New data from Comparitech shows that of the 18 confirmed ransomware attacks in August, three hit manufacturers, two targeted healthcare companies, and another two struck the food and beverage sector. Overall, worldwide ransomware attacks rose from 473 in July to 506 in August, a 7% increase and the second consecutive month of growth after a decline from March through June 2025. While government systems remain a steady target, manufacturing recorded the sharpest rise, with attack claims surging 57% from 72 in July to 113 in August. Four of these incidents have been confirmed.
August saw a first-of-a-kind attack on the state of Nevada. While hundreds of U.S. government organizations have suffered ransomware attacks, this is the first-ever statewide attack. The attack was first detected on August 24, 2025, and has left many citizens and state agencies without access to essential services. No hackers have claimed the attack as of yet, but if a ransom isn’t paid, it’s likely the group will come forward in the coming days/weeks.
Comparitech reported that the healthcare and education sectors each recorded one confirmed attack in August, though both reported more unconfirmed attack claims compared with July. These numbers are expected to rise as additional incidents are confirmed in the coming weeks.
“If we needed a reminder of how dominant a threat ransomware is, August’s statistics provide it,” Rebecca Moody, head of data research at Comparitech, wrote in an emailed statement. “Not only did we see a steady increase in attacks, but we also witnessed a first-of-its-kind attack on the State of Nevada. The latter in particular highlights how no one, not even a multi-billion-dollar government organization, is immune to these types of attacks. And, even though numerous countries and governments are looking to ban public entities from making ransom payments, this is doing little to deter hackers.”
Addressing why, Moody noted that it is “likely due to a number of reasons. Firstly, these attacks are often random, e.g., because the hackers start exploiting a known vulnerability or a staff member happens to click on or download something they shouldn’t. Second, even if the hackers don’t receive the ransom, they’re most certainly going to gain notoriety when they make their claim on the State of Nevada. So, when another entity finds itself facing an attack from the same organization, they’ll instantly recognize the group’s name and may be more inclined to pay up before the attack escalates any further. Finally, it’s more than likely that the hackers will have stolen data in this attack on Nevada, so they’ll always have this to sell on the dark web if needed.”
“While banning public entities from making ransom payments may be a step toward reducing ransomware attacks, it isn’t the silver bullet. Rather, it should be part of a multi-pronged approach and one that makes sure the basics are covered,” according to Moody. “This includes patching any vulnerabilities as soon as they are flagged, making sure systems are regularly updated, carrying out frequent backups, investing in employee training, and having a step-by-step plan in place should an attack occur.”
In Poland, plastics manufacturer MARMA Polskie Folie Sp. z o.o was attacked by Qilin, which encrypted systems and left evidence of a possible data breach. In the U.S., electronics maker Data I/O Corporation disclosed in a Securities and Exchange Commission (SEC) filing that a ransomware attack had temporarily disrupted its operations, though the attackers have not been identified. In Japan, Nissan Creative Box Inc., the Tokyo-based design studio of Nissan, confirmed a breach after Qilin listed the company on its leak site and claimed to have stolen more than 4 terabytes of data.
In the healthcare sector, Inotiv was joined by Japan’s Osaki Medical Co., Ltd., which confirmed an attack but has not yet seen any group claim responsibility. In the food and beverage industry, Sunrise Co. Ltd. in Japan and Blenders in the Grass in the U.S. reported confirmed ransomware incidents, with no attribution made in either case.
Several large breaches have also been reported by companies in the healthcare sector that do not provide direct care but fall within the sector-by-sector comparison. The housekeeping provider Healthcare Services Group notified 624,496 people last week of a breach from October 2024, while dialysis provider DaVita confirmed that 2.7 million people were affected by its April 2025 breach. Drug research firm Inotiv experienced system disruption in August following an attack by Qilin. No notifications have been issued, but the group claimed to have stolen 176 GB of data.
