GRIT Q3 2025 Ransomware & Cyber Threat Report

There were 1,576 total public posts related to ransomware victims (organizations and individuals) in Q3 2025.

SafePay impacted 71 organizations and individuals across 19 industries and 16 countries in Q3 2025.

In Q3 2025, manufacturing organizations experienced a 26% increase in ransomware attacks.

Qilin recorded 234 victims (organizations and individuals) in Q3 2025.

56.00% of global ransomware victims (organizations and individuals) in Q3 2025 were from the United States.

Akira had 133 victims (organizations and individuals) in Q2 2025.

The emerging threat group 'The Gentlemen' posted 32 victims (organizations and individuals) on a single day once their data leak site went live in 2025.

2.35% of global ransomware victims (organizations and individuals) in Q3 2025 were from France.

Qilin claimed 10 healthcare organizations as victims in Q3 2025.

GLOBAL and BlackLock had four distinct names in a little over a year.

IncRansom, SafePay, and Qilin together accounted for 30% of the 118 healthcare organizations that were victims in Q3 2025.

There were 77 total ransomware groups active in Q3 2025.

2.79% of global ransomware victims (organizations and individuals) in Q3 2025 were from Canada.

2.03% of global ransomware victims (organizations and individuals) in Q3 2025 were from Spain.

IncRansom had 71 victim claims (organizations and individuals) in Q1 2025.

IncRansom's Q3 2025 victim count was 126 organizations and individuals.

Ransomware groups claimed 118 healthcare organizations as victims in Q3 2025.

In Q2 2025, ransomware attacks on healthcare organizations accounted for 5.8% of all ransomware attacks.

During Q3 2025, Akira claimed one healthcare industry organization as a victim on their DLS.

Toha personally profited over €7 million from trading malware, stolen data, and malicious access on his platform.

The average number of public posts related to ransomware victims (organizations and individuals) per week in Q3 2025 was 121.

GRIT observed 14 publicly disclosed ransomware attacks against state agencies, counties, and municipalities in Florida since July 2022.

3.81% of global ransomware victims (organizations and individuals) in Q3 2025 were from the United Kingdom.

2.48% of global ransomware victims (organizations and individuals) in Q3 2025 were from the Republic of Korea.

Rhysida has claimed over 200 organizations and individuals as victims to their dark web DLS.

The 'The Gentlemen' group claimed 38 total victims (organizations and individuals) across the month of September 2025.

4.89% of global ransomware victims (organizations and individuals) in Q3 2025 were from Germany.

IncRansom had 62 victim claims (organizations and individuals) in Q2 2025.

The average number of ransomware groups posting victim data per week in Q3 2025 was 25.

There were 252 publicly claimed manufacturing organizations that were victims of ransomware attacks in Q3 2025.

Akira's victim count in Q3 is 212% higher than the same period in 2024.

10% to 15% of revenue was offered as a split for the core operator within the RaaS ecosystem.

The United States accounted for 52.1% of global ransomware victims (organizations and individuals) in the prior quarter (Q2 2025).

IncRansom claimed 14 healthcare organizations as victims in Q3 2025.

Akira experienced a single day spike of 20 claimed victims (organizations and individuals) on August 11th 2025.

Qilin's 234 victims comprised 15% of the total ransomware victims (organizations and individuals) for Q3 2025.

Akira is among the top 3 ransomware outfits that impact organizations within the Technology vertical.

2.60% of global ransomware victims (organizations and individuals) in Q3 2025 were from Italy.

1.46% of global ransomware victims (organizations and individuals) in Q3 2025 were from Brazil.

Ransomware attacks on healthcare organizations accounted for 7.5% of all ransomware attacks in Q3 2025.

One individual's death was directly tied to the Qilin ransomware attack on Synnovis in June 2024.

1.33% of global ransomware victims (organizations and individuals) in Q3 2025 were from Australia.

Qilin's victim count was 234 organizations and individuals.

There were 200 publicly claimed manufacturing organizations that were victims of ransomware attacks in Q2 2025.

22.29% of global ransomware victims (organizations and individuals) in Q3 2025 were from all other countries not specifically listed.

Akira had 150 victims (organizations and individuals) in Q3 2025.

Akira demonstrated a rise in activity with 13% more victims (organizations and individuals) in Q3 compared to Q2.

SafePay impacted 111 organizations and individuals spread across 27 industries and 18 countries in Q2 2025.

Qilin's activity marks a 318% YoY increase.

The Qilin campaign claimed 29 financial organizations headquartered in the Republic of Korea as victims to their DLS in a mid-September Qilin campaign.

Qilin claimed 56 victims (organizations and individuals) in Q3 2024.

There was a 36% decrease in SafePay's impact on organizations and individuals quarter-over-quarter.

SafePay claims a year-to-date total impact of 258 organizations and individuals across 29 distinct industries and 30 countries.

In Q2 2025, there were 92 reports of ransomware attacks on healthcare organizations.

SafePay claimed 11 healthcare organizations as victims in Q3 2025.