Comparitech reported that in 2025, there were 7,419 ransomware attacks worldwide, representing a 32% increase over the 5,631 attacks recorded in 2024. Of the 7,419 attacks noted in 2025, 1,173 were confirmed by the targeted organizations. Ransomware groups claimed the remaining incidents on their data leak sites, but have not been publicly acknowledged by the affected organizations. Manufacturing was the hardest-hit sector throughout 2025, while attacks on healthcare and education providers appeared to plateau last year, with very similar year-on-year figures.
“Across the 1,173 confirmed attacks, nearly 59.2 million records were breached (and counting),” Rebecca Moody, Comparitech’s head of data research, wrote in a Tuesday blog post. “These figures for 2025 are lower than those recorded in 2024 (1,533 attacks affecting over 335.6 million records), but with many reports coming through months (and, in some cases, years) after the attack, we do expect 2025 confirmed figures to rise in the coming months.”
She noted that manufacturers saw a 56% increase in attacks, rising from 937 to 1,466, but the average ransom demand more than doubled from $523,000 in 2024 to nearly $1.2 million in 2025. “It was a similar case for legal firms where attacks increased by 54 percent and average ransom demands jumped by 60 percent to $610,000.”
However, attacks on healthcare and education providers appeared to plateau last year with very similar year-on-year figures. “This could be due to a number of factors, such as a change in focus for certain hacker groups (e.g. to the manufacturing sector) and increased awareness of attacks in these sectors due to a number of high-profile cases in recent years.”
Comparitech detailed that across the 7,419 attacks noted in 2025, just over 51% of these (3,810) were carried out on U.S. organizations. The U.S. saw a 33% increase in the number of attacks from 2024, up from 2,872.
Canada saw the second-highest number of attacks with 392 in total – a 31% increase from 2024 (300). It was followed by Germany with 303 attacks (up 62% from 2024’s figure of 187), the UK with 251 attacks (down 5% from 2024’s figure of 264), and France with 178 attacks (up 39% from 2024’s figure of 128).
As previously noted, one of the biggest increases was seen in South Korea, where attacks rose by 540% from 10 in 2024 to 64 in 2025. A large number of these involved asset management companies following Qilin’s breach of a shared third-party service provider.
The Comparitech 2025 data shows 7,419 ransomware attacks worldwide, underscoring the continued escalation of global ransomware activity. Businesses remained the primary target, accounting for 6,292 attacks, a 35% increase from 4,647 in 2024. Government entities experienced 374 attacks, up 27% from 294, while healthcare organizations recorded 444 attacks, a 2% increase from the previous year. Educational institutions were targeted in 252 attacks, also reflecting a 2% year-on-year rise.
Of the total attacks recorded, 1,173 were confirmed by the affected organizations. These confirmed incidents included 750 attacks on businesses, 196 on government entities, 134 on healthcare organizations, and 93 on educational institutions. Collectively, the attacks resulted in the compromise of more than 59 million records.
Despite the higher attack volume, the average ransom demand declined to $1.04 million, down 26% from $1.4 million in 2024. Qilin emerged as the most prolific ransomware group with 1,034 attacks, followed by Akira with 765, Clop with 454, Play with 393, SafePay with 374, and INC with 359. Across all incidents, ransomware groups claimed to have stolen an estimated 32.7 petabytes of data.
Geographically, the U.S. was the most targeted country with 3,810 attacks, followed by Canada with 392, Germany with 303, the U.K. with 251, and France with 178. South Korea recorded one of the sharpest increases in activity, with attacks rising 540% year-over-year, from 10 in 2024 to 64 in 2025.
Several large-scale data breaches in 2025 were directly linked to ransomware attacks, highlighting the scale of exposure that can follow successful intrusions. The largest reported breach involved a U.S.-based technology services provider, Conduent, where up to 15.9 million records were affected. Following a ransomware attack in January 2025, claimed by the SafePay group, the attackers alleged the theft of 8.5 terabytes of data. To date, around 1.6 million individuals have been formally notified of the breach.
In the U.K., the Co-operative Group confirmed that 6.5 million of its members were impacted by an April 2025 ransomware attack that severely disrupted retail operations. The incident, attributed to the use of DragonForce ransomware by the Scattered Spider group, resulted in an estimated £206 million, or approximately $276 million, in lost revenue.
