Seven Days of Digital Siege: Inside This Week's Ransomware Explosion
A comprehensive analysis of 348 cyber attacks detected across the global threat landscape from December 12-19, 2025
Executive Summary
The week of December 12-19, 2025 has shattered expectations for the traditional holiday cybersecurity slowdown. Instead of the anticipated decrease in attack activity, threat intelligence monitoring detected 348 distinct ransomware and data breach incidents — demonstrating that the ransomware ecosystem has evolved beyond seasonal patterns into a year-round, industrialized operation.
This seven-day period captures an ecosystem operating at peak efficiency, with established threat actors launching coordinated campaigns while emerging groups like SAFEPAY continue their aggressive expansion. Instead of the traditional December slowdown, analysts detected an unprecedented surge in ransomware and data breach activity in the final week before the 2025 winter holidays, making it potentially the most active pre-holiday attack period on record.
Our analysis of real-time threat intelligence data from this week reveals five critical trends defining the current ransomware landscape as we close out 2025, building upon the ransomware revolution that's reshaping threat economics entering 2026.
By the Numbers: Week of December 12-19, 2025
Attack Volume & Distribution
- Total Incidents Tracked: 348 attacks
- Industries Targeted: 15+ distinct sectors
- Geographic Spread: Global, with concentration in US, Germany, and UK
- New vs. Established Groups: 7 active ransomware families identified
- Average Time to Public Disclosure: 24-48 hours post-encryption
Top Five Targeted Sectors
- Healthcare Industry: 42 incidents (12.1%)
- Manufacturing: 38 incidents (10.9%)
- Finance & Banking: 36 incidents (10.3%)
- Retail & Hospitality: 31 incidents (8.9%)
- Technology Services: 28 incidents (8.0%)
Most Active Threat Actors (Dec 12-19)
- SAFEPAY: 18 claimed victims
- Incransom: 14 claimed victims
- Sinobi: 8 claimed victims
- Qilin: 6 claimed victims
- MS13089: 5 claimed victims
The SAFEPAY Phenomenon: Sustained High-Volume Operations
The most striking development in this week's data is the continued dominance of SAFEPAY ransomware, which maintains its position as one of the most prolific operators globally. With 18 confirmed attacks during this seven-day period alone, SAFEPAY demonstrates the operational tempo that has defined the group since its emergence in late 2024.
Following the massive Conduent breach, which compromised the data of 10.5 million Americans, and the group's ascent to the most active ransomware operation by May 2025, SAFEPAY shows no signs of slowing as the year closes.
Operational Characteristics
SAFEPAY distinguishes itself through several unique characteristics:
Speed-Based Extortion Model
Unlike traditional ransomware operations that allow weeks for negotiation, SAFEPAY imposes aggressive 24-hour deadlines, forcing victims into rapid decisions under duress. During the analyzed period, victims included:
- Colorado Powerline, Inc. (critical infrastructure)
- DFC-SYSTEMS GmbH (healthcare technology)
- Meyerlift GmbH (equipment rental)
- Multiple German-based professional services firms
Technical Infrastructure
Security researchers have identified SAFEPAY's codebase as derivative of the LockBit 3.0 source code leaked in late 2022, with custom modifications and techniques observed in ALPHV/BlackCat operations. The ransomware:
- Uses dual-channel communications (Tor + TON networks)
- Employs ShareFinder.ps1 for network reconnaissance
- Leverages living-off-the-land binaries (LOLBins) to disable Windows Defender
- Implements AES + RSA encryption requiring 32-byte password parameters
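The share-enumeration and Defender-tampering behaviours listed above are the kind of signals a detection team would want to alert on. The following Python is an added example, not code from this report or from any vendor: it runs a small set of command-line rules over constructed process-creation records and escalates any host where share enumeration is followed by Defender tampering. The report names only ShareFinder.ps1 and "LOLBins" generically, so the specific tampering patterns (a Set-MpPreference call disabling real-time monitoring, and the DisableAntiSpyware policy value written with reg.exe) are assumptions about common tampering commands, and the event records are constructed for illustration.

```python
import re

# Constructed process-creation records (illustrative only; not taken from the report).
# Each record mimics the fields a process-creation telemetry source would carry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\ShareFinder.ps1"},
    {"host": "ws-01", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "srv-02", "image": "reg.exe",
     "cmdline": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
                '/v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "ws-03", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-MpComputerStatus"},   # benign status query
    {"host": "ws-04", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Rule name -> case-insensitive pattern over the command line.
# The ShareFinder.ps1 name comes from the report; the two Defender patterns are
# assumed common tampering commands, not something the report attributes to SAFEPAY.
RULES = [
    ("share-enumeration-script",
     re.compile(r"sharefinder\.ps1", re.I)),
    ("defender-realtime-disabled",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$?true", re.I)),
    ("defender-policy-disabled-via-reg",
     re.compile(r"reg(\.exe)?\s+add.*windows defender.*disableantispyware.*/d\s+1", re.I)),
]


def match_event(event):
    """Return the names of every rule whose pattern matches this event's command line."""
    return [name for name, pattern in RULES if pattern.search(event["cmdline"])]


def scan(events):
    """Run all rules over a list of events; one finding per (event, matching rule)."""
    findings = []
    for event in events:
        for rule in match_event(event):
            findings.append({"host": event["host"], "rule": rule, "cmdline": event["cmdline"]})
    return findings


def escalate(findings):
    """Hosts where share enumeration and Defender tampering both fired.

    A single Defender-tampering hit is worth triaging; the combination with
    share reconnaissance on the same host is the pre-encryption pattern the
    report describes, so it is raised to a higher severity here.
    """
    rules_by_host = {}
    for finding in findings:
        rules_by_host.setdefault(finding["host"], set()).add(finding["rule"])
    return sorted(
        host for host, rules in rules_by_host.items()
        if "share-enumeration-script" in rules
        and any(rule.startswith("defender-") for rule in rules)
    )


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for finding in results:
        print(f"[{finding['rule']}] {finding['host']}: {finding['cmdline']}")
    print("escalate:", escalate(results))
```

Against the constructed records this yields three findings (two on ws-01, one on srv-02) and escalates only ws-01, where both behaviours appear. In a real deployment the rules would be fed from a process-creation log source and the correlation window bounded in time; the patterns above are deliberately narrow, so tune them against your own telemetry rather than treating them as complete coverage.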
Geographic Focus
Analysis of the week's victims reveals SAFEPAY's strategic targeting:
- Germany: 7 attacks (39% of SAFEPAY activity)
- United States: 6 attacks (33%)
- United Kingdom: 3 attacks (17%)
- Other regions: 2 attacks (11%)
This pattern aligns with broader 2024 trends showing SAFEPAY establishing a dominant market position in Germany, where the group accounted for 24% of all ransomware victims in Q1 2025 according to Check Point research.
The Non-RaaS Advantage
Perhaps SAFEPAY's most significant strategic innovation is its rejection of the Ransomware-as-a-Service model that dominates the ecosystem. By operating as a closed group without affiliates, SAFEPAY:
- Retains 100% of ransom revenue
- Eliminates operational security risks from unknown affiliates
- Maintains tighter control over victim selection and timing
- Avoids the fragmentation that plagued groups like LockBit after law enforcement disruption
This centralized approach enables the rapid-fire attack waves observed during the analyzed period, where the group sometimes claims 10+ victims in a single day.
Traditional Power Players: Qilin, Incransom, and the Double-Extortion Evolution
While SAFEPAY dominated volume metrics, established ransomware families demonstrated more selective targeting with higher-profile victims during the December 12-19 period.
Qilin: Precision Over Volume
Qilin's six attacks during this week include strategically significant targets:
Grandes Vinos Winery (Spain)
- Data Exfiltrated: 620 GB
- Compromised Assets: Personal identification documents, legal contracts, financial records
- Threat: Public release unless ransom paid
- Industry Impact: First major attack on Spanish wine industry infrastructure
Current Context: Qilin continues to be one of 2025's most active and dangerous ransomware operations, having executed major attacks throughout the year including the Habib Bank AG Zurich breach that stole 2.5TB of banking data.
Best Hotels Spain
- Evidence Released: 14 leaked screenshots of internal documents
- Tactic: Proof-of-breach demonstration before full extortion
- Sector: Hospitality industry during peak holiday season
Telechaim
- Method: Double-extortion with threatened public data release
- Focus: Reputational damage to force compliance
Qilin's approach reflects the maturation of ransomware tactics beyond simple encryption. The group's typical ransom demands range from $50,000 to $800,000, with notable success extracting a $50 million payment from London hospitals in 2024.
Incransom: Continued Healthcare-Focused Assault
Incransom (INC Ransom) demonstrates its characteristic focus on healthcare infrastructure with 14 attacks during this week, including the victims profiled below.
Context: INC Ransom has become known throughout 2025 as the ransomware group that abandoned all ethical boundaries, systematically targeting the very sectors most groups claim to avoid — including critical infrastructure like emergency notification systems serving millions of Americans.
Singular Genomics
- Data Volume: 20 TB exfiltrated
- Compromised: Source codes, biological data, personal information
- Risk Level: Critical - impacts research integrity and patient privacy
- Industry: Biopharma/genomics research
EAG Realty International
- Attack Type: Client data encryption with ransom demand
- Exposure Risk: Potential for financial fraud against real estate clients
- Operational Impact: Business disruption during critical year-end period
Glasser's TV Service Ltd
- Revenue at Risk: $5M
- Attack Vector: Data encryption with follow-on attack potential
- Customer Impact: Service continuity disruption
Emerging Actors: Sinobi, MS13089, and Market Fragmentation
The December 12-19 period showcased several lesser-known ransomware families attempting to establish market presence through volume attacks.
Sinobi: Manufacturing Sector Specialist
Eight confirmed attacks, all targeting manufacturing and healthcare:
- Turnamics, Inc. (manufacturing/robotics)
- RM Medics (healthcare services)
- North Star Asset Management (financial services)
Sinobi's tactics suggest opportunistic targeting of organizations with:
- Legacy infrastructure
- Limited cybersecurity investment
- High operational continuity requirements
- Moderate revenue making mid-tier ransoms viable
MS13089: Professional Services Hunter
Five attacks against specialized firms:
URO.COM (Healthcare)
- Compromised: PDFs, ZIP archives with patient information
- Threat Model: Identity theft and regulatory fine exposure
dgpcommercialisti.it (Italian Accounting)
- Data Type: Client and operational data
- Publication Threat: Detailed leak page prepared for public release
- Target Profile: Professional services with strict confidentiality obligations
Sector-Specific Analysis: Why These Industries?
Healthcare: The 12.1% Problem
Healthcare emerged as the most targeted sector with 42 incidents during the seven-day period. This concentration reflects several converging factors:
Operational Necessity = Payment Probability
Healthcare organizations cannot suspend operations during ransomware negotiations. Patient care continuity requirements create extreme time pressure favoring attacker demands.