International Game Technology PLC (IGT)
November 20, 2025
•[ ransomware, data leak ]
Ransomware-as-a-service group Qilin added gambling-technology giant IGT to its data leak site and claims to have stolen about 10GB of data, roughly 21,600 files, from the companys systems; the archive is labeled as already published on the dark web, but no file samples or detailed data contents were shared publicly at the time of reporting, and IGT has not confirmed or denied the incident, so this entry treats the event as a threat-actor-claimed data-theft attack with the nature of the exposed information still undetermined.
DocuBizz
November 20, 2025
•[ ransomware, data leak ]
A ransomware attack against Danish automotive IT provider DocuBizz resulted in theft of drivers license information, CPR numbers, bank account numbers, and other customer data belonging to car dealerships and their clients. No encryption or service disruption has been confirmed.
City of Leavenworth (Kansas)
November 19, 2025
•[ cyberattack, network outage, ransomware ]
DataBreaches reported that Leavenworth, Kansas officials said a cyberattack caused a network outage on November 19, 2025 after computer and phone systems began failing late that morning. The city brought in outside IT experts and later confirmed on November 25 that the disruption stemmed from a cyberattack on the municipal internal network. As of the December 8 report, impacts were still ongoing for invoicing, permitting, and hiring systems, while emergency services were reported unaffected, and no ransomware or extortion group had publicly claimed responsibility.
Doctor Alliance LLC
November 18, 2025
•[ ransomware, data leak ]
Ransomware actor Kazu again compromised Dallas-based healthcare document and billing platform Doctor Alliance, exploiting an unpatched vulnerability and reused admin credentials to access a high-privilege account and steal nearly 1.27 TB of medical documents and related files affecting potentially more than a million patients; the firm has acknowledged unauthorized access to at least one client account and faces multiple federal class actions while still providing limited public transparency.
Mid South Pulmonary & Sleep Specialists (MSPS)
November 17, 2025
•[ ransomware, data leak, data breach ]
Reporting on Anubis RaaS described a severe ransomware incident affecting Mid South Pulmonary & Sleep Specialists (MSPS) in Tennessee. The threat actor claimed initial access on Nov. 10, 2025, spent about a week conducting internal reconnaissance and data theft, then paralyzed the organizations network in a single night. The group claimed to have encrypted MSPSs Nutanix systems and used a wiper to delete backups, leaving MSPS unable to restore systems; the actor also claimed exfiltration of roughly 860 GB and leakage of hundreds of gigabytes containing administrative records, insurance billing files, and extensive PII/PHI. MSPS had not publicly confirmed details in the reporting, but the described impacts suggest prolonged disruption and exposure of sensitive medical data.
Under Armour
November 17, 2025
•[ ransomware, data leak ]
In November 2025, the Everest ransomware group claimed Under Armour as a victim and attempted to extort a ransom, alleging they had obtained access to 343GB of data. In January 2026, customer data from the incident was published publicly on a popular hacking forum, including 72M email addresses. Many records also contained additional personal information such as names, dates of birth, genders, geographic locations and purchase information.
Detmold Public Utilities
November 16, 2025
•[ ransomware, data leak ]
A ransomware attack against Stadtwerke Detmold forced the municipal utility to shut down its IT infrastructure, leaving the company largely unreachable by phone or email and knocking out online customer portals and related services. Multiple affiliated business units, including energy and public transport operations, were impacted in their back-office systems, though the delivery of electricity, gas, water, and district heating reportedly continued. Police cybercrime teams and external specialists were engaged to stabilize systems, analyze the intrusion, and determine whether customer data was accessed.
Petrobras
November 14, 2025
•[ ransomware, data leak ]
Everest ransomware group listed Petrobras and exploration partner SAExploration on its leak site and claims it stole a large seismic survey database with detailed technical information from Petrobras surveys and Campos Basin projects while threatening further action if the company does not contact the group
Trumbull County Recorder’s Office
November 14, 2025
•[ ransomware, data leak, supply chain attack ]
Trumbull County, Ohio reported that a ransomware attack on its third-party vendor C Systems Software led to a security breach affecting systems used for real-estate recordings and property records. County officials said they were alerted around November 14, 2025, and, with help from Ohio Homeland Security and external cybersecurity firm GuidePoint, determined that the same cybercriminals behind the vendor breach had attempted to exploit the county network. While they reported no evidence of successful intrusion into county systems, offices had to fall back on manual processing and suspend some online services for about ten days. The incident is believed to have exposed resident data held by the vendor and has prompted additional security and monitoring measures.
Attorney General’s Office of the State of Guanajuato (FGEG)
November 13, 2025
•[ ransomware, data leak, double-extortion ]
Mexico Business News reports Guanajuatos Attorney Generals Office confirmed a cybersecurity incident after a ransomware attack attributed to Tekir APT. Attackers claim they stole 250GB+ of confidential data, including judicial files and internal databases. Officials are reviewing controls, without confirming attribution or ransom payment. Hackmanac alleges subdomain encryption and double-extortion.
