
The State Of Ransomware April 2025
We recorded 86 publicly disclosed ransomware attacks, the highest April total we’ve seen since we started tracking ransomware attacks back in 2020. This marks a 46% rise compared to April of last year. Government was the most targeted sector with 17 attacks, followed by healthcare with 12 attacks. 28 gangs claimed attacks in April, with Qilin being the most active variant with 8 attacks attributed to them.
- It has been disclosed that Jackpot Junction Casino Hotel in Minnesota experienced a significant cyberattack that disrupted its operations. The casino reported technical difficulties beginning on March 27, including phone line outages and the closure of slot machines due to unforeseen technical issues. Subsequent disruptions affected bingo, promotional events, and restaurant services. On March 31 RansomHub claimed responsibility for the attack, demanding an undisclosed ransom with a one-month deadline. The casino has not confirmed whether the ransom was paid or if personal data was compromised.
- Vitenas Cosmetic Surgery in Houston fell victim to a cyberattack by the threat group Kairos and, despite ongoing negotiations, the clinic reportedly failed to meet the attackers’ demands. Consequently, Kairos released approximately 1.34GB of unencrypted patient data, which included sensitive information such as names, dates of birth, phone numbers, email addresses, Social Security numbers, and explicit photographs of identifiable patients. The leak also encompassed internal documents related to employees and business operations.
- The Royal Saudi Air Force was reportedly targeted by the ransomware group Kill, who claimed to have stolen and encrypted sensitive military data. The group demanded a ransom and threatened to release classified information, including aircraft schematics and fleet details, if ransom demands were not met.
- Las Vegas real estate developer The Siegel Group confirmed that it experienced a significant data breach that compromised a wide range of personal information. The breach exposed data including names, Social Security numbers, dates of birth, passport numbers, state-issued IDs, alien registration numbers, direct deposit account details, signatures, and medical information. Ransomware group Interlock claimed responsibility, alleging they stole over 11TB of data, including SQL databases and personal files. The Siegel Group has not confirmed the extent of the breach, the number of affected individuals, or whether a ransom was paid.
- Queensland-based IT services firm Hexicor was reportedly targeted by the Kill ransomware group. The attackers allegedly exfiltrated sensitive data, including customer folders, digital certificates, hashed passwords, and backup files. Kill listed Hexicor on its darknet leak site, offering to sell the stolen data to either the company or external buyers. The group also threatened to release the data publicly if their demands were not met. Hexicor has not publicly commented on the incident, and the full extent of the breach remains unclear.
- It was recently disclosed that in August 2024, the District Labor Office in Police in Poland fell victim to a ransomware attack carried out by RansomHub. The hackers gained access to the office’s internal network infrastructure, allowing them to encrypt and partially copy data stored on its servers. As a result, the system experienced temporary downtime, and there were concerns about a potential breach of personal data. On August 22 the attackers released some of the copied data, including scans of documents containing personal information such as fragments of CVs, contracts, and lists of unemployed individuals.
- INC ransomware group claimed responsibility for an attack on the State Bar of Texas. The breach occurred between January 28 and February 9, 2025, and was discovered on February 12. The attackers reportedly exfiltrated sensitive data, including full names and other personal information, which was later leaked by the group. In response, the State Bar notified affected members and offered credit monitoring services to mitigate potential identity theft risks.
- In early April, the Lower Sioux Indian Community in Minnesota experienced a significant cyberattack attributed to the RansomHub ransomware group. The attack disrupted operations across multiple facilities, including the community’s healthcare centre, government offices, casino, and hotel. Affected systems included phones, emails, fax lines, and digital gaming machines. Tribal officials are collaborating with third-party cybersecurity experts to restore services and secure their infrastructure.
- Australian creative agency Fancy Films was targeted in a ransomware attack claimed by Kill. While the exact volume of stolen data remains undisclosed, Kill has shared various internal documents, such as client folders, insurance certificates, and hardware inventories. Notably, the leak includes information related to high-profile clients like Coles, Metro Trains, Australia Post, and the Country Fire Authority. Kill has not specified a ransom amount but has offered the stolen data for sale, with the option for the victim to “purchase” its deletion or for third parties to acquire it.
