Ransomware Attacks Reach Peak Levels During December 2025 Holiday Period | #ransomware | #cybercrime

Kazu represents the most prolific operation of the four, with confirmed nation-state-adjacent targeting across military, healthcare, and government sectors. According to Bitdefender’s November 2025 Threat Debrief, the group has rapidly expanded operations across Southeast Asia, the Middle East, and South America.

The group operates a double-extortion model prioritizing data theft over traditional encryption. Red Piranha’s December 2025 threat intelligence report documents their deployment of SmokeLoader as an initial loader, subsequently dropping a LockBit 5.0 variant as the ransomware payload. Critically, Kazu implements a locale-based execution guard that skips execution on Russian/CIS language systems.

The group’s most prominent December attack was against New Zealand’s Manage My Health portal, detailed in the Press Coverage section below. Ransom demands have ranged from $60,000 to $500,000.

Benzona emerged in late November with aggressive expansion targeting manufacturing, healthcare, and automotive sectors. As noted by DarkFeed researcher Ido Cohen on X, the name is a Hebrew curse word, making it “one of the strangest branding choices” for a cyber-criminal operation.

A CYFIRMA weekly intelligence report from December 5, 2025 documented extensive anti-analysis capabilities including virtualization detection, timestomping, and shadow copy deletion. The ransomware appends the “.benzona” extension to encrypted files.

Romania accounts for approximately 50% of known victims, with ransomware trackers logging eight confirmed attacks. Additional victims span Côte d’Ivoire, Taiwan, India, and Iran.

TridentLocker has distinguished itself through targeting of government-adjacent infrastructure. Security Affairs and Bleeping Computer reported that in late December 2025, the group compromised a major claims management company’s government services subsidiary, a federal contractor serving multiple U.S. agencies including DHS, ICE, CBP, and notably CISA itself.

According to The Record, the attack targeted an isolated file transfer system. Cyber Press noted the incident was officially confirmed in early January 2026.

So far, threat trackers log 12 confirmed victims with an average dwell time of 12.6 days between attack and public claim. The group’s leak site runs on Kestrel (ASP.NET Core), distinguishing it from typical NGINX-based operations. No IOCs, YARA rules, or technical malware analysis have been published by major vendors.

MintEye represents the least documented threat actor, having emerged only weeks before this report. According to PurpleOps threat intelligence, MintEye was the most active ransomware group on December 12-13, 2025, claiming five victims simultaneously, more than Play News, Medusa, or Qilin.

Reports from DeXpose and RedPacket Security show targets across professional services, architecture, legal, and logistics sectors. Total claimed exfiltration exceeds 6 TB across five victims in the United States and Chile.

Beyond that, public tracking databases maintain only a basic profile. No malware samples, technical IOCs, initial access vectors, or ransom amounts have been disclosed. No coverage exists from enterprise-tier threat intelligence vendors such as Mandiant, CrowdStrike, or Sophos.