
The State Of Ransomware June 2025
June recorded 96 ransomware attacks, the highest ever for the month and a 113% increase compared to June 2024. The Healthcare, Government, and Services sectors were the most frequently targeted, together accounting for 56% of all publicly disclosed incidents. A total of 32 ransomware groups claimed responsibility for attacks during the month, with Qilin emerging as the most active, linked to 11 incidents.
Discover who made ransomware headlines in June:
1. The City of Durant, Oklahoma, was targeted by a ransomware attack that disrupted several city services. According to officials, the cyberattack affected internal systems and temporarily shut down access to certain digital resources, prompting the city to disable parts of its network as a precaution. While emergency services remained operational, some non-critical departments experienced service delays. The incident is under investigation by cybersecurity experts, and the city is working to restore full functionality while assessing the scope of the breach. INC ransomware gang took credit for the attack, claiming to have exfiltrated more than 800GB of information.
2. North Dakota-based potato processing company, Nokota Packers, recently fell victim to a ransomware attack that disrupted its operations. The cybercriminal group J Group claimed responsibility, listing the company on its leak site and allegedly stealing 50GB of data. Nokota Packers has not publicly confirmed the extent of the breach.
3. Qilin ransomware gang reportedly targeted Office National, one of Australia’s largest office supply networks. The gang listed the company on its dark web leak site, claiming to have stolen a range of sensitive data including financial records, contracts, and personal information. While Office National has not yet confirmed the breach publicly, the listing suggests the attackers may soon release the stolen data unless a ransom is paid.
4. Central Maine Healthcare recently experienced a significant cyberattack that disrupted key operations across its hospital network. Unusual activity was identified, and the systems were immediately secured and shut down. The healthcare provider notified patients via a post on its Facebook page, detailing that document systems, internet access and its website were impacted. Further information will be released following an investigation. At this time, it is not known who is responsible for the incident.
5. The Puerto Rico Department of Justice recently confirmed it was targeted by a cyberattack affecting its Criminal Justice Information Office. In a joint statement with the Puerto Rico Innovation and Technology Service, officials announced that preventive protocols were activated to contain the incident. As a precaution, certain services, such as issuing criminal record certificates, have been temporarily suspended. Authorities emphasized that systems will only be restored once their security and data integrity are fully verified. The investigation remains ongoing, and it is not yet known whether federal agencies are involved in the response.
6. Lorain County experienced a network security incident that disrupted dozens of government systems and forced officials to take them offline. While emergency services remained operational, several court systems were impacted, prompting warnings about potential changes to operating hours. The county has since reopened its courts and enlisted cybersecurity experts to investigate the cause and scope of the incident. The restoration process is ongoing.
7. 23,282 individuals were notified of a March 2025 data breach that compromised patient information at Compassion Health Care. CHC was forced to offer services remotely for some time following the incident. SafePay took credit for the breach, claiming to have stolen 107GB of data. Compromised data includes PII, claims information, clinical data and employee details.
8. Texas Digestive Specialists, a gastroenterology and surgical practice operating across the state of Texas, was targeted by the Interlock ransomware group. The attackers claimed to have exfiltrated approximately 263 GB of data, encompassing over 215,000 files across 16,920 folders. The compromised data reportedly included sensitive patient information such as names, dates of birth, medical histories, and detailed pathology reports spanning nearly two years. As of now, Texas Digestive Specialists has not issued a public statement regarding the breach, nor is there any indication of a breach disclosure on the medical group’s website.
9. Stormous claimed responsibility for a cyberattack on Volkswagen Group, alleging they had stolen sensitive corporate and customer data. The group listed Volkswagen on its dark web leak site, asserting that the exfiltrated data included user account details, authentication tokens, session cookies, contact information, and vehicle identification numbers (VINs). However, the group did not disclose the amount of data purportedly obtained, nor did it provide any data samples to support the claims.
10. Next Step Healthcare confirmed it notified over 12,000 patients of a June 2024 data breach. Upon discovering unusual activity within its network, Next Step took steps to secure its environment and enlisted the assistance of external experts. Qilin claimed the attack in July 2024, but Next Step has not verified the ransomware group’s claims.
11. Luxury jewelry brand Cartier disclosed a cyberattack in which an unauthorized party briefly accessed its systems and obtained limited customer information, including names, email addresses, and countries of residence. The company confirmed that no passwords, credit card details, or banking information were compromised. Cartier has since contained the breach, notified relevant authorities, and engaged external cybersecurity experts to enhance its defenses.
