Ransomware attacks continued at a high pace through the end of 2025, with December 2025 seeing dozens of publicly disclosed incidents (e.g., BlackFog reported 78 publicly disclosed attacks that month alone, up 13% year-over-year). Healthcare remained the most targeted sector.
The latest major ransomware attack reported in late 2025, and one of the most recent high-profile incidents in December, was the attack on Romania's national water management authority (Administrația Națională Apele Române), disclosed around December 21-22, 2025.
Key Details of the Attack
- Attack method: Attackers used BitLocker, the legitimate built-in Windows encryption tool, to encrypt files on around 1,000 computers across regional offices, locking staff out of systems. This is a "living-off-the-land" tactic (using native tools to avoid detection) rather than custom ransomware.
- Impact: Administrative systems were disrupted, but core water supply operations continued via manual processes. No widespread service outages to the public were reported, but it highlighted vulnerabilities in critical infrastructure.
- Ransomware group: Not explicitly claimed by a known group in public reports; it appears opportunistic rather than tied to a major RaaS like Qilin or Akira.
- Context: This fits the 2025 trend of ransomware targeting critical infrastructure (e.g., energy, water, manufacturing), with attacks on such sectors rising ~34% year-over-year according to reports like KELA's.
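Because the encryption described above came from a native tool rather than a malicious binary, detection has to key on behavior: one account switching BitLocker on across many hosts in a short period. The sketch below is an added example, not taken from any report on the incident; it assumes process-creation logs are available as pipe-delimited lines, and the host names, account names, thresholds and events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: BitLocker changes surface in process-creation command lines,
# as manage-bde or the BitLocker PowerShell cmdlets. Read-only calls are ignored.
BITLOCKER_CHANGE = re.compile(
    r"manage-bde(?:\.exe)?\s.*?-(?:on|forcerecovery|protectors\s+-(?:add|delete|disable))\b"
    r"|\b(?:Enable-BitLocker|Add-BitLockerKeyProtector|Remove-BitLockerKeyProtector)\b",
    re.IGNORECASE,
)

# Constructed sample events (not from the incident): time|host|account|command line
SAMPLE_EVENTS = """
2025-01-01T02:10:05|WS-0101|svc-deploy|manage-bde.exe -on C:
2025-01-01T02:11:40|WS-0102|svc-deploy|manage-bde -on D:
2025-01-01T02:13:02|WS-0103|svc-deploy|powershell.exe -Command Enable-BitLocker -MountPoint C:
2025-01-01T09:00:00|WS-0200|helpdesk1|manage-bde.exe -status C:
2025-01-01T09:05:00|WS-0201|helpdesk1|manage-bde.exe -protectors -get C:
2025-01-01T11:00:00|WS-0300|itadmin|manage-bde.exe -on C:
"""

def parse_events(text):
    """Split each pipe-delimited line into (timestamp, host, account, command)."""
    rows = (line.split("|", 3) for line in text.strip().splitlines())
    return [(datetime.fromisoformat(ts), host, acct, cmd) for ts, host, acct, cmd in rows]

def flag_changes(events):
    """Keep only events whose command line enables or alters BitLocker."""
    return [e for e in events if BITLOCKER_CHANGE.search(e[3])]

def fleet_bursts(hits, window=timedelta(minutes=30), min_hosts=3):
    """Map account -> hosts where it changed BitLocker on >= min_hosts hosts within window."""
    by_account = defaultdict(list)
    for ts, host, account, _ in sorted(hits):
        by_account[account].append((ts, host))
    alerts = {}
    for account, seen in by_account.items():
        for i, (start, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    hits = flag_changes(parse_events(SAMPLE_EVENTS))
    for account, hosts in fleet_bursts(hits).items():
        print(f"ALERT {account}: BitLocker changed on {len(hosts)} hosts: {hosts}")
```

A single administrator enabling BitLocker on one machine stays below the threshold; tune `window` and `min_hosts` against the organization's own deployment tooling, which legitimately enables BitLocker in bulk.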
Other Notable Very Late 2025 Incidents (December)
Several other attacks surfaced or were disclosed in December 2025, including:
- Marquis Software supply-chain incident (originally from August, but banks like Artisans' Bank and VeraBank notified thousands of customers in late December about downstream impacts from the ransomware breach).
- Payouts King claims against German firms like Rameder Anhängerkupplungen (automotive parts, ~1.4 TB data leaked) and others.
- Termite ransomware claimed access to MedHelp Clinics (US healthcare, ~25 GB data exfiltrated, mid-December disclosure).
- Smaller or emerging groups like TridentLocker (new in November) claimed hits on government contractors (e.g., Sedgwick Government Solutions on New Year's Eve 2025/early 2026).
Broader 2025 Ransomware Landscape (for Context)
2025 saw a shift toward data extortion over pure encryption, with groups like Qilin (most active overall, often 40–75 victims/month late in the year), Akira, and remnants of RansomHub dominating. Major earlier attacks (e.g., Asahi Group in September, Ingram Micro supply-chain disruption) had longer tails, but December focused more on critical infrastructure and regional targets.
Ransomware remains highly active into 2026. Stay proactive with backups, patching, and Zero Trust; 2025 proved these are essential.