Global Ransomware Attacks Surge 32% in 2025, With Manufacturing and U.S. Organizations Hit Hardest
In 2025, global ransomware attacks reached 7,419 incidents, marking a 32% increase from the 5,631 recorded in 2024, according to a report by Comparitech. Of these, 1,173 attacks were confirmed by targeted organizations, while the remaining were claimed by ransomware groups via data leak sites. Collectively, the confirmed attacks breached 59.2 million records, though this figure is expected to rise as delayed reports emerge.
Key Trends and Sector Impacts
- Manufacturing saw the sharpest rise in attacks, surging 56% to 1,466 incidents, with average ransom demands more than doubling from $523,000 in 2024 to $1.2 million in 2025.
- Legal firms experienced a 54% increase in attacks, alongside a 60% jump in ransom demands, averaging $610,000.
- Healthcare and education saw stable attack volumes, with only 2% increases in incidents, suggesting a potential shift in attacker focus or improved defenses in these sectors.
Geographic Breakdown
The U.S. remained the most targeted country, accounting for 3,810 attacks (51% of the global total), a 33% increase from 2024. Other heavily affected nations included:
- Canada: 392 attacks (31% increase)
- Germany: 303 attacks (62% increase)
- U.K.: 251 attacks (5% decrease)
- France: 178 attacks (39% increase)
- South Korea: 64 attacks (540% increase), driven largely by attacks on asset management firms following Qilin’s breach of a third-party provider.
Ransomware Groups and Data Theft
- Qilin was the most active group, responsible for 1,034 attacks (14% of the total), including 172 confirmed incidents. The group claimed to have stolen 31.2 petabytes of data, primarily from a single U.S. manufacturer.
- Akira ranked second with 765 attacks, while SafePay was linked to the largest number of breached records (16.15 million), nearly all from its attack on Conduent.
- DragonForce exposed 6.5 million records, mostly from its attack on the U.K.’s Co-operative Group, which resulted in £206 million ($276 million) in lost revenue.
Notable Breaches in 2025
- Conduent (U.S.): 15.9 million records exposed in a SafePay attack, with 8.5 terabytes of data allegedly stolen.
- Episource (U.S.): 5.4 million records compromised in an unidentified ransomware attack.
- University of Phoenix (U.S.): 3.49 million records breached via a Clop attack exploiting an Oracle zero-day vulnerability.
- DaVita (U.S.): 2.69 million records exposed in an Interlock attack, with 1.5 terabytes of data stolen.
- Sanrio (Japan): 2 million records affected.
- Asahi Group (Japan): 1.9 million records compromised.
Sector-Specific Trends
- Businesses bore the brunt of attacks (6,292 incidents, 35% increase), with 43 million records exposed in confirmed cases. Average ransom demands held steady at $1.09 million.
- Government entities faced 374 attacks (27% increase), with 2.19 million records compromised. Ransom demands fell 15% to $1.55 million.
- Healthcare saw 444 attacks (2% increase), with 10.1 million records exposed. Ransom demands plummeted 84% to $615,000.
- Education recorded 252 attacks (2% increase), with 3.9 million records breached. Ransom demands dropped 34% to $457,200.
The data underscores a strategic shift in ransomware targeting, with attackers prioritizing high-value commercial and public-sector entities while maintaining pressure on traditionally vulnerable sectors. Despite the surge in attacks, average ransom demands declined overall, dropping 26% to $1.04 million. However, select industries particularly manufacturing and legal services saw significant increases in both attack frequency and ransom demands.
Conduent cybersecurity rating report: https://www.rankiteo.com/company/conduent
DaVita Kidney Care cybersecurity rating report: https://www.rankiteo.com/company/davita
Oracle cybersecurity rating report: https://www.rankiteo.com/company/oracle
Sanrio Global Limited cybersecurity rating report: https://www.rankiteo.com/company/sanrio-global-limited
Asahi Group Holdings cybersecurity rating report: https://www.rankiteo.com/company/asahigroup-holdings
"id": "CONDAVORASANASA1770645741",
"linkid": "conduent, davita, oracle, sanrio-global-limited, asahigroup-holdings",
"type": "Ransomware",
"date": "1/2026",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Technology/Business Services',
'location': 'U.S.',
'name': 'Conduent',
'type': 'Business'},
{'industry': 'Healthcare/Technology',
'location': 'U.S.',
'name': 'Episource',
'type': 'Business'},
{'industry': 'Education',
'location': 'U.S.',
'name': 'University of Phoenix',
'type': 'Education'},
{'industry': 'Healthcare',
'location': 'U.S.',
'name': 'DaVita',
'type': 'Business'},
{'industry': 'Retail/Consumer Goods',
'location': 'Japan',
'name': 'Sanrio',
'type': 'Business'},
{'industry': 'Food & Beverage',
'location': 'Japan',
'name': 'Asahi Group',
'type': 'Business'},
{'industry': 'Retail',
'location': 'U.K.',
'name': 'Co-operative Group',
'type': 'Business'}],
'data_breach': {'data_exfiltration': ['31.2 petabytes (Qilin)',
'8.5 terabytes (Conduent)',
'1.5 terabytes (DaVita)'],
'number_of_records_exposed': ['59.2 million (confirmed)',
'15.9 million (Conduent)',
'5.4 million (Episource)',
'3.49 million (University of '
'Phoenix)',
'2.69 million (DaVita)',
'2 million (Sanrio)',
'1.9 million (Asahi Group)'],
'type_of_data_compromised': ['Personally identifiable '
'information',
'Corporate data']},
'date_publicly_disclosed': '2025',
'description': 'In 2025, global ransomware attacks reached 7,419 incidents, '
'marking a 32% increase from 2024. Manufacturing saw the '
'sharpest rise in attacks (56% to 1,466 incidents), with '
'average ransom demands doubling to $1.2 million. The U.S. '
'remained the most targeted country (3,810 attacks, 51% of '
'global total). Notable breaches included Conduent (15.9M '
'records), Episource (5.4M records), and University of Phoenix '
'(3.49M records). Ransomware groups like Qilin, Akira, and '
'SafePay were highly active, with Qilin responsible for 1,034 '
'attacks.',
'impact': {'data_compromised': '59.2 million records (confirmed), 31.2 '
'petabytes (Qilin)',
'financial_loss': ['£206 million ($276 million) in lost revenue '
'(Co-operative Group)',
'$276 million (Co-operative Group)'],
'revenue_loss': ['£206 million ($276 million) (Co-operative '
'Group)']},
'motivation': ['Financial gain', 'Data exfiltration'],
'ransomware': {'data_exfiltration': ['31.2 petabytes (Qilin)',
'8.5 terabytes (Conduent)',
'1.5 terabytes (DaVita)'],
'ransom_demanded': ['$1.2 million (manufacturing average)',
'$610,000 (legal firms average)',
'$1.09 million (businesses average)',
'$1.55 million (government average)',
'$615,000 (healthcare average)',
'$457,200 (education average)'],
'ransomware_strain': ['Qilin',
'Akira',
'SafePay',
'Clop',
'Interlock',
'DragonForce']},
'references': [{'date_accessed': '2025', 'source': 'Comparitech'}],
'threat_actor': ['Qilin',
'Akira',
'SafePay',
'Clop',
'Interlock',
'DragonForce'],
'title': 'Global Ransomware Attacks Surge 32% in 2025, With Manufacturing and '
'U.S. Organizations Hit Hardest',
'type': 'Ransomware',
'vulnerability_exploited': ['Oracle zero-day vulnerability']}