12. The Mental Health Association (MHA), based in Massachusetts, reported a data breach impacting 12,633 individuals. The incident was first detected on December 2, 2024, prompting immediate action to secure systems and launch a forensic investigation. It was later confirmed that a threat actor had gained unauthorized access and may have exfiltrated sensitive data. The compromised information includes names, Social Security numbers, medical details, financial data, and other personal identifiers. MHA finalized its review in May 2025 and has since notified affected individuals, offering complimentary credit monitoring and identity theft protection.
13. Behavioral Health and addiction treatment provider Gateway Community Services, Inc. (GCS) recently notified 34,498 current and former patients that some of their protected health information was stolen in an April 2025 cyberattack. Upon detection of the intrusion, GCS took immediate action to secure its network and engage third-party experts to conduct an investigation. Data exfiltrated during the incident includes PII, medical treatment information and health insurance information.
14. The Payne County Sheriff’s Office was targeted by a ransomware attack. SafePay ransomware group claimed responsibility, alleging the theft of 8 GB of data. While the specific nature of the compromised data has not been confirmed, the Sheriff’s Office advised individuals who filed reports prior to May 15, 2025, to monitor their bank accounts, change passwords, and implement additional security measures. The FBI is conducting a criminal investigation into the incident. Despite the cyberattack, the Sheriff’s Office reported no impact on its critical public safety operations and efforts to restore internal IT systems are ongoing.
15. American Hospital Dubai (AHD), a leading private healthcare provider in the UAE, was targeted by the Gunra ransomware group in a significant cyberattack. The attackers claimed to have exfiltrated approximately 4TB of data, including sensitive personal, financial, and clinical records. Gunra threatened to release the stolen data publicly by June 8 if their ransom demands were not met. The breach reportedly disrupted critical hospital systems, including electronic health records and billing services. As of now, AHD has not publicly commented on the incident.
16. It has been revealed that in January 2025, Eindhoven University of Technology (TU/e) experienced a significant cyberattack that disrupted its operations. Attackers exploited compromised credentials to access the university’s network, remaining undetected for five days. Upon detecting suspicious activity, TU/e swiftly shut down its entire network to prevent further damage, leading to a week-long suspension of classes and exams. Investigations revealed that the attackers had gained administrative access and were close to deploying ransomware, but the university’s prompt response averted data encryption and theft.
17. Anchor Industries, a prominent manufacturer of outdoor structures based in Indiana, fell victim to a ransomware attack orchestrated by Play ransomware gang. The breach, discovered on May 30, led to the encryption of critical files and databases, significantly disrupting the company’s operations. The attackers claimed responsibility by posting evidence on their dark web leak site, including screenshots of internal documents, suggesting potential data exfiltration. While Anchor Industries believes that customer data impacted is limited to publicly available information, the full extent of the breach remains under investigation.
18. Campbell Petroleum Distributors, a fuel and logistics company based in New South Wales, Australia, reportedly fell victim to a ransomware attack by WorldLeaks. The breach allegedly compromised 696.1 GB of sensitive operational data, potentially including customer information and financial records. While the full extent of the data exfiltration remains unclear, the incident underscores the growing cybersecurity threats facing the energy and logistics sectors. As of now, Campbell Petroleum Distributors has not publicly commented on the breach.
19. Ransomware group Global claimed responsibility for an attack involving 40GB of allegedly stolen data, including patient records, medical imaging, and internal documents, which they reportedly leaked online. The group identified Epworth HealthCare, a major hospital network in Victoria, Australia, as the target. However, Epworth has firmly denied any breach of its systems, stating that an independent investigation found no evidence of unauthorized access or data compromise. The organization suggested the data may have originated from an unrelated third-party provider.
20. Qilin ransomware group claimed responsibility for a cyberattack on Regents Capital Corporation, a U.S.-based commercial equipment finance firm. The attackers alleged they had exfiltrated 99GB of confidential information including sensitive financial documents, such as client bank statements, share repurchase agreements, and solar power purchase agreements. Qilin announced plans to release the stolen data publicly on June 17, 2025, if their ransom demands were not met. As of now, Regents Capital has not publicly commented on the incident.
21. The Health Trust, a nonprofit organization serving Silicon Valley, was targeted by the Qilin ransomware group. The attackers claimed to have exfiltrated sensitive data, including community support agreements, employee pay stubs, and budget summaries. A sample of the stolen data was added to the leak site along with a threat that stolen data would be published on June 17 if an undisclosed ransom was not paid.
22. In Montana, All Nations Health Center was targeted by the Global ransomware gang. The threat actors claimed responsibility for the breach and threatened to publish stolen data unless a ransom was paid by June 8. As of now, the organization has not publicly confirmed the extent of the breach or whether any sensitive information was compromised.
