Who Ransomware Groups Hit in the UK in December 2025 — A Sector and Size Analysis

Ransomware.live tracks claims posted on ransomware group leak sites — the pages criminal groups use to publish victim names and stolen data when ransoms are not paid. It is not a complete record of UK ransomware incidents; most are resolved without public disclosure. But it provides the most transparent available window into the campaign activity running against UK organisations at any given time.

In December 2025, ransomware.live recorded 17 confirmed UK victims with discovery dates in that month, claimed by 10 separate ransomware groups. The month has three analytically distinct phases: a mid-month period in which two significant organisations were hit on consecutive days by the same group, a pre-Christmas cluster of manufacturing and services firms, and a five-day end-of-year sweep in which a single group claimed five UK victims between Christmas Eve and New Year's Eve. This post analyses all seventeen victims across those three phases.

The Seventeen: An Overview

Ten different ransomware groups are represented. Three groups — Qilin, Safepay, and Worldleaks — each claimed multiple UK victims. As in January and February, no single group dominates. This is the output of parallel independent campaigns, not a coordinated operation by one actor.

Phase One: Worldleaks Hits a Telecoms MSP Then a Law Firm in 24 Hours

The most analytically significant entries in the December dataset are the two consecutive Worldleaks claims on 14 and 15 December: Wavenet and Thrings Solicitors.

Wavenet, headquartered at Blythe Valley Park in Solihull, is one of the UK's larger managed service providers. Founded in 2000 and majority-owned by Macquarie Capital, Wavenet employs approximately 900 people across nine UK offices and provides unified communications, connectivity, cloud services, and — critically — cybersecurity services. Its cybersecurity offering includes penetration testing, managed SIEM, and staff awareness training. It describes itself as a market leader in UK cybersecurity solutions and actively markets security services to businesses across the public sector, education, legal, and financial sectors. In December 2025, Wavenet was itself compromised and published on a ransomware group's leak site.

The irony is uncomfortable but instructive. A company selling cybersecurity monitoring services to other businesses had its own data exfiltrated and published by Worldleaks. This is not an argument that Wavenet's security posture was negligent — the details of the breach are not public. It is a reminder that scale, sector expertise, and security product sales do not confer immunity. Managed service providers and technology companies face the same adversary as their clients, and the data they hold is often more valuable: configuration details, network diagrams, client system information, and access credentials for customer environments. An MSP is, from an attacker's perspective, a route to the data of every client it serves.

Thrings Solicitors was claimed the following day. Thrings is a UK Top 100 law firm with approximately 300 to 350 staff across offices in Bath, Bristol, London, Romsey, and Swindon. It is SRA-regulated (SRA number 510691) and holds Law Society Lexcel accreditation. Its practice areas include commercial property, corporate, agriculture, family, employment, and private wealth. The firm has advised on defence, aerospace, and financial services sector transactions, and its private client practice handles high-net-worth estate and wealth matters. The data such a firm holds — conveyancing files, client financial details, employment contracts, M&A transaction documents, estate plans — is precisely the category of material that both the SRA and the ICO require to be protected under demonstrably robust technical controls.

Two organisations claimed by the same group on consecutive days in mid-December. The double-strike pattern mirrors the Worldleaks claims against Adelphi and the Thames Valley Chamber of Commerce in February 2026, and points toward a common exploitation mechanism rather than bespoke targeting of each organisation individually. Worldleaks appears to be operating a batch disclosure model, publishing claims in pairs or clusters as ransom deadlines expire across a cohort of victims reached through the same initial access method.

Phase Two: The Pre-Christmas Manufacturing Cluster

Between 16 and 23 December, five UK organisations were claimed across three different groups — Lockbit5, Akira, Sinobi, and Anubis — in what appears to be independent parallel campaigns converging on the pre-Christmas period.

Walters Group, claimed by Lockbit5 on 19 December with an estimated attack date of 16 December, is a UK construction and engineering company. The Lockbit5 attribution is itself notable. LockBit, once the world's most prolific ransomware operation, was disrupted by an international law enforcement operation in February 2024 that seized infrastructure and charged affiliates. Within months, the operation reconstituted under new branding. Lockbit5 represents the latest iteration of that reconstitution. Its appearance in the UK victim list confirms that the group continues to operate against UK targets despite the law enforcement action.

MAT 4Site Engineers, also claimed on 19 December by Akira, specialises in building engineering systems — MEP (mechanical, electrical, and plumbing) design and build services. Building engineering firms hold construction project records, equipment specifications, client site access arrangements, and supply chain contracts. Their presence in the dataset is consistent with the broader construction and engineering sector concentration visible across the December, January, and February datasets alike.

Carbis Loadtec, claimed by Anubis on 23 December, is a specialist manufacturer based in Sunderland. Carbis Loadtec designs and manufactures loading arms and fluid transfer systems used in the oil, gas, petrochemical, and chemical industries. The Anubis claim description specifically references contracts, drawings, and client contacts — the specific categories of industrial intellectual property that are commercially valuable and that underpin a manufacturer's competitive position in a specialist engineering market. The loss of proprietary design documentation in a niche manufacturing sector is a significant commercial harm well beyond the IT disruption of the attack itself.

Phase Three: The Christmas Sweep

Five of the seventeen December victims were claimed in the final five days of the calendar year: Typhoo Tea, Heatcel and iNPIPE Products on 27 December, and USDAW and Knight Group on 29 December. All except Typhoo Tea were claimed by the same group, Safepay, in a clear batch exploitation event timed to the Christmas and New Year holiday period.

Typhoo Tea: A Brand Emerging From Administration, Hit at Christmas

Typhoo Tea is one of the UK's most recognisable consumer brands. Founded in 1903, it was the UK's first pre-packaged tea brand and for most of the twentieth century was a household staple. The company entered administration in November 2024 following years of mounting losses — pre-tax losses of £29.9 million in 2019, declining revenue, and a deteriorating balance sheet. On 2 December 2024, Supreme Imports acquired the Typhoo brand from administration for approximately £10 million.

Typhoo's ransomware claim was published on 27 December 2025 — 25 days before the first anniversary of that acquisition. A company that had spent 2025 rebuilding under new ownership, transitioning IT infrastructure from an administration estate to a functioning business, was compromised and published on a leak site at Christmas. The IT infrastructure of a company emerging from insolvency is typically in precisely the fragile transitional state that makes it most vulnerable: systems may have been operating under minimal support during administration, infrastructure decisions deferred, and the security posture of the acquired entity not yet fully assessed by the new owner. Qilin found Typhoo in that window.

USDAW: A Trade Union's Member Data at Risk

The Union of Shop, Distributive and Allied Workers is one of the UK's largest trade unions, representing approximately 400,000 workers in retail, distribution, transport, and food manufacturing. Its membership data is not commercially sensitive in the way that a payments company or a law firm's data is — but it is genuinely personal. Union membership records contain employment details, workplace grievance records, pay negotiation history, and potentially sensitive communications about industrial relations matters. For individual members employed in workplaces where union membership is not universal, the exposure of union membership status could itself carry personal implications.

The Safepay claim against USDAW on 29 December sits alongside four other UK victims claimed by the same group in the preceding five days. This is not a targeted operation against a trade union. It is an automated campaign sweeping the UK's internet-facing attack surface during the period of maximum holiday-period inattention, publishing whatever it found. USDAW happened to be reachable.

The Safepay Christmas Batch

Heatcel, iNPIPE Products, USDAW, and Knight Group represent four very different organisations brought together by a single shared characteristic: all were reachable by Safepay's exploitation tooling in the Christmas window. Heatcel supplies central heating spare parts and components. iNPIPE Products is a British engineering and manufacturing firm based in Brompton on Swale in North Yorkshire, making pipeline products for the industrial sector. Knight Group is a precision metal stockist and processor with decades of manufacturing history. None of these organisations would conventionally be considered high-value ransomware targets. All of them operate internet-facing systems that Safepay's scanning capability identified and exploited during a period when monitoring was reduced and response times extended.

The timing is deliberate. The Christmas and New Year holiday window is one of the most reliably productive periods in the ransomware calendar. IT teams are on leave. Monitoring thresholds are lowered. Incident response resources are skeletal. Recovery timelines are constrained by the need to restore operations before the new year. Safepay's five-victim UK harvest in five days reflects the operational discipline of a group that has internalised this seasonal dynamic.
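The batch disclosure pattern described in this section and in the Worldleaks section above can be picked out of leak-site claim data mechanically. The following Python is an added illustration, not code from ransomware.live or from this post: it takes a constructed subset of the December claims named here (victims, groups and claim dates as given in the text; the record field names are an assumption, not the ransomware.live API schema), counts claims per group, and finds runs of claims by one group that fall within a few days of each other.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: a subset of the December 2025 UK claims named in this post.
# Field names are assumed for this example, not taken from the ransomware.live API.
CLAIMS = [
    {"victim": "Wavenet", "group": "worldleaks", "discovered": "2025-12-14"},
    {"victim": "Thrings Solicitors", "group": "worldleaks", "discovered": "2025-12-15"},
    {"victim": "Walters Group", "group": "lockbit5", "discovered": "2025-12-19"},
    {"victim": "MAT 4Site Engineers", "group": "akira", "discovered": "2025-12-19"},
    {"victim": "Carbis Loadtec", "group": "anubis", "discovered": "2025-12-23"},
    {"victim": "Typhoo Tea", "group": "qilin", "discovered": "2025-12-27"},
    {"victim": "Heatcel", "group": "safepay", "discovered": "2025-12-27"},
    {"victim": "iNPIPE Products", "group": "safepay", "discovered": "2025-12-27"},
    {"victim": "USDAW", "group": "safepay", "discovered": "2025-12-29"},
    {"victim": "Knight Group", "group": "safepay", "discovered": "2025-12-29"},
]


def claims_by_group(claims):
    """Count claims per group, most active group first (ties broken by name)."""
    counts = defaultdict(int)
    for claim in claims:
        counts[claim["group"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def batch_clusters(claims, window_days=5, min_size=2):
    """Find runs of claims by a single group in which each claim falls within
    window_days of the previous one. window_days=0 isolates same-day batches.
    Returns (group, [victims in date order], span in days) per run found."""
    by_group = defaultdict(list)
    for claim in claims:
        by_group[claim["group"]].append(
            (date.fromisoformat(claim["discovered"]), claim["victim"]))
    runs = []
    for group, items in by_group.items():
        items.sort()  # by date, then victim name
        run = [items[0]]
        for item in items[1:]:
            if item[0] - run[-1][0] <= timedelta(days=window_days):
                run.append(item)
            else:
                if len(run) >= min_size:
                    runs.append((group, run))
                run = [item]
        if len(run) >= min_size:
            runs.append((group, run))
    return [(g, [v for _, v in r], (r[-1][0] - r[0][0]).days) for g, r in runs]


if __name__ == "__main__":
    print(claims_by_group(CLAIMS))
    for group, victims, span in batch_clusters(CLAIMS):
        print(f"{group}: {len(victims)} claims over {span} day(s): {victims}")
```

On the sample this surfaces the Worldleaks pair (one day apart) and the Safepay run of four across two days; with `window_days=0` it instead returns the two same-day Safepay pairs.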

LockBit's Reconstitution: Lockbit5 in the UK

The Walters Group claim by Lockbit5 warrants brief specific attention because it confirms something that the law enforcement community has been tracking since the February 2024 disruption of the original LockBit operation. Operation Cronos, the international law enforcement action coordinated by the NCA, FBI, and Europol, seized LockBit's infrastructure, took down its leak site, and exposed the identities and whereabouts of affiliates. The operation was widely described as a decisive blow against the world's most prolific ransomware group.

LockBit restarted within days. By mid-2025 it had reconstituted sufficiently to be claiming UK victims under the Lockbit5 designation. The December claim against Walters Group is a visible data point in that ongoing reconstitution. It is also a reminder that law enforcement disruption of ransomware infrastructure, while operationally significant, does not eliminate the threat. The same actors, or closely affiliated ones, reconstitute under new branding. The UK victim list continues.

Size Distribution: December's Broader Range

December's victim set is slightly more varied in size than January and February, reflecting the presence of Wavenet (900 staff) and Thrings (~300 staff) alongside the characteristic SMB majority. Even so, the profile remains overwhelmingly small business. Carbis Loadtec, Heatcel, iNPIPE, Abacus Employment Services, Red Star Studio, GreenBest, Poyntell, and RM Medics are all sub-50-employee businesses by reasonable estimate.

The inclusion of Wavenet in the dataset carries a specific implication for the client base it serves. Wavenet describes itself as a managed service provider to thousands of UK businesses and organisations. The data it holds includes client network configurations, authentication systems, telephony infrastructure, and potentially access credentials for the environments it manages. An MSP compromise is not bounded by the MSP's own data: it potentially touches every organisation that trusts the MSP with its infrastructure. This is the supply chain dynamic that runs through the entire three-month dataset — the organisation on the leak site is often not the ultimate boundary of the breach.

What the Three-Month Series Tells Us

Viewed alongside the January and February analyses, December 2025 completes a three-month picture with consistent structural characteristics.

Across December 2025, January 2026, and February 2026, ransomware.live recorded approximately 50 confirmed UK victims. That is roughly one every two days. Manufacturing and construction account for a disproportionate share across all three months. Healthcare-adjacent organisations — medical recruitment, dental imaging, pharmaceutical consulting — appear consistently. Professional services firms in law and accountancy are present in every month. Specific iconic or notable organisations — Typhoo Tea, Adelphi, Trust Payments, Thrings, Wavenet, Purcell — appear alongside small businesses with names unlikely to be recognised outside their immediate sector.

The pattern across all three months is the same: organisations without continuous monitoring, across every sector of the UK economy, are being found by automated campaigns that scan for reachable systems, apply known CVEs and credential grinding, and move to data exfiltration before the organisation is aware anything is happening. Holiday periods produce clusters. Batch exploitation events produce same-day multi-victim claims. The ransomware-as-a-service market produces ten or more different groups operating simultaneously against the UK attack surface.

What changed between December 2025 and February 2026 is not the attack method, the target profile, or the volume. What changed is which specific organisations were unlucky enough to have an unmonitored exposure at the moment an automated campaign swept past.

December, January, February: The Pattern Does Not Change. The Organisations Do.

Fifty confirmed UK ransomware victims across three months. An MSP selling cybersecurity services. A tea brand one year out of administration. A trade union. A Top 100 law firm. A 120-year-old engineering manufacturer. The organisations on the December list had no particular vulnerability in common beyond the absence of continuous monitoring capable of detecting the credential grinding and perimeter exploitation that preceded each attack. SOC in a Box provides that monitoring, at a cost calibrated to the organisation size that dominates these datasets. If your organisation is not being actively watched 24 hours a day, it is currently in the same position as the organisations on this list were before they appeared on it.