- Laborers’ International Union of North America (LiUNA) Local 1184 reported a data breach following a confirmed ransomware attack on November 17, 2024. The unauthorized access compromised sensitive information, including names, Social Security numbers, membership numbers, contact details, and work dispatch records. LiUNA regained control of its network the following day and initiated an investigation to assess the breach’s scope. Notification letters were sent to affected individuals on March 31, 2025, advising them of the breach and recommending protective measures.
- Dameron Hospital in Stockton, California, experienced a ransomware attack back in November 2023, claimed by RansomHouse. The attackers exfiltrated approximately 480 GB of sensitive data, including personal and health information of over 260,000 individuals. Despite the data being leaked online shortly after the attack, the hospital only notified affected individuals in March 2025, approximately 16 months later. In response to a class-action lawsuit, Dameron Hospital agreed to a $650,000 settlement, with eligible individuals having until April 22, 2025, to file a claim.
- Interlock claimed responsibility for a cyberattack on Cherokee County School District that disrupted its network, Wi-Fi, and several software applications. The ransomware group stated that it stole 624GB of data, including personal information of employees, financial records, and tax documents. Interlock posted images of the alleged stolen documents on their website. The district has not confirmed the breach or disclosed details about the ransom demand or payment.
- Interlock ransomware group targeted Andretti Indoor Karting & Games, a family entertainment chain operating across the southern United States. The cyberattack led to the temporary closure of all locations on March 16 due to technical issues, with systems including arcade games, laser tag, bowling, karting, and food services being disrupted. Interlock claimed to have stolen 1.2TB of data from the company and posted sample images of the alleged stolen documents on its leak site. Andretti has not verified these claims.
- A ransomware attack on Toppan Next Tech (TNT), a third-party printing and mailing vendor, compromised customer data from DBS Group and Bank of China (BoC) Singapore. DBS reported that approximately 8,200 client statements were potentially exposed, primarily affecting its DBS Vickers trading platform and Cashline loan accounts. The compromised data included customer names, addresses, and details of equities and loan holdings. BoC disclosed that around 3,000 customers’ data, used in printed correspondence managed by TNT, were potentially compromised, including names, addresses, and loan account numbers. Both banks emphasized that their core systems and customer deposits remained secure.
- Europcar Mobility Group experienced a significant data breach when threat actors compromised its GitLab repositories. The attackers claimed to have obtained all the company’s GitLab repositories, including cloud infrastructure, internal applications, mobile applications for Europcar and GoldCar, website backups, over 269 .ENV files, and more than 9,000 SQL files containing personal data. This breach potentially affected up to 200,000 customers. The stolen data amounted to over 37GB, comprising 645,041 files and 183,400 folders. Europcar has not publicly confirmed the breach or disclosed the specific data compromised. The company is reportedly investigating the incident.
- Regional Transport Baden-Wettingen (RVBW) fell victim to a ransomware attack by Play. While affected systems were isolated, some data was encrypted. Digital timetable displays at bus and tram stops were disrupted, and the operations center faced limitations. However, customer and subscription data were not impacted, and transport services and ticket sales continued as normal. The attackers attempted to extort the company by threatening to publish corporate data on the dark web, but RVBW did not comply with the demands. An investigation was launched, and local authorities were involved in addressing the incident.
- Pulaski County Clerk Terri Hollingsworth acknowledged ongoing technical difficulties affecting the Circuit and County Clerk’s office. Since January 16, the office has experienced disruptions in its computer systems, leading to limited capabilities in departments such as accounting, real estate, and records. While the office has been unable to fully conduct business, including issuing marriage licenses and processing real estate documents, officials are actively troubleshooting the issues and working towards restoring normal operations.
- Medusa ransomware group has reportedly breached NASCAR’s internal systems, demanding a $4 million ransom and threatening to release over 1 TB of sensitive data if their demands are not met within 10 days. The stolen information allegedly includes detailed raceway maps, staff names, email addresses, titles, and credential-related data. While NASCAR has not publicly confirmed the breach, Medusa has posted evidence on its dark web leak site.
