BlackFog’s 2025 Q3 Ransomware Report

A $4 million ransom was demanded in a July 2025 DEVMAN attack on PT.EI. COM.

1510 undisclosed ransomware attacks occurred in Q3 2025.

DEVMAN demanded $91 million from Shimao Group, the largest ransom in Q3 2025.

DEVMAN has claimed 19 ransomware attacks across Asia, Africa, Europe, and Latin America.

The Qilin group was responsible for 20 ransomware incidents in Q3 2025.

The healthcare sector experienced 86 ransomware attacks.

The Qantas board imposed a 15% reduction in short-term bonuses for the CEO and senior executives due to the July 2025 breach.

The penalty for Qantas CEO Vanessa Hudson due to the bonus reduction following the July 2025 breach amounted to about A$250,000.

Qilin was responsible for 242 undisclosed ransomware attacks in Q3 2025, representing 16% of all undisclosed ransomware attacks.

Qilin was responsible for 16% of ransomware cases in Q3 2025..

Manufacturing accounted for 22% of all undisclosed ransomware attacks in Q3 2025.

1252 undisclosed ransomware attacks were recorded in Q3 2024.

Undisclosed ransomware attacks in Q3 2024 increased by 11% year-over-year compared to Q3 2023.

The government sector reported 28 ransomware attacks in Q3 2025.

Nearly 85% of all ransomware incidents were not disclosed publicly.

The technology sector reported 28 ransomware attacks in Q3 2025.

Q3 2025 saw the emergence of 18 new ransomware groups.

For every 100 ransomware attacks, only 15 were publicly reported.

270 publicly disclosed ransomware attacks were reported in Q3 2025 - 36% increase compared to the same quarter in 2024.

Reported ransomware attacks in July 2025 led with a sharp 50% year-on-year surge.

Reported ransomware attacks in August 2025 increased by 37%.

Reported ransomware attacks in September 2025 rose by 27%.

The healthcare, government, and technology industries together represented 53% of all publicly disclosed ransomware activity during Q3 2025.

There were 62 Disclosed Ransomware Attacks in Q3 2020.

Approximately 40% of reported ransomware attacks in Q3 2025 have not yet been attributed to any known ransomware group.

96% of all disclosed ransomware cases involved data exfiltration in Q3 2025.

There were 74 Disclosed Ransomware Attacks in Q3 2021.

The number of Disclosed Ransomware Attacks increased by 19% in Q3 2021 compared to Q3 2020.

There were 93 Disclosed Ransomware Attacks in Q3 2022.

The number of Disclosed Ransomware Attacks increased by 26% in Q3 2022 compared to Q3 2021.

There were 167 Disclosed Ransomware Attacks in Q3 2023.

The number of Disclosed Ransomware Attacks increased by 80% in Q3 2023 compared to Q3 2022.

There were 198 Disclosed Ransomware Attacks in Q3 2024.

The number of Disclosed Ransomware Attacks increased by 19% in Q3 2024 compared to Q3 2023.

Companies in 35 countries reported ransomware attacks in Q3 2025.

Q3 attacks have surged by 335% since 2020.

Akira was responsible for 139 undisclosed ransomware attacks in Q3 2025, representing 9% of all undisclosed ransomware attacks.

Ransomware group Radiant claimed to have exfiltrated data on over 8,000 children across Kido International's UK sites.

Ransomware group Radiant published profiles of ten children following a ransomware attack on Kido International.

INC was responsible for 111 undisclosed ransomware attacks in Q3 2025, representing 7% of all undisclosed ransomware attacks.

Ransomware group Radiant threatened to release full profiles of 30 children following a ransomware attack on Kido International.

Ransomware group Radiant threatened to release data for 100 employees following a ransomware attack on Kido International.

The number of unreported ransomware attacks in Q3 2025 showed a 21% increase compared with the same period in 2024.

Ransomware attacks in the healthcare sector accounted for 32% of all incidents in Q3 2025.

In Q3 2025, 54 ransomware groups were linked to attacks.

The services sector experienced 333 ransomware incidents in Q3 2025.

The construction sector suffered 143 ransomware attacks between July and September 2025.

1131 undisclosed ransomware attacks were recorded in Q3 2023.

Across 449 dark web victim listings where details were available, the average data volume exfiltrated was 527.65GB in Q3 2025.

Only 3% of undisclosed ransomware cases included an upfront ransom demand in Q3 2025.

The legal sector recorded 79 attacks, its highest level yet, in Q3 2025.

Ransomware groups targeted organizations in 93 countries worldwide in Q3 2025..

80 groups published victims on dark web leak sites in Q3 2025.

Other groups were collectively responsible for 1018 undisclosed ransomware attacks in Q3 2025, representing 67% of all undisclosed ransomware attacks.

The INC ransomware group exfiltrated 5.7 TB of data from the Pennsylvania Office of Attorney General.

The Pennsylvania Office of Attorney General's systems were taken down across 17 offices statewide.

Approximately 1,200 staff of the Pennsylvania Office of Attorney General had to use forced workarounds due to the cyberattack.

Attackers compromised service records of about six million Qantas customers.