Ransomware Attacks on Government Agencies Surge 65% in Early 2025
A new report from Comparitech reveals a sharp escalation in ransomware attacks targeting government entities worldwide, with 208 incidents recorded in the first half of 2025—a 65% increase compared to the same period in 2024 and a 25% rise from the latter half of last year. Of these attacks, 104 were confirmed by affected agencies, highlighting governments as a prime target for ransomware actors, outpacing sectors like healthcare, which saw only a 4% year-over-year increase.
The U.S. bore the brunt of the attacks, accounting for 35% (72 incidents) of the global total, with 44 confirmed. Other heavily targeted countries included Brazil and India (nine attacks each), Canada (eight), and France, Spain, and Indonesia (five each). Notably, none of the attacks in India or Indonesia were officially confirmed, likely due to limited public disclosure.
Several high-profile incidents underscored the financial and operational toll. In Brazil, the Instituto de Pesquisas Energéticas e Nucleares (IPEN) reported losses of $450,000 after refusing a ransom demand. Canada saw four confirmed attacks in February and March, including strikes by RansomHub, INC, BlackSuit, and Medusa, with the latter demanding $100,000. Spain’s Melilla faced a $2.1 million demand from Qilin in June, while the U.K.’s Gateshead Council was hit by Medusa in January, with a $600,000 ransom.
The largest ransom demands of the period included Slovakia’s Geodesy, Cartography, and Cadastre Office ($12 million), Hungary’s National Museum ($10 million), and Kenya’s National Social Security Fund ($4.5 million). In the U.S., the Cleveland Municipal Court and Oregon’s Department of Environmental Quality faced demands of $4 million and $2.6 million, respectively.
Ransomware groups exhibited varying degrees of focus on government targets. Qilin, INC, and RansomHub were among the most active, with INC confirming 32% of its government-related attacks—the highest rate among tracked groups. Qilin, meanwhile, claimed the largest volume of stolen data, including nearly 4 terabytes exfiltrated from Spain’s Melilla.
The surge in government attacks contrasts with broader trends, as global ransomware incidents rose 47% year-over-year, with technology (88% increase), retail (85%), and legal (71%) sectors also experiencing significant spikes. Only the utilities sector saw a decline, dropping 31%. The data underscores the persistent and evolving threat ransomware poses to public-sector organizations, despite growing restrictions on ransom payments.
TPRM report: https://www.rankiteo.com/company/autoridad-portuaria-de-melilla
"id": "aut1765677875",
"linkid": "autoridad-portuaria-de-melilla",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Geodesy/Cartography',
'location': 'Slovakia',
'name': 'Úrad geodézie, kartografie a katastra SR '
'(Slovakia)',
'type': 'Government Agency'},
{'industry': 'Cultural Heritage',
'location': 'Hungary',
'name': 'National Archaeological Institute (Hungary)',
'type': 'Government Agency'},
{'industry': 'Social Security',
'location': 'Kenya',
'name': 'National Social Security Fund (Kenya)',
'type': 'Government Agency'},
{'industry': 'Judicial',
'location': 'United States',
'name': 'Cleveland Municipal Court (U.S.)',
'type': 'Government Agency'},
{'industry': 'Environmental',
'location': 'United States',
'name': 'Oregon Department of Environmental Quality '
'(U.S.)',
'type': 'Government Agency'},
{'industry': 'Public Administration',
'location': 'Spain',
'name': 'Melilla (Spain)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'Spain',
'name': 'Níjar (Spain)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'Spain',
'name': 'Badajoz (Spain)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'Spain',
'name': 'La Rinconada (Spain)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'France',
'name': 'Commune d’Ardon (France)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'France',
'name': 'Mairie de Berson (France)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'France',
'name': 'Mairie de Ostheim (France)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'Canada',
'name': 'Town of Hinton (Canada)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'Canada',
'name': 'City of Fort St. John (Canada)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'Canada',
'name': 'Town of Orangeville (Canada)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'Canada',
'name': 'MRC de Maskinongé (Canada)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'Brazil',
'name': 'Ivinhema (Brazil)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'Brazil',
'name': 'Chapadão do Sul (Brazil)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'Brazil',
'name': 'São José do Rio Preto (Brazil)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'Brazil',
'name': 'Porto Nacional (Brazil)',
