BlackFog Report Reveals 36% Increase in Q3 Ransomware Attacks YoY

SAN FRANCISCO – 16th October, 2025 – BlackFog, the leader in ransomware prevention and anti data exfiltration (ADX), today revealed findings from its analysis of global ransomware activity from July to September 2025 across both publicly disclosed and non-disclosed attacks.

This came during a quarter marked by continued disruptions from ransomware campaigns affecting airlines, automotive manufacturers, governments, and other organizations in critical industries across a total of 93 countries worldwide.

The findings show that publicly disclosed attacks continued to set new records, with 270   attacks – a 36% increase compared to the same quarter, Q3, in 2024 (198 attacks). This also represents a 335% increase since Q3 2020, underscoring the continued rise in ransomware attacks over the last five years.

Additional Key Findings for July–September: 

Increase in Publicly Disclosed Attacks Year on Year 

Compared to the same period in previous years, the following monthly increases were observed:

• A 50% increase in July with a total of 96 attacks
• A 37% increase in August with a total of 92 attacks 
• A 27% increase in September with a total of 85 attacks

Qilin Topped as the Most Active Group; Newcomer DEVMAN Made an Impact

Between July and September, publicly disclosed attacks were attributed to 54 ransomware groups. As in Q2, the Qilin ransomware gang – which recently claimed responsibility for the attacks on the Asahi Group – was the most active, responsible for 20 incidents during this period. Notably, approximately 40% (107) of reported attacks have not yet been attributed to any known ransomware group.  

The quarter also saw the emergence of 18 new ransomware groups, several linked to high-profile incidents targeting large organizations. Among these, the newcomer DEVMAN made a significant impact, with 19 attacks across Asia, Africa, Europe, and Latin America. It was also behind a $91 million demand against Chinese real estate giant Shimao Group, one of the largest demands seen this year. 

Undisclosed Attacks: Manufacturing Sector Hit Hardest 

When looking at attacks that are not disclosed publicly, the manufacturing sector was hit hardest, accounting for 22% of all incidents. 

Close behind was the services sector, with 333 incidents, while the construction industry entered the top three for the first time with 143 attacks. The legal sector also saw a surge, recording 79 attacks – its highest level to date.  

Disclosed Attacks: Healthcare Sector Persists as Most Targeted 

In terms of publicly disclosed attacks, healthcare was once again the most targeted sector with 86 attacks – accounting for 32% of all incidents. This was followed by the government and technology sectors, each reporting 28 attacks. 

Lack of Reporting Remains a Challenge

In Q3 2025, nearly 85% of all ransomware attacks (estimated at 1,510) went unreported, representing a 21% increase compared with the same period in 2024. Qilin was also the most active in this segment, responsible for 16% of cases. 

Data theft remains the dominant tactic used by attackers, with 96% of all disclosed cases involving data exfiltration, marking the highest level recorded to date. 

Commenting on the findings, Dr. Darren Williams, Founder and CEO of BlackFog, said: “This has been a quarter in which the fallout of cyberattacks has continued to have a long and lasting impact. From grounded aircraft and stranded passengers to manufacturers forced to halt production, the disruption has been significant. Operations at Jaguar Land Rover, for instance, only recently resumed following the August incident, while numerous smaller suppliers are still counting the cost.

At the other end of the scale, we’ve seen attackers pulling no punches when it comes to the type of company – and data – they target. The attack on a UK nursery chain, Kido, in September marked a new low when it emerged that information on children, parents, and carers was taken.  

As ransomware volumes show a continued upward trend, the best option for organizations is to make it as hard as possible for cybercriminals to take advantage of them. That means protecting data so that they have no leverage for extortion and, critically, no incentive to return.”     

This report was generated in part from data collected by BlackFog Enterprise over the specific report period July – September 2025. It highlights significant events that prevented or reduced the risk of ransomware or a data breach and provides insights into global trends for benchmarking purposes. This report contains anonymized information about data movement across hundreds of organizations and should be used to assess risk associated with cybercrime. 

Industry classifications are based upon the ICB classification for Supersector used by the New York Stock Exchange (NYSE). 

All recorded events are based upon data exfiltration from the device endpoint across all major platforms.

BlackFog’s State of Ransomware report for July–September 2025 can be accessed here:

https://www.blackfog.com/2025-q3-ransomware-report/

BlackFog is the category-defining vendor in anti data exfiltration (ADX). Founded in 2015, the company invented ADX on the thesis that the endpoint is the only control point capable of stopping data from leaving an organization, an architectural bet that has now been validated across three exfiltration vectors: ransomware, shadow AI, and autonomous AI agents. BlackFog’s endpoint-native platform protects more than 500 enterprises, government agencies, and critical infrastructure operators worldwide. 

The company is the publisher of the annual State of Ransomware report and the BlackFog/Sapio Shadow AI Research, the most-cited primary research in the category. BlackFog’s recognition includes the teiss Awards 2026, the AI Excellence Award 2026, the Cybersecurity Excellence Awards 2026, and the Cybersecurity Breakthrough Award. Headquartered in San Francisco with international operations in London and Belfast. Learn more at blackfog.com.

Code Red Communications

Bl******@*******************ns.com