
The State Of Ransomware July 2025
July saw a sharp rise in ransomware activity, with 96 publicly disclosed attacks, representing a 50% increase over July 2024 and the highest number ever recorded for this month. Healthcare was by far the most targeted industry, accounting for 35 of the incidents. The technology and government sectors were also significantly affected. While 37% of the attacks have yet to be attributed to a specific group, INC led known activity with 8 confirmed attacks, followed closely by Everest with 7.
Find out who made ransomware headlines in July:
1. Community Choice Credit Union in Colorado notified 8,465 individuals of a May 2025 data breach that compromised personal information. The notice stated that a cybersecurity incident led to the encryption of files on the computer network, with an investigation later revealing that some information had been exfiltrated during the attack. Play ransomware gang claimed responsibility for the attack, and is allegedly in possession of confidential data, client documents, and budget, payroll and accounting information.
2. Brazilian tech services firm C&M Software, which provides critical infrastructure support to financial institutions lacking their own connectivity systems, suffered a significant ransomware attack. As a precaution, Brazil’s central bank instructed C&M to suspend client access to its platform. By July 3, the company confirmed it had resumed operations after receiving clearance to restore services following containment efforts. No ransomware gang has claimed the attack.
3. Kraken added Nordic Apple product reseller Humac to its dark net blog, claiming to have stolen data from the organization. The attackers claim to have access to a trove of sensitive information, including financial records, customer data, and internal company documents. A sample of data included employee records, operational files, and internal databases. Humac has not publicly acknowledged claims made by Kraken.
4. It was reported that Myrtue Medical Center in Iowa had fallen victim to a cyberattack in mid-June. A data breach notice posted on its website alerted patients that an unauthorized third party had accessed its network and may have acquired files including patient information. Cybersecurity experts are investigating the nature and scope of the incident.
5. Fort Bend Library Services has announced that full operations may not resume until fall following a ransomware attack in February. The incident, which disrupted the library system earlier this year, was confirmed to be ransomware-related after a ransom note appeared on affected computers, indicating that all files had been encrypted and some data had been copied. The investigation is ongoing, and it has since emerged that law enforcement was not informed of the attack at the time it occurred.
6. Indian insurance giant Axis Max Life is investigating a data security incident after a threat actor claimed to have stolen confidential data after breaching its internal network. At this time, no known hacker group has claimed responsibility for the attack.
7. IdeaLab has recently informed individuals that an October 2024 data breach exposed sensitive information. The attack was attributed to the Hunters International ransomware group, which claimed to have exfiltrated 262.8GB of data. While IdeaLab has not confirmed the volume or specific types of information stolen, the company stated that the breach affected current and former employees as well as service support contractors.
8. Global IT distributor Ingram Micro disclosed it had identified ransomware on certain internal systems. In response, it took parts of its environment offline and launched an investigation with law enforcement, actions that triggered multi‑day outages across its ordering sites and platforms. The attack has been linked to the SafePay group, which is now threatening to leak 3.5TB of allegedly stolen data, though Ingram Micro hasn’t confirmed any data theft. The company reported steady recovery, with core services progressively restored the following week.
9. Prominent Japanese electronics manufacturer Elematec Corporation was hit by a significant ransomware attack orchestrated by Devman. The ransomware group demanded a $10 million ransom from the organization and threatened to leak highly sensitive information including proprietary designs, customer records, and confidential financial information.
10. WorldLeaks ransomware gang claims to have exfiltrated 146.6GB of data from Kentfield Hospital in California. The stolen data, which contains 140,000 files, includes protected health information and medical images. The healthcare provider has not confirmed a cyberattack or data breach.
11. Minnesota-based medical device company Surmodics was forced to shut down part of its IT systems following a June cyberattack. The IT team discovered unauthorized access to its network and took systems offline to contain the incident. Critical IT systems have since been restored. The organization is still analyzing the scope and details of the IT data stolen during the attack. Currently, no ransomware group has claimed responsibility for the attack.
12. Cierant Corp, a marketing software and service provider, experienced a data breach involving Blue Cross and Blue Shield Massachusetts patient data. The incident took place in December 2024, when the Clop ransomware gang exfiltrated sensitive personal information belonging to the two Massachusetts healthcare providers. The attack impacted 232,506 individuals, with both PII and PHI exposed.
