Ransomware roundup: October 2025

Ransomware attacks increased by 25 percent last month, rising from 546 in September to 684 in October. This is a significant increase in attacks and the third-highest monthly figure in 2025 so far.

Manufacturers continue to see the most attacks, accounting for nearly 19 percent of those logged in October (121). However, the number of attacks in this sector only rose by nine percent when compared to the previous month.

In contrast, attacks on the healthcare sector rose significantly, jumping from 26 in September to 56 in October (115 percent). Other sectors that saw high increases were transportation (109%) and retail (104%).

October saw ransomware gang Qilin surpass the 700 mark for the number of attack claims posted to its data leak site this year so far, making it the most active ransomware group of 2025. It claimed 186 victims in October alone.

Key findings for October 2025:

  • 684 attacks in total — 47 confirmed attacks (confirmed by the entity involved)
  • Of the 47 confirmed attacks:
    • 27 were on businesses
    • 10 were on government entities
    • 3 were on healthcare companies
    • 7 were on educational institutions
  • Of the 637 unconfirmed attacks*:
    • 561 were on businesses
    • 14 were on government entities
    • 53 were on healthcare companies
    • 8 were on educational institutions
  • The most prolific ransomware gangs were Qilin (186), Akira and Sinobi (70 each), INC (32), Play (26), and DragonForce (20)
  • Qilin had the most confirmed attacks (10), followed by Clop (4) and RansomHouse (3)
  • Where hackers provided the data theft size (in 315 cases), over 162 TB of data was allegedly stolen, an average of 516 GB per breach
  • The US saw the most attacks (374), a 33 percent increase from September (282). Australia saw one of the biggest monthly increases in attacks (rising from four to 14), as did Japan (rising from three to 10)

*1 attack was on an unknown company that couldn’t be attributed to a specific sector.

Ransomware attacks by sector

Healthcare

Attacks on healthcare providers increased by 115 percent from September to October, rising from 26 to 56. Three of October’s attacks have been confirmed so far.

Centre hospitalier intercommunal de Haute-Comté in France was targeted by unknown hackers, Community Based Support (CBS) Ltd in Australia was targeted by Lynx, and Family Health West in the US was targeted by Devman with a $700,000 ransom for 120 GB.

So far this year (to the end of October), we’ve logged 104 confirmed attacks on healthcare companies and are monitoring a further 248 unconfirmed attacks.

Devman lists Family Health West on its data leak site.

Government

Attacks on government entities increased by 20 percent from September to October, rising from 20 to 24. Of the 24 attacks noted in October, 10 were confirmed.

Four of these confirmed attacks hit targets in France, three in Germany, and one each in the US, Sweden, and Mexico.

Three of the attacks in France were carried out by Qilin (Ville de Saint-Claude, Region Hauts-de-France, and Commune d’Elne). Mairie de Fumel was targeted by DragonForce.

Qilin was also responsible for the one attack in the US – the City of Sugar Land, Texas.

In Germany, Stadt Hohen Neuendorf, Gemeinde Untereisesheim, and Stadtwerke Clausthal-Zellerfeld all confirmed attacks, but none of them were claimed by hackers. The attack on Stadtwerke Clausthal-Zellerfeld was one of two attacks on public utility companies, with Swedish electricity provider Svenska kraftnät also targeted.

Everest claimed the attack on Svenska kraftnät and alleged that it had stolen 280 GB of data. On Monday (November 2), reports suggested the post had been removed from Everest’s site, which could imply a ransom has been paid, but Svenska kraftnät hasn’t confirmed a payment.

Devman claimed the attack in Mexico, demanding $300,000 for 60 GB of data it alleged to have stolen from Junta Local de Conciliación y Arbitraje de la Ciudad de México.

Up to the end of October 2025, we’ve logged 162 confirmed attacks on government entities and are monitoring a further 143 unconfirmed attacks.

Qilin adds the City of Sugar Land, TX, to its site.

Education

Attacks on the education sector increased by 25 percent from September to October, rising from 12 to 15. Of the 15 attacks noted in October, 7 were confirmed.

Clop and Interlock took credit for the most confirmed attacks on the education sector with two attacks each.

Both of Interlock’s attacks hit schools in the US (Kearney Public Schools and North Stonington Public Schools), while Clop’s attacks were in the US (Harvard University) and South Africa (Wits University). Both of Clop’s attacks exploited an Oracle zero-day vulnerability.

One other attack confirmed in the US (Halifax County Public Schools) was claimed by Qilin. And two Japanese educational institutions were targeted by unknown hackers – Higashiyama Junior and Senior High School and Ryutsu Keizai University.

During the first 10 months of this year, we’ve logged 70 confirmed attacks and a further 125 unconfirmed attacks on schools, universities, and other educational institutions.

Interlock lists North Stonington Public Schools on its data leak site.

Businesses

Attacks on businesses increased by 21 percent from September to October, rising from 487 to 588. In total, 27 attacks on businesses worldwide were confirmed during October 2025.

Manufacturing remains the most targeted industry with eight confirmed attacks (and a further 113 unconfirmed attack claims). The confirmed attacks are:

  • Mino Kogyo Co., Ltd., Japan – The attack caused system disruption and shutdowns after being detected at the start of the month. Mino Kogyo later confirmed 300 GB of communications data had been stolen. SafePay claimed the attack.
  • WEBER GmbH, Germany – The company’s website continues to display a message notifying customers of an attack that has encrypted systems and led to a possible data breach. RansomHouse claimed the attack.
  • Aussie Fluid Power, Australia – Anubis claimed an attack on the company in the middle of October, posting various documents to its site as proof. Aussie Fluid Power confirmed it had detected unauthorized activity on its systems, which may have resulted in certain employee, customer, and supplier information being compromised.
  • Nickelhütte Aue GmbH, Germany – On October 20, 2025, Nickelhütte Aue confirmed it was the victim of a ransomware attack by an unknown group. Systems were disrupted with restoration ongoing.
  • Jewett-Cameron Trading Co. Ltd., United States – In an SEC filing, the US manufacturer confirmed hackers had encrypted a portion of its systems and gained access to certain information and data. No hackers have claimed the attack as of yet.
  • Kurogane Kasei Co., Ltd., Japan – Following an attack on October 16, 2025, systems were taken offline, with disruptions continuing throughout the rest of October. In its last update on October 31, Kurogane Kasei said no information leaks had been detected, but RansomHouse has claimed the attack and alleges to have stolen data.
  • Ansell Limited, Australia – Ansell confirmed “certain sets of company data” had been accessed following unauthorized access to its systems “via licensed third-party software vulnerabilities.” Clop later claimed the attack, implying it exploited an Oracle zero-day vulnerability.
  • TEIN, Inc., Japan – After experiencing an attack on October 30, 2025, the Japanese manufacturer’s servers became inaccessible. Hackers unknown.

Elsewhere, RansomHouse claimed responsibility for an attack on ASKUL Corporation (Japan) that continues to cause mass disruptions to retailers across the globe. 1.1 TB was allegedly stolen in the attack.

Two utility companies were also targeted (Omrin in the Netherlands and Enessance Holdings Co., Ltd. in Japan) with systems disrupted and data stolen. Qilin claimed both of these attacks.

Across 2025 so far (to October), we’ve logged 551 confirmed attacks on businesses, and we’re tracking a further 4,459 unconfirmed attack claims.

The most prolific ransomware strains in October 2025

As we’ve noted, there was no competing with Qilin last month. The gang claimed a staggering 186 victims in October alone. Akira and Sinobi came joint second with 70 attacks each.

Qilin took the top spot for the number of confirmed attacks (10 in total). Four of these hit government entities. In addition to those mentioned above, Qilin claimed two attacks in South Korea (finance company KIS Pricing Inc. and tech company kt altimedia) and another on the US healthcare company MedImpact Healthcare Systems, Inc.

Clop claimed the second-highest number of confirmed attacks. All of these appear to relate to the Oracle zero-day vulnerability exploit. As well as the aforementioned attacks, American Airlines’ subsidiary, Envoy Air Inc., also confirmed a Clop attack.

When it comes to the amount of data stolen, Qilin claimed the most (over 29.8 TB of data), followed by PEAR (25.5 TB) and INC (21.4 TB).

Qilin’s attack on North Stonington Public Schools saw the highest volume of data stolen in a confirmed attack: 3 TB. INC said it stole 20 TB from a US mortgage company, but that claim remains unconfirmed at the time of writing.

October 2025 ransomware attacks by country

The US absorbed the vast majority of attacks in October with 374 in total, followed by Canada (42), France (29), and Germany (20). The US also saw the most confirmed attacks (10), followed by Japan (8).

Attacks in Australia increased significantly last month, rising by 250 percent from four in September to 14 in October. Japan also saw a sizable increase of over 230 percent (10 in October compared to 3 in September).

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. We must therefore allow for some movement in the figures when comparing months, especially where unconfirmed attacks are involved, because ransomware groups often post their claims a month after the attack was carried out, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack that took place in December 2024 and will, therefore, be attributed to a different month.
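The labelling and month-attribution rules above, as an added Python example (not the tracker's own code): leak-site claims are matched against organizations' public disclosures, confirmed attacks are dated by the organization's attack date, and unconfirmed claims keep the date of the leak-site post. Organization and gang names in the sample data are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Claim:  # a victim post on a ransomware group's data leak site
    gang: str
    org: str
    claim_date: date

@dataclass(frozen=True)
class Disclosure:  # a public statement by the targeted organization
    org: str
    attack_date: date
    mentions_ransomware: bool

def classify(claims, disclosures):
    """Split leak-site claims into confirmed and unconfirmed attacks.
    Rule a: the organization itself disclosed a ransomware attack.
    Rule b: the organization acknowledged a cyber attack matching a claim.
    Confirmed attacks take the organization's attack date; unconfirmed
    claims keep the date of the leak-site post."""
    by_org = {d.org: d for d in disclosures}
    confirmed, unconfirmed = [], []
    for c in claims:
        d = by_org.get(c.org)
        if d is None:
            unconfirmed.append((c.gang, c.org, c.claim_date))
        else:
            confirmed.append((c.gang, c.org, d.attack_date))  # rule b
    claimed_orgs = {c.org for c in claims}
    for d in disclosures:
        if d.mentions_ransomware and d.org not in claimed_orgs:
            confirmed.append(("unknown", d.org, d.attack_date))  # rule a
    return confirmed, unconfirmed

def monthly_counts(rows):
    """Count attacks per attribution month (YYYY-MM)."""
    return Counter(f"{day:%Y-%m}" for _, _, day in rows)

# Constructed sample data; organization and gang names are placeholders.
CLAIMS = [
    Claim("GangA", "Org1", date(2025, 1, 15)),  # org later confirms a December attack
    Claim("GangB", "Org2", date(2025, 1, 20)),  # never acknowledged by the org
]
DISCLOSURES = [
    Disclosure("Org1", date(2024, 12, 20), False),  # cyber attack matching GangA's claim
    Disclosure("Org3", date(2025, 1, 5), True),     # disclosed ransomware, never claimed
    Disclosure("Org4", date(2025, 1, 9), False),    # cyber attack, no claim: not counted
]
```

Running `classify(CLAIMS, DISCLOSURES)` attributes GangA's January claim to December 2024, which is the month shift the paragraph above describes.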

You can view all attacks, from 2018 to the present, via our worldwide ransomware tracker here.