SAN FRANCISCO – 16th July, 2025 – BlackFog, the leader in ransomware prevention and anti data exfiltration (ADX), today revealed findings from analysis of ransomware activity from April to June 2025 across publicly disclosed and non-disclosed attacks.
The data shows that over this period there was a 63% increase in publicly disclosed attack volumes with a total of 276 incidents compared to Q2 2024 (169 incidents). Notably, this is the highest number for this timeframe since BlackFog began tracking in 2020.
Key findings for April to June
Sharp increase in publicly disclosed attacks year on year
All three months set a new high compared with the same time period in previous years. Year on year the increases by month are:
- A 113% increase in June with a total of 96 attacks
- A 51% increase in April with a total of 89 attacks
- A 40% increase in May with a total of 91 attacks
Healthcare sector the most targeted
In terms of disclosed attacks, healthcare was the most targeted sector with 52 attacks. This was followed by the government sector, which recorded 45 attacks and the services industry with 33 attacks.
Retail in the ransomware crosshairs
The retail sector recorded its highest ever Q2 attack volumes, with UK retailers in particular bearing the brunt of high-profile ransomware attacks. The number of publicly disclosed ransomware incidents in this sector jumped by 58% compared to Q1 2025.
The Construction, Hospitality and Arts and Entertainment sectors also reported the highest ever Q2 attack volumes. Across the board, the use of data exfiltration remained consistently high, with 95% of publicly disclosed attacks involving the theft of sensitive information.
Qilin dominates the global ransomware threat with a strategic shift
Amongst 53 active ransomware groups, the Qilin ransomware gang took the lead as the most active, responsible for 10% (28) of disclosed attacks and 15% of those revealed on dark web leak sites. Earlier this year, CISA issued a formal warning after Qilin struck high profile targets in the UK and US with the group labelled a major risk to critical infrastructure.
The hidden landscape: unreported incidents continue to increase
The figures also reveal that the scale of hidden activity remains significant with 80.9% of all ransomware attacks going unreported. Across Q2 there were 1,446 undisclosed ransomware attacks marking a 19% increase compared to the same quarter in 2024.
As with the first quarter of this year, the services industry was the hardest hit, accounting for 23% (337) of all undisclosed attacks in Q2.
Commenting on the findings, Dr. Darren Williams, Founder and CEO of BlackFog said: “The findings lay bare the extent of the challenge that organizations face. The past few months have been especially punishing for global retailers, with prominent high street stores falling victim and absorbing the financial and operational fallout of these attacks.
He continues “The findings also highlight that, time and again, attackers are ultimately after one thing: data. This is yet another reminder that organizations must take decisive action to reduce the risk of exfiltration with controls and processes that form a protective ‘ring of steel’ around their most sensitive data to stop attackers in their tracks.”
Methodology
This report was generated in part from data collected by BlackFog Enterprise over the specific report period April – June 2025. It highlights significant events that prevented or reduced the risk of ransomware or a data breach and provides insights into global trends for benchmarking purposes. This report contains anonymized information about data movement across hundreds of organizations and should be used to assess risk associated with cybercrime.
Industry classifications are based upon the ICB classification for Supersector used by the New York Stock Exchange (NYSE).
All recorded events are based upon data exfiltration from the device endpoint across all major platforms.
BlackFog’s State of Ransomware report for April – June 2025 can be accessed here:
About BlackFog
Founded in 2015, BlackFog is a global AI based cybersecurity company that has pioneered on-device anti data exfiltration (ADX) technology to protect organizations from ransomware and data loss. With 95% of all attacks involving some form of data exfiltration, preventing this has become critical in the fight against extortion, the loss of customer data and trade secrets.
BlackFog recently won a Gold Globee award for AI-Driven Data Protection Solution and the coveted Cybersecurity Breakthrough Award for AI-based Cybersecurity Innovation of the Year. BlackFog also won Gold at the Globee awards in 2024 for best Data Loss Prevention and the State of Ransomware report which recognizes outstanding contributions in securing the digital landscape.
Trusted by hundreds of organizations all over the world, BlackFog is redefining modern cybersecurity practices. For more information visit blackfog.com.
Media Contact:
Related Posts
BlackFog report reveals 63% increase in Q2 ransomware attacks YoY
BlackFog report reveals 63% YoY surge in ransomware attacks in Q2 2025, with healthcare and retail sectors among the hardest hit.
Fog Ransomware Surges in 2025 Hitting Schools and Banks Alike
Fog ransomware has surged in 2025, targeting the educational and financial sector. Learn about its technical tactics, double extortion methods, and defense strategies.
Data Risk Assessment: The First Step Toward Smarter Data Protection
Understanding how to conduct a data risk assessment is a key step in protecting systems and networks from both internal and external threats.
Data Risk Management: A Smarter, Deeper Approach
Make sure your data risk management strategy goes beyond the basics to ensure critical information is safe from hackers, accidental breaches and other threats.
GDPR Audit: A Practical Guide to Staying Compliant
What should firms be thinking about when conducting a GDPR audit and why must this be a key part of a data risk management strategy?
5 Emerging Data Security Threats You May Not Have Considered
Keep an eye on these five rapidly-evolving data security threats to ensure sensitive information is fully protected from exposure.