13. 6,241 employees of IES Communications were notified of a March 2025 data breach that compromised personal information. The organization confirmed that it had experienced a cybersecurity incident which led to unauthorized access to files containing personal information. Chaos ransomware gang took credit for the attack, claiming to be in possession of 1TB of data.
14. According to reports, Clement Manor, a senior retirement community in Wisconsin, experienced a cyberattack in April that caused network disruptions and limited access to certain systems. Third-party cybersecurity experts were brought in to investigate, and their findings indicated that sensitive data, including personally identifiable information (PII) and some financial details, may have been accessed during the incident.
15. Following an investigation, it has been determined that protected health information of 47,000 individuals was potentially compromised during a cyberattack targeting Gardner Orthopedics in Florida. An intrusion was detected by the organization in April, forcing a rebuild of affected systems. INC ransomware group added Gardner Orthopedics to its leak site in May, along with samples of stolen data.
16. New ransomware group Payouts King added Crenshaw Community Hospital to its leak site. The group claimed to have stolen 53GB of data from the healthcare provider and has since listed it for download when an undisclosed ransom was not paid. No further information on this attack has been made publicly available.
17. On July 8th, the Rhysida ransomware group listed Florida Hand Center on its leak site, publishing samples of allegedly stolen data as proof of the breach. The leaked samples included driver’s licenses, insurance claim forms, and medical images. The clinic was given a seven-day deadline to respond before the group threatened to auction off the data.
18. Everest claims to have stolen more than 31,000 records from Balance Diagnostics, a medical diagnostic imaging center in New York. The stolen data allegedly includes test results, SSNs, birth dates, and billing information. The full dataset was leaked in June.
19. PDI Health was also added to Everest’s leak site, with the group claiming to have exfiltrated more than 373,000 records from the mobile diagnostic imaging service provider. Compromised data includes test results, patient histories, and billing information. The listing was added to the group’s leak site in May, with the full data leak occurring in mid-June.
20. Data was leaked from a June ransomware attack on Avantic Medical Lab. Everest orchestrated the attack and gave the lab one week to make contact or risk having data published in full. Everest leaked the full data set, including patient files, on July 3rd.
21. Everest claims to have published a huge variety of documents belonging to Arlington Occupational Health and Wellness, including EMRs, test results, patient histories, and billing information. The listing was added to the group’s leak site on July 4th, along with samples of stolen data and links to the full dataset.
22. New Zealand IT provider Norrcom disclosed a cybersecurity incident affecting systems tied to its Lamberts Business Systems unit, taking portions of the environment offline while activating incident response with external experts. Soon after, Lamberts confirmed unauthorized access and noted that a third party had named the company online alongside claims of data access; around the same time, the INC Ransom group listed Lamberts on its leak site and alleged data theft (discovery reported on July 9, 2025). The investigation and recovery are ongoing.
23. Qilin added Accu Reference Medical Lab to its leak site on July 10th after acquiring data from the organization 10 days earlier. The dark web post included 12 screenshots containing unredacted protected health information of patients. Qilin did not indicate the number of files or the amount of data it claims to have exfiltrated. Accu Reference has not publicly acknowledged these claims.
24. It was confirmed that phone and technology outages that impacted Albemarle County in June were caused by a ransomware attack. The county warned that it is likely that hackers accessed data of local government and public school employees. The county believes that hackers failed to gain access to cloud-based systems and were only able to breach data held on local servers. INC claimed responsibility for the attack.
25. Accident Fund, an insurance company in Michigan, confirmed that IT issues it had experienced in June were caused by a cybersecurity incident. Certain systems are expected to be offline for the foreseeable future, but the company states that there is no evidence that customer information has been impacted. The attack has not yet been claimed by a cybercriminal gang.
26. The world’s largest online gambling operator Flutter Entertainment has confirmed a major data breach affecting up to 800,000 customers. The breach stemmed from a third-party vulnerability and led to the exposure of sensitive customer data. Unauthorized access has been removed, and the breach was contained.
27. Dordt University has begun issuing data breach notifications to 34,251 people who were impacted by an April 2024 ransomware attack. According to the notification, a limited amount of data was accessed and acquired during the incident. BianLian listed the university on its leak site last year, allegedly stealing 3TB of data. A 10-page proof pack was included in the listing and contained documents such as employee forms, social security documents, and an Excel file with student information.
