Ransomware roundup: Q1 2025
In Q1 of 2025, we recorded 2,190 ransomware attacks globally, 1,000 more than we noted in the same period of 2024 (1,172). Government organizations remain a key focus for hackers, and the manufacturing industry has also seen a huge uptick in attacks.

Of the 2,190 attacks we’ve tracked, 197 of them have been confirmed (e.g., through a data breach notification or company press release). While this is significantly lower than the number logged in Q1 of 2024 (373), many attacks aren’t confirmed until months after the event.

The average ransom across all of the confirmed attacks was $2.14 million, with government organizations seeing the highest average of any sector ($6.7 million).

There weren’t any confirmed ransom payments during the reporting period, but 26 organizations confirmed they hadn’t paid a ransom. One of these was Slovakia’s Geodesy, Cartography, and Cadastre Office, from which unknown hackers demanded $12 million. Malaysia Airports Holdings Bhd also refused to pay a $10 million ransom to unknown hackers.

Key findings:

  • 2,190 attacks in total — 197 confirmed attacks
  • Of the 197 confirmed attacks:
    • 120 were on businesses
    • 35 were on government entities
    • 20 were on healthcare companies
    • 22 were on educational institutions
  • Of the 1,993 unconfirmed attacks*:
    • 1,730 were on businesses
    • 73 were on government entities
    • 103 were on healthcare companies
    • 59 were on educational institutions
  • The most prolific ransomware gangs were Clop (331), RansomHub (224), Akira (216), Qilin (108), Lynx (97), Play (91), and Fog (89). RansomHub and Qilin had the most confirmed attacks out of these claims with 22 and 12, respectively

*28 unconfirmed attacks couldn’t be attributed to a sector due to limited company information.

Ransomware attacks by sector

While all sectors have seen an uptick in the number of ransomware attacks, governments have become a key focus for hackers, as has the manufacturing industry.

Government

Attacks on government organizations increased by 80 percent from Q1 2024 to Q1 2025.

  • 108 attacks in total (confirmed and unconfirmed)–up from 60 in Q1 of 2024
  • 35 confirmed attacks
  • 73 unconfirmed attacks
  • Average ransom of $6.7 million across confirmed attacks
  • Largest ransom of $12 million was demanded by unknown hackers from Slovakia’s Geodesy, Cartography, and Cadastre Office, as noted above
  • Several US government entities have reported breaches due to their attacks:

Our recent report found that, on average, each government agency loses a month to downtime following a ransomware attack.

Healthcare

Q1 2025 has seen a 32 percent increase in attacks when compared to the same reporting period in 2024.

  • 123 attacks in total (confirmed and unconfirmed)–up from 93 in Q1 of 2024
  • 20 confirmed attacks
  • 103 unconfirmed attacks
  • Average ransom of $860,000 across confirmed attacks
  • Largest ransom of $2 million was demanded by Medusa from the HCRG Care Group in the UK
  • Biggest data breach was on Utsunomiya Central Clinic, Japan, where 300,000 people were impacted after an attack by Qilin in February 2025

Education

Throughout Q1 2025, the education sector has seen 81 attacks in total–a 69 percent increase from Q1 2024 (48).

  • 81 attacks in total (confirmed and unconfirmed)–up from 48 in Q1 of 2024
  • 22 confirmed attacks
  • 59 unconfirmed attacks
  • Average ransom of $608,000 across confirmed attacks
  • Largest ransom of $1.5 million was demanded by Crazy Hunter from Asia University, Taiwan
  • No data breach figures have been provided from any of the attacks as of yet

Businesses

Businesses saw a 90 percent increase in the number of ransomware attacks from Q1 of 2024 to Q1 of 2025.

  • 1,850 attacks in total (confirmed and unconfirmed)–up from 969 in Q1 of 2024
  • 120 confirmed attacks
  • 1,730 unconfirmed attacks
  • Average ransom of $1.6 across confirmed attacks
  • Largest ransom of $10 million was demanded from the Malaysia Airports Holdings Bhd by unknown hackers. This wasn’t paid
  • The largest breach from a ransomware attack came from Japan’s Sanrio Entertainment Co., Ltd., in which 2 million people were affected. Unknown attackers breached the company, which runs various theme parks

While ransomware attacks have increased across the majority of sectors, one sector has seen a significant uptick in recent months: manufacturing. In Q1 of 2025, we recorded 451 attacks on manufacturing companies (33 of which are confirmed). This is over double the number recorded in Q1 of 2024 (201) and significantly higher than the 277 recorded in Q4 of 2024, too.

Manufacturers remain a key target for hackers due to the amount of disruption a ransomware attack can cause. In fact, our recent report found that manufacturers face average costs of $1.9 million per day due to downtime from ransomware attacks.

The most prolific and “successful” ransomware gangs

As we’ve already seen, the gang with the most claims in Q1 of 2025 was Clop with 331 attacks. The majority of these claims stem from the Cleo vulnerability exploit, which was carried out in December 2024. Several companies have confirmed a data breach following the Cleo exploit, including Chicago Public Schools (700,000 affected), Western Alliance Bank (21,899 affected), Champion Home Builders, and WK Kellogg Co.

RansomHub racked up 224 victims (22 of which were confirmed), while Akira claimed 216 (10 confirmed). RansomHub launched the most confirmed attacks, followed by Qilin (12) and Akira (10).

RansomHub had a particular focus on government organizations, with eight of its confirmed attacks being government entities. Only one of Akira’s confirmed attacks was on a government organization (Laramie County Library System) with the rest being on businesses, including the recently confirmed attack on Polish retail company SYMK. Meanwhile, Qilin was confirmed to be behind three government attacks as well as attacks on four healthcare companies, including Spain’s Hospital Los Madroños.

If we base a ransomware gang’s success on the proportion of its claims that have been confirmed, however, none of the aforementioned gangs tops the list. Rather, the most “successful” gangs in Q1 of 2025 are:

  • Interlock – 56% confirmed: Five confirmed attacks out of nine claims in total. Two US schools were among the confirmed attacks (Aztec Municipal School District and Cherokee County School District), while Andretti Indoor Karting & Games had to temporarily shut down its locations following an attack via Interlock in March.
  • Crazy Hunter – 56% confirmed: Joint top is the newly-formed gang, Crazy Hunter. It too has five confirmed attacks from a total of nine claims. All five of its confirmed victims are based in Taiwan, including Mackay Memorial Hospital, which refused to pay a $1.5 million ransom demand following its attack in February 2025.
  • Hunters International – 33% confirmed: 27 victims were listed by Hunters International with nine confirmed so far. This includes an attack on Tata Technologies in January 2025 and an attack on Cargills Bank PLC in March 2025.
  • RansomHouse – 33% confirmed: Two confirmed from six claims with the two confirmed being the Supreme Administrative Court of Bulgaria and National Technology Co., Ltd., China.

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. This is because claims from ransomware groups often come a month or more after the attack was carried out. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different quarter.