23. It was reported that 36,659 individuals were impacted by an April ransomware attack on Cumberland County Hospital. Upon discovering unauthorized access to its computer network, the hospital immediately shut down all computers and disabled its data sharing connection. The attack led to unauthorized access to files containing patient and employee information.
24. Pennsylvania-based law firm Carpenter, McCadden & Lane (CML) experienced a cyberattack that compromised sensitive personal information of over 7,900 individuals. The breach remained undetected for almost one year before CML discovered unauthorized access to its systems. The Meow ransomware group claimed responsibility, alleging the theft of approximately 100 GB of data, including employee records, client information, and scanned documents.
25. Solar City Tyre Service was targeted by the BlackLock ransomware group. The attack was detected on June 3, with the breach discovered the following day. BlackLock claimed responsibility and listed the company on its dark web leak site, suggesting that sensitive business data may have been compromised. It is not clear how much data was exfiltrated during the incident.
26. Queensland-based accounting firm Ryan Harvie McEnery was targeted by the BlackLock ransomware group, which listed the firm on its darknet leak site and threatened to publish allegedly stolen data by mid-June. No further information about this attack is available at this time.
27. A major cybersecurity breach forced the General Registry at Belize’s High Court to go dark, with the ransomware attack rendering core systems inoperable. An official release downplayed the incident as “technical difficulties” while sources confirmed that services had been stopped. It is not yet known who is responsible for the attack or if any data was stolen during the incident.
28. A recent cyberattack on Iowa County left residents without vital records and services. The April attack resulted in an attacker deleting a “significant portion” of the county’s network including backups, meaning some data cannot be recovered. Due to the ongoing nature of the investigation, further details have not been disclosed.
29. Optima Tax Relief, a prominent U.S. tax resolution firm, fell victim to a ransomware attack by the Chaos group. The attackers exfiltrated approximately 69GB of sensitive data, including corporate records and customer case files containing personal information such as Social Security numbers, phone numbers, and home addresses. Employing a double extortion tactic, the group not only encrypted the company’s servers but also leaked the stolen data online to pressure the company into paying ransom. As of now, Optima Tax Relief has not publicly commented on the incident.
30. Major North American grocery distributor United Natural Foods Inc (UNFI) experienced a significant cyberattack that disrupted its operations. The company detected unauthorized activity on its IT systems on June 5 and took immediate action by shutting down certain systems to contain the breach. This led to substantial delays in order fulfillment and distribution, affecting over 30,000 retail locations, including Whole Foods Market, which relies on UNFI as its primary supplier. The disruption resulted in noticeable product shortages in various grocery stores across the U.S. and Canada. UNFI has engaged external cybersecurity experts and notified law enforcement agencies to investigate the incident. While the company has implemented manual workarounds to continue servicing customers, the full restoration of systems is ongoing, and the exact nature of the cyberattack has not been disclosed.
31. Arkana ransomware gang allegedly gained access to Ticketmaster’s database infrastructure and exfiltrated a trove of sensitive customer data. The threat actors intend to sell the comprehensive databases containing ticket sales records, payment methodologies, demographic profiles, and confidential internal documentation.
32. In Philadelphia, Mastery Schools confirmed it notified 37,031 individuals of a September 2024 cyberattack that compromised personal information. At the time of the attack, the school network reported that an IT outage crippled phone lines and email access. DragonForce took credit for the attack, claiming to have stolen 171GB of data from Mastery Schools.
33. AMI Group, a travel and tours operator, was targeted by a ransomware attack attributed to APT73 (also known as Bashe). The incident was brought to AMI’s attention by the FBI’s Cyber Task Force in Philadelphia, which confirmed that the company’s name appeared on a ransomware group’s threat site. AMI clarified that the breach affected only its upcoming digital platforms scheduled for launch on July 1, 2025, while existing client systems and services remained fully operational and secure. As of the latest update, no ransom has been demanded or paid, and no data has been publicly leaked. AMI is collaborating with cybersecurity experts to investigate the incident and reinforce its security measures.
34. The superintendent of Lexington Richland School District reported a cyberattack and disruption at its D5 headquarters. Unusual network activity impacting certain operations was detected, with the district taking immediate steps to secure its network. An investigation into the full nature and scope of the incident is currently ongoing. Interlock has since claimed responsibility for the attack, allegedly stealing 1.3TB of data.
35. INC ransomware group added Nunez Dental to its dark web leak site, claiming to have stolen 45GB of data during a recent ransomware attack. The data allegedly includes financial information, contracts and patient information. The New York-based dental practice has yet to announce a cyberattack.
