By number of attacks claimed by ransomware groups, last month was the quietest month this year so far with 457 in total – down from 494 in April and about half of February’s vast figure of 980.
In May, we recorded 33 attacks that have been confirmed by the entity involved (e.g., through a data breach notification or press release) and a further 424 unconfirmed attacks.
The education sector became a key target for hackers last month with six confirmed attacks in total–up from four in April and five in March.
Meanwhile, the healthcare sector appeared to enjoy a slight reprieve with just two confirmed attacks (down from seven in April). However, both of these attacks (on Kettering Health and Grupo Jorge Batista) had a widespread impact across multiple locations, as we’ll explore in more detail below. Equally, companies that operate within the healthcare sector but don’t provide direct patient care (e.g., pharmaceutical manufacturers) saw an influx of attacks last month, with four confirmed compared to just one in April.
As ransomware gangs continue to evolve, regroup, and alter their strategies, it’s hard to predict exactly what the next month may hold. That said, May’s figures are much more promising than the ones we saw throughout the first quarter of the year.
Key findings for May 2025:
- 457 attacks in total — 33 confirmed attacks
- Of the 33 confirmed attacks:
  - 19 were on businesses
  - 6 were on government entities
  - 2 were on healthcare companies
  - 6 were on educational institutions
- Of the 424 unconfirmed attacks*:
  - 376 were on businesses
  - 13 were on government entities
  - 21 were on healthcare companies
  - 11 were on educational institutions
- The most prolific ransomware gangs were SafePay (71), Qilin (50), Play (44), Akira (32), NightSpire (16), and Devman (16). Qilin and Devman had the most confirmed attacks (three each), followed by SafePay, Dire Wolf, Interlock, and Gunra with two each
- Where hackers provide the data theft size (in 223 cases), over 75.8 TB of data was allegedly stolen, giving an average of 340 GB per breach
*Three attacks were on unknown companies that couldn’t be attributed to a specific sector.
Ransomware attacks by sector
Healthcare
As we have already noted, just two healthcare companies confirmed ransomware attacks last month. But both were large-scale attacks that disrupted multiple locations.
One of these was the attack on Kettering Health in the US. This attack, which was carried out in the early hours of May 20, caused system-wide outages and disrupted patient care at all 14 of its medical centers. As of June 2, the electronic healthcare record (EHR) system had been relaunched, with other system restoration continuing. Interlock is said to be behind the attack, but no posts have appeared on its data leak site to date, suggesting negotiations may be ongoing.
Brazil’s Grupo Jorge Batista shut down many operations following an attack on May 12. This had a significant impact on its pharmaceutical stores, Drogarias Globo and Distribuidora Nazária, with initial estimates putting losses at around R$400 million (USD $70.5 million). Gunra claimed this attack.
So far this year, we’ve logged 43 confirmed attacks on healthcare companies and we are monitoring a further 130 unconfirmed attacks.
Government
Six attacks on government entities around the world were confirmed in May. This is a significant dip from the first four months of the year (with an average of 16 each) but we expect this figure to rise in the coming weeks/months as more are confirmed.
- West Lothian Council, UK – The council’s education system was targeted in an attack via Interlock. Interlock is alleged to have stolen 2.63 TB of data. West Lothian has confirmed sensitive data has been stolen in the attack but investigations into exactly how many are impacted remain ongoing.
- Comune di Pisa, Italy – Nova (formerly RALord) posted the Italian municipality to its data leak site with a claim it had stolen 2 TB of data. Pisa is said to have rejected the gang’s $2 million ransom demand but has yet to issue a full statement about the incident.
- National Social Security Fund, Kenya – After Devman claimed an attack on NSSF and demanded $4.5 million for 2.5 TB of stolen data, NSSF came forward to confirm an attack but assured everyone its core system remained secure and that there was no evidence that any personal or financial member data had been compromised or extracted.