- Gooding County was targeted in a ransomware attack that compromised the personal information of an undisclosed number of individuals. The county detected the intrusion on March 25, 2025, and confirmed unauthorized access to personal data. The specific number of affected individuals and the nature of the compromised data remain undisclosed. No ransom demand has been reported, and no group has claimed responsibility for the breach.
- Sarcoma claimed responsibility for a ransomware attack on New Zealand hardware retailer The ToolShed, reportedly exfiltrating 160GB of sensitive data. The stolen information included financial documents and scans of employee passports. Sarcoma has threatened to release the data within five days unless a ransom is paid, though no specific demand has been disclosed. The company has not publicly commented on the breach.
- Hungarian eye clinic Sasszemklinika suffered a cyberattack reportedly carried out by the Qilin ransomware gang, who claim to have stolen 101GB of data. Although the investigation is ongoing, initial findings suggest that unauthorized individuals may have accessed certain digital data files. The clinic quickly responded by isolating its systems, collaborating with cybersecurity experts, and notifying the Hungarian Data Protection Authority in compliance with GDPR. Despite the breach, patient care and appointment scheduling remain unaffected.
- Pulse Urgent Care Center in California appears to have been targeted in a ransomware attack by the Medusa group. The attackers claim to have exfiltrated over 127,000 lines of sensitive data, including patient medical records, insurance information, provider credentials, and login details for Rapid Radiology, Inc. Medusa has demanded a $120,000 ransom in BTC for either the deletion or return of the stolen data. Pulse has not publicly acknowledged the breach, and there is no indication that patient care has been disrupted.
- It has been reported that Polish retailer Smyk suffered a ransomware attack in March which led to the compromise of sensitive data belonging to employees, contractors and some customers. Despite the breach, Smyk reported that current orders were unaffected, and all systems remained operational. Akira claimed the attack, allegedly stealing 18GB of data from the retailer.
- A ransomware attack on the Arizona Federal Public Defender’s Office has delayed proceedings in the death penalty case of Ralph Menzies, convicted of a 1986 kidnapping and murder. Defense attorneys filed a motion seeking more time to prepare a reply brief on Menzies’ mental competency after the cyberattack wiped out their access to case files. The breach has disrupted legal preparations, highlighting the impact of cybercrime on the judicial process. Further details on this attack have not yet been publicly disclosed.
- In Massachusetts, the Fall River Public Schools district was hit by a cyberattack on April 7, 2025, rendering its computer systems, including email and internet access, unusable for the remainder of the week. The superintendent confirmed that the district lacks cyber insurance, meaning recovery costs will be covered out of pocket. While there is no evidence that personal data was compromised, students have been restricted to paper-based lessons, and MCAS testing has been postponed. The district is cooperating with law enforcement as the investigation continues. Medusa has claimed the attack, demanding a ransom of $400,000 from the school district in exchange for the stolen data.
- Sensata Technologies, a US-based industrial tech manufacturer, experienced a significant ransomware attack on April 6th, disrupting its operations. The attack led to the encryption of certain devices within the company’s network, affecting critical functions such as shipping, receiving, manufacturing, and support services. Sensata took its network offline and engaged cybersecurity experts to assess the situation and restore affected systems. While the company has not disclosed the identity of the attackers or any ransom demands, it has confirmed that files were taken during the breach. It is not yet known who is responsible for the attack.
- Ushio Europe released a statement on its website notifying its business partners that it had been targeted by a cyberattack. The notice suggested that emails had been impacted by the attack, but that production and shipping had not been affected. It was also reported that customer data had remained safe. Termite claimed the attack but has not released any details relating to the incident.
- LockBit targeted Physicians Medical Billing, claiming to have exfiltrated 850GB of information. Stolen data allegedly includes sensitive patient and financial information. Despite these claims, the company has not publicly acknowledged the breach. LockBit has posted screenshots as evidence of the stolen data on its leak site, but the full extent of the breach remains unclear.
- Qilin claimed responsibility for a November 2024 ransomware attack on the North Platte Natural Resources District in Nebraska. While the district did not initially disclose the nature of the breach, it later recommended that individuals take precautions to protect their identities and Social Security numbers. Although Qilin claims to have exfiltrated data, it has not disclosed the amount or the nature of the allegedly stolen information. NPNRD has not verified this claim, nor has it confirmed whether any data was compromised, if a ransom was paid, or how the attackers gained access to the network. The district continues to investigate the incident and has not provided further updates.