36. The Vascular Experts announced a cybersecurity incident that was detected by Southern Connecticut Vascular Center in May. Steps were immediately taken to secure systems and notify relevant law enforcement. An investigation confirmed that PII and health insurance information were exposed and potentially stolen. INC added The Vascular Experts to its dark web leak site, posting screenshots as proof of theft.
37. It has been announced that Renkim Corporation, a Southgate, Michigan-based provider of communication and mailing solutions, experienced a ransomware-related data breach in March 2025 that impacted 46,592 individuals. Suspicious activity was detected on March 3, and an investigation confirmed unauthorized access had occurred the day prior. The attackers likely exfiltrated files containing data used for client mailings, including names, contact details, account numbers, and service dates. In some cases, Social Security numbers and dates of birth were also compromised. Renkim has begun notifying affected individuals and is working with cybersecurity experts to address the incident.
38. San Jose Country Club, a prestigious private club in California, fell victim to a ransomware attack by Medusa. The attackers claimed to have exfiltrated approximately 117GB of sensitive data, including personal information of employees and clients, such as names, dates of birth, Social Security numbers, and internal administrative documents. Medusa set a ransom deadline of June 30, 2025, demanding $150,000 and published proof-of-breach images to pressure the club into compliance. As of now, the club has not publicly commented on the incident.
39. 86,414 people were notified about a March 2025 data breach that targeted Dermatologists of Birmingham. The skin care practice began a comprehensive investigation after becoming aware of suspicious activity within its network. Qilin claimed responsibility for the attack, saying it stole 141GB of data.
40. Yes24, South Korea’s largest online bookstore and ticketing platform, suffered a ransomware attack that disrupted its services for several days. The attack rendered the company’s website and mobile app inaccessible, halting book sales, ticket reservations, e-book access, and digital library services. Initially, Yes24 reported that no personal data had been compromised. However, the Personal Information Protection Commission (PIPC) launched an investigation after Yes24 later acknowledged signs of unauthorized access to member information during their response efforts. As of now, Yes24 has not disclosed whether a ransom was paid, and recovery efforts are ongoing.
41. Ascot Vale Health Group, a medical center in Melbourne, Australia, was targeted by the emerging ransomware group Global. The group listed the organization on their dark web leak site, threatening to publish stolen data within 24 hours. While the specific nature of the compromised information has not been disclosed, the incident underscores the growing cybersecurity threats faced by healthcare providers. As of now, Ascot Vale Health Group has not publicly commented on the breach.
42. UK-based global maritime logistics firm S5 Agency World was targeted by a ransomware attack orchestrated by Bert. The threat actors claimed to have exfiltrated nearly 140GB of sensitive corporate data including internal documents, inspection reports, employee information, and passport copies. Samples of stolen data were published on the dark web. S5 Agency World has not publicly confirmed the breach.
43. Erie Insurance, a Fortune 500 insurer, experienced a significant cyberattack that disrupted its operations. On June 7, the company’s Information Security team detected unusual network activity, prompting immediate action to safeguard systems and data. The incident led to widespread outages, affecting customer portals and claims processing. Erie Insurance is collaborating with law enforcement and cybersecurity experts to investigate the breach. The full scope of the attack is still being determined but the organization is already facing two class action lawsuits relating to the incident.
44. Philadelphia Insurance Companies (PHLY) experienced a significant ransomware attack that disrupted its operations. The attack, attributed to Scattered Spider, led to a network outage affecting PHLY’s phone, email, and online application systems, rendering them inaccessible to both staff and customers. Employees were instructed to remain offline as the company initiated a forensic investigation and engaged law enforcement agencies to address the breach.
45. INC added Mount Rogers Community Services to its dark web leak sites, with a number of screenshots included as proof of claims. The data stolen from the mental health care provider appears to include names, addresses, invoices, personal messages, and confidentiality agreements.
46. Kerrville Independent School District (KISD) in Texas fell victim to a ransomware attack orchestrated by the Qilin group. The breach, discovered on June 11, compromised the district’s official website, potentially affecting access to educational resources and administrative systems. As of now, KISD has not publicly disclosed the extent of the breach or whether any sensitive data was exfiltrated.
47. McLean Mortgage Corporation confirmed it notified 30,453 people of an October 2024 ransomware attack that compromised names, SSNs, driver’s license numbers, and financial account numbers. Black Basta took credit for the attack, giving McLean one week to pay an undisclosed ransom demand. To prove its claim, Black Basta posted images of stolen files.
48. Asefa Insurance, a Spanish firm specializing in construction and civil works coverage, was targeted by the Qilin ransomware group. The company announced that it had suffered a cyberattack, which impacted part of its systems, forcing it to close down its website until further notice. Qilin claimed to have exfiltrated a total of 210GB of data from the insurer, adding several data samples to its dark web post.
