
Underdark.ai Vendor Cyber Rating & Cyber Score

underdark.ai

Underdark.ai is a specialized company offering cutting-edge cyber threat intelligence services, particularly focused on darknet monitoring and HUMINT (human intelligence) engagements.

About Underdark.ai: Underdark.ai is at the forefront of cyber threat intelligence, employing expert techniques in darknet monitoring and engagement with threat actors. The company was established by a team of seasoned professionals, including cybercrime experts with experience in government agencies and the private sector, particularly in fintech and cyber threat intelligence.

Core Services:
Surgical Cyber Threat Intelligence: Underdark.ai provides precise intelligence alerts based on continuous interactions within various darknet forums, marketplaces,


Underdark.ai A.I CyberSecurity Scoring

Company Information
Website: https://underdark.ai/
Employees number: 1
Number of followers: 1,832
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: underdark.ai
Underdark.ai Risk Score (AI oriented)
Between 550 and 599
Underdark.ai, Computer and Network Security
Updated: 21/03/2026
558/1000
Very Poor (Ca)
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium

Underdark.ai: Very Poor
Current Score: 558, Ca (VERY POOR)
Scale: 0 to 1000
3 incidents
-76 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 569 (Before Incident)
MAY 2026: 566 (Before Incident)
APRIL 2026: 563 (Before Incident)
MARCH 2026: 556 (Before Incident)
FEBRUARY 2026: 554 (Before Incident)
JANUARY 2026: 665 (Before Incident)
Ransomware
01 Jan 2026, Underdark.ai
Hong Kong precision components supplier and Italian maritime port authority: Ransomware Groups Surge In Q4 2025 – Cyble Insights

Ransomware Attacks Surge 30% in Q4 2025, Targeting Critical Sectors and Supply Chains

547 (After Incident)
CRITICAL, -118
CYBITA1770216378

Ransomware activity has spiked sharply, with attacks increasing by 30% in the last four months of 2025 compared to the first nine months of the year. Cybersecurity firm Cyble recorded 2,018 claimed attacks in Q4 2025, averaging 673 victims per month, while January 2026 saw 679 attacks, maintaining the elevated pace.

### Key Trends and Threat Actors
- Qilin led all ransomware groups in January with 115 attacks, followed by Akira (76), Sinobi, and The Gentlemen.
- CL0P resurfaced in late 2025, claiming victims in Australia, the U.S., and the UK, including 11 Australian companies across IT, finance, healthcare, and construction.
- The U.S. remained the most targeted country, accounting for nearly half of all attacks, while the UK and Australia saw heightened activity due to CL0P’s campaign.

### Targeted Sectors
Ransomware groups continued to focus on construction, professional services, and manufacturing, likely due to vulnerabilities in their environments. IT firms also faced frequent attacks, given their access to downstream customer networks.

### Notable January 2026 Attacks
- Everest breached a U.S. telecom equipment manufacturer, exfiltrating 11 GB of data, including engineering schematics, PCB layouts, and 3D designs.
- Qilin compromised a U.S. airport authority, exposing financial documents, telehealth reports, and internal emails.
- Sinobi claimed a breach of an India-based IT services firm, stealing 150 GB of data, including contracts, financial records, and customer data.
- Rhysida sold stolen data from a U.S. biotech instrumentation company, including engineering blueprints and NDAs.
- RansomHouse targeted a China-based electronics manufacturer, leaking CAD models, PCB designs, and proprietary production data.
- INC Ransom breached a Hong Kong precision components supplier, exfiltrating 200 GB of data linked to global tech and automotive brands.
- Nitrogen leaked 71 GB of data from a U.S. automotive components firm, including CAD drawings and financial records.
- Anubis compromised an Italian maritime port authority, exposing operational data, safety reports, and infrastructure layouts.

### Emerging Ransomware Groups
- Green Blood launched a new operation, encrypting files with the “.tgbg” extension and targeting victims in India, Senegal, and Colombia.
- DataKeeper introduced a RaaS model with hybrid encryption (RSA-4096), in-memory execution, and TOR-based payment links.
- MonoLock debuted a Linux-compatible RaaS using Beacon Object Files (BoF) for stealthy execution, avoiding public leak sites to reduce law enforcement exposure.

The sustained rise in ransomware attacks, coupled with the emergence of new threat groups, underscores the evolving tactics of cybercriminals targeting critical infrastructure, supply chains, and high-value industries.

INCIDENT DETAILS
TYPE
- Ransomware
MOTIVATION
- Financial Gain
- Data Exfiltration
- Espionage
IMPACT
- Engineering schematics
- PCB layouts
- 3D designs
- Financial documents
- Telehealth reports
- Internal emails
- Contracts
- Customer data
- CAD models
- Proprietary production data
- NDAs
- Operational data
- Safety reports
- Infrastructure layouts
- Operational Impact: Disruption of critical infrastructure and supply chains
- Brand Reputation Impact: High
- Identity Theft Risk: High
DATA BREACH
- Engineering schematics
- PCB layouts
- 3D designs
- Financial documents
- Telehealth reports
- Internal emails
- Contracts
- Customer data
- CAD models
- Proprietary production data
- NDAs
- Operational data
- Safety reports
- Infrastructure layouts
- Sensitivity Of Data: High
- CAD
- PDF
- Emails
- Financial Records
- Personally Identifiable Information: Likely
DECEMBER 2025: 665 (Before Incident)
NOVEMBER 2025: 663 (Before Incident)
OCTOBER 2025: 661 (Before Incident)
SEPTEMBER 2025: 659 (Before Incident)
AUGUST 2025: 689 (Before Incident)
Cyber Attack
01 Aug 2025, Underdark.ai
ShinyHunters: Canada Goose Investigates Customer Data Leak as Hackers Claim 600,000 Records

Canada Goose Investigates Customer Data Exposure After ShinyHunters Leak

655 (After Incident)
CRITICAL, -34
UND1771339192

Canada Goose is probing a potential data exposure affecting over 600,000 customers after the hacking group ShinyHunters published a 1.67GB dataset allegedly tied to the company. The leaked records, which surfaced on the group’s leak site, include names, email addresses, phone numbers, billing and shipping details, order history, and partial payment card data (such as card type and last four digits). The compromised data appears to date back to August 2025 and primarily involves customers in North America and Europe.