28. The City of Gardendale, Alabama was listed on the INC Ransom leak site following a ransomware incident. The gang claimed it had exfiltrated nearly 50 GB of municipal and citizen data, including financial records, to pressure the city.
29. Saudi industrial conglomerate Rezayat Group was listed on the Everest ransomware gang’s leak site, with the actors claiming they had exfiltrated about 10 GB of corporate data and threatening exposure if talks failed. Screenshots of stolen data include reports and contracts, alongside technical drawings. As of the latest reports, Rezayat has not issued a detailed public confirmation of the scope of any data theft.
30. Chicago radio station WFMT was reportedly hit by the Play ransomware group, which claimed to have compromised the station’s systems and leaked samples of stolen data. Reports indicate the exposed information included payroll, medical insurance, and other financial records, with the group listing WFMT on its leak site around July 8.
31. Reports reveal that Mobile Notary Zone (MNZ) suffered a major data breach that has serious implications for notaries and the clients they serve. The breach exposed highly sensitive personal data including names, SSNs, financial records and government-issued IDs.
32. HopeHealth Inc started issuing notification letters to individuals affected by a March 2025 cybersecurity incident. An unauthorized third-party gained access to the organization’s network in March, but a review of the exposed files was only completed in July. Data includes PII, financial data and health information.
33. It was announced that Rural Health Services (RHS) in South Carolina experienced a sizeable data breach earlier this year that has affected 36,542 patients. An unauthorized third party accessed its networks for almost one month between January and February 2025, resulting in files containing patient information being viewed and/or copied from the network. While information obtained by hackers varies for each individual, it includes PII, PHI, health insurance information and financial data. No ransomware group has claimed responsibility for this incident.
34. California-based life science testing company Pacific Biolabs fell victim to a ransomware attack orchestrated by Cicada3301. The RaaS group claims to have exfiltrated 900GB of data in the attack on or around July 10. The attack has not yet been confirmed by the organization.
35. WPM Pathology Laboratory in Kansas began notifying 5,694 patients about a November 2024 ransomware attack. Third party cybersecurity professionals were engaged to help contain the threat and secure the network. An investigation determined that threat actors potentially accessed files containing patient information. Although not mentioned in the notification, it is believed that Fog ransomware was behind the incident.
36. Indian Springs School District recently notified 11,542 people of an October 2024 cybersecurity attack which led to personal details being compromised. RansomHub took credit for the attack, stating that it had stolen 45GB of data from the school district. The gang also posted sample images of stolen data on its leak site which included several financial documents.
37. Ransomware group DragonForce claimed responsibility for a May 2025 ransomware attack which caused disruption to US department store chain Belk. Upon discovering the incident, Belk worked diligently with cybersecurity experts to determine the source and scope of the incident, later determining that certain internal documents had been obtained by hackers. DragonForce claims to have stolen 156GB of data from the organization.
38. A ransomware attack crippled South Korea’s largest provider of guarantee insurance, Seoul Guarantee Insurance. While some systems were restored promptly, SGI’s main data system remained inoperative for a number of days following the attack. At this time, it is not known who was responsible for the incident.
39. Telecommunications and infrastructure company Adrian Kenya was targeted by a Lynx ransomware attack. The threat actors added the organization to their leak site in mid-July, sharing screenshots of invoices and operational records as proof of claims. The organization is yet to make a public comment addressing these claims.
40. BARTEC posted an announcement on its website addressing a recent unauthorized data attack. The organization immediately checked its existing IT infrastructure and found no evidence of any further attempts to access data. No further information relating to the attack was included in the notice. Safepay ransomware has claimed responsibility for the incident.
41. Southern Connecticut Vascular Center announced a cybersecurity incident which impacted its IT systems. Further information about the attack was not disclosed, other than that law enforcement was notified of the incident. A forensic investigation confirmed that patient data was exposed.
42. Ransomware group Devman breached Thailand’s Ministry of Labour, defaced the official website, and claimed a deep compromise of internal systems. The ministry reported that the attackers, who had over 43 days of access, exfiltrated more than 300GB of sensitive data, wiped Active Directory, disrupted 98 Linux and 50 Windows servers, and encrypted around 2,000 laptops. Devman demanded a $15 million ransom and threatened to leak the data.
