Ransomware roundup: Q3 2025

So far this year, Comparitech researchers have recorded 5,186 ransomware attacks. This is a 36 percent increase on the number of attacks (3,810) we tracked from January to September 2024.

Q3 of 2025 also saw a 6 percent increase in attacks from Q2 of 2025—rising from 1,434 to 1,517.

In the last quarter, attacks on government entities and healthcare companies declined, falling by 31 and 14 percent, respectively. Attacks on education providers remained consistent, while attacks on businesses increased by 11 percent.

Across the business sector, the manufacturing industry remains the hardest hit with attacks in the sector increasing by 13 percent from Q2 of 2025 to Q3 of 2025. But some of the most disruptive attacks in the last quarter targeted third-party technology vendors.

These include an attack on Collins Aerospace in September 2025 that caused chaos across multiple European airports; Data Carry’s attack on Sweden’s Miljödata, which disrupted over 200 municipalities, with over 1 million people impacted by the breach; and Qilin’s ransom demands on South Korean investment companies following an attack on a cloud server maintained by an IT company.

Key findings for Q3 2025:

  • 1,517 attacks in total — 158 confirmed attacks
  • Of the 158 confirmed attacks:
    • 99 were on businesses
    • 35 were on government entities
    • 10 were on healthcare companies
    • 14 were on educational institutions
  • Of the 1,359 unconfirmed attacks*:
    • 1,226 were on businesses
    • 26 were on government entities
    • 68 were on healthcare companies
    • 33 were on educational institutions
  • The most prolific ransomware gangs were Qilin (233 attack claims), Akira (155), INC (114), Play (102), and SafePay (90). Qilin and INC had the most confirmed attacks out of these claims with 40 and 12, respectively
  • Over 335 TB of data has been stolen across all these attacks

*6 unconfirmed attacks couldn’t be attributed to a sector due to limited company information.

Ransomware attacks by sector

Government

From Q2 of 2025 to Q3 of 2025, attacks on government entities decreased by 31 percent, falling from 89 in Q2 to 61 in Q3.

  • 61 attacks in total (confirmed and unconfirmed)
  • 35 confirmed attacks
  • 26 unconfirmed attacks
  • Average ransom of $3.57 million across all attacks
  • Largest ransom of $15 million was demanded by Devman from Thailand’s Ministry of Labour. The government agency confirmed the attack but said only its website was impacted (and defaced)–no servers were accessed
  • 23.6 TB of data was stolen across all attacks

So far this year, we’ve noted 274 attacks on government organizations–a 40 percent increase on the same period of last year (we recorded 196 in the first three quarters of 2024).

Healthcare

Q3 of 2025 saw 78 attacks on the healthcare sector, which is a 14 percent decrease on Q2 of 2025, when 91 attacks were recorded.

  • 78 attacks in total (confirmed and unconfirmed)
  • 10 confirmed attacks
  • 68 unconfirmed attacks
  • Average ransom of $844,500 across all attacks
  • Largest ransom of $1.15 million was demanded by Rhysida from Cookeville Regional Medical Center, US
  • 12.5 TB of data was stolen across all attacks

Throughout 2025 so far, we’ve seen 293 attacks on the healthcare sector, which is a similar figure to what was noted in the first nine months of 2024 (300).

Education

Throughout Q3 2025, the education sector has seen 47 attacks in total, which is a similar figure to that noted in Q2 of 2025 (49).

  • 47 attacks in total (confirmed and unconfirmed)
  • 14 confirmed attacks
  • 33 unconfirmed attacks
  • Average ransom of $576,500 across all attacks
  • Largest ransom of $1.14 million was demanded by Rhysida from Elkhart Independent School District (an unconfirmed attack)
  • 8.6 TB of data was stolen across all attacks

In the first nine months of 2025, 178 attacks on the education sector have been noted. This is a slight increase (5%) on the figure we recorded in the same period of 2024 (170).

Businesses

Attacks on businesses climbed from 1,195 in Q2 of 2025 to 1,325 in Q3 of 2025—an 11 percent increase.

  • 1,325 attacks in total (confirmed and unconfirmed)
  • 99 confirmed attacks
  • 1,226 unconfirmed attacks
  • Average ransom of $3.02 million across all attacks
  • Largest ransom of $91 million was demanded by Devman from China’s Shimao Group (unconfirmed attack)
  • 290.3 TB of data was stolen across all attacks

While every sub-industry bar transportation and construction saw an increase in attacks from Q2 2025 to Q3 2025, some industries saw a higher uptick than others.

Companies that operate within the healthcare sector but don’t offer direct care to patients (e.g. medical billing providers, healthcare device manufacturers, and pharmaceutical companies) saw an increase of over 60 percent over the last quarter. These types of companies are an increasingly attractive target for hackers because of the number of individual healthcare organizations they often deal with. By targeting these entities, hackers can cause mass disruption to numerous healthcare organizations and/or access larger datasets.

Manufacturers remain the most targeted businesses with 296 attacks in Q3 of 2025—up from 262 in Q2 of 2025 (13% increase).

Throughout 2025 so far, we’ve noted 4,397 attacks on businesses. This is a 40 percent increase on the 3,140 recorded in the first nine months of 2024.

The most prolific ransomware strains in Q3 2025

As we’ve already noted, Qilin, Akira, INC, and Play claimed the most attacks in Q3 of 2025 with over 100 each. But it was Qilin and INC who had the most confirmed attacks out of these claims with 40 and 12, respectively.

15 of Qilin’s confirmed attacks were carried out on asset management firms in South Korea. Having accessed the finance companies’ systems via an IT provider, Qilin started adding the companies to its data leak site throughout September. 28 of these companies have been listed on its data leak site so far.

Data Carry claimed the largest breach of Q3 in its attack on the Swedish IT company, Miljödata. Around 1 million Swedes are said to have been impacted but the figure will likely increase as other companies come forward. For example, Volvo Group started issuing notifications in the US following this attack.

Nova (formerly RA Lord) claimed the second-largest attack in which 941,000 records were breached at Dutch healthcare company Clinical Diagnostics (Eurofins).

It was INC that claimed to have stolen the most data, though, with 45.4 TB in total. However, INC doesn’t always reveal how much data has been stolen in its attacks (we noted figures in 37 of its 114 attacks), so the real figure is likely a lot higher. Its biggest claim of 20 TB came from an unconfirmed attack on a healthcare manufacturer, but its second highest was on Pennsylvania’s Attorney General, where it took credit for stealing 5.7 TB of data.

2025 sees a 36 percent increase in ransomware attacks

The first nine months of 2025 have seen over 1,300 more attacks than the same period of 2024 (5,186 compared to 3,810). However, this increase hasn’t been significant across all industries.

Attacks on the education sector increased by just 5 percent, while attacks on the healthcare sector decreased by 2 percent.

After such high-profile attacks on the healthcare sector in recent years, hackers appear to have switched some of their focus to companies that specialize in healthcare but don’t provide direct care. As we noted, organizations like medical device manufacturers, healthcare billing providers, and pharmaceutical companies have seen an influx in attacks because they give hackers access to multiple healthcare organizations through one source.

Why hack 100 individual companies when you can hack one and access hundreds at the same time?

Attacks on such healthcare-based companies have seen a 30 percent increase from Q1-Q3 of 2024 to Q1-Q3 of 2025.

We have already noted the ongoing focus on manufacturers, but as the above chart demonstrates, retailers, tech companies, and legal firms have seen large increases in ransomware attacks.

Each has a potentially different appeal for hackers. Targeting a retailer can cause huge disruption when systems are encrypted, as we saw with Marks & Spencer this year. Breaching a legal firm can give cybercriminals access to highly sensitive data. And hitting a technology company can give hackers the best of both worlds—access to large data sets (e.g. Miljödata) and mass disruption (see Collins Aerospace).

Hackers are continually evolving by targeting different niches and sectors as others get more resilient (e.g. healthcare and education). This isn’t to say healthcare companies and education providers aren’t still a key target for hackers (after all, attacks have remained relatively consistent on these sectors), but other industries are often proving to be more lucrative and/or easy to hack for ransomware gangs.

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. This is because ransomware groups often post their claims a month or more after the attack was carried out. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different quarter.
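
The labelling rules and the quarter shift described above can be shown as a short tally. This is an added example, not Comparitech's own tooling: the record fields, the `tally` function, the 120-day window used to decide that a disclosure "coincides" with a claim, and all sample records are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass
class Claim:                  # a leak-site post by a ransomware group
    group: str
    victim: str
    claimed_on: date

@dataclass
class Disclosure:             # a public statement by the organization
    victim: str
    attack_date: date
    mentions_ransomware: bool

def quarter(d: date) -> str:
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"

def tally(claims, disclosures, window_days=120):
    """Count attacks per (quarter, label). window_days is an assumed
    definition of a disclosure that 'coincides' with a claim."""
    counts, matched = Counter(), set()
    for c in claims:
        hit = next((i for i, d in enumerate(disclosures)
                    if d.victim == c.victim
                    and 0 <= (c.claimed_on - d.attack_date).days <= window_days),
                   None)
        if hit is None:
            # No acknowledgement: stays unconfirmed, dated by the claim.
            counts[(quarter(c.claimed_on), "unconfirmed")] += 1
        else:
            # Rule (b): acknowledged attack coincides with the claim.
            # It leaves the unconfirmed list and is dated by the attack.
            matched.add(hit)
            counts[(quarter(disclosures[hit].attack_date), "confirmed")] += 1
    for i, d in enumerate(disclosures):
        # Rule (a): ransomware disclosed by the organization, no claim needed.
        if i not in matched and d.mentions_ransomware:
            counts[(quarter(d.attack_date), "confirmed")] += 1
    return counts

# Constructed sample data (not real incidents).
CLAIMS = [Claim("GroupA", "Example Council", date(2025, 1, 10)),
          Claim("GroupB", "Sample Clinic", date(2025, 2, 3))]
DISCLOSURES = [Disclosure("Example Council", date(2024, 12, 18), False),
               Disclosure("Demo School", date(2025, 3, 1), True),
               Disclosure("Test Corp", date(2025, 2, 20), False)]

if __name__ == "__main__":
    print("claims only:      ", dict(tally(CLAIMS, [])))
    print("after disclosures:", dict(tally(CLAIMS, DISCLOSURES)))
```

Running it with claims only puts both claims in 2025-Q1 as unconfirmed; once the disclosures arrive, the January claim moves to 2024-Q4 as confirmed, which is why unconfirmed totals for a past quarter can change between reports.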