New data from Comparitech reported 5,186 ransomware attacks so far in 2025, a 36% increase compared with 3,810 incidents tracked during the same period in 2024. The third quarter also saw a six percent rise from the second quarter, with attacks increasing from 1,434 to 1,517, of which 158 were confirmed. However, the increase has not been uniform across all industries. Attacks on the education sector rose by only 5%, while those on the healthcare sector fell by 2%.
“In the last quarter, attacks on government entities and healthcare companies declined, falling by 31 and 14 percent, respectively. Attacks on education providers remained consistent, while attacks on businesses increased by 11 percent,” Rebecca Moody, head of data research at Comparitech, wrote in a Thursday news post. “Across the business sector, the manufacturing industry remains the hardest hit, with attacks in the sector increasing by 13 percent from Q2 of 2025 to Q3 of 2025. But some of the most disruptive attacks in the last quarter targeted third-party technology vendors.”
Moody noted that these include an attack on Collins Aerospace in September 2025 that caused chaos across multiple European airports; Data Carry’s attack on Sweden’s Miljödata, which disrupted over 200 municipalities and has seen over 1 million people impacted in the breach; and Qilin’s ransom demands on South Korean investment companies following an attack on a cloud server maintained by an IT company.
She also observed that “After such high-profile attacks on the healthcare sector in recent years, hackers appear to have switched some of their focus to companies that specialize in healthcare but don’t provide direct care. As we noted, organizations like medical device manufacturers, healthcare billing providers, and pharmaceutical companies have seen an influx in attacks because they give hackers access to multiple healthcare organizations through one source.”
Among the confirmed attacks for the third quarter of 2025, 99 targeted businesses, 35 affected government entities, 10 involved healthcare companies, and 14 impacted educational institutions. Of the 1,359 unconfirmed attacks, 1,226 were on businesses, 26 on government entities, 68 on healthcare companies, and 33 on educational institutions. The most active ransomware gangs were Qilin, with 233 attack claims, Akira with 155, INC with 114, Play with 102, and SafePay with 90. Among these, Qilin and INC recorded the highest number of confirmed attacks, with 40 and 12, respectively. Across all attacks, over 335 terabytes of data were reported stolen.
From the second to the third quarter of 2025, ransomware attacks on government entities fell by 31 percent, dropping from 89 to 61 incidents. Of these, 35 were confirmed and 26 remained unconfirmed. The average ransom demanded across all attacks was US$3.57 million, with the largest, $15 million, sought by Devman from Thailand’s Ministry of Labour. The ministry confirmed the attack but stated that only its website was defaced, with no servers accessed. Across all incidents, 23.6 terabytes of data were stolen. So far in 2025, there have been 274 attacks on government organizations, a 40 percent increase compared with 196 incidents recorded during the same period in 2024.
During the third quarter of 2025, the healthcare sector experienced 78 ransomware attacks, a 14 percent decline from 91 incidents in the second quarter. Of these, 10 were confirmed and 68 remained unconfirmed. The average ransom demanded across all attacks was $844,500, with the largest, $1.15 million, sought by Rhysida from Cookeville Regional Medical Center in the U.S. A total of 12.5 terabytes of data were stolen across all incidents. So far in 2025, the sector has seen 293 attacks, roughly matching the 300 incidents recorded during the first nine months of 2024.
Ransomware attacks on businesses rose from 1,195 in the second quarter of 2025 to 1,325 in the third quarter, an 11% increase. Of these, 99 were confirmed and 1,226 remained unconfirmed. The average ransom demanded across all attacks was $3.02 million, with the largest, $91 million, sought by Devman from China’s Shimao Group, although this attack remains unconfirmed. A total of 290.3 terabytes of data were stolen across all incidents. While every sub-industry except transportation and construction saw an increase in attacks from the second to the third quarter, some sectors experienced a notably higher surge than others.
Moody detailed that companies that operate within the healthcare sector but don’t offer direct care to patients, such as medical billing providers, healthcare device manufacturers, and pharmaceutical companies, saw an increase of over 60% over the last quarter. These types of companies are an increasingly attractive target for hackers because of the number of individual healthcare organizations they often deal with. By targeting these entities, hackers can cause mass disruption to numerous healthcare organizations and/or access larger datasets.
Manufacturers remain the most targeted businesses with 296 attacks in Q3 of 2025, up from 262 in Q2 of 2025, recording a 13% increase. “Throughout 2025 so far, we’ve noted 4,397 attacks on businesses. This is a 40 percent increase on the 3,140 recorded in the first nine months of 2024.”
Comparitech mentioned that Qilin, Akira, INC, and Play claimed the most attacks in the third quarter of this year, with over 100 each. “But it was Qilin and INC who had the most confirmed attacks out of these claims with 40 and 12, respectively. 15 of Qilin’s confirmed attacks were carried out on asset management firms in South Korea. Having accessed the finance companies’ systems via an IT provider, Qilin started adding the companies to its data leak site throughout September. 28 of these companies have been listed on its data leak site so far.”
Data Carry claimed the largest breach of the third quarter in its attack on the Swedish IT company, Miljödata. Around 1 million Swedes are said to have been impacted, but the figure will likely increase as other companies come forward. For example, Volvo Group started issuing notifications in the US following this attack.
Nova (formerly RA Lord) claimed the second-largest attack, in which 941,000 records were breached at Dutch healthcare company Clinical Diagnostics (Eurofins).
“It was INC that alleged to have stolen the most amount of data, though, with 45.4 TB in total,” Comparitech identified. “However, INC doesn’t always reveal how much data has been stolen in its attacks (we noted figures in 37 of its 114 attacks), so the real figure is likely a lot higher. Its biggest claim of 20 TB came from an unconfirmed attack on a healthcare manufacturer, but its second highest was on Pennsylvania’s Attorney General, where it took credit for stealing 5.7 TB of data.”
Last month, Comparitech reported that of the 18 confirmed ransomware attacks in August, three hit manufacturers, two targeted healthcare companies, and another two struck the food and beverage sector. Overall, worldwide ransomware attacks rose from 473 in July to 506 in August, a 7% increase and the second consecutive month of growth after a decline from March through June 2025. While government systems remain a steady target, manufacturing recorded the sharpest rise, with attack claims surging 57% from 72 in July to 113 in August. Four of these incidents have been confirmed.
