Ransomware roundup: February 2025

February may be the shortest month of the year, but as Clop mass-released the remainder of its Cleo vulnerability victims and RansomHub continued its onslaught of claims, February turned into one of the busiest months for ransomware attacks over the last year or so.

Throughout February 2025, we saw 959 attacks in total, which is nearly double the figure we noted in January 2025 (512 in total). 41 of February’s attacks were confirmed by the targets involved (e.g., through a data breach notification or company press release). While this is a decrease from January’s figure (56), we expect this will rise as more attacks are confirmed in the coming weeks/months.

Healthcare in particular took a hit with seven confirmed attacks in February (up from four in January). Medusa was responsible for three of these healthcare attacks, which we’ll explore in more detail below.

Key findings for February 2025:

  • 959 attacks in total — 41 confirmed attacks
  • Of the 41 confirmed attacks:
    • 20 were on businesses
    • 8 were on government entities
    • 7 were on healthcare companies
    • 6 were on educational institutions
  • Of the 918 unconfirmed attacks:
    • 824 were on businesses
    • 11 were on government entities
    • 40 were on healthcare companies
    • 21 were on educational institutions
  • The most prolific ransomware gangs were Clop (323), RansomHub (95), Akira (80), Play (47), and Qilin (43). RansomHub and Qilin had the most confirmed attacks out of these claims with six and four, respectively

Ransomware attacks by month and year

| Month | Total confirmed | Total unconfirmed | Business confirmed | Business unconfirmed | Education confirmed | Education unconfirmed | Government confirmed | Government unconfirmed | Healthcare confirmed | Healthcare unconfirmed |
|---|---|---|---|---|---|---|---|---|---|---|
| January 2024 | 116 | 213 | 65 | 200 | 10 | 5 | 19 | 2 | 22 | 6 |
| February 2024 | 128 | 284 | 83 | 258 | 14 | 5 | 15 | 2 | 16 | 19 |
| March 2024 | 121 | 302 | 82 | 278 | 8 | 7 | 17 | 5 | 14 | 12 |
| April 2024 | 122 | 268 | 77 | 245 | 5 | 6 | 13 | 2 | 27 | 15 |
| May 2024 | 105 | 416 | 64 | 367 | 15 | 15 | 14 | 14 | 12 | 20 |
| June 2024 | 119 | 254 | 64 | 236 | 11 | 4 | 20 | 4 | 24 | 10 |
| July 2024 | 126 | 302 | 73 | 266 | 12 | 18 | 21 | 6 | 20 | 12 |
| August 2024 | 108 | 372 | 75 | 334 | 7 | 10 | 16 | 8 | 10 | 20 |
| September 2024 | 103 | 336 | 64 | 301 | 13 | 9 | 10 | 8 | 16 | 18 |
| October 2024 | 120 | 448 | 72 | 394 | 13 | 16 | 22 | 10 | 13 | 29 |
| November 2024 | 93 | 502 | 52 | 434 | 5 | 20 | 18 | 15 | 18 | 33 |
| December 2024 | 82 | 535 | 52 | 479 | 8 | 13 | 8 | 22 | 14 | 21 |
| January 2025 | 56 | 452 | 35 | 384 | 7 | 19 | 10 | 22 | 4 | 29 |
| February 2025 | 41 | 896 | 20 | 825 | 6 | 21 | 8 | 11 | 7 | 40 |

Ransomware attacks by sector

Healthcare

As mentioned above, ransomware attacks on healthcare companies increased in February. Seven entities reported attacks, compared to four in January 2025.

Medusa claimed three of the seven attacks in February:

  • SimonMed Imaging (US) was hit with a $1 million ransom demand but said it had managed to “interrupt” the hackers, so no data was encrypted during the attack. Medusa alleged it stole 213 GB of data.
  • HCRG Care Group (UK) confirmed it suffered an attack after Medusa posted it to its leak site with a $2 million ransom demand following the alleged theft of nearly 2.3 TB of data.
  • Bell Ambulance (US) notified employees of a cyber attack in mid-February, which Medusa then claimed with a $400,000 ransom demand for 212 GB of data.

