Ransomware groups are ramping up pressure on the public sector. In the first half of 2025, 208 attacks were recorded against government entities worldwide. That’s a 65% increase over the same period in 2024, and a 25% rise from the second half of last year.
These are among the findings from Comparitech’s map of worldwide ransomware attacks, which is updated daily.
Half of the incidents were confirmed by the targeted agencies. The rest remain unresolved or unacknowledged.
This level of transparency is rare outside the public sector. In education, only 31% of incidents were confirmed. Healthcare: 32%. In the broader business sector, just 8%. Governments, bound by disclosure laws or public accountability, have little choice. And ransomware groups know it.
Public Sector Under Pressure
The attacks followed a clear pattern.
- 366,006 known records breached
- 78.5 terabytes of data allegedly stolen
- Average ransom demand: $1.65 million
- Average data theft: 1.3 terabytes per incident
The most active strains were Babuk, Qilin, INC, Funksec, and RansomHub. Qilin was responsible for the most confirmed breaches.
One attack stood out. In April, a ransomware group compromised systems at a public library network in Washington state. Over 336,000 individuals had their data exposed. It was the largest breach by record count this year.
Other significant breaches included:
- West Haven, Connecticut – 4,932 people affected
- Gloucester County, Virginia – 3,527 affected
- Gooding County, Idaho – 3,253 affected
- Gaines County, Texas – 3,160 affected
- State Bar of Texas – 3,012 affected
Each attack disrupted core services. In some cases, recovery took weeks.
Where the Damage Landed
The United States absorbed the brunt of the attacks, with 72 incidents, which is more than a third of the global total. Brazil and India followed with nine each. Canada recorded eight, while France, Spain, and Indonesia each reported five.
In Brazil, city governments and research institutions were targeted. Losses ranged from system outages to financial costs. One agency confirmed damages of nearly half a million dollars.
Canada saw four confirmed attacks between February and March. Each involved a different group, and smaller municipalities were common targets.
In Spain, a June attack disrupted digital services in the city of Melilla. Hackers demanded $2.1 million. The city refused. Recovery took roughly three weeks.
Several countries (including India and Indonesia) reported multiple attacks but provided no public confirmation. This could be due to limitations in reporting or differences in regulatory requirements.
In the UK, three incidents were confirmed. These included attacks on two local councils and a national sporting body. Ransom demands varied, but in one case exceeded $600,000.
The Economics of Extortion
Ransom demands varied widely. Across all incidents, the average demand reached $1.65 million. In confirmed cases, the figure was closer to $2.44 million. In unconfirmed cases, it averaged $310,000.
The five highest known demands were:
- Slovakia’s national mapping agency – $12 million
- Hungarian National Museum – $10 million
- Kenya’s social security fund – $4.5 million
- Cleveland Municipal Court – $4 million
- Oregon Department of Environmental Quality – $2.6 million
Four of these rank among the highest ransom demands across all sectors this year.
Attackers and Their Patterns
Some groups pursue targets across all industries. Others focus more narrowly. Qilin and INC appear to favour government and healthcare institutions. Both were among the most active groups in the public sector this year.
- Qilin: 17 government-related claims, 13 confirmed
- INC: 16 claims, 8 confirmed
- RansomHub: 12 claims, 8 confirmed
- Funksec: 12 claims, 1 confirmed
- Medusa: 8 claims, 5 confirmed
Qilin claimed responsibility for several high-volume data thefts, including over 5 terabytes across six attacks. Most of that came from the incident in Melilla.
INC was responsible for the largest breach by number of records, owing to the attack on the Pierce County Library System.
Funksec, while active, had few confirmed hits. RansomHub and Medusa had higher confirmation rates, suggesting better follow-through or more aggressive targeting.
Confirmed vs. Unconfirmed
An incident is considered confirmed when an organisation publicly acknowledges a ransomware event or when its disclosure matches a group’s claim. If a ransomware group claims responsibility but the target remains silent, the incident is marked unconfirmed.
There are many reasons for this. The claim might be false. The target might choose silence. In some cases, the incident may not meet legal thresholds for disclosure.
In jurisdictions with strong breach laws, such as the United States, public reporting is more likely. Elsewhere, the picture is less clear.
Figures may also shift over time. A claim in January might correspond to an attack in December. Confirmations may lag. Some incidents move from unconfirmed to confirmed weeks or months after the fact.
This analysis reflects the latest available information from public disclosures and incident monitoring across multiple jurisdictions.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.