43. Russia’s Novabev Group, maker of Beluga vodka and owner of WineLab, suffered a large‑scale ransomware attack that disrupted its IT systems, forcing temporary closure of 2,000+ WineLab stores and delaying shipments. The attackers demanded a ransom, but Novabev said it refused to negotiate while it worked to restore services. The incident affected the availability of internal tools and retail operations across the group. The identity of the attackers remains unknown.
44. It was revealed that the United Australia Party (UAP) and Trumpet of Patriots, political entities associated with Clive Palmer, fell victim to a ransomware cyberattack in June. The attackers gained unauthorized access to the parties’ servers, potentially exfiltrating a vast volume of data, including all emails and attachments, documents, and electronic records held by the parties.
45. Namibia’s Otjiwarongo Municipality was struck by a ransomware attack performed by a group calling itself INC Ransom. The breach was identified on July 16, prompting the Namibia Cybersecurity Incident Response Team (NAM‑CSIRT) to advise immediate containment measures such as isolating affected systems and mapping data to determine exposure. The exact ransom amount and details of any stolen data have not been disclosed. Investigators are actively working to assess the full impact and secure compromised systems, and updates are expected once it’s safe to share findings publicly.
46. Stormous ransomware group claimed to have stolen the personal and health information of 600,000 patients from North County HealthCare. The healthcare organization was added to the group’s leak site in mid-July, alongside the data breach claims. The group also stated that data of 100,000 patients will be listed for sale, while the remaining 500,000 would be listed free on the leak site. The data has since been published by the group.
47. The College of New Caledonia in Canada disclosed that personal information belonging to students may have been compromised following a March 2025 ransomware attack. In a notification sent to students, it states that the college believes unauthorized access to online systems may have been active for almost five months. It is not known who was responsible for this attack.
48. Susan B. Allen Memorial Hospital reported “anomalous activity” that caused a system outage and disrupted patient scheduling and phone access while a third‑party team investigated. Soon after, the ransomware group Kawa4096 claimed the attack, listing the hospital on its leak site and alleging 210 GB of stolen data; the hospital said it would notify patients if personal information was implicated.
49. Florida law firm Zumpano Patricios PA announced that a major data breach affected 279,275 individuals. A network intrusion was detected in May, triggering immediate and aggressive action to prevent any further spread. A forensic investigation revealed that patient data may have been copied from the network. Exposed data had been provided to the firm by its healthcare provider clients in connection with payment disputes that the law firm was trying to resolve.
50. It was confirmed that a huge amount of patient data was compromised during an attack on Radiology Associates of Richmond. A breach notice stated that protected health information of 1,419,091 individuals was impacted by the incident, making it one of the top five healthcare data breaches reported this year.
51. World Leaks claimed to have exfiltrated 1.3 TB of data, over 416,000 files, from Dell Technologies’ Customer Solution Centers platform. The affected environment, used for product demonstrations and proof-of-concept testing, is intentionally isolated from Dell’s core operational and customer systems. Dell emphasized that the breach involved primarily synthetic or publicly available test data, with the only genuine information being an outdated contact list; it stated there is no indication that customer or partner data was compromised.
52. Australian leasing provider LeasePLUS was confirmed as a victim of the Akira ransomware group. The breach was publicly disclosed on July 18, when Akira announced plans to leak 6 GB of corporate documents, including contracts, NDAs, and personal files belonging to more than 2,300 employees and customers, unless a ransom demand was met. To date, the specific ransom amount remains undisclosed.
53. Olde Towne Medical and Dental Center in Virginia announced a cyberattack that involved unauthorized access to the protected health information of up to 2,567 individuals. In notification letters, OTMDC explained that a ransom note was received from INC, demanding payment following an attack on its computer systems. The systems were immediately shut down and an investigation was launched.
54. Ransomware gang Lynx took credit for a June data breach at gaming PC maker iBUYPOWER and its sister brand, HYTE. The company announced that it had experienced a network security incident which resulted in a temporary outage of several internal systems. Lynx has not disclosed a ransom demand or confirmed what data was allegedly stolen from iBUYPOWER.