U.S.-based healthcare technology firm Episource reported that more than 5.4 million individuals were affected by a ransomware attack disclosed in January 2025, although the attackers responsible have not been publicly identified. The University of Phoenix also reported a major breach affecting 3,489,274 individuals after an attack linked to the Clop ransomware group, which exploited a zero-day vulnerability in Oracle software as part of a broader campaign.
DaVita, a U.S. kidney dialysis provider, disclosed in March 2025 that a ransomware attack led to the exposure of 2,689,826 records. The attack was claimed by the Interlock group, which alleged the theft of more than 1.5 terabytes of data.
Other significant ransomware-related breaches reported in 2025 included Sanrio Entertainment in Japan, which reported approximately 2 million affected records; Asahi Group Holdings in Japan, with 1.9 million; Huis Ten Bosch in Japan and Miljödata in Sweden, each with around 1.5 million affected records; and Marquis Software Solutions in the U.S., also reporting roughly 1.5 million impacted individuals.
While ransomware activity surged across businesses and government agencies in 2025, attack volumes against the education and healthcare sectors remained broadly consistent with 2024 levels. The data suggests that attackers concentrated their growth efforts on commercial and public-sector targets rather than expanding significantly into traditionally sensitive sectors.
Government agencies experienced 374 ransomware attacks in total during 2025, with 196 of those incidents confirmed by the affected entities. The confirmed attacks resulted in the exposure of approximately 2.19 million records. Average ransom demands across all government-related attacks fell to $1.55 million, representing a 15% decline from $1.83 million in 2024.
The healthcare sector recorded 444 ransomware attacks in 2025, including 134 confirmed incidents. These confirmed attacks led to the compromise of 10.1 million records. Despite the scale of data exposure, average ransom demands dropped sharply to $615,000, down 84% from $3.9 million the previous year.
Educational institutions reported 252 ransomware attacks in 2025, with 93 confirmed cases. Across these confirmed incidents, approximately 3.9 million records were affected. Average ransom demands in the education sector declined to $457,200, down 34% from $694,000 in 2024.
Businesses continued to bear the brunt of ransomware activity, accounting for 6,292 attacks in 2025. Of these, 750 were confirmed by the targeted organizations and resulted in the compromise of roughly 43 million records. Average ransom demands for businesses remained unchanged year over year at $1.09 million.
A closer look at business-sector attacks shows uneven growth across industries. Manufacturing emerged as the most heavily targeted sector, with attacks rising 56% from 937 in 2024 to 1,466 in 2025. Manufacturers were also among the few industries to see higher ransom demands, with averages more than doubling from $523,000 to $1.16 million.
The legal sector recorded the second-largest increase, with attacks climbing 54% from 225 to 346 year over year. Average ransom demands in legal services also rose sharply, increasing 60% from $383,000 in 2024 to $611,000 in 2025. Other industries experiencing notable increases in ransomware activity included food and beverage, up 38%; retail, up 37%; transportation, up 34%; service-based businesses, up 33%; and technology companies, up 32%.
Comparitech reported that Qilin emerged as the most prolific ransomware group in 2025, accounting for 14% of all recorded attacks. The group claimed responsibility for 1,034 of the 7,419 incidents logged during the year, with 172 of those attacks confirmed by the affected organizations. Qilin also reported the largest volume of stolen data, totaling 31.2 petabytes. The vast majority of this figure was attributed to a single attack on a U.S. manufacturer, in which the group claimed to have exfiltrated 31.09 petabytes of data, although this claim has not been independently confirmed.
Akira ranked second in overall activity, with 765 attacks recorded in 2025. Of these incidents, 84 were confirmed by the targeted entities. Across all of its campaigns, Akira was linked to the theft of approximately 35.2 terabytes of data.
Despite their high attack volumes, neither Qilin nor Akira was responsible for the largest number of compromised records. That distinction went to SafePay, which breached a total of 16.15 million records in 2025. Nearly all of those records, approximately 15.9 million, were tied to its attack on Conduent.
DragonForce ranked second in terms of records exposed, with just over 6.5 million compromised records. As with SafePay, the majority of DragonForce’s total stemmed from a single large-scale incident, the ransomware attack on the Co-operative Group.
