SpiderLabs Ransomware Tracker Update November 2025: Qlin, Cl0p, and Akira Vie for Top Attacker

Trustwave SpiderLabs ransomware tracker noted a slight dip in the overall number of attacks that took place in November 2025, but the research team saw the threat group Cl0p surge, conducting 98 attacks during the month, up from just 13 in October.

Trustwave SpiderLabs, A LevelBlue Company, derived the information from its ransomware-tracking tool, which gathers data from a variety of open intelligence sources and our own proprietary research.

This unique combination of open-source and in-house research provides new insights into ransomware attack trends, the threat groups involved, and their primary targets. The data is not all-inclusive, but it contains enough information to draw basic conclusions on the direction attacks are taking.

November Attack Figures

The tracker recorded 668 ransomware attacks worldwide in November, down from 755 in October and 636 in November 2024. This figure brings the 2025 ransomware attack tally to date to 6,983.

The attack numbers are dynamic. As SpiderLabs uncovers information on previous attacks, it is added to the database, which means older monthly attack numbers will shift as they are updated throughout the year.

The US remained the top targeted nation, absorbing 282 attacks, and the data noted manufacturing was again the most attacked vertical sector, being struck 87 times.

Top 5 Threat Groups

Qlin remained the top threat group for the third consecutive month, but the gap between it, Cl0p, and Akira closed up during November. Cl0p became the second-most active attacker, displacing Play from the leaderboard and allowing Dragonforce to return.

Incransom should be highlighted, as it not only almost doubled the number of attacks it launched month over month, but also saw its November activity rank it among the top five most prolific groups of the year.

Top Threat Groups for November 2025

Figure 1. Top Threat Groups for November 2025.

The only change noted in vertical sectors attacked was education moving up into the top five, pushing construction off the list for the month.

Top Vertical Sectors Targeted for November 2025

Figure 2. Top Vertical Sectors Targeted for November 2025.

2025 Ransomware Attacks to Date

Figure 3. 2025 Ransomware Attacks to Date.

Defending Against Ransomware

Trustwave offers a number of services and solutions to help organizations defend themselves against ransomware and recover if successfully attacked.

Trustwave Ransomware Preparedness service, unlike many offerings in the market today, doesn’t focus on singular aspects of a client’s security defense but looks at all critical lines of defense, using detailed insights and aggregated information to provide clients and business leaders with security.

The service provides detailed assessments of the organization’s overall preparedness, an understanding of its existing capabilities to identify, respond to, and recover from a ransomware incident, and identification of the gaps, opportunities, and inherent risks it faces.

In addition, Trustwave can help with the basic mitigations all organizations should implement, including:

• Enhance cybersecurity hygiene and patch management
• Implement robust backup and recovery plans
• Employee training and awareness
• Multi-Factor Authentication (MFA) and strong credential management
• Incident response planning.