Ransomware attacks surge 63% in Q2 2025, healthcare hit hard


New data has revealed that publicly disclosed ransomware attacks increased by 63% in the second quarter of 2025 compared to the same period last year, according to figures from BlackFog.

The second quarter of 2025 recorded 276 publicly disclosed ransomware incidents, reportedly the highest number for any Q2 since BlackFog began tracking data in 2020. Each of the three months in the quarter surpassed prior years’ figures, demonstrating a widespread escalation in ransomware activity.

Monthly breakdown

According to BlackFog’s analysis, June 2025 experienced the steepest increase, with the number of recorded ransomware attacks rising by 113% compared to June 2024 and totalling 96 incidents. April saw a 51% increase with 89 attacks, while May rose 40%, reaching 91 publicly disclosed incidents.

Sectors most affected

Healthcare has emerged as the primary target for ransomware groups, experiencing 52 publicly disclosed attacks during Q2 2025. The government sector was the second most affected, reporting 45 attacks, while the services industry registered 33 cases.

The retail sector also saw a substantial increase in ransomware incidents. According to the report, Q2 2025 marked the sector’s highest attack volume ever recorded for this period.

Other sectors experiencing record Q2 attack volumes include construction, hospitality, and arts and entertainment, highlighting the breadth of industries targeted by ransomware operators during the period assessed by BlackFog.

Prevalence of data exfiltration

The report noted that data exfiltration – unauthorised transfer of sensitive data – was used in 95% of all publicly disclosed ransomware attacks in Q2 2025, signifying a continued reliance by attackers on stealing data as a primary tactic for extortion.

Key ransomware groups

The analysis identified the Qilin ransomware group as the most active during the quarter. Of the 53 active ransomware groups tracked, Qilin was responsible for 10% (28) of publicly disclosed attacks and 15% of those shared on dark web leak sites. 

Scale of unreported incidents

BlackFog also highlighted a significant volume of ransomware attacks that remain unreported. The report estimates that 80.9% of all ransomware incidents in Q2 were not publicly disclosed. In total, there were 1,446 undisclosed attacks during the quarter, marking a 19% year-on-year increase in hidden activity compared to Q2 2024.

Within these undocumented incidents, the services industry accounted for 23% (337) of all unreported attacks in Q2 2025, suggesting a concentration of secretive targeting within this sector.

Expert commentary

“The findings lay bare the extent of the challenge that organizations face. The past few months have been especially punishing for global retailers, with prominent high street stores falling victim and absorbing the financial and operational fallout of these attacks.”

Dr Darren Williams, Founder and Chief Executive Officer of BlackFog, commented on the growing threat landscape. He continued, “The findings also highlight that, time and again, attackers are ultimately after one thing: data. This is yet another reminder that organizations must take decisive action to reduce the risk of exfiltration with controls and processes that form a protective ‘ring of steel’ around their most sensitive data to stop attackers in their tracks.”

Report methodology

BlackFog’s report utilised data gathered from April to June 2025 through its BlackFog Enterprise product. The report incorporates anonymised information on data movements across hundreds of organisations, focusing on incidents involving data exfiltration at the endpoint level.

Incidents are classified using the ICB Supersector classification standard adopted by the New York Stock Exchange. According to the company, results should be interpreted as a guide for assessing risk associated with cybercrime and for benchmarking sector performance globally.


