New data from Comparitech shows that 3,627 ransomware attacks were logged in the first half of this year, a 47% increase from the 2,472 attacks recorded in the first half of last year. Organizations have experienced a 50% rise in attacks, but some industries have been hit even harder. Technology saw an 88% increase, retail jumped 85%, legal rose 71%, transportation climbed 66%, and manufacturing grew 64%. Utilities was the only sector to report a decline, down 31%.
“Of these 3,627 attacks, 445 were confirmed by the targeted organizations,” Rebecca Moody, head of data research at Comparitech, wrote in a Wednesday news post. “The rest were claimed by ransomware groups on their data leak sites but have not been acknowledged by the targets.”
Of the 445 confirmed attacks, 260 targeted businesses, 93 struck government entities, 52 hit health care companies, and 40 affected educational institutions. Across these confirmed attacks, over 17 million records were breached. Although this is far below the 279.6 million records compromised in the first half of last year across 744 confirmed attacks, many breaches are only verified months after they occur, so the 2025 figures are likely to climb substantially.
Comparitech noted that the number of attacks claimed on government entities increased by almost 60% from the first half of last year to the first half of this year. Schools, colleges, and universities saw a 23% increase across the same periods. In contrast, health care companies haven’t followed the same trend, with a mere 5% increase.
Moody disclosed that the average ransom demand exceeded US$1.6 million. Akira was the most prolific ransomware group, with 347 victims including both confirmed and unconfirmed cases, followed by Clop with 333, Qilin with 318, RansomHub with 222, Play with 214, and SafePay with 186. Among groups with the most confirmed attacks, Qilin led with 40 incidents, followed by RansomHub with 27, Akira with 25, SafePay with 19, and INC also with 19.
Comparitech detailed some of the largest data breaches linked to ransomware attacks in the first half of 2025. They stood out for their scale and for the fact that no specific group has claimed responsibility, raising the possibility that ransoms were quietly paid.
Episource in the U.S. reported a breach affecting more than 5.4 million people following a January attack. Its clients, Sharp HealthCare and Sharp Community Medical Group, also issued separate notifications after the incident. In Japan, Hoken Minaoshi Honpo Group was targeted in February, with 5.1 million records compromised. Sanrio Entertainment, known for its Puroland theme park, saw at least 2 million records breached in January. Newton Financial Consulting in Japan reported a February breach that affected 1.3 million records. Frederick Health in the U.S. confirmed that nearly one million patient records were exposed in a January ransomware attack.
Other major breaches included Utsunomiya Central Clinic in Japan with 300,000 affected, Nova Scotia Power in Canada with 280,000, Ocuco Limited in Ireland with data on 241,000 U.S. residents exposed, Marlboro-Chesterfield Pathology in the U.S. with 236,000 records impacted, and Central Texas Pediatric Orthopedics with 140,000 compromised. Most of these attacks occurred in the early months of 2025, underscoring how the true impact of ransomware incidents often does not emerge until well after the initial breach.
In the first half of this year, the largest ransom demands targeted mostly government entities. In Slovakia, the Geodesy, Cartography, and Cadastre Office faced a $12 million ransom demand from unknown hackers after an attack in January, though the ransom was not paid. Malaysia Airports Holdings, which operates Kuala Lumpur International Airport, was targeted by Qilin in March. The group claimed to have stolen 2 TB of data and demanded $10 million, but no payment was made.
Hungary’s National Archaeological Institute, part of the National Museum, was struck in February by RansomHub, which demanded $10 million after claiming to have stolen 180 GB of data. Kenya’s National Social Security Fund was attacked in May, with Devman demanding $4.5 million for 2.5 TB of data allegedly taken. Cleveland Municipal Court suffered weeks of system outages after a February attack, with Qilin reportedly demanding $4 million; no ransom was paid.
Other high-profile demands included the Oregon Department of Environmental Quality in the U.S. at $2.6 million, GMA News and Public Affairs in the Philippines at $2.5 million, Germany’s Welthungerhilfe at $2.15 million, the U.K.’s HCRG Care Group at $2 million, and the Italian city of Pisa at $2 million.
Comparitech reported that the most prolific ransomware gangs across all confirmed and unconfirmed attacks in the first half of 2025 were Akira with 347 victims, followed by Clop with 333, Qilin with 318, RansomHub with 222, Play with 214, and SafePay with 186. However, when looking only at confirmed attacks, Qilin led with 40 incidents, followed by RansomHub with 27, Akira with 25, SafePay with 19, and INC with 19.
“If we look at the type of entities targeted in these confirmed attacks, we can see how the modus operandi of each gang differs,” Moody explained. “For example, the majority of Akira’s (24) and SafePay’s (11) attacks were on businesses, while INC only targeted four businesses but was confirmed to have breached eight health care companies and seven government entities. RansomHub was more of a mixture (including 14 businesses and eight government entities), as was Qilin (including 21 businesses, nine government entities, and eight health care).”
In January, Comparitech reported that in 2024, ransomware groups claimed responsibility for 5,461 successful ransomware attacks on organizations worldwide. 1,204 of these attacks were confirmed by the targeted organizations, while the rest were claimed by ransomware groups on their data leak sites, but have not been acknowledged by the targets.