Full Report
The worldwide ransomware landscape saw a dramatic shift in attacks in October 2025, jumping 41% month over month, with the most prolific attacker, Qlin, more than doubling the number of attacks it launched, according to Trustwave, A LevelBlue Company, research. The US remained the primary recipient of ransomware attacks, but October saw manufacturing overtake technology as the most targeted vertical sector. The ransomware information was derived from a new SpiderLabs ransomware-tracking tool that gathers information from a variety of open intelligence sources and our own proprietary research. This unique combination of open-source and in-house research provides new insights into ransomware attack trends, the threat groups involved, and their primary targets. The data is not all-inclusive but contains enough information to draw basic conclusions on the direction attacks are taking. October Attack Figures In October 2025, SpiderLabs recorded 722 ransomware attacks worldwide, up from 492 in September 2025 and 635 in October 2024. As noted, the US was the nation most under attack with 298 incidents noted, followed by Canada and France with 45 and 25 attacks, respectively. Top 5 Threat Groups Qlin again dominated the stage, but there were some changes in the top five list. Sinobi appeared in third place, pushing Incransom down to fourth and Play to fifth. A quick breakdown of the new threat actor on the list: According to Ransomware.live, Sinobi became active in July 2025 and has so far specialized in attacking healthcare, manufacturing, and construction firms. Top Threat Groups for October 2025 Threat Groups Oct. 2025 Number of Attacks Threat Groups Sept. 2025 Number of Attacks Qilin 191 or 26.5% Qlin 61 or 15.2% Akira 71 or 9.8% Akira 42 or 10.4% Sinobi 62 or 8.6% Sinobi 36 or 8.9% Incransom 30 or 4.3% Incransom 31 or 7.7% Play 22 or 3.1% Play 29 or 7.2% Top Vertical Sectors Targeted for October 2025 Sector Oct. 2025 Number of Attacks as a % Sector Sept. 2025 Number of Attacks as a % Manufacturing 101 or 14% Business Services 150 or 23.6% Technology 76 or 10.5% Manufacturing 84 or 13.2% Healthcare 59 or 8.2% Technology 79 or 12.4% Business Services 33 or 4.6% Healthcare 63 or 10% Construction 29 or 4% Government 38 or 6% SpiderLabs’ research noted a major shift in targeting when data is examined year over year. In October of 2024, business services were the most often targeted vertical sector, followed by manufacturing and technology. 2025 Ransomware Attacks to Date Threat Group Number of Attacks Target Sector Number of Attacks Qilin 724 or 11.6% Manufacturing 726 or 11.7% Akira 577 or 9.2% Technology 735 or 11.7% Sinobi 419 or 6.7% Healthcare 420 or 6.8% Incransom 332 or 5.3% Business Services 334 or 5.3% Play 283 or 4.5% Financial Services 311 or 5% Total attacks tracked to date for 2025 are 6,251, up dramatically from the 4,660 SpiderLabs saw in 2024. One data point from the target sector list to call out for October is manufacturing supplanted technology as the threat actor’s favorite victim sector. Defending Against Ransomware Trustwave, A LevelBlue Company, offers a number of services and solutions to help organizations defend themselves against ransomware and recover if successfully attacked. Trustwave’s Ransomware Preparedness service, unlike many offerings in the market today, doesn’t focus on singular aspects of a client’s security defense but looks at all critical lines of defense, using detailed insights and aggregated information to provide client security and business leaders. The service provides detailed assessments of the organization’s overall preparedness, an understanding of its existing capabilities to identify, respond to, and recover from a ransomware incident, and identification of the gaps, opportunities, and inherent risks it faces. In addition, Trustwave can help with the basic mitigations all organizations should implement including: Enhance cybersecurity hygiene and patch management Implement robust backup and recovery plans Employee training and awareness Multi-Factor Authentication (MFA) and strong credential management Incident response planning
Analysis Summary
# Incident Report: Global Ransomware Trends - October 2025 Surge
## Executive Summary
Globally, ransomware attacks surged by 41% in October 2025 compared to September, reaching 722 recorded incidents. The threat actor Qilin significantly escalated its activity, more than doubling its attack volume. The US remained the most targeted nation, and a key trend shift involved Manufacturing overtaking Technology as the most targeted vertical sector globally for the month.
## Incident Details
- Discovery Date: October 2025 (Monthly tracking period concluded)
- Incident Date: October 2025
- Affected Organization: Not applicable (Aggregate trend report)
- Sector: Global scope; Manufacturing became the top target (14% of attacks).
- Geography: Global scope; US led with 298 incidents.
## Timeline of Events
### Initial Access
- **Date/Time:** During October 2025.
- **Vector:** Unknown/Not specified in the report (Focus is on aggregate trends, not specific TTPs of a single breach).
- **Details:** Overall global attacks increased from 492 (Sep 2025) to 722 (Oct 2025).
### Lateral Movement
- *Data not specified for individual incidents; this is an aggregate report.*
### Data Exfiltration/Impact
- **Data Point:** Manufacturing supplanted Technology as the favorite victim sector for October 2025.
### Detection & Response
- **Detection Mechanism:** Information derived from Trustwave/SpiderLabs' new ransomware-tracking tool utilizing open intelligence sources and proprietary research.
- **Response Actions:** Trustwave suggests general defensive actions for organizations (see Recommendations).
## Attack Methodology
*Note: As this report summarizes global trends and actor performance, specific TTP details for individual compromises are not available. The following reflects aggregated performance and noted actor specializations.*
- **Initial Access:** Not specified.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Not specified.
- **Lateral Movement:** Not specified.
- **Collection:** Not specified.
- **Exfiltration:** Not specified.
- **Impact:** Encryption/disruption via ransomware (implied).
- **Qilin Performance:** Increased from 61 attacks (Sep) to 191 attacks (Oct).
- **Sinobi Specialization:** Actively targets healthcare, manufacturing, and construction firms.
## Impact Assessment
- **Financial:** Not specified (aggregate report).
- **Data Breach:** Not specified (aggregate report).
- **Operational:** Significant global increase in ransomware activity (41% MoM jump).
- **Reputational:** Not specified (aggregate report).
## Indicators of Compromise
*No specific IOCs were provided as this is a macro-level trend analysis.*
## Response Actions
*The report highlights general recommendations for organizations rather than specific actions taken following a single incident:*
- Enhance cybersecurity hygiene and patch management.
- Implement robust backup and recovery plans.
- Enhance employee training and awareness.
- Implement Multi-Factor Authentication (MFA) and strong credential management.
- Develop and test Incident response planning.
## Lessons Learned
- **Trend Shifts:** Ransomware activity is highly dynamic, evidenced by the 41% MoM increase and the rise of Qilin's activity.
- **Sector Targeting Volatility:** Target verticals change rapidly; Manufacturing has overtaken Technology vulnerabilities.
- **New Actors Emerge:** Threat groups like Sinobi (active since July 2025) are quickly gaining prominence in the top attack rankings.
## Recommendations
- Organizations should review their security posture against the most active threat groups (Qilin, Akira, Sinobi).
- **Prioritize Manufacturing Sector Defense:** Given its new status as the most targeted vertical, manufacturing entities require heightened protective measures.
- Implement comprehensive security assessment services that look beyond singular defense aspects, covering identification, response, and recovery capabilities.
- **Mandate Foundational Controls:** Ensure robust implementation of MFA, patch management, and verified backup/recovery procedures (as recommended by Trustwave).