49. British Horseracing Authority (BHA) suffered a suspected ransomware cyberattack that forced the temporary closure of its London headquarters and saw staff transition to remote working while external cybersecurity experts assisted the investigation. The incident, initially detected at the end of May or the first week of June, appeared to be confined primarily to internal systems and data, with no reported impact on the race calendar or public-facing operations. The BHA emphasized that all scheduled race meetings, including events over Derby weekend, continued uninterrupted. As investigations continue, law enforcement has been notified, and the organization is focused on restoring full system integrity and determining the full scope of the breach.
50. A ransomware attack disrupted operations at Waiwhetu Medical Centre, a community clinic in Lower Hutt, New Zealand. INC claimed responsibility, alleging the theft of 110GB of internal data, including contracts, HR records, financial files, and patient consent forms, though the extent of compromised sensitive information remains unclear. Despite the breach, the center maintained essential patient services and committed to notifying individuals if their data was impacted. Authorities were alerted, and the incident highlighted the growing cybersecurity risks faced by healthcare providers.
51. INC ransomware gang added The Catholic Cemeteries of the Diocese of Hamilton to its dark web forum this month. Sample data shared online suggests threat actors obtained financial documents, territory plans, contracts, and some employee information.
52. A cyberattack led to widespread phone and internet outages affecting the Ogeechee Judicial Circuit District Attorney’s Office in Georgia. In response, the office issued updates noting that operations were significantly limited, and multiple locations were closed for five days to allow for investigation and system recovery. At this stage, it remains unclear whether any data was stolen or who was behind the attack.
53. Despite a cyberattack that took many city systems offline in Thomasville, North Carolina, essential services for residents continued without interruption. The attack primarily targeted municipal infrastructure, though it remains uncertain whether any sensitive data was accessed or compromised.
54. 550 Madison Avenue, the renowned landmark office skyscraper in Midtown Manhattan owned by the Olayan Group, was struck by a ransomware attack orchestrated by the Qilin group. In the attack, discovered on June 12, Qilin claimed possession of approximately 700GB of internal data and threatened to leak it publicly. While the breach did not appear to disrupt tenant operations or public access to the building, incident response teams are currently collaborating with cybersecurity experts to assess the full extent of the breach and secure the compromised systems.
55. A ransomware incident targeted Coop Hospital, run by the Palawan Medical Mission Group in Puerto Princesa City. The cybercriminal gang Qilin allegedly infiltrated the hospital’s systems, exfiltrating around 30GB of data, including over 45,000 files containing X‑rays and clinical chemistry results from November 2024, and threatened to publish it by June 22 if undisclosed ransom demands weren’t met. A third-party monitoring service first alerted hospital management, who responded quickly by isolating affected systems and initiating a forensic investigation. Despite the breach, essential medical services continued uninterrupted, and authorities are working to clarify the extent of the compromise and whether ransom negotiations occurred.
56. More than 5 million individuals were reportedly affected by a ransomware attack on medical software provider Episource in January 2025. The breach also prompted separate notification disclosures from Episource clients, including Sharp Community Medical Group and Sharp Healthcare. Compromised data is believed to include personal details, health information, and health insurance records. As of now, no ransomware group has publicly claimed responsibility for the incident.
57. A ransomware attack severely impacted Skeggs Goldstien, a financial services firm based in New South Wales, Australia. The company was listed on a leak site by Qilin. The breach allegedly exposed approximately 500GB of sensitive client and business data, including personal details, tax returns, confidentiality agreements, client questionnaires, statements of advice, and financial documents. In response, the firm enlisted cybersecurity specialists to investigate and notified both the Office of the Australian Information Commissioner and the Australian Cyber Security Centre. The full extent of the impact on clients has yet to be disclosed.
58. Deakin Medical Centre was hit by a ransomware attack attributed to Global ransomware group. The threat actors encrypted critical systems, locking staff out and halting access to patient records. A subsequent leak posted on a darknet forum reportedly included patient scan results, psychiatric assessments, and comprehensive care plans, indicating the attackers exfiltrated sensitive healthcare data. The extent of operational disruption hasn’t been fully disclosed.
59. WestJet, the second-largest carrier in Canada, was targeted by a cyberattack that disrupted access to its mobile app, website, and some internal systems. While operations and flight safety remained unaffected, guests encountered intermittent errors when booking or logging in. WestJet responded swiftly by activating its incident response team, bringing in external cybersecurity specialists, and coordinating with law enforcement and Transport Canada to assess the situation and secure its digital infrastructure. At this stage, the extent of any data compromise or the identity of the attackers is still undetermined.