Other organizations attacked in February include Mackay Memorial Hospital (Taiwan), LUP-Kliniken gGmbH (Germany), Genea (Australia), and Utsunomiya Central Clinic (Japan). In the case of Utsunomiya Central Clinic, 300,000 people were confirmed to have been impacted, making it the biggest ransomware-related healthcare breach of the year so far. Qilin claimed this attack. Meanwhile, Genea sought a court-ordered injunction to prohibit its attackers (Termite) and third parties from accessing, using, sharing, or publicizing the stolen data.

We are monitoring a further 40 unconfirmed attacks from February and 29 from January.

Government

Following 10 confirmed attacks in January 2025, eight government entities across the globe confirmed ransomware attacks last month. RansomHub claimed responsibility for three of February’s attacks, including those on the City of Tarrant and the Sault Ste. Marie Tribe of Chippewa Indians in the US, and the state utility provider in the Galapagos, ELECGALAPAGOS S.A.

Qilin hit Palau’s Ministry of Health and Human Services, while INC was reportedly behind an attack on Anne Arundel County. Stadtgemeinde Tulln (Austria), InvestHK (Hong Kong), and Mairie de Berson (France) also confirmed attacks, but the hackers remain unknown.

We are monitoring a further 11 unconfirmed attacks from February and 22 from January.

Education

Schools, colleges, and universities saw similar figures in January (7) and February (6).

Last month, CESI Ecole d’Ingénieurs (France) fell victim to Termite, Saint George’s College (Chile) was hit by Fog, and Laurens County School District 56 (US) faced a $320,000 ransom demand from Medusa.

Jefferson School District 251 (US), the University of The Bahamas, and Universidad de Valladolid (Spain) also confirmed attacks, but the hackers remain unknown.

We are also monitoring a further 19 unconfirmed attacks from February and 21 from January.

Businesses

20 business entities confirmed attacks in February 2025, following 35 confirmed attacks in January. Of particular note was the attack on Lee Enterprises, which caused widespread disruption to its 70-plus newspapers. Qilin later claimed the attack and alleged 350 GB of data had been stolen.

Talent agency The Agency (London) also found itself listed on Rhysida’s data leak site with a ransom demand of 7 bitcoins (around $682,000).

The most targeted sector (for confirmed attacks) was manufacturing, with five confirmed attacks in February. These included an attack on Italy’s Alf DaFrè, which halted manufacturing for eight days and led to redundancy payments being sought for its 350 employees.

Two utility providers were also attacked — Paratus Group (Namibia) and Telio Group (Germany). In the case of Telio, the attack took out communication and entertainment services for prisoners for several weeks. Akira claimed the attack on Paratus, while the attackers behind Telio and Alf DaFrè remain unknown.

We are also monitoring a further 824 unconfirmed attacks from February and 382 from January.

The most prolific ransomware strains in February 2025

As we’ve seen, Clop claimed the most attacks in February, but the group with the most confirmed attacks is RansomHub (6), closely followed by Medusa (4) and Qilin (4).

Clop claimed a staggering 323 attacks in February with the vast majority of these being Cleo vulnerability victims. Akira had 79 unconfirmed attacks and one confirmed (the attack on Paratus mentioned above), while Play claimed 47 but none were confirmed.

We logged 43 claims made by Qilin in February including four confirmed attacks. As well as Lee Enterprises, Utsunomiya Central Clinic, and Palau Ministry of Health and Human Services, Qilin also claimed the attack on Deutsche Bischofskonferenz (the German Bishops’ Conference).

February also saw the emergence of some new groups. Anubis appeared with four victims, including Pound Road Medical Centre (Australia), which had confirmed an attack in November. Run Some Wares claimed four victims (all unconfirmed) and took the title for the most unoriginal name for a ransomware group.

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.