Ransomware and supply chain attacks hit their second-highest levels ever in November, as the two attack types increasingly converge, according to new research from Cyble.
Ransomware groups accounted for 58% of software supply chain attacks in November, Cyble noted in a new blog post. While that’s down from 73% in October, the threat intelligence company said that ransomware groups “are increasingly targeting software supply chain vulnerabilities, which has contributed to a doubling of supply chain attacks since April 2025.”
Cyble dark web researchers documented 38 supply chain attacks in November, just below October’s record (chart below). Ransomware groups claimed 22 of those attacks.
Overall, Cyble documented 640 ransomware attacks in November, the seventh consecutive monthly increase and below only February 2025’s record (chart below).
Qilin Top Ransomware Group Once Again
Qilin was once again the overall leader in claimed ransomware attacks despite CL0P’s mass exploitation of Oracle E-Business Suite vulnerabilities, which has hit more than 100 organizations to date. Qilin led all ransomware groups with 127 attacks, followed by Akira at 103, while CL0P, INC Ransom and Play rounded out the top five (chart below).
The U.S. once again was by far the most attacked country with 356 ransomware attacks, 10 times higher than the next-closest country, which was Canada with 35 attacks. The UK, Germany, India and Italy all had ransomware attack counts in the teens (chart below).
Construction, Professional Services, and Manufacturing were the most frequently attacked sectors in November, with more than 50 ransomware attacks each. Healthcare, Energy & Utilities, IT, Consumer Goods, and Technology experienced more than 30 attacks each (chart below).
Convergence of Ransomware and Supply Chain Attacks
Cyble documented more than 15 ransomware attacks in the blog post, many of which had supply chain implications.
“November was noteworthy for the number of ransomware attacks targeting critical sectors and the IT supply chain, with several groups claiming exfiltration of sensitive documents such as project and technical documentation,” the researchers said.
Among the ransomware attacks documented by Cyble were:
- An INC Ransom attack on a U.S.-based emergency alert system.
- An Akira cyberattack on “a major South Korea–based manufacturer of lithium-ion batteries.”
- An Akira attack on “a U.S.-based manufacturer of high-density, modular, and rugged embedded computing systems” that included the theft of “detailed project information … and confidential military-related materials.”
- An Akira attack on a U.S. engineering and project-management firm for rail and transportation infrastructure projects that included the theft of “NDAs, contracts and agreements, and project documentation.”
- A Qilin attack on a U.S. company that provides “remote power management, network monitoring, and out-of-band control technologies used across data centers, telecommunications, industrial operations, and critical infrastructure environments,” which included access to “customer digital key letters, nondisclosure agreements, and additional internal corporate materials, suggesting exposure of both sensitive business information and potentially downstream client environments.”
- A Qilin attack on a Florida regional airport that included the theft of “scanned employee IDs, aviation alerts and notices, airport blueprints, internal operational documents.”
- An Anubis ransomware group attack on a U.S.-based automotive component manufacturer that resulted in the theft of blueprints and internal documents labeled “confidential.”
“The alarming number of ransomware attacks targeting critical and sensitive sectors – including the theft of sensitive project and technical data – highlights the need for security teams to respond with vigilance equal to the threat,” Cyble said.
The researchers outlined a number of cybersecurity best practices that can help guard against such threats, such as vulnerability management, network segmentation, strong access controls, ransomware-resistant backups, and system and application hardening.