'type': 'Local Government'},
{'industry': 'Research/Energy',
'location': 'Brazil',
'name': 'Instituto de Pesquisas Energéticas e '
'Nucleares (IPEN) (Brazil)',
'type': 'Government Agency'},
{'industry': 'Public Administration',
'location': 'United Kingdom',
'name': 'Gateshead Council (U.K.)',
'type': 'Local Government'},
{'industry': 'Public Administration',
'location': 'United Kingdom',
'name': 'West Lothian Council (U.K.)',
'type': 'Local Government'},
{'industry': 'Sports/Governance',
'location': 'United Kingdom',
'name': 'British Horseracing Authority (U.K.)',
'type': 'Government Agency'}],
'data_breach': {'data_encryption': 'Yes (common in ransomware attacks)',
'data_exfiltration': 'Yes (e.g., 5.3 TB by Qilin, 2.63 TB by '
'Interlock)',
'sensitivity_of_data': 'High (e.g., personally identifiable '
'information, sensitive government '
'records)',
'type_of_data_compromised': ['Government records',
'Archaeological data',
'Social security data',
'Judicial records',
'Environmental data',
'Personal data']},
'date_publicly_disclosed': '2025-07-18',
'description': 'Comparitech data shows a 65% increase in ransomware attacks '
'on government agencies worldwide in the first half of 2025, '
'with 208 incidents logged. Government entities remain a top '
'target for ransomware actors, outpacing other critical '
'sectors like healthcare. The U.S. was the most targeted '
'country, accounting for 35% of attacks. Notable ransom '
'demands included $12 million (Slovakia), $10 million '
'(Hungary), and $4.5 million (Kenya).',
'impact': {'brand_reputation_impact': 'Increased notoriety for ransomware '
'gangs due to high-profile government '
'attacks.',
'data_compromised': ['180 GB - Hungary (National Archaeological '
'Institute)',
'2.5 TB - Kenya (National Social Security '
'Fund)',
'2.63 TB - West Lothian Council (U.K.)',
'250 GB - Níjar (Spain)',
'4 TB - Melilla (Spain)',
'5.3 TB total exfiltrated by Qilin (across 6 '
'incidents)'],
'downtime': ['~3 weeks - Melilla (Spain)'],
'financial_loss': ['2.5 million reais (~$450,000) - IPEN (Brazil)',
'$266,000 ransom demand - Chapadão do Sul '
'(Brazil)',
'$2.1 million ransom demand - Melilla (Spain)',
'$12 million ransom demand - Slovakia',
'$10 million ransom demand - Hungary',
'$4.5 million ransom demand - Kenya',
'$4 million ransom demand - Cleveland Municipal '
'Court (U.S.)',
'$2.6 million ransom demand - Oregon Department '
'of Environmental Quality (U.S.)'],
'operational_impact': 'Disruption of government services, delayed '
'recovery, and operational downtime for '
'affected agencies.'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (e.g., failed ransom '
'negotiations led to dark '
'web auctions)'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Government agencies are increasingly targeted due to '
'high-profile notoriety and potential for large ransom '
'payouts. Bans on ransom payments do not deter attackers, '
'who often auction stolen data on the dark web. '
'Confirmation rates for government attacks (50%) are '
'significantly higher than other sectors.',
'motivation': ['Financial gain',
'Notoriety',
'Data exfiltration for dark web sales'],
'post_incident_analysis': {'root_causes': 'Lack of deterrence from ransom '
'payment bans, high-value data '
'targets, and notoriety-driven '
'attacks.'},
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransom_demanded': ['$266,000 - Chapadão do Sul (Brazil)',
'$100,000 - MRC de Maskinongé (Canada)',
'$600,000 - Gateshead Council (U.K.)',
'$2.1 million - Melilla (Spain)',
'$12 million - Slovakia',
'$10 million - Hungary',
'$4.5 million - Kenya',
'$4 million - Cleveland Municipal Court '
'(U.S.)',
'$2.6 million - Oregon Department of '
'Environmental Quality (U.S.)'],
'ransom_paid': ['No - Chapadão do Sul (Brazil)',
'No - Porto Nacional (Brazil)',
'No - Melilla (Spain)',
'No - Slovakia',
'No - Cleveland Municipal Court (U.S.)'],
'ransomware_strain': ['Qilin',
'INC',
'RansomHub',
'Funksec',
'Medusa',
'SafePay',
'BlackSuit',
'Devman',
'Rhysida',
'NightSpire']},
'recommendations': ['Enhance cybersecurity measures for government agencies, '
'including network segmentation and adaptive monitoring.',
'Improve incident response plans to minimize downtime and '
'data exposure.',
'Increase public disclosure and transparency to deter '
'threat actors.',
'Strengthen international collaboration to track and '
'mitigate ransomware groups.'],
'references': [{'date_accessed': '2025-07-18',
'source': 'Comparitech',
'url': 'https://www.comparitech.com/'}],
'response': {'communication_strategy': 'Public disclosure by affected '
'agencies varied, with 50% of '
'government attacks confirmed (vs. 8% '
'for businesses).'},
'threat_actor': ['Qilin',
'INC',
'RansomHub',
'Funksec',
'Medusa',
'SafePay',
'BlackSuit',
'Devman',
'Rhysida',
'NightSpire',
'Babuk'],
'title': 'Global Rise in Ransomware Attacks on Government Agencies (H1 2025)',
'type': 'Ransomware'}