55. Private healthcare network AMEOS Group announced a significant cybersecurity breach. Despite “extensive security measures,” threat actors briefly accessed its IT infrastructure, potentially exposing sensitive personal data of patients, employees, and business partners, including contact details and possibly more. As part of its immediate mitigation, AMEOS severed all internal and external network connections, shut down its systems, engaged forensic experts, notified data protection authorities under GDPR, and filed criminal complaints with authorities. No group has claimed responsibility, and no public data leak has been confirmed yet.
56. KNP Logistics announced that a cyberattack has forced the closure of the 158-year-old UK transport company. Akira ransomware gang gained access to the organization’s network by guessing an employee password and left a note demanding an undisclosed ransom amount. Unable to meet the terms, KNP accepted data loss and entered into administration.
57. Western Montana Mental Health Center (WMMHC) recently disclosed a security incident involving unauthorized access to the protected health information of up to 86,758 individuals. An investigation into the September 2024 attack revealed that compromised files included names, SSNs, driver’s license numbers, medical information and financial information.
58. The State Attorney General was notified about a recent security incident involving unauthorized access to patient information at The Brien Center for Mental Health and Substance Abuse Services in Massachusetts. The intrusion was identified in late May, with cybersecurity experts brought in to investigate the incident. A file review of compromised information confirmed that data including names and clinical diagnostic information were among the file types accessed.
59. In Florida, 10,000 patients were notified of a recent data breach involving Florida Lung, Asthma & Sleep Specialists (FLASS). Following unauthorized network activity in May, a forensic investigation indicated that medical records of certain patients had been accessed. No ransomware gang has stepped forward to claim responsibility for this incident.
60. Naper Grove Vision Care announced a cybersecurity incident that was detected in May 2025. Cybersecurity experts were engaged to investigate the incident and confirmed that an unauthorized third party accessed its network and exfiltrated files including patient information. Interlock claimed responsibility for the attack, stating on its leak site that it had stolen 214GB of data from the healthcare provider. The full data set, including 32,971 folders and 656,891 files, has since been leaked.
61. France’s national employment agency France Travail experienced an attack that compromised the personal information of approximately 340,000 jobseekers. Attackers reportedly infiltrated the portal through a compromised partner organization account infected with infostealer malware, allowing unauthorized access to the Kairos training management platform used by job placement providers. Exposed data included full names, postal and email addresses, phone numbers, France Travail identifiers, and job seeker status information; however, financial details and passwords were not impacted.
62. Commercial cleaning company Prestige Maintenance USA confirmed it notified 65,452 people of a January 2025 data breach that compromised personal information. The types of information the data contained were not publicly disclosed by the organization. Medusa took credit for the attack and demanded a ransom of $1.2 million.
63. INC ransomware group claimed responsibility for an attack targeting HeartLine Inc, a healthcare organization in Oklahoma. The claim on the dark web suggested that sensitive information may have been compromised during a breach of the organization’s internal networks. These claims have not been verified by HeartLine.
64. French naval defense contractor Naval Group was targeted by a hacker known as “Neferpitou,” who leaked 13GB of alleged internal data on a hacker forum, claiming to hold up to 1TB more. The files reportedly included combat management system code, technical documents, and developer resources related to French submarines and frigates. Naval Group denies any confirmed intrusion or operational impact but has launched an investigation with cybersecurity experts and French authorities to verify the leak’s authenticity and potential national security implications.
65. Ransomware group Kawa4096 claimed to have exfiltrated 150GB of personal information from CareSTL’s internal database following a recent cyberattack. The attack allegedly compromised electronic medical records, patient contact details, and possibly financial information.
66. Sanderling Healthcare was allegedly targeted by Sarcoma ransomware group. Sarcoma gained unauthorized access to the organization’s network, exfiltrating 587GB of data. The data reportedly included full backup archives, and internal company documents, alongside PHI. The claims made by Sarcoma have not yet been verified by the healthcare provider.
67. In Rhode Island, the town of North Providence confirmed it has notified 1,804 people of a May 2025 data breach that compromised their personal information. Although initially claiming no resident data was impacted, an investigation revealed that hackers had acquired certain individual personal information. Medusa took credit for the attack, demanding a $100,000 ransom.
68. Arbour Associates announced a data security incident that involved unauthorized access to patient data. An investigation into an April incident confirmed that patient information, including insurance data, had been accessed by an unauthorized individual. A report stated that 17,040 individuals were impacted by the incident.