VSK Insurance Joint-Stock Company
November 12, 2025
•[ ransomware ]
Russian insurer VSK disclosed that a large-scale cyberattack beginning around November 12, 2025 severely disrupted its IT systems and online services. Customers across Russia reported being unable to access the companys website, mobile app, and email, and some healthcare providers delayed or cancelled appointments because they could not verify insurance coverage. VSK said it was working with law enforcement and cybersecurity experts and claimed that no confirmed evidence of data theft had been found, while independent specialists suggested the incident was probably ransomware. The attack significantly impacted delivery of insurance and related health services nationwide.
At least one Andorid user in Latin America
November 12, 2025
•[ malware, ransomware, phishing ]
The Record described a newly identified Android malware/ransomware campaign (DroidLock) distributed through phishing websites that trick users into installing fake apps and then lock devices behind a ransom message. The reporting focuses on a broad campaign targeting Spanish-speaking users rather than a single named victim organization with a discrete primary effect suitable for this datasets event unit. Because there is no specific victim organization, confirmed disruption window, or bounded impact scope for one entity, it is not coded here as an individual cyber event record.
Ireland's Office of the Ombudsman
November 12, 2025
•[ ransomware, service disruption ]
The Office of the Ombudsman in Ireland reported that it was the victim of a ransomware attack involving unauthorized access to its IT systems on December 11, 2025. As part of containment, the Office took systems offline and worked with the National Cyber Security Centre and external specialists to investigate and restore services, while notifying law enforcement and the Data Protection Commission. The Office later stated it was confident no personal data had been taken in the incident, and it incrementally restored services, reporting by early January 2026 that public-facing services were back online. The incident primarily caused disruption through precautionary shutdown and recovery operations rather than publicly reported data theft.
The Chamber of Deputies of Chaco
November 10, 2025
•[ ransomware, government, cybercrime ]
The Chamber of Deputies of Chaco province in Argentina reported that a cybersecurity incident affecting part of its server infrastructure had been identified as a ransomware attack, prompting technicians and the state IT firm ECOM Chaco to shut down the official website, the online system for tracking legislative procedures and the electronic legal digest while they contained the intrusion and preserved institutional information; authorities filed a criminal complaint with the provincial cybercrime unit and emphasized that maintaining the continuity of essential legislative functions and the security of data were priorities during the response.
Logitech
November 8, 2025
•[ ransomware, data leak ]
Swiss outlet watson.ch, citing Tribune de Genve and 24 Heures, reports that Swiss peripherals maker Logitech was listed on the Clop ransomware gangs dark web leak site, with extortionists claiming to have stolen data and threatening to publish it unless a ransom was paid; subsequent regulatory filings and security reporting confirm t
Georgia Superior Court Clerks’ Cooperative Authority
November 8, 2025
•[ ransomware, data leak ]
The Devman ransomware group attacked the Georgia Superior Court Clerks Cooperative Authority beginning November 8, 2025. GSCCCA voluntarily restricted access to its systems while investigating a credible cyber threat. Devman claimed to have exfiltrated 500 GB of organizational data from GSCCCAs application servers and demanded a $400,000 ransom by November 27.
Mower County
November 6, 2025
•[ ransomware, data leak, government ]
Mower County reported that it detected a ransomware attack on June 18, 2025 and investigated with cybersecurity and data forensics consultants. The county said unauthorized access to its systems occurred sometime between June 11 and June 18, 2025 and that sensitive personal data collected by the county was stolen. Reported affected data types include Social Security numbers, birthdates, names, ID card numbers, fingerprints, financial account information, medical/health insurance information, and payment card information. As of Dec. 3, 2025, the county said it had no indication the stolen information had been released or offered for sale; it also noted approximately 27,064 notification letters were being sent.
Oscars Group
November 5, 2025
•[ ransomware, data leak ]
Insurance Business reports that Australian hospitality conglomerate Oscars Group was listed on the Medusa ransomware gang's leak site on November 5, 2025, with the criminals claiming to have exfiltrated more than one hundred and thirty thousand internal files and threatening to publish them unless a ransom of one hundred thousand US dollars is paid or daily fees are provided to delay release; samples posted as proof reportedly include invoices, staff rosters, event schedules, daily financial records and identity documents such as passports and driver licences, much of it tied to the recently acquired Lakes Resort Hotel in South Australia, indicating a significant data breach even though no operational outages have been publicly disclosed.
Microbix Biosystems Inc.
November 5, 2025
•[ ransomware, data leak ]
Microbix Biosystems disclosed that an international ransomware group infiltrated and corrupted one of its corporate servers, deploying ransomware that temporarily took file storage systems offline but did not disrupt manufacturing, safety or communications. The company successfully recovered the server and data from backups yet later learned that at least some data had been copied externally, including commercially sensitive information and employee data
Habib Bank AG Zurich
November 5, 2025
•[ ransomware, data leak ]
Qilin ransomware group listed Habib Bank AG Zurich on its leak site on November 5, 2025, claiming theft of more than 2.5 TB of data and nearly 2 million files. Cybernews verified screenshots showing stolen passport numbers, account balances, transaction notifications, and internal tool source code.