Apart from the Nevada attack, the Maryland Transit Administration (MTA) also revealed that it was investigating a cyberattack that resulted in unauthorized access to several operational and information systems, including its call centers and real-time data feeds. Core transit services, including local buses, Metro Subway, Light Rail, MARC, Mobility, Call-A-Ride, and Commuter Bus, run normally, although some information systems, including real-time information and call centers, remain impacted.
“The Maryland Department of Emergency Management (MDEM) has activated the Statewide Emergency Operations Center (SEOC), which includes the MTA, DoIT, and other appropriate state agencies,” MTA disclosed. “We are working with third-party cybersecurity experts and law enforcement partners to assess the scope of the incident and mitigate its impact. The investigation is ongoing. We will provide updates as more information becomes available.”
In August, Comparitech revealed that there were 506 ransomware attacks in total, with 30 confirmed by the entities involved. Of these confirmed incidents, 17 targeted businesses, 11 affected government entities, one involved a healthcare company, and one hit an educational institution. Among the 476 unconfirmed attack claims, 418 were directed at businesses, nine at government entities, 29 at healthcare companies, and 15 at educational institutions. Five additional attacks were reported on unknown companies that could not be attributed to a specific sector.
Comparitech mentioned that the most active ransomware groups during the month were Qilin with 86 attacks, Akira with 57, Sinobi with 36, DragonForce with 30, and SafePay with 28. Qilin also recorded the most confirmed attacks at six, followed by Interlock and Warlock with two each, while Lynx, Kairos, PEAR, and Blue Locker each accounted for one confirmed incident.
When the hackers disclosed the size of stolen data, which occurred in 201 cases, nearly 97.5 terabytes were reportedly taken, averaging 485 gigabytes per breach. Several new ransomware gangs also emerged in August, including PEAR, Cephalus, and Desolator.
Out of the 11 confirmed attacks on government entities in August, seven targeted organizations in the United States. Only three of these incidents have so far been claimed or attributed to a hacker group. The affected U.S. entities include Box Elder County, the City of Greenville, West Chester Township, the State of Nevada, Lycoming County, and the Pennsylvania Office of Attorney General. West Chester Township experienced two separate attacks during the month.
The attack on Box Elder County was claimed by Interlock, which said it had stolen 4.5 terabytes of data. The newly formed group PEAR claimed responsibility for the first attack on West Chester Township, stating that it had stolen 2 terabytes of data. All of these attacks caused system disruptions. In Greenville, Texas, the impact was so severe that the state attorney general issued a catastrophe notice after the city lost access to police records and other systems.
Comparitech also reported that Pakistan Petroleum Limited, the government-owned oil and gas exploration company, detected an attack on August 6, 2025. The incident caused minimal disruption, and no contact was made with the hackers, who were later identified as Blue Locker. In Germany, the municipality of Gemeinde Hoppegarten suffered more than a week and a half of downtime before telephone systems were restored, though the attackers remain unidentified.
In Spain, the city of Elche disclosed a late-August cyberattack that rendered its systems inoperable, with no group yet claiming responsibility. In Mexico, the city of Cajeme reported that unknown hackers demanded US$150,000 after encrypting municipal systems during the final week of August, but officials said no ransom was paid. By the end of August, Comparitech identified that there had been 129 confirmed ransomware attacks on government entities, with another 124 unconfirmed cases under investigation.
For the third month in a row, Qilin remains the most prolific ransomware strain with 86 claims in total. It was followed by Akira (57), while Sinobi, which only started adding victims to its data leak site in July 2025, took third place with 36 claims.
Qilin was also the gang with the most confirmed attacks, with six in total. As well as Inotiv, MARMA Polskie Folie, Farmácia Moniz Silva, Nissan Creative Box, and Morgenstern, Qilin was behind an attack on Welcome Financial Group Inc., South Korea. In this case, Qilin is alleged to have stolen over 1 TB of data. However, Welcome Financial said the data affected was internal and did not impact customers.
