KELA Report - National Cybersecurity Report Ransomware.pdf

In 2025, 70.4% of ransomware attacks, totaling 3,310 incidents, were distributed across other regions.

In 2025, five countries accounted for 1,391 ransomware events, representing nearly 30% of all recorded ransomware attacks.

In 2025, Germany experienced 102 ransomware incidents, representing 2.2% of all attacks.

In 2025, 50% of all ransomware attacks are projected to target critical infrastructure, highlighting the urgent need for enhanced cyber resilience strategies.

Manufacturing has been the #1 targeted industry for ransomware attacks for four consecutive years, according to the IBM X-Force 2025 Threat Intelligence Index.

In 2025, 5.9% of ransomware attacks were attributed to Qilin, 5.9% to Clop, 5.0% to Akira, 2.9% to Play, and 2.7% to SafePay.

Between January and September 2025, KELA observed 4,701 ransomware incidents, representing a 34% year-over-year increase compared to the same period in 2024.

In 2025, ransomware events against critical industries increased by 34% compared to the previous year.

The top five ransomware groups — Qilin, Clop, Akira, Play, and SafePay — were responsible for 938 incidents, accounting for nearly 25% of all ransomware attacks in 2025.

In 2025, there were 103 distinct ransomware threat actors observed targeting critical infrastructure.

Out of 103 active ransomware groups, five groups accounted for nearly 25% of global ransomware incidents.

In 2025, 2,332 ransomware incidents targeted critical infrastructure, accounting for 50% of all incidents, compared to 1,745 incidents, which accounted for 54%, in 2024.

Qilin was responsible for 248 incidents, Clop for 246 incidents, Akira for 209 incidents, Play for 120 incidents, and SafePay for 115 incidents in 2025.

From January 1 to September 1, 2025, there were 4,701 recorded ransomware incidents, with 2,332 incidents (50%) targeting critical sectors such as manufacturing, healthcare, energy, transportation, and financial services.

From January 1 to September 1, 2024, there were 3,219 total recorded ransomware incidents, with 1,745 incidents (54%) targeting critical sectors.

Ransomware attacks against the manufacturing sector surged from 520 incidents in 2024 to 838 incidents in 2025, marking a 61% increase.

In 2025, Italy experienced 74 ransomware incidents, representing 1.6% of all attacks.

In 2025, 77.7% of ransomware attacks were attributed to other actors outside the top five groups.

In 2025, the United States experienced 21.3% of all ransomware attacks, totaling approximately 1,000 incidents.

In 2025, Canada experienced 139 ransomware incidents, accounting for 3.0% of all attacks.

In 2025, half of all ransomware attacks worldwide targeted essential sectors such as manufacturing, healthcare, energy, transportation, and finance, indicating a shift from opportunistic crime to systemic disruption.

Ransomware attacks in the manufacturing sector surged by 61% from 520 incidents to 838 incidents year-over-year, marking the steepest growth among all sectors.

In 2025, the United States accounted for roughly 1,000 ransomware incidents targeting critical infrastructure, representing 21% of all global ransomware attacks.

In 2025, the United Kingdom experienced 76 ransomware incidents, accounting for 1.6% of all attacks.