
Who Ransomware Groups Hit in the UK in November 2025 — A Record Month in Context

November 2025 was, by the data, the second-worst month for ransomware activity ever recorded. Cyble counted 640 ransomware group claims globally — exceeded only by February 2025 — and the volume of attacks rose for the seventh consecutive month. It was the month that Qilin posted 107 claimed victims, Akira posted 100, and Clop used an Oracle E-Business Suite zero-day exploit (CVE-2025-61882) to sweep silently through enterprise environments worldwide.

Against that backdrop, Comparitech tracked 17 UK ransomware victims in November, placing the UK third in the global league table behind the United States (354 attacks) and Canada (34). That figure likely understates the real impact, for reasons covered later in this analysis. What is on the record represents a diverse cross-section of UK industry: a major city centre shopping complex, a Formula 2 and Formula 3 motorsport team, a precision engineering manufacturer, an industrial distribution business, an architectural aluminium manufacturer, and others.

The Confirmed November Victims

A further 11 UK organisations were claimed in November across the full Comparitech dataset, the majority in sectors and at sizes consistent with the pattern across the preceding months: small manufacturing, engineering, professional services, and construction firms whose names do not appear in the general press but whose data is now in the possession of criminal groups.

27 November: Three UK Organisations Published in a Single Day

The 27th of November was a particularly notable date in the UK dataset. On that single day, at least three UK organisations appeared on ransomware group leak sites: WLR Precision Engineering and Comansco (both claimed by Qilin), and Hitech Grand Prix (claimed by Akira). Two different groups, three different victims, published within hours of each other.

This is not coincidence. It reflects the operational rhythm of how modern ransomware groups publish their victim lists. Qilin and Akira each maintain data leak sites where they post victim names on a rolling schedule, typically when ransom negotiation deadlines expire or when batch publication cycles turn over. The organisations on the 27 November list were not necessarily attacked on that date — Qilin's average delay between attack and publication runs at approximately 46 days, and Akira operates on a comparable timeline. The attacks behind these three November disclosures likely occurred in September or October. They were simply published together as deadlines expired in the same window.

This detail matters because it shapes how organisations should think about monitoring. The absence of your organisation's name from a ransomware leak site today does not mean the absence of an ongoing breach. It may mean a clock is running.
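The timing argument above, worked through as an added example that is not part of the original article: it back-dates a leak-site publication by the roughly 46-day Qilin delay quoted above and checks which log sources would still hold the likely intrusion window on the day the name appears. The 14-day spread, the function names and the retention figures are assumptions constructed for illustration.

```python
from datetime import date, timedelta

QILIN_MEAN_DELAY_DAYS = 46   # attack-to-publication delay quoted in the article
SPREAD_DAYS = 14             # assumption: tolerance either side of that mean


def intrusion_window(published, mean_delay=QILIN_MEAN_DELAY_DAYS, spread=SPREAD_DAYS):
    """Return (earliest, latest) likely intrusion dates for a leak-site post."""
    centre = published - timedelta(days=mean_delay)
    return centre - timedelta(days=spread), centre + timedelta(days=spread)


def retention_coverage(published, retention_days, window):
    """Classify how much of the window a log source still holds on publication day."""
    oldest_kept = published - timedelta(days=retention_days)
    earliest, latest = window
    if oldest_kept <= earliest:
        return "full"      # every day of the window is still on disk
    if oldest_kept <= latest:
        return "partial"   # the start of the window has already aged out
    return "none"          # the whole window was deleted before anyone looked


def review(published, sources):
    """Map each log source name to its coverage verdict for one publication date."""
    window = intrusion_window(published)
    return {name: retention_coverage(published, days, window)
            for name, days in sources.items()}


# Constructed retention settings (days), not taken from any real organisation.
SAMPLE_SOURCES = {"vpn_gateway": 30, "directory_auth": 45, "edr_telemetry": 90}

if __name__ == "__main__":
    pub = date(2025, 11, 27)
    start, end = intrusion_window(pub)
    print(f"likely intrusion window: {start} to {end}")
    for name, verdict in review(pub, SAMPLE_SOURCES).items():
        print(f"{name:15s} {verdict}")
```

With these sample values, a 30-day VPN log retention holds none of the estimated window by the time the victim is named, which is the practical meaning of "a clock is running".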

WLR Precision Engineering

WLR Precision Engineering is a UK-based manufacturer specialising in CNC machining and precision engineering for industrial machinery and equipment. Qilin's claim placed the company in the manufacturing sector. The firm, operating out of the UK with a focus on high-precision component production, holds the type of data that is specifically valuable in a precision manufacturing context: customer technical drawings, tolerances, production specifications, material sourcing records, and order histories for clients who may themselves be operating in defence, aerospace, automotive, or medical device supply chains. The loss of that data to a threat actor is not simply a regulatory compliance problem. It potentially exposes the commercial and engineering secrets of every downstream customer whose components WLR has machined.

Comansco

Comansco is a UK-based industrial supplies and distribution company. Like many industrial distributors, its value to a ransomware group lies in the commercial relationships its data contains: supplier agreements, customer accounts, pricing structures, and logistics records. The Qilin claim on 27 November placed it alongside WLR in what appears to be a standard affiliate batch publication — two UK manufacturers whose ransom negotiations had expired on the same deadline cycle.

Hitech Grand Prix

The most unexpected entry in November's UK dataset is Hitech Grand Prix. Based at Silverstone, Hitech is one of the established names in single-seater motorsport, competing in Formula 2, Formula 3, and other feeder series. Akira claimed the team on 27 November.

Motorsport is not a sector that typically appears in ransomware threat briefings directed at UK businesses, and that is precisely why it is worth noting. The data held by a professional racing team operating at the top tiers of international single-seater motorsport includes driver contracts and personal data, sponsor agreements, technical development records, car setup data, financial forecasts, and personnel information for engineers and mechanics who may hold competitive intelligence relevant to rival teams. In a championship environment where minor technical advantages are fiercely guarded, the exfiltration of a team's operating data represents both a commercial and reputational exposure that goes well beyond typical IT disruption. Akira, which claimed Hitech, is one of the most active and persistent ransomware groups of 2025, with a particular focus on manufacturing and technology organisations. Hitech's IT infrastructure, like many SME-scale motorsport operations, is unlikely to have been the subject of the same investment as its engineering and development budget.

West Quay: The One That Said So

West Quay is one of Southampton's primary retail and leisure destinations, operated under the Hammerson portfolio. Qilin claimed the attack in late November, and West Quay did something that the overwhelming majority of UK ransomware victims do not: it publicly acknowledged it.

West Quay's statement confirmed that threat actors had unlawfully accessed and encrypted its IT systems. It noted that forensic and remediation efforts had restored operations, and that investigation into the nature and extent of any data exfiltration remained ongoing. That acknowledgment is notable not because it reveals something unusual but because it demonstrates what the data from November's other claimed victims does not: what a Qilin attack actually looks like from the victim's perspective. Systems encrypted. Operations disrupted. Forensic teams engaged. An investigation that may run for months before the full data exposure picture is clear.

West Quay is not a small organisation. As part of the Hammerson estate, it has an IT function, commercial relationships with hundreds of retail and leisure tenants, customer data from footfall and loyalty programmes, and staff payroll and HR records. The public acknowledgment positions it as one of the few November UK victims where the claim can be independently corroborated. For the majority of the other 16 UK victims in November, no such confirmation exists. That does not mean the attacks did not happen; it means the organisations chose, or were able, to manage the situation without public disclosure.

The West Quay incident also illustrates a dynamic that runs through the entire November UK dataset. Qilin's UK victims in November included a CNC manufacturer, an industrial distributor, and a major city centre leisure complex. There is no single profile. Qilin affiliates are scanning the UK's internet-facing attack surface continuously, following credential trails from dark web markets, and exploiting unpatched VPN and RDP exposures wherever they find them. The sector is irrelevant. The size is irrelevant. The reachability is the criterion.

Safepay and the UK Manufacturing Target

Parkside Group Ltd's appearance on the Safepay leak site in November continues a pattern that Check Point Research identified across Q3 2025: Safepay has the UK as one of its primary geographic targets, with approximately 10% of its total victim portfolio based in Britain, alongside a similar concentration in Germany.

Parkside Group is a UK-based manufacturer and distributor of architectural-grade aluminium products used in the construction sector. It supplies a customer base of architects, contractors, and construction firms with products for facades, fenestration, and structural glazing. Safepay's claim adds another UK manufacturer to its growing list, and the construction-adjacent sector link is consistent with the broader sectoral pattern visible across the November, December, January, and February datasets alike.

Safepay first appeared in September 2024 and by November 2025 had become one of the top ten most active ransomware groups globally, with approximately 374 victims claimed in its first year of operation. It does not operate on the Ransomware-as-a-Service model in the conventional sense. Its targeting is systematic, its tools are sophisticated, and its UK focus is deliberate. Safepay gains initial access with valid credentials purchased on dark web marketplaces, uses them to reach endpoints through VPN gateways, and then deploys double extortion: encrypt and exfiltrate, threatening publication if the ransom is unpaid.

The Shadow of Clop's Oracle Campaign

November 2025 needs to be understood in the context of a campaign that was running silently in parallel with the published victim lists: Clop's exploitation of CVE-2025-61882, a critical zero-day vulnerability in Oracle's E-Business Suite. Clop, third most active globally in November with 94 claimed victims, was using this vulnerability to access Oracle EBS environments without authentication and extract payroll, HR, and financial databases at scale.

Clop does not publish victims immediately. Its campaigns typically follow a pattern of months-long dwell time before any public disclosure, as the group negotiates with multiple victims simultaneously and publishes in batches as deadlines expire. The Oracle EBS campaign was active in October and November 2025. Its UK impact would not appear on ransomware.live's November count; it would surface weeks or months later, after extortion deadlines passed and Clop published organisations that had refused to pay. The January 2026 UK victim list includes multiple Clop claims — Warranty First, BAQUS, and Trust Payments among them — some of which may trace back to November exploitation activity.

This is the structural reason why November's 17 publicly claimed UK victims likely understates the real picture. The Comparitech figure captures only what had been published by 30 November. It does not include UK organisations compromised in November whose names would surface in December or January. Clop's Oracle campaign is the clearest example of a mechanism that systematically delays the visible UK victim count relative to the actual UK attack count.

A Global Record Month With a UK Dimension

November 2025 was a watershed in the ransomware calendar for reasons that extend beyond the UK. Cyble recorded 640 total ransomware claims globally — the second-highest monthly total ever, behind only February 2025. The US bore the brunt with 354 attacks. Canada came second. The UK came third, ahead of Germany and India. Supply chain attacks reached their second-highest level ever in November, with ransomware groups claiming 22 of the 38 documented supply chain incidents.

Qilin's 107 November claims represented a continuation of its dominance as the world's most prolific ransomware group. Cisco Talos confirmed in November 2025 that Qilin was consistently publishing more than 40 victim listings per month in the second half of the year, and Comparitech's data shows it had already surpassed RansomHub's entire 2024 victim count by October, having claimed its 700th victim of 2025 that month. The group's affiliates were using stolen VPN credentials, exploiting unpatched Fortinet, SAP, and Citrix vulnerabilities, and deploying Cobalt Strike for post-exploitation lateral movement before the ransomware payload was ever delivered.

Akira, which claimed Hitech, ran a parallel campaign at 100 November claims. Its confirmed November attacks included LG Energy Solution in South Korea (1.67 TB stolen) and Ruag LLC in the US. Hitech sits in the same output batch as those globally significant victims, claimed by the same group on the same publication cycle, applying the same toolkit against a motorsport team in Silverstone that it applied against a defence contractor and a battery manufacturer in the same week.

The Pattern That Does Not Change

Read November alongside December, January, and February and the structural characteristics of the UK ransomware dataset are entirely consistent. Manufacturing and engineering are disproportionately targeted in every month. Professional services appear reliably. Occasional notable consumer-facing or well-known organisations (West Quay in November, Typhoo Tea in December, Purcell Architects in January, Adelphi in February) sit alongside the small, named-only-on-a-leak-site majority. Different groups claim UK victims every month, with Qilin, Akira, and Safepay present across the entire four-month period.

November adds one dimension that the other months do not so clearly illustrate: the gap between the published count and the true count. Comparitech's figure of 17 is a floor, not a ceiling. Clop's Oracle campaign, Safepay's batch publication delays, and the baseline fact that organisations that pay ransoms typically never appear on a leak site at all mean the 17 is a minimum. The true November impact on UK organisations is larger, likely significantly so, and will continue to materialise in the form of leak site publications and ICO data breach notifications for months to come.

November Was the Second-Worst Month on Record. Your Organisation Was in That Market.

640 ransomware attacks globally in November 2025. 17 confirmed UK victims. An unknown further number who paid quietly or whose data will appear on a leak site in the coming months. The difference between an organisation that appears on a leak site and one that does not is not size, sector, or profile. It is whether a continuous monitoring capability was in place to detect the credential abuse, VPN exploitation, or lateral movement that preceded the payload. SOC in a Box provides that capability, calibrated to the organisation sizes that dominate this dataset. If November's data means anything, it is that the question is not whether your organisation is a target. It is whether the infrastructure is in place to catch what is already looking for you.
