In April 2025, Comparitech researchers logged 479 ransomware attacks in total, 39 of which were confirmed by the targeted entity (e.g., through a data breach notification or press release). This is a significant decline from the monthly figures we tracked in Q1 of 2025 (530 in January, 973 in February, and 713 in March). The decline was in part caused by the most prolific ransomware gang in recent months–RansomHub–seemingly going dark from March 31 (more on that below!).
April may have been quieter, but it did see some of the largest attacks so far this year. These include the ongoing attack on UK retail chain, Marks & Spencer, which has been attributed to Scattered Spider (previously responsible for large-scale attacks on the likes of MGM Resorts and Caesars Entertainment) and the crippling attack on US kidney dialysis company, DaVita Inc.
April saw Germany’s Eu-Rec GmbH filing for insolvency following an attack by SafePay that exacerbated other issues, including a decline in workload. And Virgin Islands Lottery (VIL) confirmed it had fallen victim to a ransomware attack for the second time in just over a year (it was previously hit by Play in January 2024). In this attack, which started on March 31, unknown hackers demanded a $1 million ransom, which VIL refused to pay.
VIL’s ransom demand was no match for the one placed on the Oregon Department of Environmental Quality (DEQ). Rhysida hit the government entity with a $2.7 million demand that DEQ has since confirmed it refused to pay. DEQ hasn’t addressed Qilin’s claims of a breach of over 2.5 TB of data. At the time of writing, its website still states, “There continues to be no evidence of a data breach.”
Government entities remain a frequent target for ransomware gangs. Ransomware figures in this sector remain high despite lower attack figures overall. Meanwhile, healthcare companies saw an increase in confirmed attacks.
Key findings for April 2025:
- 479 attacks in total — 39 confirmed attacks
- Of the 39 confirmed attacks:
  - 21 were on businesses
  - 9 were on government entities
  - 6 were on healthcare companies
  - 3 were on educational institutions
- Of the 440 unconfirmed attacks*:
  - 396 were on businesses
  - 16 were on government entities
  - 16 were on healthcare companies
  - 11 were on educational institutions
- The most prolific ransomware gangs were Qilin (67), Akira (62), Play (50), Lynx (32), and NightSpire (22). Akira had the most confirmed (3) followed by Qilin, NightSpire, Silent, and Sarcoma with two each
- RansomHub went “dark” in April, listing no new victims on its data leak site. Some suggest affiliates have moved to the likes of Qilin–and with a notable increase in claims from Qilin (up to 67 in April from 45 in March) this could be the case
*One attack was on an unknown company that couldn’t be attributed to a specific sector.
Ransomware attacks by sector
Healthcare
Hospitals, clinics, and other healthcare companies saw an increase in the number of confirmed attacks last month. Six attacks were confirmed in April compared to five in March, and all six of April’s attacks took place in different countries:
- DaVita Inc., United States – hit by Interlock with 1.5 TB of data stolen
- ChangShen Hospital, Taiwan – hit by NightSpire with 800 GB of data stolen
- Doctors Hospital, Cayman Islands – unknown hackers
- Gov. Juan F. Luis Hospital and Medical Center, U.S. Virgin Islands – unknown hackers
- Sasszemklinika, Hungary – targeted by Qilin with 101 GB stolen
- Saint James Hospital Group – recently claimed by INC with 250 GB stolen
So far this year, we’ve logged 34 confirmed attacks on healthcare companies and we are monitoring a further 115 unconfirmed attacks.

Government
We noted nine attacks on government entities in April 2025, following 12 confirmed attacks in March.
As well as the attack on Oregon DEQ (mentioned above), three other US government entities were hit by attacks in April – Arizona Federal Public Defender’s Office, DuPage County, and Hamilton County Sheriff’s Office. No hackers have claimed these attacks as of yet.
Elsewhere, Prague City Service Administration was hit by Cicada3301, while Spanish municipality Badajoz, Mexican water utility company SIAPA, and two Belgian social welfare centers (one in Rebecq and one in Jemeppe-sur-Sambre) were hit by unknown hackers. CPAS de Jemeppe-sur-Sambre confirmed it received a €70,000 ransom demand that it refused to pay.
Throughout 2025, we’ve logged 49 confirmed attacks on government entities and we are monitoring a further 89 unconfirmed attacks.
Education
In April, we noted just three confirmed attacks on educational institutions, down from five in March.
These were:
- Fall River Public Schools, US – claimed by Medusa with a $400,000 ransom demand
- Tokai University, Japan – hit by unknown hackers
- Western New Mexico University, US – ransomware gang Qilin took over the university’s website and displayed messages on it
Throughout the first four months of this year, we’ve logged 27 confirmed attacks on the education sector and are monitoring a further 69 unconfirmed attacks.

Businesses
21 businesses confirmed ransomware attacks in April 2025 compared to 47 in March 2025.
Among the confirmed attacks last month were Singapore’s Toppan Next Tech, which was targeted by Akira with 12 GB of data stolen. The attack saw a data breach involving at least 11,200 people, including 3,000 from the Bank of China and 8,200 from Singapore’s DBS Group.
In the UK, Manchester Credit Union confirmed it was hit by a “failed ransomware attack” by Sarcoma that led to two days of downtime and some servers being wiped. According to the credit union, the attackers did not demand a ransom. Sarcoma also claimed an attack against German beverage retailer FAKO-M Getränke GmbH & Co. KG, which disrupted its entire IT network. Sarcoma says it stole 446 GB of data.
Across 2025 so far we’ve seen 165 confirmed attacks on businesses, and we’re tracking a further 2,118 unconfirmed.
The most prolific ransomware strains in April 2025
As we’ve already noted, Qilin was the most prolific ransomware strain in April with 67 attacks. Qilin’s rise might have something to do with RansomHub going dark. Some experts suggest RansomHub’s affiliates have migrated to Qilin. With such an increase in the number of attacks claimed by Qilin in April (up from 45 in March), that explanation is plausible.
Akira had the most confirmed attacks with three in total. As well as Toppan Next Tech, Akira claimed the attacks on Italian food manufacturer Asolo Dolce S.p.A. and US tech company Hitachi Vantara.
Following Akira, with two confirmed attacks each, were Qilin, NightSpire, Sarcoma, and Silent. Silent was new to the scene this month with just four claims in total. Its two confirmed attacks were against Fleet Canada, Inc. (its website displayed messages from the group for a brief period of time) and Versa Networks. Silent claims to have stolen 600 GB from Fleet Canada and 854 GB from Versa Networks.
As well as ChangShen Hospital, NightSpire also claimed an attack on Japanese manufacturer Nippon Ceramic Co., Ltd.
Confirmed vs unconfirmed attacks
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.
When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. This is due to claims from ransomware groups often coming a month later than the attack was carried out–if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.