Ransomware roundup: July 2025

After three consecutive months of decline, July 2025 saw a four-percent uptick in the number of ransomware attacks: 464, compared to 445 in June 2025.

Governments remain a key focus for hackers, with organizations from all over the globe targeted. This is highlighted by the fact that the nine confirmed attacks on this sector were carried out in nine different countries.

Two of the attacks struck public entities that provide utility services (Serviço Autônomo de Água e Esgoto de Barretos in Brazil and Eswatini Water Services Corporation), emphasizing how critical infrastructure is a frequent target for cybercriminals. Although neither of these attacks appeared to affect services or supply, systems were disrupted and EWSC had to suspend digital payments for a time.

July also saw the rise of several new gangs and the reemergence of an old gang (BlackByte). With more than 120 attacks already recorded in the first week of August, the dip in attacks from April to June may prove to be brief.

Key findings for July 2025:

  • 464 attacks in total — 35 confirmed attacks
  • Of the 35 confirmed attacks:
    • 18 were on businesses
    • 9 were on government entities
    • 3 were on healthcare companies
    • 5 were on educational institutions
  • Of the 429 unconfirmed attacks*:
    • 383 were on businesses
    • 12 were on government entities
    • 21 were on healthcare companies
    • 12 were on educational institutions
  • The most prolific ransomware gangs were Qilin (62), INC (55), SafePay (43), Akira (37), and Play (22). INC had the most confirmed attacks (5), followed by Qilin (4), SafePay (3), and Rhysida (2)
  • Where hackers provided the data theft size (in 222 cases), nearly 105 TB of data was allegedly stolen, giving an average of 476 GB per breach
  • Several new gangs appeared this month, including Payouts King, Beast, and D4RK 4RMY. BlackByte also resurfaced after a 10-month hiatus

*One attack hit an unknown company that couldn’t be attributed to a specific sector.

Ransomware attacks by sector

Healthcare

Three of the 24 healthcare ransomware attacks in July 2025 were confirmed by the entity involved. These included two US organizations (Susan B. Allen Memorial Hospital and Cookeville Regional Medical Center) and one German company (Baden-Württembergischer Landesverband für Prävention und Rehabilitation). All three were claimed by different ransomware groups.

Recently-formed Kawa4096 claimed the attack on Susan B. Allen Memorial Hospital, which caused system outages and the theft of 210 GB of data. Cookeville also experienced disruptions to its systems before Rhysida demanded a ransom of around $1.15 million for its stolen data. Meanwhile, Brain Cipher said it stole 1 TB of data from the German rehabilitation clinic.

Susan B. Allen Memorial Hospital claimed by Kawa4096

So far this year (to the end of July), we’ve logged 78 confirmed attacks on healthcare companies and are monitoring a further 161 unconfirmed attacks.

Government

Nine attacks on government agencies were confirmed last month. As our recent report found, this sector in particular is seeing a huge increase in attacks (when compared to last year). H1 of 2025 saw 65 percent more attacks than the same period in 2024.

As we’ve already noted, all nine of the confirmed attacks from last month hit organizations in nine different countries. Attacks were confirmed by Ayuntamiento de la Vila Joiosa (Spain), Serviço Autônomo de Água e Esgoto de Barretos–SAAEB (Brazil), the Tax Administration (Curaçao), and the National Center for Industrial Property Information and Training (Japan), but the hackers responsible remain unknown.

Over the weekend, the City of St. Paul, Minnesota, also confirmed its recent attack was ransomware but that no ransom was paid. The hackers haven’t been identified, but it’s likely we’ll see the city being published to a data leak site shortly, especially as ransom negotiations were unsuccessful.

Attacks on the following were claimed:

  • Ministry of Labour, Thailand – Devman defaced the government entity’s website and demanded $1.5 million for 300 GB of stolen data
  • Municipality of Otjiwarongo, Namibia – INC was named as the hacker in this attack
  • Eswatini Water Services Corporation (EWSC) – W.A. ransomware claimed this attack, which led to digital payment solutions being suspended
  • Town of Devon, Canada – INC posted the town to its data leak site after Devon had confirmed it was dealing with a cyber attack that impacted its systems and servers

Up to the end of July 2025, we’ve logged 115 confirmed attacks on government entities and we are monitoring a further 116 unconfirmed attacks.

Education

Attacks on this sector remain consistent, with five confirmed in July alone.

Two of these attacks were on US school districts: Fort Smith Public Schools was targeted by Qilin and Ridgefield Public Schools was hit by SafePay (90 GB allegedly stolen). Both attacks caused system disruptions.

Ridgefield Public Schools added to SafePay’s data leak site

Brazil’s Universidade Católica de Pernambuco (UNICAP) also suffered an attack last month, but the hackers remain unknown. An attack on Universidad Mayor in Chile was claimed by Dire Wolf (50 GB allegedly stolen) and Nova (formerly RALord) claimed the attack on Ensemble Montplaisir in France.

During the first seven months of this year, we’ve logged 49 confirmed attacks and a further 99 unconfirmed attacks on the education sector.

Businesses

As it stands, 18 attacks have been confirmed on global businesses throughout July 2025.

Manufacturing and technology companies were a particular focus for hackers.

There were three confirmed attacks on tech companies. This includes the attack on Ingram Micro, which led to widespread disruptions for several days. Although no data breach has been formally communicated by Ingram Micro, SafePay did post the tech company to its site after claiming to have stolen 3.5 TB of data.

Another US tech company, CJIS Solutions, suffered an attack last month. This incident came to light after Lamoille County Sheriff’s Department reported disruptions to its emails due to the incident. No hackers have claimed this one as of yet, but INC did claim an attack on New Zealand’s Lamberts Business Systems.

Five manufacturers were also targeted and have confirmed attacks:

  • WIBAIE, France – hit by Qilin
  • BARTEC Pte., Singapore – claimed by SafePay with 21 GB allegedly stolen
  • CxS Corporation, Japan – unknown hackers
  • JTEKT Europe – recently added to Qilin’s data leak site. This follows a previous attack on JTEKT’s North American company via BlackSuit in October 2024
  • Novabev Group, Russia – the Russian alcohol manufacturer noted major disruptions to its operations and retail chain (WineLab) following the attack by unknown hackers. No ransom was paid

Another key attack was on SGI (Seoul Guarantee Insurance), which led to disrupted systems for over 12 hours. Gunra claimed this one and the theft of a whopping 13.2 TB of data.

Across 2025 so far (to July), we’ve logged 330 confirmed attacks on businesses, and we’re tracking a further 3,126 unconfirmed.

The most prolific ransomware strains in July 2025

Once again, Qilin took the top spot for the number of ransomware claims with 62 in total. It was closely followed by INC (55), while SafePay, which had topped the rankings in May, dropped to third with 43 claims.

INC had the most confirmed attacks with five in total. As well as the two government entities (Municipality of Otjiwarongo and the Town of Devon) and the NZ tech company Lamberts Business Systems, INC was also responsible for attacks on La Biennale di Venezia (Italy) and 99 Cents Only Stores (USA). In the latter case, INC’s claim was initially for Dollar Tree, where it alleged it had stolen 1.2 TB from the US discount retail chain. Dollar Tree refuted this claim, however, and said the data related to 99 Cents Only Stores. While Dollar Tree did purchase real estate leases from 99 Cents Only, it didn’t acquire any systems/data.

Qilin had four confirmed attacks. Qilin’s other confirmed attack (alongside Fort Smith Public Schools, WIBAIE, and JTEKT Europe) was Australian construction company Metricon Homes Pty Ltd.

Meanwhile, SafePay, with three confirmed attacks, was responsible for the attacks on BARTEC Pte., Ingram Micro, and Ridgefield Public Schools.

Finally, as well as Cookeville Regional Medical Center, Rhysida also claimed an attack on First Baptist Church of Hammond. It demanded a 5 Bitcoin (USD $594,000) ransom and gave the megachurch a week to pay up before data was released. Fortunately, First Baptist had already started warning church staff, missionaries, and volunteers that their data may have been impacted in a cyber attack. Data affected included Social Security numbers, state-issued IDs, and some health information.

Rhysida lists First Baptist Church of Hammond on its data leak site.

Payouts King, Beast, and D4RK 4RMY were among the new ransomware strains last month.

Payouts King claimed 17 attacks. One of these was confirmed in April 2025 (Gateway Community Services, Inc.). Beast claimed 16 victims, with two confirmed attacks from previous months (Hafnia Law Firm, Denmark, in February 2025, and Washington Court House in May 2025). None of D4RK 4RMY’s eight victims were confirmed, but it has added eight more victims already this month, five of which are global finance companies.

BlackByte resurfaced after a 10-month hiatus. It listed nine victims in total, none of which have been confirmed yet.

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Month-to-month comparisons must therefore allow for some movement in the figures, especially where unconfirmed attacks are concerned, because claims from ransomware groups often come a month or more after the attack was carried out. For example, if a ransomware gang claims an attack in January 2025, the victim may later confirm that the attack took place in December 2024, and the attack will then be attributed to that earlier month.
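The labelling and month-attribution rules above, as an added example that is not part of the original roundup and does not reflect how the authors' own tracking works. The data is constructed, and the 60-day window used to decide whether a leak-site claim "coincides" with a victim's disclosed incident date is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Claim:
    group: str
    victim: str
    posted_on: date      # date the victim appeared on the group's leak site


@dataclass(frozen=True)
class Disclosure:
    victim: str
    attack_on: date      # incident date stated by the victim
    names_ransomware: bool  # did the victim's statement mention ransomware?


def month_of(d):
    return f"{d.year}-{d.month:02d}"


def classify(claims, disclosures, window_days=60):
    """Return ({month: {"confirmed": n, "unconfirmed": n}}, confirmed_claims).

    Rule (a): a disclosure that names ransomware is confirmed on its own.
    Rule (b): a disclosure of a cyber attack is confirmed if a claim for the
    same victim coincides with the stated incident date (assumed window).
    Confirmed attacks are attributed to the incident month; claims with no
    matching disclosure stay unconfirmed in the month they were posted.
    """
    tallies = defaultdict(lambda: {"confirmed": 0, "unconfirmed": 0})
    matched = set()
    for disc in disclosures:
        coinciding = [c for c in claims if c.victim == disc.victim
                      and abs((c.posted_on - disc.attack_on).days) <= window_days]
        if disc.names_ransomware or coinciding:
            tallies[month_of(disc.attack_on)]["confirmed"] += 1
            matched.update(coinciding)   # these claims are no longer "unconfirmed"
    for c in claims:
        if c not in matched:
            tallies[month_of(c.posted_on)]["unconfirmed"] += 1
    return dict(tallies), matched


# Constructed sample: a January claim confirmed as a December incident (A),
# an unmatched claim (B), a self-disclosed ransomware incident (C), a non-
# ransomware disclosure with no claim (D), and a claim too far from the
# victim's stated incident date to coincide (E).
SAMPLE_CLAIMS = [
    Claim("Example Gang", "Victim A", date(2025, 1, 15)),
    Claim("Example Gang", "Victim B", date(2025, 1, 20)),
    Claim("Other Gang", "Victim E", date(2025, 1, 25)),
]
SAMPLE_DISCLOSURES = [
    Disclosure("Victim A", date(2024, 12, 20), names_ransomware=False),
    Disclosure("Victim C", date(2025, 1, 5), names_ransomware=True),
    Disclosure("Victim D", date(2025, 1, 10), names_ransomware=False),
    Disclosure("Victim E", date(2024, 6, 1), names_ransomware=False),
]
```

Running `classify(SAMPLE_CLAIMS, SAMPLE_DISCLOSURES)` attributes Victim A to December 2024 even though the claim appeared in January, which is exactly the kind of shift the paragraph warns about when comparing monthly totals.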