60. The servers of North Delhi’s NKS Super Speciality Hospital were compromised in a targeted cyberattack that knocked out digital systems and disrupted outpatient and inpatient services. Patient records, financial information, and administrative files were reportedly accessed, prompting hospital staff to revert to manual processes to ensure continued care. Delhi Police were contacted and the hospital engaged cybersecurity specialists to trace the perpetrators.
61. A cyberattack struck the servers of North Delhi’s Sant Parmanand Hospital, disrupting critical systems and prompting staff to switch to manual operations for essential services. Investigations revealed unauthorized access to patient records, billing systems, and administrative data. The Delhi Police promptly lodged an FIR under Section 66 of the IT Act and enlisted cybersecurity experts to assess the impact of the attack.
62. Israeli energy and infrastructure giant Delek Group suffered a significant ransomware attack. The breach, allegedly carried out by Handala, resulted in the theft of over 2TB of internal data spanning fuel supply, exploration, and retail operations. Files from military‑contract-related activities were reportedly included in the leak. Investigations are ongoing to determine the full scope of the compromise, and whether any operational disruptions occurred.
63. Aerodreams, a former government-affiliated drone and aerial services company, became the target of a ransomware attack by the Handala group. Handala allegedly exfiltrated and leaked approximately 400GB of internal documents detailing covert drone operations, training protocols, and logistics sensitive to Argentina’s defense infrastructure.
64. DragonForce uploaded Stafford County to its leak site, giving the government entity five days to meet an undisclosed ransom demand before it leaks 830.03GB of data. Stafford County reported that it experienced a security incident in March which caused network disruption and impacted system operations. No further details have been provided and claims made by DragonForce have not been verified.
65. Germany’s century‑old paper napkin manufacturer, Fasana GmbH, was crippled by a ransomware attack that encrypted its entire IT infrastructure, including around 190 laptops and desktop PCs. The assault halted production, invoice printing, salary payments, and deliveries, causing massive losses and pushing the company into insolvency proceedings. Ransom notes were reportedly printed directly from corporate printers, and although a known ransomware gang was implicated, no public ransom demand has surfaced.
66. Car-sharing platform Zoomcar suffered a cyberattack that exposed the personal data of approximately 8.4 million users. The incident was discovered when employees were contacted directly by the threat actor. The breach involved the theft of names, phone numbers, email addresses, home addresses, and vehicle registration details. The organization activated its incident response plan, implementing enhanced security measures, engaging external cybersecurity experts, and cooperating with regulatory and law enforcement authorities. Although financial data and passwords appear to have remained secure and operations were not materially disrupted, the company continues to assess the extent of the damage and its implications.
67. Freedman Healthcare reportedly experienced a major cyberattack, allegedly orchestrated by the ransomware group WorldLeaks. According to the group, around 52GB comprising approximately 42,000 files, likely containing sensitive healthcare analytics, insurance payment data, and patient-related records, were exfiltrated during the incident. Incident response efforts are reportedly underway, though details on system disruptions, ransom demands, or data authenticity remain unclear. Freedman Healthcare has not yet publicly addressed the claims made by the threat actors.
68. Kairos claimed to have successfully deployed a ransomware attack across Taos County’s official systems, significantly disrupting local government operations and public services. The group claimed responsibility via its leak site for the attack, stating that it stole 1.94TB of data from the local government. Taos County IT teams, together with external cybersecurity responders, are working to restore affected services and isolate infected systems. Detailed information about the data exfiltrated during the attack or ransom demands remains unclear. Further forensic analysis is underway to determine the full scope of the breach and guide remediation efforts.
69. Ocuco Inc., a global provider of optical software solutions, disclosed a significant data breach affecting the protected health information (PHI) of 240,961 individuals. Although the company has not yet provided detailed specifics about the incident, the Kill ransomware gang listed Ocuco on its leak site in April. Screenshots posted there reveal compromised materials such as business documents, patient appointment records, and folders associated with clients across the U.S. and Canada. The breach has prompted legal scrutiny, with multiple law firms launching investigations into potential class action litigation.
70. Mower County’s digital systems were knocked offline by a ransomware attack that forced shutdowns of most IT systems, with officials aiming to fully restore services by the end of the week. The incident was confirmed and county officials emphasized that recovery efforts were underway. While the nature of the data affected hasn’t been disclosed, the interruption mainly impacted internal operations rather than public-facing services. Incident response teams have been mobilized to clean infected systems, investigate the intrusion, and reinforce cybersecurity defenses.