69. Eswatini’s Water Services Corporation (EWSC) was hit by a cyberattack that forced it to suspend digital payment channels (e-Mali, Mobile Money, Cash Plus and Unayo) while systems were secured. W.A. Ransomware later claimed the breach. EWSC said services would continue via physical centers as it investigated potential data exposure.
70. Bordeaux-based architecture firm Moon Safari was hit by a ransomware attack claimed by the Qilin group. The attack was discovered around July 24, and while details remain scarce, Qilin reportedly posted a data leak page suggesting files were exfiltrated and encrypted. No further details on this attack are currently available.
71. Australian airline Qantas disclosed a cyberattack traced to June 30, when threat actors infiltrated a third-party contact‑centre platform. The breach affected records for approximately 5.7 million customers, exposing personal data such as names, email addresses, phone numbers, birthdates, and frequent flyer numbers. Qantas stressed that no financial details, passport data, passwords, PINs, or login credentials were compromised. The unknown threat actors allegedly gave the organization 72 hours to contact them.
72. Women-only dating-safety app Tea suffered a major breach of legacy data from users who registered before February 2024. Hackers accessed around 72,000 images, including 13,000 ID verification photos, and a second leak exposed 1.1 million private messages dating back to 2023. Tea took systems offline, disabled messaging, notified law enforcement, and offered free identity protection to affected users while reinforcing security measures. Those responsible for the attack have not yet been named.
73. Qilin ransomware group uploaded financial records to its leak site as proof of an attack on Morgan County 911. The incident, which took place in May, disrupted administration systems for several days. Although it acknowledged the attack, Morgan County 911 did not disclose any details on how many people were affected or if a ransom had been demanded.
74. Further details on the May ransomware attack targeting Infinite Services were released. Employees were unable to access the network, and the network was disconnected, interrupting the encryption process. The organization determined that some patient and employee data, contained in the compromised server, had been accessed by threat actors. No ransomware group has publicly claimed responsibility for the attack.
75. Allianz Life Insurance Company of North America suffered a breach after attackers used social engineering to access a third-party cloud CRM platform, exposing personal data for most of its 1.4 million U.S. customers, as well as some financial professionals and employees. Allianz notified authorities and said that internal systems were not compromised. 24 months of free identity protection was offered to impacted customers.
76. Gourmet cookie chain Crumbl was targeted by the Everest ransomware group, which publicly claimed to have compromised employee data from approximately 29,000 staff members. Everest posted sample files and issued a ransom countdown, though Crumbl has not commented publicly on the extent of the impact or data exfiltration claims.
77. Massachusetts Municipal Wholesale Electric Company (MMWEC) confirmed it notified at least 514 people of a January 2025 data breach that compromised confidential personal information. BlackSuit claimed responsibility for the attack, saying it had stolen data belonging to employees, partners, and people associated with the company.
78. In Michigan, McKenzie Memorial Hospital disclosed a cybersecurity incident that was detected in April 2025, when suspicious activity was identified within its network. A forensic investigation revealed that files containing patients’ protected health information may have been accessed during the incident. It is not yet known who is responsible for the attack.
79. Curaçao’s Tax Office was hit by a ransomware attack, forcing office closures and limiting services while systems were secured. Officials said early checks showed no indication of stolen or leaked confidential data. Dutch cybersecurity experts were tasked with a phased restoration.
80. North American ice manufacturer and distributor Arctic Glacier was hit by the Qilin ransomware group. The attack began on July 19 and was discovered on July 22, with Qilin publishing leaked screenshots, purporting to show sensitive corporate documents, employee passports, driver’s licenses, financial records, and internal legal files, on its dark web blog. Arctic Glacier has not confirmed the breach publicly.
81. The city of St. Paul, Minnesota suffered a major cyberattack first detected on Friday, July 25. Officials described it as a “deliberate, coordinated, digital attack” by a sophisticated external actor, prompting a full shutdown of the city’s information systems—including city building Wi‑Fi, library systems, and online services—to contain the threat. The Minnesota National Guard’s cyber protection unit was activated, and the governor declared a local state of emergency. The FBI and two cybersecurity firms are assisting the response; authorities have not yet confirmed any ransom demand or unauthorized data exfiltration.