- The Oregon Department of Environmental Quality (DEQ) experienced a significant cyberattack, leading to the shutdown of its network and vehicle inspection stations. The agency isolated its systems to contain the attack and is collaborating with state and Microsoft cybersecurity teams to address the issue. While the DEQ has not confirmed whether data was stolen, Rhysida has claimed responsibility, posting files online that it asserts were taken from the agency. The group claims to have stolen 2.5TB of data from DEQ, giving the organization seven days to meet the demands.
- The fallout from a late 2024 attack on Pembina Trails School Division is now coming to light, with investigations suggesting that the incident impacted more current and former students than initially predicted. The attack resulted in the shutdown of internal systems, including phone lines and student portals, affecting approximately 16,000 students. Investigations revealed that unauthorized access occurred in the days leading up to the incident, compromising sensitive personal information such as names, dates of birth, addresses, health data, and parental contact details.
- Chinese-owned The Fullerton Hotels and Resorts confirmed a significant cyberattack on its Sydney location, The Fullerton Hotel. Akira ransomware group claimed responsibility, alleging the theft of over 148GB of sensitive data, including passports, driver’s licenses, corporate contracts, and financial records. The company has not publicly acknowledged the breach or disclosed whether a ransom was paid.
- Western Sydney University (WSU) experienced a cyberattack, compromising the personal information of approximately 10,000 current and former students. The breach occurred through unauthorized access to the university’s single sign-on system, affecting data related to enrolment, academic progression, and demographics. WSU has initiated an investigation and is working with cybersecurity experts to assess the impact.
- A cyberattack on the Brunswick Medical Center has compromised the personal information of patients and staff. A statement revealed that the attack impacted personal information relating to employees and professionals. The clinic is conducting an in-depth analysis of the information that was leaked. No ransomware group has come forward to claim the attack.
- It was recently disclosed that Charlton Athletic Football Club was hit with a cyberattack in August which wiped significant financial data. The attack impacted its legacy accounting system and disrupted other areas of activity at the club. There is no further information available at this time.
- South Korea’s SK Group fell victim to a cyberattack attributed to the Qilin ransomware gang. The attackers claimed to have exfiltrated 1TB of sensitive data from SK Group’s systems, including financial documents, contracts, and employee information. Qilin threatened to release the stolen data unless a ransom was paid. SK Group has not publicly confirmed the breach or disclosed whether a ransom was paid.
- Akira claimed responsibility for a cyberattack on Consonic, an Australian engineering and design firm based in Sydney. The group alleged to have exfiltrated 28GB of sensitive corporate data, including employee and customer contact information, internal communications, and financial records such as audits and payment details. The threat actors posted this claim on their dark web leak site on April 9, but the post was removed shortly thereafter.
- A threat actor claimed responsibility for a significant data breach involving Wolters Kluwer, posting about the incident on a prominent cybercrime forum. The dataset, reportedly ranging between 3GB and 6GB, is being auctioned with a starting price of $15,000, with the seller claiming it will be sold to one buyer. Stolen data allegedly includes full names, email addresses, phone numbers, residential addresses, job information and some social media handles. Wolters Kluwer has acknowledged the situation and has confirmed that an investigation is ongoing.
- Galvatech, an Australian steel galvanising company based in Sydney, was targeted by Qilin. The group claimed to have exfiltrated 11GB of data, encompassing over 23,000 files. The leaked documents reportedly include internal emails, cost reports, store receipts, and a training file with employee signatures. Galvatech has not yet publicly acknowledged the incident.
- Leading U.S.-based kidney dialysis provider DaVita reported that a ransomware attack on April 12, 2025 encrypted parts of its network. The company activated its response protocols, isolating affected systems and implementing interim measures to restore operations. Despite these efforts, some operations were adversely impacted, and the full extent and duration of the disruption remains unclear. DaVita continues to work with third-party cybersecurity experts and law enforcement to address the incident. Interlock claimed responsibility for the attack, allegedly exfiltrating 510GB of information from the healthcare provider.
