In the first half of 2025, we logged 208 ransomware attacks on government agencies across the globe.
This is a 65 percent increase over the same period of 2024 (126) and a 25 percent increase on H2 of 2024 (167).
Of the 208 attacks noted in H1 of 2025, half of these (104) were confirmed by the entity that was targeted.
These figures highlight how government organizations are a dominant focus for hackers, especially in contrast to other key sectors like healthcare. Our recent report on the healthcare sector found a four percent increase from H1 2024 to H1 2025 and a nine percent decrease from H2 2024 to H1 2025.
The fact that a number of governments are banning (or looking to ban) public entities from paying ransoms doesn’t appear to be deterring hackers. If negotiations fail, most hackers auction off stolen data on the dark web, allowing them to profit even if ransoms aren’t paid.
Attacks against governments are frequently reported on by news outlets, which can add to a gang’s notoriety. 50 percent of all attacks in H1 were confirmed by the agency involved. In education, that figure was 31 percent, in healthcare it was 32 percent, and across all other businesses it was just eight percent.
These lower ratios, especially across businesses, are likely due to many of these attacks going under the radar, especially if systems are brought back online quickly and no data breach notifications are submitted afterward. By attacking government entities that are required to disclose breaches, ransomware groups are more likely to see their attacks widely reported on.
*Please note: this report was generated after our initial H1 report so figures may have changed slightly as more attacks have been confirmed.
Key findings for H1 2025 ransomware attacks on government organizations
- 208 attacks in total – 124 in Q1 and 84 in Q2
- 104 confirmed attacks – 54 in Q1 and 50 in Q2
- 104 unconfirmed attacks – 70 in Q1 and 34 in Q2
- 366,006 records are known to have been breached in the confirmed attacks
- 78.5 TB of data allegedly stolen (67.2 TB in the confirmed attacks)
- Average theft of 1.3 TB of data per attack
- Average ransom demand of $1.65 million
- The most prolific ransomware strains with the highest number of claims against government entities were Babuk (26), Qilin (17), INC (16), Funksec (12), and RansomHub (12)
- Qilin had the most confirmed attacks (13), followed by INC and RansomHub (8 each)
Government data breaches via ransomware in H1 2025
While more data breaches are still being confirmed and figures finalized, the majority of the breach records stem from the attack on the Pierce County Library System. In this attack in April 2025, 336,826 people had their data breached. INC claimed the attack.
Other confirmed breaches include:
- City of West Haven, Connecticut, US: 4,932 people had their data breached in January 2025 following an attack via Qilin
- Gloucester County, Virginia, US: after an attack in April 2025 via BlackSuit, 3,527 people received data breach notifications
- Gooding County, Idaho, US: unknown hackers targeted Gooding County in March 2025. 3,253 people were impacted in the breach
- Gaines County, Texas, US: Qilin also claimed this attack which occurred in February 2025 and impacted 3,160 people
- State Bar of Texas, US: 3,012 people received data breach letters following an attack via INC in January 2025
Ransomware attacks on government organizations by country
A large proportion (35%) of the 208 ransomware attacks noted against government organizations targeted those based in the US (72). 44 of these attacks were confirmed by the government agency.
Brazil (9), India (9), Canada (8), and France, Spain, and Indonesia (5 each) were also within the top five.
Of the nine attacks targeting Brazilian government entities, five were confirmed. None of these were claimed by hackers on their data leak sites. The city halls of Ivinhema, Chapadão do Sul, São José do Rio Preto, and Porto Nacional were targeted as well as the Instituto de Pesquisas Energéticas e Nucleares (IPEN). Chapadão do Sul and Porto Nacional both confirmed that no ransom was paid, with the amount demanded from Chapadão do Sul being $266,000. IPEN also confirmed its attack had resulted in losses of R$2.5 million (USD$450,000).
Four of Canada’s attacks were confirmed, with each being carried out by a different group. Three of the attacks were carried out in February 2025 – The Town of Hinton by RansomHub, the City of Fort St. John by INC, and the Town of Orangeville by BlackSuit. MRC de Maskinongé’s attack happened in March 2025 and was claimed by Medusa with a demand of $100,000.
In France, Mairie de Berson and Mairie de Ostheim were both hit by unknown hackers in February 2025 and neither paid the ransom, while Commune d’Ardon was targeted by NightSpire in April 2025.
The Spanish cities of Badajoz and La Rinconada suffered attacks in April 2025 but no hackers took credit. Níjar was targeted in May 2025 by Devman with 250 GB allegedly stolen. But the attack in Melilla was perhaps the most disruptive. Qilin targeted the Spanish city in June 2025. Melilla refused to pay a reported ransom of $2.1 million. It took the city around three weeks to recover.
None of the attacks in India or Indonesia were confirmed but this could be due to less reporting/publication of attacks in these countries.
Belgium saw four confirmed attacks, while the UK and Colombia saw three confirmed attacks. In the UK, Gateshead Council was targeted in January 2025 by Medusa who demanded $600,000. Another council (West Lothian) was hit in May 2025, this time by Interlock who says it stole 2.63 TB of data. The British Horseracing Authority (BHA) also confirmed an attack in June 2025, but its hackers remain unknown.
Ransom demands on government organizations in H1 2025
Across both confirmed and unconfirmed attacks, the average ransom demand was $1.65 million. Across the confirmed attacks, the average was higher at nearly $2.44 million (figures known in 17 cases). Across the unconfirmed attacks, it was $309,800 (figures known in 10 cases).
The top 5 biggest ransom demands on governments in H1 2025
According to our findings, the biggest ransom demands in the first half of 2025 were on these government organizations:
- Úrad geodézie, kartografie a katastra SR, Slovakia – $12M: Slovakia’s Geodesy, Cartography, and Cadastre Office was presented with a $12 million ransom demand from unknown hackers following its attack in January 2025. The ransom demand wasn’t met.
- Magyar Nemzeti Múzeum (Nemzeti Régészeti Intézet), Hungary – $10M: RansomHub struck the Hungarian National Museum (National Archaeological Institute) in February 2025 and said it had stolen 180 GB of data.
- National Social Security Fund, Kenya – $4.5M: After the NSSF suffered an attack in May, Devman came forward to claim the attack and demanded $4.5 million for 2.5 TB of data it alleged to have stolen.
- Cleveland Municipal Court, US – $4M: This attack in February 2025 crippled key systems for weeks. Qilin came forward to claim this attack and is reported to have demanded $4 million from the government entity. No ransom was paid.
- Oregon Department of Environmental Quality, US – $2.6M: In April 2025, Oregon DEQ was targeted by Rhysida. It issued the government entity with a ransom demand of $2.6 million after allegedly stealing 2.5 TB of data.
The top four of these are also within the top five across all ransomware attacks in all sectors for H1 2025.
Which ransomware gangs are targeting government entities?
While some groups don’t appear to have a specific sector that they target, others do. The ransomware groups that claimed the most attacks on the government sector in H1 2025 include:
- Qilin – 17 claims in total = 5% of its total claims (320)
  - 13 confirmed attacks = 27% of its total confirmed attacks (49)
- INC – 16 claims in total = 12% of its total claims (132)
  - 8 confirmed attacks = 32% of its total confirmed attacks (25)
- RansomHub – 12 claims in total = 5% of its total claims (221)
  - 8 confirmed attacks = 25% of its total confirmed attacks (32)
- Funksec – 12 claims in total = 18% of its total claims (68)
  - 1 confirmed attack = 17% of its total confirmed attacks (6)
- Medusa – 8 claims in total = 8% of its total claims (104)
  - 5 confirmed attacks = 28% of its total confirmed attacks (18)
- SafePay – 8 claims in total = 4% of its total claims (186)
  - 3 confirmed attacks = 15% of its total confirmed attacks (20)
Please note: Babuk hasn’t been included above as none of its attacks against government entities were confirmed.
Funksec and INC appear to have more of a focus on the government sector, but if we look at the percentage of confirmed attacks to unconfirmed attacks, Qilin (27%) and INC (32%) have the highest rates. We also found that both of these were heavily focused on the healthcare sector.
INC accounts for the highest volume of records breached thanks to its attack on Pierce County Library System, which, as we’ve noted above, accounts for most of this year’s breached records.
Meanwhile, Qilin alleges to have stolen the most data. It states that over 5.3 TB of data was lost across just six of its attacks (Qilin doesn’t always provide the amount of data stolen). Most of this data (around 4 TB) was stolen in the attack against Melilla, noted above.
Confirmed vs unconfirmed attacks
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.
When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.
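The labeling rules and the month reattribution described above, as an added example (not code from our tracker). The record fields, the "untracked" and "undated" fallbacks, and all sample organizations and dates are constructed assumptions; matching a claim to an organization is assumed to have been done already.

```python
from collections import Counter
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Incident:                           # hypothetical record layout
    org: str
    claimed_on: Optional[date] = None     # leak-site claim matched to this org, if any
    disclosed_ransomware: bool = False    # rule (a): org disclosed a ransomware attack
    acknowledged_attack: bool = False     # org acknowledged a cyber attack, type not named
    attack_date: Optional[date] = None    # date the organization gives for the attack

def label(i: Incident) -> str:
    if i.disclosed_ransomware:                 # rule (a)
        return "confirmed"
    if i.acknowledged_attack and i.claimed_on:  # rule (b): acknowledgement matches a claim
        return "confirmed"
    if i.claimed_on:                           # claim only, nothing from the organization
        return "unconfirmed"
    return "untracked"                         # assumption: no claim, no ransomware disclosure

def tally(incidents) -> Counter:
    """Count incidents per (YYYY-MM, label); confirmed ones use the real attack date."""
    counts = Counter()
    for i in incidents:
        status = label(i)
        if status == "untracked":
            continue
        when = i.attack_date if status == "confirmed" and i.attack_date else i.claimed_on
        month = when.strftime("%Y-%m") if when else "undated"
        counts[(month, status)] += 1
    return counts

# Constructed sample data: a snapshot, then the same list after Town A discloses.
SNAPSHOT = [
    Incident("Town A", claimed_on=date(2025, 1, 10)),
    Incident("County B", claimed_on=date(2025, 2, 3), acknowledged_attack=True,
             attack_date=date(2025, 1, 28)),
    Incident("City C", disclosed_ransomware=True, attack_date=date(2025, 3, 5)),
    Incident("Agency D", claimed_on=date(2025, 3, 15)),
]
UPDATED = [replace(SNAPSHOT[0], disclosed_ransomware=True,
                   attack_date=date(2024, 12, 20))] + SNAPSHOT[1:]

if __name__ == "__main__":
    for name, data in (("snapshot", SNAPSHOT), ("updated", UPDATED)):
        print(name, sorted(tally(data).items()))
```

Between the two runs, Town A leaves the January 2025 unconfirmed count and appears as a confirmed attack in December 2024, which is why period-over-period comparisons on unconfirmed figures shift over time.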
All data is derived from our worldwide ransomware tracker (updated daily).