
Cybersecurity Weekly Update: 10-17 November 2025

  • Writer: SOC Team

1. Law Enforcement Takes Down 1,025 Malware Servers in “Operation Endgame”

Europol announced that in a coordinated action from 10–13 November, it dismantled 1,025 servers associated with major malware families: Rhadamanthys (infostealer), VenomRAT (remote access trojan), and the Elysium botnet. (Industrial Cyber)


Why it matters: These malware strains are widely used to harvest credentials, gain initial access, and enable large-scale cybercrime. The dismantled infrastructure was linked to hundreds of thousands of victim machines, with possible connections to critical infrastructure and industrial environments. (Industrial Cyber)


Action: Organisations, especially those running critical infrastructure, OT/ICS, or other industrial environments, should review their detection coverage for these malware families. Note that a server takedown removes the attackers' command-and-control, not the implants already present on victim machines: hunt for existing infections, and rotate any credentials an infected host could have exposed, since infostealer output is routinely resold.


2. Akira Ransomware Draws Global Warning

Security agencies, including the U.S. FBI, issued a joint advisory on Akira ransomware, highlighting its growing threat. (Cyber Security Review)

Akira is tracked by different vendors under several names (Storm-1567, Howling Scorpius, Punk Spider, Gold Sahara) and has been observed targeting a broad range of sectors, from SMBs to larger organisations in manufacturing, education, healthcare, financial services, and public interest industries. (Cyber Security Review)


Why it matters: The advisory underscores that Akira runs double extortion: data is exfiltrated before encryption and the threat of leaking it is used as leverage in its own right. For sectors handling sensitive data (defence, health, finance), this is especially concerning.


Action: Review and apply the IOCs and TTPs outlined in the advisory. Keep robust, tested backups, but also assume data can be stolen, not just encrypted: baseline normal outbound traffic per host, alert on large or unusual transfers to external destinations a host has never used before, and tighten privileged access.


3. EU Public Administration Under Fire from DDoS Campaigns

A new report from ENISA reveals that public administrations in the EU are increasingly targeted by DDoS attacks, often orchestrated by hacktivist actors. (ENISA)

According to the report, 60% of publicly reported cyber incidents in 2024 against public administration were DDoS events. Central governments (parliaments, ministries, national agencies) were especially affected. (ENISA)


Why it matters: Public administration systems underpin essential services such as education, healthcare, and transport. DDoS attacks, even short-lived ones, can disrupt service delivery, undermine citizen trust, and create broader secondary impacts.


Action: If your organisation delivers public services, or supplies systems to those that do, make DDoS resilience part of your risk model. Review your capacity, redundancy, and incident response plans, and consider upstream scrubbing services or DDoS protection tools.


4. Ransomware Pressure in Europe Hits Record Levels

According to CrowdStrike’s 2025 European Threat Landscape Report, ransomware attacks across Europe have surged. (CrowdStrike) Some key findings:

  • Over 2,100 European organisations were named on extortion/leak sites since January 2024. (CrowdStrike)

  • The underground cyber-crime economy has matured: services like Malware-as-a-Service (MaaS), initial-access brokers, and phishing toolkits are increasingly commoditised. (CrowdStrike)

  • State-aligned threat actors from Russia, China, North Korea, and Iran are more active in Europe, targeting sectors like defence, healthcare, and finance. (CrowdStrike)


Why it matters: This trend speaks to both maturity and scale in Europe’s cyber risk landscape. For defence and financial institutions, the combination of sophisticated adversaries plus criminal enterprise models is especially worrying.


Action: Strengthen ransomware defense strategies: implement zero-trust principles, verify supplier security, and enhance incident recovery planning. Frequent backups are necessary but insufficient—plan for exfiltration and extortion.


5. Longer-Term Trend: Shift to Exfiltration-Only Ransomware

The 2025 OpenText Cybersecurity Threat Report highlights a significant tactical shift: ransomware groups are increasingly adopting “exfiltration-only” attacks, where data is stolen and threatened with public release rather than encrypted. (OpenText)


Why it matters: Even organisations with strong backup strategies are at risk if the threat actor can leak sensitive data. This changes the “ransom” calculus: it’s not just about restoring systems, but also reputational, regulatory, and legal risk from data exposure.


Action: Reassess your cyber resilience model. Ensure data-leak readiness: classify data, monitor exfiltration channels, deploy data loss prevention (DLP) controls, and make sure legal and crisis teams are ready for extortion scenarios.
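The egress monitoring recommended here and in the Akira item above is easy to state and rarely shown. As an added illustration, not code from this page's sources, the following Python script builds a per-host daily baseline of outbound bytes from proxy log lines and flags a host whose egress jumps far above its own history, listing the external destinations it had never contacted before. The log format, hostnames, destinations, thresholds and the `.internal` suffix are all constructed for the example.

```python
"""Per-host egress baseline check: flag hosts whose daily outbound volume jumps
far above their own history and list the external destinations that are new.

Constructed example; the log format and all hosts/destinations are invented."""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed proxy log lines (not from any real environment). Space-separated:
# ISO timestamp, source host, destination host, bytes sent by the client.
SAMPLE_LOGS = """\
2025-11-10T09:12:03 ws-fin-01 crm.example.com 2100000
2025-11-10T14:40:11 ws-fin-01 updates.vendor.example 800000
2025-11-11T10:02:45 ws-fin-01 crm.example.com 1900000
2025-11-11T16:21:09 ws-fin-01 updates.vendor.example 700000
2025-11-12T09:33:20 ws-fin-01 crm.example.com 2300000
2025-11-12T17:45:00 ws-fin-01 backup.corp.internal 90000000000
2025-11-13T02:14:52 ws-fin-01 transfer.example.net 4800000000
2025-11-13T02:41:07 ws-fin-01 transfer.example.net 3900000000
2025-11-13T09:05:30 ws-fin-01 crm.example.com 2000000
2025-11-10T11:00:00 ws-hr-07 crm.example.com 500000
2025-11-11T11:00:00 ws-hr-07 crm.example.com 450000
2025-11-12T11:00:00 ws-hr-07 crm.example.com 520000
2025-11-13T11:00:00 ws-hr-07 crm.example.com 610000
"""

# Hypothetical: destinations with these suffixes are inside the organisation and
# are excluded from egress totals (a large internal backup is not exfiltration).
INTERNAL_SUFFIXES = (".internal",)


def parse_logs(text):
    """Parse the constructed format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def is_external(dst):
    return not dst.endswith(INTERNAL_SUFFIXES)


def daily_egress(events):
    """{host: {date: bytes}} counting only traffic to external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, n in events:
        if is_external(dst):
            totals[src][ts.date()] += n
    return totals


def find_anomalies(events, day, ratio=5.0, min_bytes=50_000_000):
    """Flag hosts whose egress on `day` exceeds `ratio` x the median of their
    earlier days and is at least `min_bytes` (the floor suppresses noisy
    low-volume hosts). `day` is an ISO date string such as "2025-11-13"."""
    target = date.fromisoformat(day)
    totals = daily_egress(events)
    findings = []
    for host, per_day in totals.items():
        today = per_day.get(target, 0)
        history = [b for d, b in per_day.items() if d < target]
        if not history:
            continue  # no baseline yet; a first-seen host needs a different rule
        baseline = median(history)
        if today < min_bytes or (baseline > 0 and today <= ratio * baseline):
            continue
        # Destinations this host had used on earlier days, any direction.
        before = {dst for ts, src, dst, _ in events
                  if src == host and ts.date() < target}
        new_dsts = sorted({dst for ts, src, dst, _ in events
                           if src == host and ts.date() == target
                           and is_external(dst) and dst not in before})
        findings.append({
            "host": host,
            "day": day,
            "bytes": today,
            "baseline": baseline,
            "ratio": round(today / baseline, 1) if baseline else None,
            "new_destinations": new_dsts,
        })
    return findings


def run_sample():
    """Run the check over the constructed logs for 13 November 2025."""
    return find_anomalies(parse_logs(SAMPLE_LOGS), "2025-11-13")


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['host']}: {f['bytes']} bytes on {f['day']} "
              f"({f['ratio']}x baseline of {f['baseline']}), "
              f"new destinations: {f['new_destinations'] or 'none'}")
```

On the constructed input the finance workstation is the only hit: its external egress on 13 November is several thousand times its median, it is concentrated in the early hours, and it goes to a file-transfer host the machine had never used. The HR workstation's small growth stays under the absolute floor. In production the baseline would come from the SIEM or proxy warehouse over a longer window, and the "new destination" check should be weighted by destination reputation and category, since a first upload to a file-sharing service is a far stronger signal than a first visit to a CDN.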


Key Recommendations

  1. Improve threat detection and response

    • Monitor for activity linked to Rhadamanthys, VenomRAT, Elysium, and Akira.

    • Review IOCs/TTPs from public advisories and law enforcement.

  2. Ransomware resilience must evolve

    • Assume exfiltration is possible, not just encryption.

    • Harden identity/access management; use multi-factor authentication (MFA), least privilege, zero trust.

  3. DDoS risk cannot be ignored

    • For public-sector or service-critical organisations, make DDoS resilience part of your cyber risk strategy.

    • Test incident response plans under load; consider mitigation services.

  4. Cross-border and geopolitical readiness

    • With state-aligned cyber actors increasingly operating in Europe, organisations should revisit geopolitical threat modelling.

    • Strengthen collaboration with industry peers, threat intel providers, and law enforcement where possible.