- Details of a ransomware attack on Whiteboard Technologies Pvt have been released, with hackers reportedly demanding $70,000 to release stolen data. The impacted files, including customers’ sensitive information and business data, were encrypted and exfiltrated during the attack. The group behind the attack has not yet been made public.
- Study Hotels, a hotel chain serving Ivy League campuses, was reportedly hit by a ransomware attack. Play ransomware gang added the organization to its dark web leak site, with the group claiming to have stolen highly sensitive data including private and personal confidential information, client documents, budget, payroll, IDs, taxes and financial information.
- Qilin and Devman hacking groups jointly claimed responsibility for a significant ransomware attack on Feel Four S.L., a Spanish clothing and footwear retailer. The cyberattack reportedly compromised all the company’s servers, selected user PCs, and internal databases containing both user and employee information. The attackers demanded a ransom of $60,000 to prevent the release or further exploitation of the stolen data. Feel Four S.L. has not yet issued an official statement regarding the incident.
- Sarcoma claimed responsibility for an attack on TMA Group, a Sydney-based conglomerate with 12 subsidiaries operating across various sectors including aviation, logistics, manufacturing, and government services. The group alleged to have exfiltrated 1.1TB of sensitive data, including budget documents, passport scans, and confidential files. Sarcoma posted a sample of the stolen data on its dark web leak site and set a countdown timer for the release of the full dataset, although no ransom amount was disclosed. TMA Group has not publicly commented on the incident.
- Bilbie Faraday Harrison fell victim to a Lynx ransomware attack this month. The group alleged to have encrypted the firm’s data, though they provided minimal details about the incident. The law firm has not yet publicly acknowledged the claims.
- Prominent Vietnamese technology corporation, CMC Group, was targeted in a ransomware attack attributed to the Crypto24 hacking group. The breach reportedly compromised approximately 2TB of data. CMC confirmed the incident but assured that recovery efforts were swiftly executed, restoring services to full functionality within 24 hours. The company emphasized that core operations remained unaffected. Authorities have initiated an investigation into the attack.
- The Laboratory Services Cooperative, a US-based medical testing provider, suffered a significant ransomware attack that compromised the personal and health data of approximately 16 million individuals. Qilin allegedly exfiltrated sensitive information, including patient names, dates of birth, and medical test results. Authorities are investigating the incident, and affected individuals are being notified. The organization has not publicly commented on the breach.
- The Municipality of Kirkel in Germany fell victim to a cyberattack that disrupted several of its IT systems. The internal IT department detected the malware, prompting an immediate shutdown of affected systems. As a result, the town hall was temporarily closed, and email communication was unavailable. Thanks to regular backups, data loss was minimized. External experts, along with the Cybercrime Department of the State Criminal Police Office, are assisting in investigating the incident. Safepay has allegedly claimed responsibility for the attack.
- Following a lengthy investigation, the City of Long Beach started the process of notifying individuals whose personal information was potentially compromised in a cybersecurity breach that occurred in 2023. Cybersecurity experts determined that an unauthorized actor may have illegally accessed or acquired sensitive files during the incident. While officials confirmed that there is no evidence of the stolen information being misused for identity theft or fraud, the city is proceeding with the notifications in compliance with legal requirements and as a precautionary measure.
- The UK Information Commissioner’s Office (ICO) fined DPP Law £60,000 following a ransomware attack that exposed 32GB of sensitive client data. The breach occurred when hackers exploited an administrator account lacking multi-factor authentication, enabling them to access and exfiltrate over 32GB of data, including court documents and police footage. The firm only became aware of the breach after being notified by the National Crime Agency. The ICO determined that DPP Law failed to implement adequate security measures, violating UK GDPR requirements. DPP Law has stated its intention to appeal the decision.
- Maine-based swap shop and sell-it guide, Uncle Henry’s, appeared back online following a cyberattack in March. The company’s President stated that although hackers deleted the website’s database, no personal information was compromised during the incident. Unnamed hackers demanded an undisclosed BTC ransom in exchange for the data.
