Post-Holiday Ransomware Surge: 15+ New Victims in 48 Hours


As organizations powered down for the holidays, threat actors ramped up operations—Qilin, Akira, The Gentlemen, and emerging groups capitalize on reduced staffing

December 28, 2025


While most of the world was unwrapping presents and recovering from holiday festivities, ransomware operators were busy unwrapping something else entirely: corporate networks. Between December 26-28, 2025, at least 15 new victims appeared on ransomware leak sites across multiple threat actor groups, highlighting a familiar but alarming pattern—cybercriminals don't take holidays.

The Holiday Weekend Onslaught

Data from ransomware tracking platforms reveals a surge of activity during the post-Christmas window. On December 26 alone, 63 new ransomware victims were added to leak sites, with a concentration of attacks impacting Professional Services and Manufacturing sectors. The following days maintained the tempo, with victims spanning North America, Europe, and Asia-Pacific.

Qilin Strikes Critical Infrastructure

Qilin, currently the most prolific ransomware operation of 2025 with over 1,000 claimed victims this year, continued its relentless campaign with high-profile targets. As detailed in our analysis of The RaaS Ecosystem in Late 2025, Qilin averaged 75 victims per month during Q3 2025 alone:

  • Bangchak Corporation (Thailand) — Posted December 25, this Thai energy giant became Qilin's latest critical infrastructure target. Bangchak is a major petroleum refiner and distributor, making this attack particularly concerning for regional energy security.
  • Questica (Canada) — Discovered December 28, this Canadian technology company specializing in budgeting and analytics software joins Qilin's growing victim list. The breach signals continued pressure on North American organizations.

Qilin has demonstrated an appetite for critical sectors throughout 2025, responsible for 29% of all ransomware attacks according to recent NCC Group data. The group's rise accelerated dramatically after RansomHub went dark in April, absorbing many of its affiliates and triggering a 280% jump in attack claims. Recent high-profile attacks include the Habib Bank AG Zurich breach (2.5TB stolen), the Asahi Group Holdings attack affecting 1.9 million individuals, and the sophisticated Korean Leaks campaign that devastated South Korea's financial sector through a single MSP breach.

Akira Targets Rural America

Akira, which has claimed approximately $244.17 million in ransom proceeds since its emergence in 2023, focused its holiday attacks on smaller American organizations. As we documented in our investigation of how Akira exploits Cisco infrastructure, the group has become one of the fastest-moving threats in the current landscape:

  • Agralite Electric Cooperative — This Minnesota-based rural electric cooperative was hit on December 24. Akira claims to have exfiltrated 136GB of data including detailed employee PII, client information, and NDA documents. The targeting of critical energy infrastructure serving rural communities is particularly concerning.
  • Alex Rubbish & Recycling — Also based in Minnesota, this waste management company providing residential and commercial services was compromised alongside Agralite. The attack demonstrates Akira's opportunistic approach to bundling smaller regional targets.
  • Trubee Wealth Advisors — A financial advisory firm added to Akira's leak site on December 24, putting sensitive client financial data at risk.

CISA issued an updated advisory on Akira in November 2025, warning of "an imminent threat to critical infrastructure" and noting the group's evolution to a new Akira_v2 variant enabling faster encryption speeds. The devastating impact of Akira's attacks was exemplified by our coverage of how one weak password destroyed a 158-year-old company—KNP Logistics, which fell to Akira after a single credential compromise.

The Gentlemen: Sophisticated Newcomer Stays Active

The Gentlemen, which emerged in July 2025 and rapidly became one of the year's most dangerous new operations, continued posting victims through the holiday period. With 48+ victims in just their first two months of operation, this group has distinguished itself through:

  • Advanced detection evasion using the ThrottleStop.sys driver (exploiting CVE-2025-7771)
  • Cross-platform capabilities targeting Windows, Linux, and ESXi environments
  • Methodical reconnaissance and custom tools targeting specific security vendors

The group has attacked organizations across 17 countries, favoring manufacturing, construction, healthcare, and insurance sectors. Their "corporate" branding and sophisticated operational security suggest experienced operators—possibly a rebrand of veteran ransomware actors.

SpaceBears and WorldLeaks Maintain Pressure

SpaceBears, aligned with the Phobos ransomware-as-a-service operation, remained active with its distinctive "corporate-style" leak site. As we detailed in our October ransomware onslaught coverage, SpaceBears targets primarily manufacturing, small technology solutions organizations, and healthcare-related companies. Recent victims include telecommunications and technology firms, with the group notably claiming a breach at Comcast through their contractor Quasar Inc.

WorldLeaks, which emerged in January 2025 as a rebrand of Hunters International, posted multiple new victims including:

  • Ellison Educational Equipment (December 24) — Education sector
  • Chatham Asset Management (December 23) — Financial services

WorldLeaks represents an evolution in the ransomware model, focusing solely on data theft and extortion without file encryption—a strategy that reduces operational complexity while maintaining leverage over victims.

Why Holidays Are Prime Time for Ransomware

The post-holiday surge follows a predictable pattern that security teams have observed for years:

1. Skeleton Crews — IT and security teams typically operate with minimal staffing during holiday periods, slowing incident detection and response times.

2. Extended Dwell Time — Attackers who breach networks before holidays have extra time to move laterally and position for maximum impact before discovery.

3. Distracted Decision-Makers — Executives needed to authorize incident response actions may be unreachable or slow to respond during family time.

4. Delayed Patches — Organizations often freeze changes during holiday periods, leaving newly disclosed vulnerabilities unpatched.

The 2025 Ransomware Landscape

This holiday surge caps a record-breaking year for ransomware. As documented in our Ransomware Revolution analysis and ENISA Threat Landscape briefing:

  • 7,902 victims listed on leak sites in 2025 (vs. 6,129 in 2024)
  • 50% increase in overall ransomware attacks year-over-year
  • Qilin leads all groups with 1,000+ victims
  • United States accounts for nearly 55% of all attacks
  • Manufacturing and Healthcare remain the most targeted sectors

The Russia-based RaaS ecosystem continues to dominate, with Qilin, Akira, and The Gentlemen all showing indicators linking them to Russian-speaking operators.

Notable Attack Patterns This Weekend

Sector Concentration:

  • Energy & Utilities: Bangchak Corporation, Agralite Electric Cooperative
  • Professional Services: Multiple victims across groups
  • Manufacturing: Continued targeting by LockBit, Qilin
  • Healthcare: Ongoing attacks noted by Chaos group

Geographic Spread:

  • United States: Highest concentration of victims
  • Thailand: Bangchak marks significant APAC targeting
  • Canada: Questica and other Canadian firms impacted
  • Turkey and France: Notable LockBit activity

Recommendations for Organizations

With many organizations returning to full operations after the holiday period, security teams should prioritize:

Immediate Actions:

  1. Review authentication logs for anomalous access during the holiday window
  2. Check for unauthorized account creation or privilege escalation
  3. Verify backup integrity and test restoration capabilities
  4. Scan for indicators of compromise associated with active groups
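The first two immediate actions above (review authentication logs for anomalous holiday-window access; check for account creation and privilege escalation) can be turned into a repeatable triage pass. The script below is an added example written for this article, not code from any of the sources cited; it works over a constructed JSON-lines log format (fields `ts`, `event`, `user`, `src_ip`, `service`, `mfa`, `target`, `group`), an assumed holiday window of December 24-28, and constructed lists of remote-access services and privileged groups. Map your own SIEM or directory export onto the same fields before using it.

```python
"""Post-holiday log triage (added example, not from the article or its sources).

Flags, within a reduced-staffing window:
  * remote logins without MFA or outside business hours,
  * new account creation,
  * additions to privileged groups.
The log format and all sample lines below are constructed for illustration.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Assumed reduced-staffing window (adjust to your own change-freeze dates).
HOLIDAY_START = datetime(2025, 12, 24, 0, 0, tzinfo=timezone.utc)
HOLIDAY_END = datetime(2025, 12, 28, 23, 59, 59, tzinfo=timezone.utc)

# Constructed: services that count as remote access and must carry MFA.
REMOTE_SERVICES = {"vpn", "rdp-gateway"}
# Constructed: groups whose membership change is privilege escalation by definition.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample log; no line corresponds to a real organization or incident.
SAMPLE_LOG = """
{"ts": "2025-12-23T14:02:11Z", "event": "login", "user": "alice", "src_ip": "10.0.4.21", "service": "vpn", "mfa": true}
{"ts": "2025-12-25T03:17:45Z", "event": "login", "user": "svc-backup", "src_ip": "203.0.113.77", "service": "vpn", "mfa": false}
{"ts": "2025-12-25T03:21:09Z", "event": "account_created", "user": "svc-backup", "target": "it-support2"}
{"ts": "2025-12-25T03:22:30Z", "event": "group_add", "user": "svc-backup", "target": "it-support2", "group": "Domain Admins"}
{"ts": "2025-12-26T09:40:00Z", "event": "login", "user": "bob", "src_ip": "10.0.4.30", "service": "workstation", "mfa": true}
{"ts": "2025-12-29T08:00:02Z", "event": "account_created", "user": "hr-admin", "target": "new-hire-jan"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines text into records whose 'ts' is a timezone-aware datetime."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def in_holiday_window(ts: datetime) -> bool:
    """True when the event falls inside the reduced-staffing window."""
    return HOLIDAY_START <= ts <= HOLIDAY_END


def triage(records: list[dict]) -> list[dict]:
    """Return one finding dict (rule, user, ts) per matching check.

    Only events inside the holiday window are in scope; everything else is
    left to normal review so the list stays short enough to act on.
    """
    findings = []
    for rec in records:
        ts = rec["ts"]
        if not in_holiday_window(ts):
            continue
        if rec["event"] == "login" and rec.get("service") in REMOTE_SERVICES:
            reasons = []
            if not rec.get("mfa", False):
                reasons.append("remote login without MFA")
            if ts.hour < 6 or ts.hour >= 22:  # crude off-hours test; tune per site
                reasons.append("remote login outside business hours")
            for reason in reasons:
                findings.append({"rule": reason, "user": rec["user"], "ts": ts.isoformat()})
        elif rec["event"] == "account_created":
            findings.append({"rule": "account created during holiday window",
                             "user": rec["user"], "ts": ts.isoformat()})
        elif rec["event"] == "group_add" and rec.get("group") in PRIVILEGED_GROUPS:
            findings.append({"rule": f"added to privileged group {rec['group']}",
                             "user": rec["user"], "ts": ts.isoformat()})
    return findings


def run_triage(text: str = SAMPLE_LOG) -> list[dict]:
    """Convenience wrapper: parse then triage."""
    return triage(parse_log(text))


if __name__ == "__main__":
    for f in run_triage():
        print(f"{f['ts']}  {f['user']:<12} {f['rule']}")
```

On the sample data the pass yields four findings, all attributed to the constructed `svc-backup` account: a 03:17 VPN login without MFA, the same login flagged as off-hours, an account creation a few minutes later, and that new account's addition to Domain Admins. Logins from inside the network, and events before or after the window, are deliberately not reported; the point of the pass is to surface the chain that a skeleton crew would most plausibly have missed, not to replace full log review.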

Strategic Improvements:

  • Implement 24/7 monitoring or MDR services to cover staffing gaps
  • Enforce multi-factor authentication on all remote access, especially VPNs
  • Establish clear escalation procedures that work during holidays
  • Consider tabletop exercises specifically for holiday-period scenarios

Looking Ahead

As organizations process the holiday weekend's damage, security researchers expect ransomware activity to remain elevated through year-end. Our Seven Days of Digital Siege analysis from mid-December showed 348 distinct incidents in a single week—shattering expectations for any traditional holiday slowdown. The emergence of sophisticated new groups like The Gentlemen, combined with the continued dominance of established players like Qilin and Akira, suggests 2026 will bring no respite from the ransomware epidemic.

For the 15+ organizations that found themselves on leak sites this weekend, the path forward involves difficult decisions about negotiation, recovery, and disclosure. For the rest, this serves as another stark reminder: cybercriminals are always on the clock.


Sources: Ransomware.live, RedPacket Security, Purple Ops, CISA, Cyble, Cisco Talos, Cybereason, ASEC


Key Groups Referenced

Group         | 2025 Victims | Primary Targets                       | Notable TTP
--------------|--------------|---------------------------------------|------------------------------------------
Qilin         | 1,000+       | Manufacturing, Healthcare, Government | Double extortion, RaaS model
Akira         | 250+         | SMBs, Critical Infrastructure         | Cisco VPN exploitation, $244M in ransoms
The Gentlemen | 48+          | Manufacturing, Construction           | ThrottleStop.sys driver abuse
SpaceBears    | 70+          | Technology, Healthcare                | Phobos-aligned, corporate branding
WorldLeaks    | 100+         | Healthcare, Finance                   | Data theft only, no encryption

This article is for informational purposes. Organizations listed as victims should be contacted directly for official statements regarding any security incidents.

