Ransomware roundup: H1 2025
In the first half of 2025, we logged 3,627 ransomware attacks, a 47 percent increase over the first half of 2024 (2,472).

Of these 3,627 attacks, 445 were confirmed by the targeted organizations. The rest were claimed by ransomware groups on their data leak sites but have not been acknowledged by the targets.

Of particular note is the increased focus on government organizations and educational institutions. The number of attacks claimed on government entities increased by almost 60 percent from H1 of 2024 to H1 of 2025. Schools, colleges, and universities saw a 23 percent increase across the same periods. In contrast, healthcare companies haven’t followed the same trend, with a mere 5 percent increase.

Businesses have seen a 50 percent increase in attacks, but certain industries have been more heavily impacted. These include technology (88% increase), retail (85%), legal (71%), transportation (66%), and manufacturing (64%). Utilities was the only industry to see a decline (-31%).

Across the 445 confirmed attacks, more than 17 million records were breached. While this is significantly lower than the figures reported in H1 of 2024 (279.6 million records breached across 744 confirmed attacks), many breaches (and/or attacks) are confirmed months after the event, so we expect 2025’s confirmed figures to increase significantly.

Key findings for H1 2025 ransomware attacks

  • 445 confirmed ransomware attacks
    • 260 were on businesses
    • 93 were on government entities
    • 52 were on healthcare companies
    • 40 were on educational institutions
  • 3,182 unconfirmed attacks*
    • 2,783 were on businesses
    • 110 were on government entities
    • 161 were on healthcare companies
    • 90 were on educational institutions
  • 17,070,617 records compromised in the confirmed attacks
  • Average ransom demand of over $1.6M
  • Akira was the most prolific ransomware group (347 victims – confirmed and unconfirmed), followed by Clop (333), Qilin (318), RansomHub (222), Play (214), and SafePay (186)
  • The gangs with the most confirmed attacks were Qilin (40), RansomHub (27), Akira (25), SafePay (19), and INC (19)

* 38 attacks were on unknown companies that couldn’t be attributed to a specific sector.

The top 5 biggest data breaches via ransomware in H1 2025

Throughout H1 2025, the biggest data breaches caused by a ransomware attack were the following. Interestingly, none of these attacks have been claimed by a specific group, which could suggest ransoms were paid.

  1. Episource, LLC, US – 5.4M affected: Following its attack in January 2025, Episource notified 5,418,86 people of a breach. Sharp HealthCare (24,971) and Sharp Community Medical Group (2,029), Episource clients, also issued their own notifications following this attack.
  2. Hoken Minaoshi Honpo Group Co., Ltd., Japan – 5.1M affected: The Japanese finance company was targeted in February 2025 with 5.1 million records impacted as a result.
  3. Sanrio Entertainment Co., Ltd., Japan – 2M affected: At least 2 million people had their data breached when the Japanese entertainment company, Sanrio, was hit in January 2025. The 2 million records were from Sanrio Puroland theme park.
  4. Newton Financial Consulting, Inc., Japan – 1.3M affected: The insurance company suffered an attack in February 2025 with 1.3 million records thought to have been leaked as a result.
  5. Frederick Health, US – 934,326 affected: In January, the US healthcare company was targeted in a ransomware attack, which led to the breach of nearly 1 million patient records.

Also in the top 10 are Utsunomiya Central Clinic, Japan (300K), Nova Scotia Power, Canada (280K), Ocuco Limited, Ireland (241K US residents), Marlboro-Chesterfield Pathology, PC, US (236K), and Central Texas Pediatric Orthopedics, US (140K).

The majority of these attacks are from the first few months of 2025, which highlights how the impact of many attacks is not known until several months later.

Ransomware attacks by sector

We categorize attacks into four sectors: business, education, government, and healthcare. As we have already noted, all but the healthcare sector saw a huge increase in the number of attacks noted from H1 2024 to H1 2025.