- US Claims Capital (USClaims) confirmed that a ransomware attack earlier this year affected 25,722 individuals. The company detected suspicious activity on January 7 and initiated an investigation which revealed unauthorized access to personal and health information. The ransomware group LeakedData claimed responsibility for the breach, listing USClaims on its data leak site with the status “Leaked,” indicating that the stolen data might be publicly accessible. USClaims has not confirmed whether a ransom was paid or how the attackers gained access to their network.
- Sarcoma ransomware group claimed responsibility for a cyberattack on Manchester Credit Union (MCU) in the UK. MCU reported technical difficulties with its inbound payment system on April 3rd and described the incident as a “failed ransomware attack.” The credit union stated that no customer data appeared to be compromised, and recovery efforts were underway. However, the attack resulted in two days of downtime for 21 team members and wiped some MCU servers. Sarcoma listed MCU on its data leak site and gave the credit union just over one week to pay an undisclosed ransom or face the auction or release of allegedly stolen data.
- Online lottery ticket vendor TheLotter Australia confirmed a cyberattack after a threat actor named “Ponce” claimed to have exfiltrated data from over 201,000 customers. The compromised information reportedly includes names, addresses, order dates, IP addresses, and account statuses. The breach was first disclosed on a hacking forum on April 11. The company is investigating the incident and has not confirmed the authenticity of the data leak.
- SafePay ransomware group claimed responsibility for a cyberattack on Australia-based Extreme Fire Solutions. The group listed the company on its dark web leak site, alleging the exfiltration of 47GB of data. A countdown timer was set for the publication of the stolen data, though the provided download link was non-functional at the time of reporting. Details regarding the specific data compromised remain undisclosed.
- Ahold Delhaize confirmed that it had suffered a major ransomware attack orchestrated by INC. The company took several systems offline to contain the incident, affecting pharmacy services and e-commerce operations across its U.S. brands. While physical stores remained operational, some customers reported service delays and disruptions. The ransomware gang claims to have stolen 6TB of information from the organization but has not disclosed the nature of the stolen data, although some documents, including NDAs and IDs, have been leaked as proof of claims.
- French fintech company Harvest SAS fell victim to a ransomware attack carried out by the group Run Some Wares. The breach, which was first detected on February 27th, led to the exfiltration of extensive sensitive data including internal strategies, financial records, employee information, access credentials, legal documents, source code, and client communications. Run Some Wares employed a double extortion tactic, encrypting Harvest’s data and threatening public disclosure to coerce payment. The stolen data was subsequently released on the group’s dark web site.
- Live events giant Legends International recently began notifying some employees and customers that their personal information was compromised as a result of a November 2024 cyberattack. The breach, which was detected on November 9, 2024, led to the exfiltration of data including dates of birth, Social Security numbers, driver’s license numbers, government ID numbers, payment card information, medical records, and health insurance details. The group responsible for the attack remains unknown.
- Baker Imaging and Northwest Radiologists, a radiology practice based in Washington, recently disclosed that it is working alongside the FBI to investigate a ransomware attack which took place in January. Affected data potentially includes dates of birth, Social Security and driver’s license numbers, and diagnostic information. While the specific nature of the attack has not been disclosed, the involvement of the FBI indicates the severity of the incident.
- Kairos leaked data acquired during a ransomware attack on Baltimore City’s State Attorney’s Office. The attackers claimed to have exfiltrated a total of 325GB of sensitive information including detailed criminal case files, juvenile offenders’ records, and personal information about victims and law enforcement personnel. Despite initial communications between the two parties, negotiations were unsuccessful which led to the leak of the data.
- Letters have been issued to individuals whose data was impacted by a ransomware attack on Whitman Hospital & Medical Clinics (WHMC). The healthcare providers initially claimed that no patient information was compromised, but following a third-party investigation it was revealed that information pertaining to patients and members of WHMC’s Group Health Plan had been impacted. No ransomware group has claimed responsibility for the attack.
- The full impact of a November 2024 ransomware attack on Behavioral Health Resources remains unknown following investigations. In mid-April, it was reported that an investigation could not conclusively determine whether data had been viewed or accessed, but that the organization had notified 50,083 individuals about a potential breach.
- Car rental company Hertz confirmed that 1,000,175 people were notified of a late-2024 data breach which compromised personal information. This information reportedly includes names, contact info, payment card info, driver’s license data, with a small number of SSNs and IDs also stolen. Clop claimed responsibility for this attack in November 2024, and it is believed that Hertz was targeted during the group’s assault on Cleo.
