New data from Comparitech shows ransomware attacks jumped 25% in October, climbing from 546 in September to 684, the third-highest monthly total this year. Manufacturers remained the most targeted sector, accounting for nearly 19% of reported incidents (121), though attacks in this sector rose by a more modest 9% month over month.
In contrast, attacks on the healthcare sector rose significantly, jumping from 26 in September to 56 in October (115%). Other sectors that saw high increases were transportation (109%) and retail (104%). October saw ransomware gang Qilin surpass the 700 mark for the number of attack claims posted to its data leak site this year so far, making it the most active ransomware group of 2025. It claimed 186 victims in October alone.
In October, a total of 684 ransomware attacks were recorded, with 47 confirmed by the affected entities. Of these confirmed cases, 27 targeted businesses, 10 hit government organizations, three affected healthcare companies, and seven involved educational institutions. Among the 637 unconfirmed attacks, 561 were directed at businesses, 14 at government entities, 53 at healthcare organizations, and eight at educational institutions.
The most active ransomware groups during the month were Qilin with 186 attacks, Akira and Sinobi with 70 each, INC with 32, Play with 26, and DragonForce with 20. Qilin also led in confirmed attacks with 10, followed by Clop with four and RansomHouse with three. In the 315 incidents where hackers disclosed data theft details, more than 162 terabytes of data were reportedly stolen, an average of roughly 516 gigabytes per breach.
The U.S. experienced the highest number of attacks at 374, marking a 33% increase from September’s 282 incidents. Australia also saw a sharp rise, from four to 14 attacks, while Japan’s count increased from three to 10.
Rebecca Moody, Comparitech’s head of data research, wrote in a Tuesday blog post that attacks on healthcare providers increased by 115% from September to October, rising from 26 to 56.
Three of October’s attacks have been confirmed so far. Centre hospitalier intercommunal de Haute-Comté in France was targeted by unknown hackers, Community Based Support (CBS) Ltd in Australia was targeted by Lynx, and Family Health West in the U.S. was targeted by Devman with a $700,000 ransom for 120 GB.
Moody said that so far this year, to the end of October, “we’ve logged 104 confirmed attacks on healthcare companies and are monitoring a further 248 unconfirmed attacks.”
Another sector that Moody highlighted in her post was government: attacks on government entities increased by 20% from September to October, rising from 20 to 24. Of the 24 attacks noted in October, 10 were confirmed. Four of these confirmed attacks hit targets in France, three in Germany, and one each in the US, Sweden, and Mexico.
“Three of the attacks in France were carried out by Qilin (Ville de Saint-Claude, Region Hauts-de-France, and Commune d’Elne). Mairie de Fumel was targeted by DragonForce,” she wrote. “Qilin was also responsible for the one attack in the US – the City of Sugar Land, Texas. In Germany, Stadt Hohen Neuendorf, Gemeinde Untereisesheim, and Stadtwerke Clausthal-Zellerfeld all confirmed attacks, but none of them were claimed by hackers. The attack on Stadtwerke Clausthal-Zellerfeld was one of two attacks on public utility companies, with Swedish electricity provider Svenska kraftnät also targeted.”
Everest claimed the attack on Svenska kraftnät and alleged that it had stolen 280 GB of data. On Monday (November 2), reports suggested the post had been removed from Everest’s site, which could imply a ransom has been paid, but Svenska kraftnät hasn’t confirmed a payment.
Moody wrote that Devman claimed the attack in Mexico, demanding $300,000 for 60 GB of data it alleged to have stolen from Junta Local de Conciliación y Arbitraje de la Ciudad de México. “Up to the end of October 2025, we’ve logged 162 confirmed attacks on government entities and are monitoring a further 143 unconfirmed attacks.”
Comparitech added that attacks on businesses increased by 21% from September to October, rising from 487 to 588. Twenty-seven attacks on global businesses have been confirmed throughout October 2025. Manufacturing remains the most targeted industry with eight confirmed attacks and a further 113 unconfirmed attack claims.
The confirmed attacks include several significant incidents across multiple countries. In Japan, Mino Kogyo experienced system disruptions and shutdowns at the start of the month, later confirming that 300 GB of communications data had been stolen; SafePay claimed responsibility for the attack. In Germany, WEBER GmbH’s website displayed messages indicating that systems had been encrypted and a possible data breach occurred, with RansomHouse claiming the attack. Aussie Fluid Power in Australia was targeted in mid-October by Anubis, who posted various documents as proof; the company confirmed unauthorized activity that may have compromised employee, customer, and supplier information.
Additionally, Nickelhütte Aue GmbH in Germany confirmed on Oct. 20 that it had suffered a ransomware attack by an unknown group, causing system disruptions with restoration ongoing. In the U.S., Jewett-Cameron Trading revealed in an SEC filing that hackers had encrypted part of its systems and accessed certain information, though no group has claimed responsibility. Kurogane Kasei Co., Ltd. in Japan experienced an attack on October 16, taking systems offline with continued disruptions; RansomHouse claimed the attack, but no data leaks were detected.
In Australia, Ansell Limited confirmed that certain company data had been accessed via licensed third-party software vulnerabilities, with Clop claiming the attack and suggesting exploitation of an Oracle zero-day. TEIN in Japan suffered an attack on Oct. 30, rendering its servers inaccessible, with the responsible hackers unknown. Elsewhere, RansomHouse claimed responsibility for an attack on ASKUL Corporation (Japan) that continues to cause mass disruptions to retailers across the globe. 1.1 TB was allegedly stolen in the attack.
The post noted that two utility companies were also targeted, Omrin in the Netherlands and Enessance Holdings in Japan, with systems disrupted and data stolen. Qilin claimed both of these attacks.
Noting that there was no competing with Qilin last month, Moody wrote that the gang claimed a staggering 186 victims in October alone. Akira and Sinobi came joint second with 70 attacks each. “Qilin took the top spot for the number of confirmed attacks (10 in total). Four of these hit government entities. In addition to those mentioned above, Qilin claimed two attacks in South Korea (finance company KIS Pricing Inc. and tech company kt altimedia) and another on US healthcare company, MedImpact Healthcare Systems, Inc.”
She added that Clop claimed the second-highest number of confirmed attacks. “All of these appear to relate to the Oracle zero-day vulnerability exploit. As well as the aforementioned attacks, American Airlines’ subsidiary, Envoy Air Inc., also confirmed a Clop attack.”
When it comes to the amount of data stolen, Comparitech reported that “Qilin claimed the most (over 29.8 TB of data), followed by PEAR (25.5 TB) and INC (21.4 TB). Qilin’s attack on North Stonington Public Schools saw the highest volume of data stolen in a confirmed attack: 3 TB. INC said it stole 20 TB from a US mortgage company, but that claim remains unconfirmed at the time of writing. Across 2025 so far (to October), we’ve logged 551 confirmed attacks on businesses, and we’re tracking a further 4,459 unconfirmed attack claims.”
Last week, Cisco Talos published data showing that in the second half of 2025, the ransomware group Qilin continued publishing victim information on its leak site at a rate exceeding 40 cases per month, making it one of the most active and disruptive ransomware operations globally. The manufacturing sector remains the most targeted, followed by professional and scientific services and wholesale trade. While attribution remains uncertain, some of the attacker’s scripts contained character encodings suggesting links to Eastern Europe or a Russian-speaking region, though this may represent a false flag.