82. High Point Treatment Center in Massachusetts reported a recent data event that was detected in early July. Third-party forensic experts and legal counsel were brought in to investigate unusual network activity. The investigation revealed that certain information had been breached. Abyss took responsibility for the attacks, claiming to have stolen 1.8TB of data.
83. Ireland’s state broadcaster RTÉ was allegedly targeted by Global ransomware group, which listed RTÉ on its dark web victim site on July 26. No data leaks or proof of compromise have been published, and RTÉ says it is working with Ireland’s National Cyber Security Centre to investigate the claim and verify whether its systems were breached.
84. Global ransomware gang claimed responsibility for attacking Albavisión, an international Spanish-language media conglomerate. The group alleges it exfiltrated roughly 400GB of sensitive internal data, including corporate communications and business documents, and is threatening to leak or sell the information if Albavisión does not enter into ransom negotiations.
85. Indiana’s First Baptist Church of Hammond was attacked by the Rhysida ransomware group, who claimed to have stolen sensitive staff and missionary records, including Social Security and ID details. The criminal gang demanded 5 BTC, approximately $594,000. The church confirmed a malware intrusion, shut down systems, and launched a forensic investigation, but has not disclosed whether ransom was paid.
86. Australia’s largest home builder, Metricon Homes, was hit by the Qilin ransomware group, who allegedly exfiltrated 128GB of sensitive data, including architectural designs, financial records, HR and employee documents, and over 98,000 files from the company’s systems. Metricon confirmed the cyber incident but emphasized that their construction operations and site safety were not affected. External experts were engaged to contain the incident, and the company notified Australian authorities.
87. New ransomware group Beast took credit for a May 2025 ransomware attack on the city of Washington Court House, Ohio. The attack disrupted city services, including the local tax office, the water department’s payment system, and municipal court records. The threat actors claimed to have stolen 134GB of data, posting sample images including personnel forms and tax documents as proof of claims.
88. INC ransomware gang claimed it had stolen 1.2TB of sensitive data from Dollar Tree. Dollar Tree responded that the data likely originates from legacy systems at 99 Cents Only (for which it acquired land/lease rights in 2024), not its own corporate systems, and that any link to Dollar Tree is “inaccurate.”
89. Medusa took credit for a June 2025 cyberattack on Franklin Pierce Schools in Washington. The school district was forced to cancel classes in response to a server, network, internet and phone outage caused by a system compromise. Medusa claimed to have exfiltrated 821GB of data and gave the district 10 days to pay a $400,000 ransom.
90. Beast ransomware gang added El Paso Quality Dentistry to its data leak site, claiming to have stolen approximately 700GB of data. Screenshots were uploaded to the leak site, with some folder names suggesting that patient data may have been compromised. At the time of writing, the stolen data had not been leaked.
91. DragonForce claimed to have stolen 96GB from Emerson Chiropractic in Indianapolis. While there is very little information available in relation to the attack, all data has now been published on the group’s dark web leak site.
92. Minnesota Epilepsy Group (MEG) experienced a cybersecurity incident that affected certain systems within its network and caused some disruption to business operations. According to a breach notice, the incident took place in February, when immediate action was taken to secure systems following suspicious network activity. Although the investigation is still ongoing, it has been confirmed that client and employee data was exposed during the incident.
93. Computer specialists are working to recover systems at the Ridgefield Public School system following a ransomware attack. School officials stated that the network was taken offline in an attempt to limit the impact of the incident. At this time, it is not clear if any personal data has been compromised.
94. Mid Florida Primary Care publicly disclosed information relating to a late 2024 ransomware attack. The incident began when BianLian claimed responsibility for infiltrating the practice’s network and posted evidence of the attack on the dark web. The group claimed to have obtained a wide range of data including financial records, HR data, and multiple patient records.
95. Everest added Mailchimp to its dark leak blog in late July, claiming to have internal documents containing a variety of personal and client information. The group allegedly exfiltrated 767MB of data and posted two alleged database samples on its leak site along with an instruction to contact them before a countdown timer runs out.
96. Wood River Health disclosed that they had experienced a data security incident last year which involved the sensitive personal information of over 50,000 individuals. The breach stemmed from unauthorized access to an employee email account, prompting an investigation to assess its nature and scope. Exposed data included personally identifiable information (PII), protected health information (PHI), and various insurance-related documents. To date, no criminal group has claimed responsibility for the incident.