- Legal Practice Board of Western Australia – One of this year’s newest ransomware gangs, Dire Wolf, added the Legal Practice Board to its site after allegedly stealing 300 GB of data. The attack resulted in some systems being taken offline and investigations into potential data theft remain ongoing.
- Ayuntamiento de Níjar, Spain – Níjar confirmed it had suffered a ransomware attack on the night of May 24/25 but that disruption had been minimal. Devman claimed the attack and said 120 GB had been stolen.
- La Maison Liégeoise, Belgium – The Belgian social housing agency confirmed an attack in May but said it had refused to meet the gang’s €200,000 demands ($214,000). Data Carry, also new to the ransomware scene this month, claimed the attack.
Throughout 2025, we’ve logged 69 confirmed attacks on government entities and we are monitoring a further 98 unconfirmed attacks.

Education
Following a dip in the number of confirmed attacks in March (5) and April (4), May saw a new uptick in the number of ransomware attacks on educational institutions with six in total.
Four of these attacks were on US schools and colleges (Coweta County School System, Bartlesville Public Schools, Botetourt County Public Schools, and Flemington-Raritan School District) while the other two were on Japan’s Miyagi Gakuin Women’s University and Czechia’s Gymnázium a Jazyková škola Zlín.
While the hackers remain unknown in three cases, Nitrogen claimed Coweta, SafePay claimed the Czech school, and Qilin claimed Botetourt.
Throughout the first five months of this year, we’ve logged 34 confirmed attacks and a further 80 unconfirmed attacks on the education sector.

Businesses
So far, 19 businesses have confirmed ransomware attacks for May 2025, compared to 32 in April.
As we’ve already noted, four of these attacks were on companies operating in the healthcare sector. These included two pharmaceutical manufacturers–India’s Choksi Laboratories Limited and the US subsidiary of Japan’s CMIC Group (CMIC CMO USA Corporation). Qilin claimed the CMIC attack, while Choksi’s hackers remain unknown.
The other two attacks were on the Drug Safety Testing Center at Hong Kong Science and Technology Parks Corporation and the Japanese medical distribution company Sanshodo Co., Ltd. Neither of these attacks has been claimed yet.
Other significant attacks include UK retailer Harrods (also hit with DragonForce ransomware like its counterparts Co-op and Marks and Spencer) and Peter Green Chilled, a food transport company for many top supermarkets in the UK. The hackers remain unknown in the latter attack.
Across 2025 so far, we’ve seen 211 confirmed attacks on businesses, and we’re tracking a further 2,478 unconfirmed.
The most prolific ransomware strains in May 2025
Qilin continues to dominate as one of the most prolific strains with 50 claims in May alone, but it was knocked off the top spot last month by SafePay with its 71 claims. Qilin did, however, have the most confirmed claims, alongside Devman (each with three claims).
As well as the aforementioned attacks on Botetourt County Public Schools and CMIC CMO USA Corporation, Qilin claimed an attack on Australia’s MKA Accountants. Alongside its two government targets (NSSF and Níjar), Devman also claimed an attack on GMA News and Public Affairs. It issued the Philippine media conglomerate with a $2.5 million ransom demand for 65 GB of stolen data.
SafePay had two confirmed attacks. As well as the Czech school, it added Australian legal firm, Ruddy Tomlins and Baxter (RTB Legal), to its data leak site after allegedly stealing 200 GB of data.
Dire Wolf, Gunra, and Interlock also had two confirmed attacks each. Dire Wolf’s other victim (as well as the Legal Practice Board of Western Australia) was Singapore’s DataPost, where at least 146 insurance customers had their data breached. Gunra’s two victims were Grupo Jorge Batista (noted above) and the Japanese manufacturer Tomoku Co., Ltd.
Interlock’s victims were the two high-profile cases we’ve already discussed–Kettering Health and West Lothian Council.
Confirmed vs unconfirmed attacks
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.
When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes when comparing monthly figures, especially those for unconfirmed attacks. This is because claims from ransomware groups often come a month after the attack was carried out, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.