The number of worldwide ransomware attacks climbed again in August, rising from 473 in July to 506 last month–a 7 percent increase. While this isn’t a huge rise, it is the second consecutive month we’ve seen an increase after a month-by-month downturn from March to June 2025.
August saw a first-of-a-kind attack on the State of Nevada. While hundreds of US government organizations have suffered ransomware attacks, this is the first-ever statewide attack. The attack was first detected on August 24, 2025, and has left many citizens and state agencies without access to essential services. No hackers have claimed the attack as of yet but if a ransom isn’t paid, it’s likely the group will come forward in the coming days/weeks.
While attacks against governments remain a consistent threat, it was the manufacturing sector that saw the biggest rise in attacks last month. Manufacturers saw a 57 percent increase in attack claims from July to August (rising from 72 to 113). Four of August’s attacks were confirmed.
In contrast, the healthcare and education sectors only saw one confirmed attack each. However, both also saw a higher number of unconfirmed attack claims (when compared to July), so it’s likely these figures will rise as more attacks are confirmed in the coming weeks.
We’ve seen a number of large breaches being reported by companies that operate within the healthcare sector but don’t provide direct care (we class these as businesses in our main sector-by-sector comparison). For example, last week, housekeeping provider Healthcare Services Group notified 624,496 people of a breach from October 2024, and dialysis firm DaVita confirmed that 2.7 million people had been caught up in its April 2025 breach.
Drug research firm Inotiv also suffered system disruption last month following an attack via Qilin. No notifications have been issued yet but Qilin alleged it had stolen 176 GB of data.
Key findings for August 2025:
- 506 attacks in total — 30 confirmed attacks (confirmed by the entity involved)
- Of the 30 confirmed attacks:
- 17 were on businesses
- 11 were on government entities
- 1 was on a healthcare company
- 1 was on an educational institution
- Of the 476 unconfirmed attacks claims*:
- 418 were on businesses
- 9 were on government entities
- 29 were on healthcare companies
- 15 were on educational institutions
- The most prolific ransomware gangs were Qilin (86), Akira (57), Sinobi (36), DragonForce (30), and SafePay (28)
- Qilin had the most confirmed attacks (6), followed by Interlock and Warlock (2 each), and Lynx, Kairos, PEAR, and Blue Locker (1 each)
- Where hackers provided the data theft size (in 201 cases), nearly 97.5 TB of data was allegedly stolen, giving an average of 485 GB per breach
- Several new gangs appeared this month, including PEAR, Cephalus, and Desolator
*5 attacks were on unknown companies that couldn’t be attributed to a specific sector.
Ransomware attacks by sector
Healthcare
As previously mentioned, only one attack on this sector has been confirmed for August 2025 to date.
Farmácia Moniz Silva in Angola was added to Qilin’s data leak site this month. The pharmacy chain had previously suspended its services due to a cyber attack.
So far this year (to the end of August), we’ve logged 83 confirmed attacks on healthcare companies and are monitoring a further 187 unconfirmed attacks.
Government
Out of the 11 confirmed attacks on government entities, seven were on US organizations and only three have been claimed/attributed to a hacker (as it stands).
Box Elder County, the City of Greenville, West Chester Township, the State of Nevada, Lycoming County, and the Pennsylvania Office of Attorney General are the US entities that have confirmed attacks. West Chester Township suffered two attacks in the same month.
The attack on Box Elder County was claimed by Interlock, which says it stole 4.5 TB of data. Newly-formed PEAR claimed the first attack on West Chester Township and said 2 TB of data had been stolen.
All of these attacks have caused disruptions to systems. In the case of the City of Greenville, the Attorney General of Texas issued a catastrophe notice as the city had no access to police records and other systems.
