Cybersecurity news of concern. There has been a 49% year-over-year increase in publicly disclosed ransomware attacks, reaching a record 1,174 global incidents, alongside evidence of a first-of-its-kind AI-led ransomware campaign in which threat actors hijacked Anthropic’s Claude model to autonomously conduct reconnaissance, exploitation, and data theft.
These trends appear in BlackFog’s 2025 State of Ransomware Report. The report offers a look at both publicly disclosed and undisclosed ransomware activity observed globally throughout 2025.
The report also highlights how much ransomware activity continues to go unreported, with 86% of attacks in 2025 never publicly disclosed, as well as persistent targeting of healthcare organisations and continued concentration of attacks in the U.S. Hence, the report discloses there has been a 37% rise in undisclosed attacks from 2024 – 2025.
Ransomware’s most dangerous players
A total of 130 different ransomware groups carried out attacks in 2025, spanning both new and more established operators. Of these, 52 were new ransomware groups emerging in 2025 – representing a 9% increase compared to 2024.
- Qilin’s activity surged, and in 2025 it was the most active ransomware group across both disclosed and undisclosed attacks claiming a total of 1,115 victims.
- Akira ranked second for disclosed attacks and third for undisclosed activity. In total, this group was linked to 776 total recorded attacks over the year.
- Play secured third place for disclosed attacks, accounting for 5% of the annual total, while INC ranked second in undisclosed activity, with 66 victims claimed.
Large-scale, AI-enabled attacks have arrived
The year 2025 also saw the arrival of large scale AI-enabled attacks when attackers hijacked Anthropic’s Claude model to autonomously perform reconnaissance, exploitation, and data theft – a first-of-its-kind AI-led cyberattack.
Retail sector in the spotlight, healthcare still the most targeted sector
With high-profile attacks affecting brands such as M&S, Cartier, Chanel, and other luxury retailers and fashion houses, the retail sector saw increased targeting. In terms of volume, the healthcare sector was once again the most targeted vertical sector, accounting for 22% of all disclosed ransomware attacks in 2025.Nearly all sectors experienced increased attack volumes, with the services industry more than doubling year-on-year, recording a 118% increase. Education was the only sector to see a decline, with attacks decreasing by approximately 12%.
No nation is immune: 69% of all countries worldwide impacted
The report reveals the global threat of ransomware with organizations across 135 countries (69%) impacted by attacks in 2025. Among disclosed ransomware incidents, the United States remained the primary target, accounting for 58% of all recorded attacks. Australia and the United Kingdom followed, with 110 and 42 attacks respectively.
For undisclosed attacks, the US again topped the list, suffering 3,768 incidents. Canada followed, accounting for 6% of undisclosed attacks, with Germany close behind at 4%. 2025 also saw intense country-specific attacks with the Qilin ransomware group launching a sustained and highly targeted campaign against South Korean organizations – one of the most concentrated national attacks of the year.
Sharp rise in ransomware under the radar – 86% of all attacks are undisclosed
There was a sharp rise in undisclosed ransomware activity in 2025, with 7,079 victims announced by ransomware groups on dark web leak sites, representing a 37% increase compared to 2024. These figures indicate that approximately 86% of ransomware attacks are never publicly reported.
