During the first nine months of this year, Comparitech researchers logged 276 attacks on government organizations, a 41 percent increase from the same period in 2024 (196).
147 of this year’s attacks have been confirmed by the targeted entities. While the number confirmed is similar to the same period of 2024 (146), we expect this figure to rise as more attacks are confirmed in the coming months.
As the above chart demonstrates, it’s not all doom and gloom when it comes to ransomware attacks on government agencies. The total number of attacks has declined each quarter since Q1 of 2025, even though confirmed attacks remain consistently high.
Public utility companies haven’t seen this same decline, however. We’ve noted 10 confirmed attacks on public utility companies during the first nine months of this year and five of these happened in the last three months alone. These include the disruptive attack on Lakehaven Water & Sewer District in September, which was claimed by Qilin.
This attack, which caused problems and delays with Lakehaven’s payment system, highlights why critical infrastructure and government organizations remain a key focus for hackers. First, these attacks can have a huge impact on citizen services and have the potential to cause large data breaches. Second, attacks on these organizations add to a gang’s notoriety, as they are often highly publicized.
We’re already witnessing this in Q4 of 2025 as Qilin once again finds itself dominating headlines this month. Its attack on Region Hauts-de-France disrupted network and internet access at 80% of the region’s public high schools. Qilin also said 1.1 TB of data was stolen from the region.
*Please note: this report was written after our Q3 report, so figures may have changed slightly as more attacks have been confirmed.
Key findings for Q1-Q3 2025
- 276 attacks in total
- 147 confirmed attacks
- 129 unconfirmed attacks
- 443,522 records are known to have been breached in the confirmed attacks
- Average ransom demand across all attacks = $1.95 million
- The US has seen an 8% increase in attacks (when compared to the same period of 2024)
- The ransomware strains that claimed the most attacks against government agencies were Qilin (31), Babuk (26), INC (25), SafePay (13), Funksec (12), RansomHub (12), and Medusa (10)
- Qilin took credit for the most confirmed attacks (19), followed by INC (12), RansomHub (8), SafePay (6), and Medusa (6)
Government data breaches via ransomware in Q1-Q3 2025
The majority of the 443,500 records breached via government entities so far this year stem from an attack on the Pierce County Library System in Washington, USA. The library notified 336,826 people of a data breach after this April 2025 attack for which INC took credit.
Other significant breaches include:
- Union County, Ohio, US: 45,487 people were affected in this May 2025 attack by unknown hackers.
- Lorain County Auditor’s Office, Ohio, US: 18,491 people were affected in this May 2025 attack, which was claimed by Global.
- City of St. Joseph, Missouri, US: So far, 11,538 people are confirmed to have been affected (through the health department) following an attack in June 2025. No hackers have claimed this attack but the city has confirmed it spent $1 million to improve its systems following the attack.
Ransomware attacks on government agencies by country
Of the 276 attacks we’ve seen this year, 103 involved US government agencies. Brazil and Canada were second with 10 each, Spain and India followed with nine each, and France and Germany both had seven each.
If we compare these figures to last year, the US has seen an eight percent increase in attacks. France, Canada, and Brazil saw a decline in the number of attacks (-22, -17, and -9 percent, respectively), while Spain, India, and Germany saw significant increases (+80, +800, and +600 percent, respectively).
Of the confirmed attacks, 64 were in the US. They include the attack on the State of Nevada—the first-ever on an entire state. The hackers still remain unknown in this case and the state hasn’t confirmed whether or not a ransom was paid.
Spain had the second-highest figure for confirmed attacks with seven in total. Only three of these attacks were claimed: Ayuntamiento de Níjar was claimed by Devman, Ciudad Autónoma de Melilla by Qilin (who allegedly demanded $2.12 million, which wasn’t paid), and Cámara de Comercio de Valencia by SafePay.
None of Brazil’s six confirmed attacks have been claimed by hackers. But the Instituto de Pesquisas Energéticas e Nucleares (IPEN) confirmed that it had suffered losses of around R$2.5 million (USD $459,000) because of its attack in March 2025.
In contrast, all of the confirmed attacks noted in Canada have been claimed by hackers. Attacks on the City of Fort St. John and the Town of Devon were claimed by INC, the Town of Hinton by RansomHub, the Town of Orangeville by BlackSuit, and the MRC de Maskinongé by Medusa.
Ransom demands on government organizations in Q1-Q3 2025
Across both confirmed and unconfirmed attacks, ransomware gangs demanded nearly $1.95 million on average. The average for confirmed attacks was higher at $2.86 million (figures known in 21 cases). Across the unconfirmed attacks, it was $478,315 (figures known in 13 cases).
The top 5 biggest ransom demands on governments in Q1 to Q3 2025
According to our findings, the biggest ransom demands in the first nine months of 2025 were on these government organizations:
- Ministry of Labour, Thailand – $15M: Devman demanded this eye-watering figure from Thailand’s Ministry of Labour after an attack in July 2025. The attack involved the defacement of the government agency’s website.
- Úrad geodézie, kartografie a katastra SR, Slovakia – $12M: Slovakia’s Geodesy, Cartography, and Cadastre Office was presented with a $12 million ransom demand from unknown hackers following its attack in January 2025. The ransom demand wasn’t met.
- Magyar Nemzeti Múzeum (Nemzeti Régészeti Intézet), Hungary – $10M: RansomHub struck the Hungarian National Museum (National Archaeological Institute) in February 2025 and said it had stolen 180 GB of data.
- National Social Security Fund, Kenya – $4.5M: After the NSSF suffered an attack in May, Devman came forward to claim the attack and demanded $4.5 million for 2.5 TB of data it alleged to have stolen.
- Cleveland Municipal Court, US – $4M: This attack in February 2025 crippled key systems for weeks. Qilin came forward to claim this attack and is reported to have demanded $4 million from the government entity. No ransom was paid.
Which gangs are targeting governments?
As we have already seen, Qilin, Babuk, and INC claimed the most attacks against government entities in the first nine months of 2025. None of Babuk’s claims were confirmed, however. Qilin and INC also had the highest number of confirmed claims.
15 of Qilin’s confirmed claims targeted US government agencies. The other four targeted the Palau Ministry of Health and Human Services, Ciudad Autónoma de Melilla (Spain), Consorzio di Bonifica Adige Po (Italy), and N.V. ELMAR, a public utilities company in Aruba.
Seven of INC’s claims targeted US companies and two hit the aforementioned Canadian Town of Devon and City of Fort St. John. INC also demanded $1 million from Tonga’s Ministry of Health (which wasn’t paid) and breached the Municipality of Otjiwarongo in Namibia and the Ministry of Economy and Finance in Panama.
The most “successful” gangs with their attacks on government agencies
If we base a gang’s success on how much data it breached, INC comes out on top for records affected. INC was the gang behind the attack on Pierce County Library System. Its attack on the State Bar of Texas also led to the breach of 3,012 records.
INC claims to have stolen the second-highest amount of data with 13.9 TB across all its attacks. Gunra claimed the most with 45 TB from its attack on Justicia Penal Militar y Policial in Colombia in June 2025.
INC’s highest claim was for the Pennsylvania Office of Attorney General in August 2025. Here, it alleged it had stolen 5.7 TB of data and published this to its leak site after the AG refused to pay its ransom demand.
Qilin said it had stolen 8.2 TB across its attacks. It claims to have stolen 4 to 5 TB of data in its attack on the Ciudad Autónoma de Melilla.
Confirmed vs unconfirmed attacks
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.
When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.
All data is derived from our worldwide ransomware tracker (updated daily).