- At least 88,848 patients of Vitruvian Health were impacted by a ransomware attack on one of its service providers, Nationwide Recovery Services. An investigation determined that an unauthorized individual accessed NRS systems in July 2024, with Vitruvian Health being notified of a potential data leak in February this year. Compromised data included patient details, SSNs, financial account information and other medical information.
- NightSpire ransomware group targeted the Municipality of Ardon in France, exfiltrating approximately 30GB of sensitive data. The group announced the breach on their dark web portal, accompanied by proof files and a ransom demand. They set a deadline for payment, threatening to release the stolen data publicly on April 30 if their demands were not met.
- The City of Abilene in Texas experienced a cyberattack that disrupted its internal systems. The attack, which began on April 18, rendered several city systems unresponsive, prompting immediate action from the city’s IT department. To contain the incident, critical assets were disconnected, and cybersecurity experts were engaged to investigate the nature and scope of the breach. While emergency services continued to operate, some online services were slower than usual, and past-due utility accounts were not shut off. The city has not confirmed the involvement of a specific ransomware group.
- Alabama Ophthalmology Associates confirmed that a ransomware attack impacted more than 100,000 individuals. Personal and protected health information including names, addresses, SSNs, medical, and health insurance information was stolen during the incident. BianLian claimed responsibility for the attack in February.
- Taiwan’s Ministry of Health and Welfare confirmed that Chansn Hospital, a key medical facility in Taoyuan City’s Zhongli District, was the target of a ransomware attack that compromised the personal medical data of more than 80,000 patients. Emergency cybersecurity protocols were activated upon the discovery of unusual activity in the hospital’s network. NightSpire claimed the attack, allegedly stealing 800GB of information from the healthcare provider.
- It was confirmed that over 300 individuals were notified about a February data breach involving Urban One. The data breach reportedly involved names, SSNs, direct deposit info, W-2 information, and home addresses. Cactus claimed the attack in March saying it had stolen 2.5TB of data from the US media conglomerate. As proof of claims Cactus posted a sample of stolen data on its leak site including passports, contracts and a company income statement.
- A breach notice from officials at Baltimore City Public Schools revealed that students, teachers and administrators had information stolen during a ransomware attack in February this year. The attack, which exposed certain IT systems, resulted in certain documents being compromised. The incident was confirmed as ransomware, with Cloak claiming the attack, but no ransom was paid by the school district.
- The Catawba Two Kings Casino Resort was allegedly breached by Anubis this month. The hackers posted on a leak site claiming to have a “terribly detailed archive” including blueprints of the casino’s main floor, parking, hotel tower and restricted back-of-house zones.
- MTN Group experienced a cybersecurity incident involving unauthorized access to personal customer information in certain markets. The company confirmed that its core network, billing systems, and financial services infrastructure remained secure and fully operational. An unknown third party claimed to have accessed data linked to parts of MTN’s systems; however, there is no evidence suggesting that customer accounts or wallets were directly compromised. Affected customers are being notified in compliance with local legal and regulatory obligations.
- Hydraulic component manufacturer KYB Americas Corporation notified an undisclosed number of people about a February 2025 data breach that compromised their personal information. An investigation revealed that an unknown actor had gained access to certain company systems and had accessed or stolen certain information from those systems. Cactus has taken credit for the incident claiming to have stolen 1.8TB of information from the organization. Stolen data allegedly includes engineering data, drawings, PII, customer and partner information, and confidential corporate information. A proof pack containing various documents was added to the group’s leak site.
- UK retailer Marks & Spencer (M&S) suffered a significant cyberattack attributed to the Scattered Spider ransomware group. The attack led to widespread disruptions, including the suspension of online orders, failures in contactless payments, and empty store shelves. The incident resulted in a nearly 7% drop in M&S’s stock value. In response, the company is collaborating with cybersecurity experts from the National Cyber Security Centre and Scotland Yard to resolve the issue and restore system functionality.
