operational pressure in these sectors that attackers can exploit.
The report highlighted a troubling trend: rising attacks targeting critical public safety infrastructure. The major ransomware incident involving the Crisis24 OnSolve CodeRED platform disrupted emergency notification systems across the U.S. and was attributed to the INC Ransom gang. This incident not only affected local governments and emergency services but also compromised sensitive user data.
Looking ahead, the report alerts organizations to increasing risks from AI-driven threats, with malicious large language models like WormGPT 4 and KawaiiGPT automating phishing and ransomware activities. As these technologies lower barriers for attackers, the nature of cybercrime is expected to evolve rapidly, necessitating more robust and proactive cybersecurity measures from businesses.
In response to these rising threats, organizations are advised to strengthen their endpoint and network defenses, enhance threat intelligence and monitoring mechanisms, and improve backup and recovery strategies. Investing in user awareness training and incident response planning is essential to mitigate the growing ransomware risk. The November data positions ransomware as a complex and evolving threat, requiring readiness and adaptation to maintain cybersecurity resilience amid these challenges.