Ransomware attacks on government agencies

  • 93 confirmed attacks
  • 110 unconfirmed attacks
  • Average ransom demanded = $3 million
  • 25 entities confirmed they hadn’t paid a ransom (none confirmed to have paid)

Ransomware attacks on healthcare

  • 52 confirmed attacks
  • 161 unconfirmed attacks
  • Average ransom demanded = $776,000
  • 9 entities confirmed they hadn’t paid a ransom (none confirmed to have paid)

Ransomware attacks on education

  • 40 confirmed attacks
  • 90 unconfirmed attacks
  • Average ransom demanded = $556,000
  • 5 entities confirmed they hadn’t paid a ransom (none confirmed to have paid)

Ransomware attacks on businesses

  • 260 confirmed attacks
  • 2,783 unconfirmed attacks
  • Average ransom demanded = $1.2 million
  • 15 entities confirmed they hadn’t paid a ransom (none confirmed to have paid)

As we have already noted, some business sectors were more heavily targeted than others, including:

  • Manufacturing – 713 attacks recorded (inc. 57 confirmed)
  • Service-based businesses – 480 attacks recorded (inc. 28 confirmed)
  • Technology – 317 attacks recorded (inc. 22 confirmed)
  • Retail – 262 attacks recorded (inc. 24 confirmed)
  • Finance – 242 attacks recorded (inc. 31 confirmed)

The top 5 biggest ransom demands in H1 2025

According to our data, the following entities saw the biggest ransom demands (across confirmed attacks) in the first half of 2025. Four out of five were government entities:

  1. Úrad geodézie, kartografie a katastra SR, Slovakia – $12M: Slovakia’s Geodesy, Cartography, and Cadastre Office was presented with a $12 million ransom demand from unknown hackers following its attack in January 2025. The ransom demand wasn’t met.
  2. Malaysia Airports Holdings Bhd – $10M: Targeted by Qilin in March 2025, Malaysia’s Kuala Lumpur International Airport suffered a number of disruptions. Qilin claimed the attack after allegedly stealing 2 TB of data. No ransom was paid.
  3. Magyar Nemzeti Múzeum (Nemzeti Régészeti Intézet), Hungary – $10M: RansomHub struck the Hungarian National Museum (National Archaeological Institute) in February 2025 and said it had stolen 180 GB of data.
  4. National Social Security Fund, Kenya – $4.5M: After the NSSF suffered an attack in May, Devman came forward to claim the attack and demanded $4.5 million for 2.5 TB of data it claimed to have stolen.
  5. Cleveland Municipal Court – $4M: This attack in February 2025 crippled key systems for weeks. Qilin came forward to claim this attack and is reported to have demanded $4 million from the government entity. No ransom was paid.

Also within the top 10 are the Oregon Department of Environmental Quality, US ($2.6M), GMA News and Public Affairs, Philippines ($2.5M), Welthungerhilfe (WHH), Germany ($2.15M), HCRG Care Group, UK ($2M), and Comune di Pisa, Italy ($2M).

The most prolific ransomware strains in H1 2025

As we’ve already noted, the most prolific ransomware gangs across all attacks (confirmed and unconfirmed) in H1 2025 were Akira (347 victims), Clop (333), Qilin (318), RansomHub (222), Play (214), and SafePay (186).

But the gangs with the most confirmed attacks were Qilin (40), RansomHub (27), Akira (25), SafePay (19), and INC (19).

If we look at the type of entities targeted in these confirmed attacks, we can see how the modus operandi of each gang differs. For example, the majority of Akira’s (24) and SafePay’s (11) attacks were on businesses, while INC only targeted four businesses but was confirmed to have breached eight healthcare companies and seven government entities. RansomHub was more of a mixture (including 14 businesses and eight government entities), as was Qilin (including 21 businesses, nine government entities, and eight healthcare).

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.

All data is derived from our worldwide ransomware tracker (updated daily).