ShinyHunters claims the breach originated from a third-party payment processor, not Canada Goose’s internal systems. The company has acknowledged the incident but stated it has found no evidence of a direct breach within its own environment. While the leaked data does not include full payment card numbers, Canada Goose confirmed that no unmasked financial information was exposed. The investigation remains ongoing, and the company has not yet determined the total number of affected customers or whether formal notifications will be issued.

Despite the lack of full financial details, the exposure poses significant risks. The combination of personal and transactional data, such as order history and shipping addresses, could enable highly targeted phishing and social engineering attacks. Attackers may use this information to craft convincing scams, particularly against high-value or repeat customers, increasing the potential for fraud and brand distrust.

The incident underscores the challenges companies face in managing third-party security risks. Even when a breach occurs outside their direct systems, customers often hold brands accountable for data protection. Clear communication and proactive support will be critical in mitigating reputational damage as the investigation continues.

INCIDENT DETAILS
TYPE
- Data Breach
MOTIVATION
- Data exfiltration for potential financial gain or sale on dark web
IMPACT
- Data Compromised: Names, email addresses, phone numbers, billing and shipping details, order history, partial payment card data (card type and last four digits)
- Systems Affected: Third-party payment processor
- Brand Reputation Impact: Potential reputational damage due to customer data exposure
- Identity Theft Risk: High (due to combination of personal and transactional data enabling phishing/social engineering attacks)
- Payment Information Risk: Low (only partial payment card data exposed)
DATA BREACH
- Personal Identifiable Information (PII)
- Payment data (partial)
- Order history
- Billing and shipping details
- Number Of Records Exposed: Over 600,000
- Sensitivity Of Data: High (PII and transactional data)
- Data Exfiltration: Yes (published by ShinyHunters)
- Personally Identifiable Information: Names, email addresses, phone numbers, billing and shipping details
JULY 2025: 689 (Before Incident)
JUNE 2023: 747 (Before Incident)
Breach
16 Jun 2023, Underdark.ai
BreachForums and ShinyHunters: BreachForums Breached, Exposing 324K Cybercriminals

BreachForums Data Leak Exposes 324K Cybercriminals in Dramatic Retaliation

650 (After Incident)
CRITICAL, -97
UNDRES1768882773

On January 9, an individual using the alias "James" published a massive database containing the real identities and details of 323,986 BreachForums users, including administrators, moderators, and members of the notorious hacking community. The leak, framed as an act of retribution, targeted key figures behind BreachForums and ShinyHunters, with James claiming disillusionment with the groups’ shift toward attacking French targets.

The manifesto, written in a theatrical 23-part style, portrayed James as a long-standing hacker who mentored these groups before turning against them. Among those named were French nationals Dorian Dali, Nahyl Ojeda, and Ali Aboussi, many of whom were reportedly teenagers or young adults. James declared the leak a move to "settle their destiny" by exposing them to authorities.

Resecurity, a cybersecurity firm, confirmed the authenticity of the leaked data, which included usernames, email addresses, IP addresses, and registration details. While some members used anonymous email services, others relied on mainstream providers like Gmail, making identification easier for law enforcement. The data also revealed a global distribution of members, with concentrations in the U.S., Germany, Netherlands, France, Turkey, and the U.K., as well as significant activity in the Middle East and North Africa.

The leak is expected to disrupt cybercriminal operations by stripping away anonymity, a cornerstone of groups like ShinyHunters. Shane Barney, CISO at Keeper Security, noted that the exposure of real identities and IP histories could accelerate investigations, making it harder for members to operate without fear of attribution.

BreachForums, a successor to the shuttered RaidForums, has been a hub for trading stolen data, hacking tools, and personal information. Previous law enforcement actions, including the 2023 arrest of Conor Brian Fitzpatrick (pompompurin) and the 2024 sentencing of ShinyHunters member Sebastien Raoult, have failed to permanently dismantle the forum. This latest breach, however, may prove more damaging by exposing the infrastructure and identities of its members.

While BreachForums users have dismissed the leak as outdated, Resecurity warned that many reuse registration details across underground platforms, meaning the data remains a valuable resource for law enforcement. The incident underscores the ongoing cat-and-mouse game between cybercriminals and authorities, with this leak marking a significant blow to one of the dark web’s most active marketplaces.

INCIDENT DETAILS
TYPE
- Data Leak
MOTIVATION
- Retribution, disillusionment with cybercriminal groups' targeting of French entities
IMPACT
- Data Compromised: Usernames, email addresses, IP addresses, registration details
- Systems Affected: BreachForums user database
- Operational Impact: Disruption of cybercriminal operations, loss of anonymity for members
- Brand Reputation Impact: Significant reputational damage to BreachForums and ShinyHunters
- Legal Liabilities: Increased risk of law enforcement actions against exposed members
- Identity Theft Risk: High risk for exposed individuals due to real identity disclosure
DATA BREACH
- Usernames
- Email addresses
- IP addresses
- Registration details
- Number Of Records Exposed: 323,986
- Sensitivity Of Data: High (real identities of cybercriminals)
- Data Exfiltration: Yes (published publicly)
- Personally Identifiable Information: Yes (real names, locations, and other identifying details)
