Ransomware roundup_ 2025 end-of-year report

In 2025, we recorded 7,419 ransomware attacks across the globe – a 32 percent increase on 2024’s figure of 5,631.

Of the 7,419 we noted in 2025, 1,173 of these were confirmed by the targeted organizations. The rest were claimed by ransomware groups on their data leak sites, but have not been acknowledged by the targets.

This report will focus on both confirmed and unconfirmed attacks. It is worth noting here that there are a number of attacks that go unreported. For example, a company may pay a ransom, and if no claim is made by the ransomware group and no breach/cybersecurity notification is issued by the company, it may fall under the radar. A recent Sophos survey found that nearly half of all companies pay a ransom to have data returned.

While our report only accounts for attacks that are publicly reported or claimed by hackers, it does give us valuable insight into which industries are being targeted, how ransomware is evolving, and the consequences of these attacks.

Across the 1,173 confirmed attacks, nearly 59.2 million records were breached (and counting). These figures for 2025 are lower than those recorded in 2024 (1,533 attacks affecting over 335.6 million records), but with many reports coming through months (and, in some cases, years) after the attack, we do expect 2025 confirmed figures to rise in the coming months.

The hardest hit sector throughout 2025 was manufacturing. Manufacturers not only saw a 56 percent increase in attacks (rising from 937 to 1,466) but the average ransom demand more than doubled from $523,000 in 2024 to nearly $1.2 million in 2025. It was a similar case for legal firms where attacks increased by 54 percent and average ransom demands jumped by 60 percent to $610,000.

There was some positive news, however. Attacks on healthcare and education providers appeared to plateau last year with very similar year-on-year figures. This could be due to a number of factors, such as a change in focus for certain hacker groups (e.g. to the manufacturing sector) and increased awareness of attacks in these sectors due to a number of high-profile cases in recent years.

Key findings for 2025 ransomware attacks

  • 7,419 attacks in total
    • 6,292 were on businesses – UP 35% from 2024 (4,647)
    • 374 were on government entities – UP 27% from 2024 (294)
    • 444 were on healthcare companies – UP 2% from 2024 (436)
    • 252 were on educational institutions – UP 2% from 2024 (248)
  • 1,173 confirmed attacks (confirmed by the entity involved)
    • 750 were on businesses
    • 196 were on government entities
    • 134 were on healthcare companies
    • 93 were on educational institutions
    • 59,155,258 records compromised in these attacks
  • Average ransom demand of $1.04M across all attacks – DOWN 26% from 2024 ($1.4M)
  • Qilin was the most prolific gang with 1,034 attacks, followed by Akira (765), Clop (454), Play (393), SafePay (374), and INC (359)
  • Gangs alleged to have stolen 32.7 petabytes of data across all of the attacks
  • The United States was the most targeted country with 3,810 attacks in total, followed by Canada (392), Germany (303), the United Kingdom (251), and France (178)
  • South Korea saw one of the biggest upticks in attacks from 2024 to 2025 (up 540% from 10 to 64)

The top 5 biggest data breaches via ransomware in 2025

To date, the biggest data breaches following a ransomware attack in 2025 were:

  1. Conduent, US – 15.9M affected*: So far, around 1.6 million people have been notified of this breach on tech company, Conduent. This follows a ransomware attack in January 2025, which was claimed by SafePay who alleged to have stolen 8.5 TB of data.
  2. The Co-operative Group (Co-op), UK – 6.5M affected: All of Co-op’s 6.5 million members were confirmed to have been impacted in its April 2025 attack which crippled the retailer’s systems and cost £206 million (USD $276M) in lost revenue. DragonForce ransomware was used in the attack and was deployed by the Scattered Spider group.
  3. Episource, LLC, US – 5.4M affected: The healthcare tech company notified over 5.4 million people of its attack in January 2025. The hackers involved remain unknown.
  4. University of Phoenix, US – 3.5M affected: A total of 3,489,274 were confirmed to have had their data breached following an attack via ransomware group Clop. The attack was part of Clop’s exploit of an Oracle zero-day vulnerability.
  5. DaVita Inc., US – 2.7M affected: In March 2025, kidney dialysis company DaVita was targeted in an attack that resulted in a breach of 2,689,826 records. It was claimed by Interlock who allegedly stole over 1.5 TB of data.

