The ransomware crisis continues to deepen. In the first half of 2025, 3,627 attacks were logged worldwide, a 47% jump from the same period last year. But confirmation remains scarce.
According to Comparitech, of those incidents, just 445 were publicly acknowledged by victims. The rest were claimed by threat actors on their leak sites, often without official word from the organizations themselves.
Governments and schools are feeling the heat. Attacks on public-sector bodies rose nearly 60% year-on-year. Educational institutions also saw a marked increase, up 23%, with schools, colleges, and universities scrambling to keep up. Healthcare, long a favorite target, bucked the trend. Its increase was modest: just 5%.
Business, meanwhile, is booming, for attackers at least. Companies saw a 50% surge in ransomware hits, but some sectors were hit harder than others. Technology firms recorded an 88% spike. Retail followed closely at 85%, then legal (71%), transportation (66%), and manufacturing (64%). Only utilities saw a drop, down 31%.
Across the 445 confirmed attacks, 17 million records were breached. That’s well below the 279.6 million reported this time last year, but it’s not cause for comfort. Breaches often go undisclosed for months. Many figures for 2025 are likely to rise in due time.
The Sector Breakdown
Of the confirmed 445 cases:
- 260 hit businesses
- 93 hit government agencies
- 52 hit healthcare providers
- 40 hit educational institutions
The remaining 38 couldn’t be tied to a specific sector.
On the unconfirmed side, ransomware groups claimed:
- 2,783 attacks on businesses
- 110 on government
- 161 on healthcare
- 90 on education
Average ransom demands vary by sector. Government organizations faced the steepest asks, around $3 million. Businesses averaged $1.2 million, healthcare $776,000, and education $556,000.
Despite the pressure, few targets admitted to paying. None confirmed that they had.
The Worst of the Breaches
The five largest ransomware-related data breaches in H1 2025 share something in common: none have been claimed by a known ransomware group. That could suggest quiet negotiations, or paid ransoms.
- Episource, LLC (US): 5.4 million people affected. Clients Sharp HealthCare and Sharp Community Medical Group issued separate breach notices.
- Hoken Minaoshi Honpo Group (Japan): 5.1 million records breached in February.
- Sanrio Entertainment (Japan): 2 million records leaked from Sanrio Puroland theme park in January.
- Newton Financial Consulting (Japan): 1.3 million impacted in a February attack.
- Frederick Health (US): 934,326 patient records breached in January.
Other major incidents affected Utsunomiya Central Clinic (Japan), Nova Scotia Power (Canada), and Ocuco Limited (Ireland), among others.
Many of these breaches occurred in early 2025, but only came to light months later.
Biggest Ransom Demands
The largest known demands this year came mostly from attacks on public institutions.
- Slovakia’s Geodesy and Cartography Office was hit with a $12 million demand in January. No payment was made.
- Malaysia Airports Holdings faced a $10 million demand from Qilin in March. The group claimed to have stolen 2 TB of data.
- Hungary’s National Archaeological Institute was hit by RansomHub in February. Demand: $10 million.
- Kenya’s National Social Security Fund was attacked in May. Devman demanded $4.5 million.
- Cleveland Municipal Court (US) was asked for $4 million by Qilin. The court did not pay.
Ransom demands for other public and private entities ranged from $2 million to $2.6 million.
The Gangs Behind the Curtain
Akira, Clop, and Qilin dominated the first half of the year in terms of volume.
- Akira led with 347 claimed attacks.
- Clop followed with 333.
- Qilin trailed closely with 318.
- RansomHub (222), Play (214), and SafePay (186) rounded out the top six.
In terms of confirmed attacks, Qilin was responsible for 40, followed by RansomHub (27), Akira (25), SafePay (19), and INC (19).
Their victim profiles vary. Akira and SafePay mostly hit businesses. INC leaned into healthcare and government. RansomHub and Qilin spread their attacks more evenly across sectors.
Confirmed vs. Unconfirmed
A ransomware attack is marked as “confirmed” when the victim publicly discloses it or when the public statement matches a known ransomware group’s claim. If a gang makes a claim and the organization stays silent, it remains “unconfirmed.”
Some groups lie. Others jump the gun. And many victims simply don’t want the world to know they were hit, or coughed up.
That’s why confirmed numbers are often a fraction of reality. And why, month by month, figures shift as more incidents are publicly acknowledged. The ransomware landscape is never static. Like the criminals behind it, it adapts.
All data here is sourced from a live ransomware tracker, updated daily. The threat is growing. The numbers prove it. But the full picture? That’s still coming into focus.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.