- Yodogawa Steel Works has reported a ransomware attack on its Taiwanese subsidiary, Sheng Yu Steel Co., Ltd., which may have led to the leakage of personal and confidential information. The company is investigating the incident with external experts and working to mitigate the impact, while ensuring no other subsidiaries are affected. The full impact on business performance is still being assessed. The Underground ransomware group claimed the attack, reportedly stealing 353.9GB of information.
- Western New Mexico University (WNMU) experienced a significant cyberattack at the hands of Qilin ransomware group. The group claimed to have compromised sensitive employee data, including Social Security numbers, driver’s licenses, and payroll information. Ransomware deployed on WNMU systems displayed a message threatening to publish the stolen data unless demands were met. The university’s website and digital systems were disrupted for nearly two weeks, with internal communications referring to the incident as the work of a “foreign hacking group”. As of the report, the stolen data had not been posted on Qilin’s leak site, and WNMU had not publicly confirmed the breach.
- Hitachi Vantara, a subsidiary of the Japanese conglomerate Hitachi, experienced a ransomware attack which has been claimed by Akira. The attack led to disruptions in some of the company’s systems, prompting immediate action. Hitachi Vantara took its servers offline to contain the incident and engaged external cybersecurity experts to investigate and remediate the situation.
- In the Cayman Islands, Doctors Hospital successfully thwarted a ransomware attack without compromising patient data. Upon detecting unusual activity, the hospital’s IT team swiftly activated its cybersecurity incident response plan. The hospital confirmed that its platform, which securely stores patient information, was unaffected by the breach. Additionally, data from third-party providers remained secure. As a precaution, the hospital restored impacted systems in controlled phases to ensure a secure environment before resuming full operations. Despite the attack, patient care continued uninterrupted.
- DuPage County in Illinois experienced a ransomware attack affecting multiple government offices, including the sheriff’s office, the 18th Judicial Circuit Court, and the Circuit Court Clerk’s office. Attackers claimed to have stolen files containing financial records and lawsuits, demanding an undisclosed ransom for decryption keys. While in-person court operations continued with minimal disruption, online court sessions were unavailable, and some proceedings reverted to paper documentation. The county reported the incident to the FBI and Secret Service and is working to assess the full impact.
- Qilin claimed responsibility for a March 2025 cyberattack against the Kuala Lumpur International Airport in Malaysia. In late March, the airport announced that a cyberattack had disrupted operations, and officials stated that they rejected a ransom demand of $10 million. Qilin claimed to have exfiltrated 2TB of information during the attack on the airport.
- Rhysida claimed responsibility for a significant cyberattack on LaBella Associates. The attackers announced selling “exclusive data” for 30 BTC (approx. $2.82 million) and set the ransom payment deadline for May 5th. The exact scope of the breach has not been disclosed, and LaBella Associates are yet to make a public comment regarding the claims.
- Qilin added SoloVue Business Systems to its leak site, claiming to have exfiltrated data from the organization’s systems. According to the posting, compromised data includes extensive company information including spreadsheets and client contact databases. Sample screenshots were also provided as proof of claims and seemingly contain lists of customers, address records, shipping details and partial payment card entries.
- Hamilton County Sheriff’s Office was hit by a ransomware attack on April 14th, causing disruption to some of the services they provide. The HCSO worked methodically and diligently alongside external experts to investigate the incident and systematically restore service to all internal and external systems. No ransomware gang has claimed the attack.
- Kintetsu World Express (KWE), a major Japanese freight forwarding company, experienced a ransomware attack that disrupted its global operations. The company confirmed unauthorized access to its systems by a third party, leading to significant IT outages affecting customers and operations. The attack prompted the company to take affected systems offline and initiate recovery efforts. It is not yet known who is responsible for the incident.
- It was confirmed that at least 22,000 people were impacted by a ransomware attack on Complete Payroll Solutions in October 2023. Compromised data included SSNs, financial account information and driver’s licenses. Meow claimed the attack, stating that it had stolen 3GB of data from the organization, and posted sample images as proof of claims. Meow claimed to have exfiltrated employee data, client info, scanned payment documents, personal data, tax documents, and payment records.
- British retailer Co-Op Group revealed that hackers attempted to break into their systems, forcing the company to shut down some of its back office and call center operations. Further information relating to this attack has not yet been made public.