Also in the top 10 are Sanrio Entertainment Co., Ltd., Japan (2M), Asahi Group Holdings, Japan (1.9M), Huis Ten Bosch Co., Ltd., Japan (1.5M), Miljödata, Sweden (1.5M), and Marquis Software Solutions, US (1.5M).

*The figures involved in this attack are still being updated. The current total is based on figures issued to various U.S. Attorney General data breach reporting tools.

Ransomware attacks by sector

We categorize attacks into four sectors: business, education, government, and healthcare. Attacks on businesses are then divided into further industries, e.g. manufacturing, retail, and legal, which we’ll explore in more detail below.

While businesses and government agencies saw significant increases in attacks, those on the education and healthcare sectors remained similar when comparing 2024’s figures to 2025’s.

Ransomware attacks on government agencies

  • 374 attacks in total
  • 196 confirmed attacks
  • 2.19M records affected across the confirmed attacks
  • Average ransom demand across all attacks = $1.55M (DOWN 15% from 2024 – $1.83M)

Ransomware attacks on healthcare

  • 444 attacks in total
  • 134 confirmed attacks
  • 10.1M records affected across the confirmed attacks
  • Average ransom demand across all attacks = $615,000 (DOWN 84% from 2024 – $3.9M)

Ransomware attacks on education

  • 252 attacks in total
  • 93 confirmed attacks
  • 3.9M records affected across the confirmed attacks
  • Average ransom demand across all attacks = $457,200 (DOWN 34% from 2024 – $694,000)

Ransomware attacks on businesses

  • 6,292 attacks in total
  • 750 confirmed attacks
  • 43M records affected across the confirmed attacks
  • Average ransom demand across all attacks = $1.09M (EQUAL to 2024)

Ransomware attacks by industry

When we look at the 6,292 attacks on businesses by the industry, some have seen a far greater increase than others.

Throughout 2025, manufacturers became a dominant target for hackers. Here, attacks increased by 56 percent from 937 in 2024 to 1,466 in 2025. Manufacturers were also one of the few industries that saw an increase in average ransom demands, which more than doubled from $523,000 in 2024 to $1.16 million in 2025.

The legal sector saw the second-highest increase in attacks, rising from 225 in 2024 to 346 in 2025 (a 54% increase). Interestingly, average ransom demands also increased here, rising from $383,000 in 2024 to $611,000 in 2025 (up 60%).

Other industries with high increases in attacks were the food and beverage sector (up 38%), retail (up 37%), transportation (up 34%), service-based businesses (up 33%), and tech companies (up 32%).

Businesses within the construction sector saw the biggest increase in average ransom demands. In 2025, these entities were hit with demands that were 15 times higher than the previous year – $2.33 million compared to $156,000.

Transportation and service-based businesses were the only other industries to see an increase in average ransom demands. Transportation saw an average of $2.19 million in 2025, compared to $279,000 in 2024 (up 685%) and service-based businesses were hit with an average demand of $511,000 in 2025 compared to $325,000 in 2024 (a 57 percent increase).

Companies operating in the healthcare sector (but those that don’t provide direct care, e.g. pharmaceutical manufacturers and medical billing providers), saw the biggest decline in average ransoms. These dropped to $584,700 in 2025 from $7.7 million in 2024 (a 92 percent decline).

The top 5 biggest ransom demands in 2025

While there is a lot of data available regarding ransom demands, these come from the hackers and not the companies involved. Despite half of all companies paying a ransom to retrieve their data (as noted above), information on ransoms paid is incredibly limited. Organizations are not typically keen on sharing whether they paid a ransom, and even less so the specific amount paid.