Elsewhere, the following were attacked:
- Pakistan Petroleum Limited (PPL) – the government oil and gas exploration firm detected an attack on August 6, 2025. It caused minimal disruption and no contact was made with the hackers (Blue Locker)
- Gemeinde Hoppegarten, Germany – the German municipality suffered over a week and a half of downtime due to the attack. At the time of writing, telephone systems had been restored. Hackers unknown
- Ayuntamiento de Elche, Spain – late in August, the Spanish city notified residents of a cyber attack after its system was rendered inoperable. Hackers unknown
- Ayuntamiento de Cajeme, Mexico – unknown hackers demanded $150,000 after encrypting the Mexican city’s systems in the last week of August. No ransom was paid
Up to the end of August 2025, we’ve logged 129 confirmed attacks on government entities and are monitoring a further 124 unconfirmed attacks.
Education
Trico Community Unit School District #176 is the only confirmed attack from August 2025 so far, and details remain limited. Kairos claimed the attack after allegedly stealing 180 GB of data.
During the first eight months of this year, we’ve logged 53 confirmed attacks and a further 113 unconfirmed attacks on schools, universities, and other educational institutions.
Businesses
17 attacks have been confirmed on global businesses throughout August 2025.
As mentioned, manufacturers were a particular focus for hackers last month. Of the 18 confirmed attacks, three were on manufacturers. Another two each hit healthcare and food and beverage manufacturers.
- MARMA Polskie Folie Sp. z o.o, Poland – the plastics manufacturer was targeted by Qilin with systems encrypted and evidence of a potential data breach
- Data I/O Corporation, United States – in a SEC filing, the electronics manufacturer confirmed its operations had been temporarily impacted following a ransomware attack. Hackers unknown
- Nissan Creative Box Inc., Japan – the car manufacturer’s Tokyo-based design studio confirmed it had suffered a data breach after Qilin added it to its data leak site. Qilin alleges it has stolen over 4 TB of data
As well as Inotiv, another healthcare manufacturer, Osaki Medical Co., Ltd., confirmed an attack last month. No groups have come forward to claim the latter as of yet.
Sunrise Co. Ltd., Japan, and Blenders in the Grass, US, were the two confirmed attacks on food and beverage manufacturers. The hackers remain unknown in both of these attacks.
Technology companies also continued to suffer an onslaught of attacks with five confirmed for the month so far:
- USAC SYSTEM Co., Ltd., Japan – unknown hackers targeted the Japanese tech company. USAC’s initial investigations determined that only internal servers had been affected
- Linedata, France – the French tech provider confirmed malicious encryption of data hosted on a domain belonging to its Asset Management business line. Hackers unknown
- Morgenstern AG, Germany – on August 7, 2025, the German tech company stopped an attempted cyber attack with investigations into a possible data breach ongoing. Qilin claimed the attack
- Infoniqa, Austria – Warlock claimed this attack after stealing an alleged 165 GB of data. Infoniqa confirmed the attack had disrupted its cloud-based services
- Miljödata, Sweden – this attack on Miljödata, an IT provider for around 80 percent of Sweden’s municipal governments, caused widespread disruption with the (as yet unknown) hackers reportedly demanding $168,000
Across 2025 so far (to August), we’ve logged 380 confirmed attacks on businesses, and we’re tracking a further 3,526 unconfirmed.
The most prolific ransomware strains in August 2025
For the third month in a row, Qilin remains the most prolific ransomware strain with 86 claims in total. It was followed by Akira (57), while Sinobi, which only started adding victims to its data leak site in July 2025, took third place with 36 claims.
Qilin was also the gang with the most confirmed attacks with six in total. As well as Inotiv, Inc., MARMA Polskie Folie Sp. z o.o, Farmácia Moniz Silva, Nissan Creative Box Inc., and Morgenstern AG, Qilin was also the group behind an attack on Welcome Financial Group Inc., South Korea. In this case, Qilin alleged to have stolen over 1 TB of data. However, Welcome Financial said the data affected was internal and didn’t impact customers.
Interlock and Warlock confirmed two attacks each. Alongside Box Elder County, an attack on Pocono Farms Country Club Association, Inc. was also confirmed for Interlock. Warlock’s other attack (as well as the attack on Infoniq) was on the UK telecommunications company, Colt Technology Services. The attack on Colt impacted business support systems and led to a data breach.
Confirmed vs unconfirmed attacks
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.
When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. This is due to claims from ransomware groups often coming a month later than the attack was carried out–if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.