71. Pressure Dynamics, headquartered in Western Australia, was hit by a ransomware attack carried out by the DragonForce group. The group claims to be in possession of 106.84GB of data, which has already been published in full. The two published folders consist of historical sites and customer reports, as well as detailed technical drawings of equipment. One of the folders also contains pathology and medical reports relating to employees. The organization is aware of the claims made by DragonForce and is working with relevant authorities.
72. Chain IQ, a global procurement and supply chain management firm operating across hubs like Zurich, London, and Singapore, was struck by a ransomware attack perpetrated by the WorldLeaks group. The breach reportedly compromised 910GB of sensitive internal data. While specific details on what data was stolen remain limited, it’s believed to include operational documentation and client related information.
73. Scania revealed that its corporate insurance platform had been compromised by threat actors who used stolen credentials to gain access, encrypt systems, and steal approximately 34,000 internal files related to insurance claims. The breach involved exfiltration of potentially sensitive customer and vehicle data, as evidenced by a preview of leaked documents. Scania acknowledged the incident, confirmed that external partner credentials had been misused, and temporarily took its insurance portal offline. The company has launched an internal investigation and is working to assess the full impact, including potential exposure of customer information.
74. Space Bears listed Sydney-based managed services provider Vertel as a victim on its leak site. The gang claims to have successfully exfiltrated data, including SQL databases, client personal information, and financial documents. The organization confirmed it is recovering from an incident, and that an investigation is currently underway.
75. Asheville Eye Associates (AEA), an eye care provider based in North Carolina, confirmed that a data breach in late 2024 exposed the personal information of over 147,000 individuals. Investigations revealed that threat actors had exfiltrated a wide range of sensitive data. The ransomware group DragonForce took responsibility for the attack, claiming to have stolen 540GB of information, which was later released online.
76. Eastern Platinum Limited (Eastplats), a Canada‑based mining company with operations in South Africa, was struck by a ransomware incident involving WorldLeaks. Suspicious activity was first detected on June 11, 2025, indicating that the attackers had compromised internal IT systems. Eastplats disclosed the incident on June 16, having swiftly contained it, engaged cybersecurity experts, and confirmed that core operations remained unaffected. Some internal files were exfiltrated and later leaked on restricted-access web forums, prompting Eastplats to notify relevant authorities and review the exposed information to safeguard legal compliance and commercial confidentiality.
77. Oxford City Council detected an unauthorized presence within its network, triggering its automated defense to limit the cybercriminal’s access. While core systems, such as email and payment platforms, remained largely unaffected and have since been restored, legacy systems housing data on election staff were taken offline for forensic investigation, causing temporary service disruptions. An investigation revealed that personal information of individuals involved in council-administered elections between 2001 and 2022 may have been accessed. The council has individually notified those potentially affected, engaged external cybersecurity experts, and reported the incident to authorities.
78. Russian dairy producers reported supply disruptions following a cyberattack on The Mercury Platform, the country’s digital system for certifying animal-based products. The system was taken offline, forcing producers and suppliers to revert to paper-based veterinary certificates. The outage also disrupted data exchange with other government platforms. No group has claimed responsibility for the attack.
79. Dairy Farmers of America revealed that a number of its 84 nationwide manufacturing plants experienced disruption following a cyberattack. The threat was immediately contained, with the organization working with cybersecurity experts to ensure a full recovery. Play ransomware gang has claimed the attack, allegedly stealing confidential information including client documents, financial information and other personal data.
80. It emerged that Nova ransomware gang attacked Feng Chia University. The private university in Taichung received outside intelligence indicating that it had been targeted by the ransomware group, prompting the immediate launch of an investigation. After 24 hours, the university claimed that it had confirmed the cause and scope of damage. The ransomware group claims to have obtained 10GB of data including source code, employee information, student payment records and database structures. A ten-day deadline for negotiations has been set by the threat actors.
81. Just before the system went completely offline, administrators discovered that a ransomware group had encrypted Tonga’s National Health Information System, effectively halting digital access to every patient record, prescription, appointment, and health plan. Staff were forced to revert immediately to manual record-keeping while critical services continued under extreme strain. Although the hackers reportedly demanded a ransom in the “couple of millions” of US dollars, Tonga’s Health Minister assured Parliament that the integrity of medical data remained intact, with no confirmed deletion or alteration. INC has since claimed responsibility for the attack, adding screenshots as proof of claims to its dark web site.
82. In Brazil, Hospital Santa Rita was reportedly attacked by INC ransomware gang, with the group publishing samples of the stolen data online as proof of the attack. The attack compromised the hospital’s IT infrastructure, disrupting digital operations and prompting an immediate incident response to contain the threat. The group offered a three-day window for ransom negotiations.