As it stands, we are only aware of six confirmed ransom payments in 2025 and have figures for just two of these. Swiss manufacturing company Bugnard SA paid $200,000 to Akira in September 2025 and the City of Gloversville in New York paid $150,000 to unknown hackers in March 2025.

In contrast, 122 companies have confirmed they did not pay a ransom.

According to our data, the biggest ransom demands across confirmed attacks in 2025 were:

  1. Ministry of Labour, Thailand – $15M: Devman demanded the highest ransom in 2025 after its attack on this Thai government entity in July 2025. Devman defaced the Ministry of Labour’s website and allegedly stole 300 GB of data.
  2. Úrad geodézie, kartografie a katastra SR, Slovakia – $12M: Slovakia’s Office of Geodesy, Cartography and Cadastre was targeted by unknown hackers in January 2025. The government organization refused to meet the hackers’ demands.
  3. Malaysia Airports Holdings Bhd – $10M: After stealing an alleged 2 TB of data, Qilin is said to have demanded $10 million from Malaysia Airports Holdings Bhd, which it refused to pay. The attack took place in March 2025.
  4. Magyar Nemzeti Múzeum – Nemzeti Régészeti Intézet, Hungary – $10M: RansomHub targeted the Hungarian National Museum – National Archaeological Institute in February 2025. It is said to have demanded $10 million and to have stolen 180 GB of data.
  5. Elematec Corporation, Japan – $10M: This Japanese manufacturing company was also targeted by Devman who demanded $10 million after its attack in May 2025.

Also within the top 10 were Spanish airline Iberia (Everest demanded $6M), French healthcare company EHPAD Résidence du Parc (unknown hackers demanded $5M), the National Social Security Fund, a Kenyan government entity (Devman demanded $4.5M), US government entity Cleveland Municipal Court (Qilin demanded $4M which wasn’t paid), and National Association for Stock Car Auto Racing, LLC (NASCAR) in the US (Medusa demanded $4M).

The most prolific ransomware strains in 2025

As we’ve already noted, the most prolific ransomware gang in 2025 was Qilin. Qilin claimed 14 percent of all the attacks we logged in 2025, accounting for 1,034 of 7,419. 172 of Qilin’s attacks were confirmed by the entity involved. Qilin also stole the most data with 31.2 petabytes in total (most of this comes from an attack on a US manufacturer, where it said it had stolen 31.09 petabytes of data – this hasn’t been confirmed, however).

Akira accounted for the second-highest number of attacks with 765 in total. 84 of these were confirmed. It stole 35.2 TB of data across all of its attacks.

Neither Qilin nor Akira breached the highest number of records, however. Here, the topspot goes to SafePay with a total of 16.15 million records breached. Most of these (15.9M) stem from its breach on Conduent, noted above.

DragonForce breached the second-highest number of records with just over 6.5 million in total. Again, most of these are from one attack (Co-op).

Ransomware attacks by country in 2025

Across the 7,419 noted in 2025, just over 51 percent of these (3,810) were carried out on organizations in the US. The US saw a 33 percent increase in the number of attacks from 2024 (up from 2,872).

Canada saw the second-highest number of attacks with 392 in total – a 31 percent increase from 2024 (300). It was followed by Germany with 303 attacks (up 62 percent from 2024’s figure of 187), the UK with 251 attacks (down five percent from 2024’s figure of 264), and France with 178 attacks (up 39 percent from 2024’s figure of 128).

As previously noted, one of the biggest increases was seen in South Korea where attacks rose by 540 percent from 10 in 2024 to 64 in 2025. A large number of these involved asset management companies following Qilin’s breach of a shared third-party service provider.

You can track current ransomware attacks using our worldwide tracker (updated daily) here.

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. This is due to claims from ransomware groups often coming a month later than the attack was carried out–if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.