83. Network monitoring systems flagged suspicious activity within Aflac’s U.S. infrastructure, prompting the insurer to activate its incident response protocols and halt the intrusion within hours. The breach, attributed to a “sophisticated cybercrime group,” which reports are suggesting is Scattered Spider, relied on social engineering tactics to gain access. Preliminary findings indicate that sensitive customer information, such as Social Security numbers, health records, claims data, and possibly employee and agent details, may have been compromised. The company remains operational, working with third-party cybersecurity experts to assess the full scope of the breach and determine the number of affected individuals.
84. Disneyland Paris was reportedly targeted by the Anubis ransomware group, which claimed responsibility for a significant data breach. The group alleged that they obtained 64GB of sensitive data, including approximately 39,000 files related to the park’s construction and renovation projects. These files purportedly contained detailed engineering plans and blueprints for various attractions such as Frozen, Pirates of the Caribbean, and Ratatouille. The breach was said to have occurred through a partner company associated with Disneyland Paris. As of now, Disneyland Paris has not officially confirmed the breach, and there is no public information regarding any ransom demands or the potential impact on customer data.
85. 101,104 individuals were notified of an April 2024 data breach involving Mainline Health Systems. INC ransomware gang claimed the attack, adding the healthcare provider to its leak site in early May. The dark web posting included a number of screenshots as proof of claims. Mainline has not verified INC’s claims.
86. Apex Global Solutions LLC, a managed services provider based in New York, reported a cybersecurity breach in June 2024 that led to unauthorized access to sensitive information. An investigation confirmed that both personally identifiable information (PII) and protected health information (PHI) were among the data compromised. The breach affected 14,741 individuals.
87. It was revealed that a December 2024 cyberattack resulted in unauthorized access to the cloud storage platform of Georgia-based Decisely Insurance Services, leading to the exfiltration of sensitive data. A total of 65,405 individuals were notified of the breach. The identity of the attacker has not been made publicly available.
88. The City of Green River’s finance director confirmed that the city had fallen victim to a ransomware attack that impacted its computer systems. Due to the ongoing nature of the incident, limited information has been made public. At this time there is no evidence of a data breach or data exfiltration.
89. Claims of a potential data breach involving Telcom Insurance Group are under investigation by data breach attorneys, following the appearance of the company’s name on the Lynx ransomware gang’s leak site. While Telcom has not confirmed any breach, the threat actors claim to have exfiltrated data and have posted screenshots on the dark web as purported evidence.
90. Upper Dublin Family Dentistry reported a ransomware attack and data breach which occurred in May 2025. Upon discovering the attack, an investigation was launched, and systems have since been restored. It is believed that patient data may have been accessed and potentially stolen by threat actors.
91. In the UK, Glasgow City Council confirmed it was struck by a cyberattack that forced key digital services offline and may have resulted in the theft of customer data. Specifics on the nature and volume of data have not been disclosed. No ransomware gang has yet claimed responsibility for the incident.
92. Freight company Estes Forwarding Worldwide confirmed it notified victims of a May 2025 cyberattack carried out by Qilin. The organization assured partners, customers, and employees that there was no significant disruption to the business as a result of the attack. To prove its claims, Qilin posted sample images of alleged stolen data from Estes, including passport scans, driver’s licenses, and spreadsheets.
93. Hawaiian Airlines experienced a cybersecurity incident that disrupted certain IT systems. Despite the disruption, Hawaiian Airlines confirmed that all flights continued to operate safely and on schedule. The airline has engaged authorities and cybersecurity experts to investigate and mitigate the impact of the breach. The Federal Aviation Administration is monitoring the situation and has stated there is no impact on flight safety.
94. Texas Centers for Infectious Disease Associates (TCIDA) issued a press release and sent notification letters to patients affected by an attack they first discovered last July. An investigation determined that an unauthorized individual may have accessed or acquired certain files and data stored within their systems as a result of an incident experienced by their former third-party billing vendor. BianLian claimed responsibility for the attack, allegedly stealing 300 GB of “accounting data”, medical and personal data, network users’ personal folders, files from President PC, and file server data.
95. Swiss nonprofit health organization Radix confirmed that its systems had been breached by Sarcoma ransomware group. An official statement from the Swiss government noted that various federal offices are among Radix’s customers. Sarcoma claimed to be in possession of more than 2TB of data, but the nature of information exfiltrated remains unknown.
96. Nonprofit organization Deutsche Welthungerhilfe was targeted in a cyberattack attributed to the Rhysida ransomware group. According to reports, the incident did not disrupt operational activities or ongoing aid projects. Rhysida issued a six-day deadline for the organization to pay a ransom demand of 20 BTC. To support its claims, the group published a dark web post containing several screenshots of sensitive data, including passports and corporate documents.