Last Updated: January 8th, 2026 | 47 min read | Categories: The State Of Ransomware, 2025, Ransomware, Research

The State Of Ransomware March 2025

March marked a historic milestone, becoming the first month ever to exceed 100 publicly disclosed ransomware attacks, reaching a total of 107. This represents an 81% increase compared to the same month last year. The healthcare sector remained the most targeted, with 22 attacks, followed by manufacturing with 13. A total of 39 different ransomware variants were responsible for the attacks, with Qilin, Clop, and Akira leading the way.

Here is the list of organizations who made ransomware headlines in March:

  1. Akira added Austria-based Forstenlecher Installationstechnik to its victim site at the start of March, claiming to have exfiltrated 41GB of confidential information from the company. Compromised data allegedly included contact information belonging to employees and customers, HR documents including SSNs, financial data such as audit and payment information, and confidential licenses, agreements and contracts. The organization has not yet publicly confirmed Akira’s claims.
  2. Turkish restaurant group BNS Food confirmed that a data security breach affected its Japanese food chain, Sushi Co. It was confirmed that unauthorized access had compromised certain customer information including names, contact details and order history. BNS Food assured customers that no financial data was impacted. An investigation into the nature and scope of the incident has been launched and it’s not currently known who was behind the attack.
  3. Internet access and all critical systems have now been restored at Rainbow School District after being down for several days. A statement from the school board confirmed that data acquired by unauthorized individuals was deleted and has not been shared. Although it has not been confirmed, this statement suggests that the organization paid a ransom to the unknown threat actors.
  4. Medusa claimed to have stolen 219.5GB of data from Bell Ambulance, demanding a ransom of $400,000 from the Wisconsin ambulance company. The attack caused significant disruption to operations and the organization launched an investigation to determine if any information was affected.
  5. Parents from Penn Harris-Madison Corporation School District received a notification that the district had suffered a ransomware attack. The incident impacted Skyward and Canvas, two systems students rely on to turn in assignments. As a precaution, all network-connected desktops were shut down. The PHM technology team consulted experts to investigate the situation, and the ransomware gang responsible for this incident has yet to be named.
  6. Qilin ransomware gang added Grammy award-winning Houston Symphony to its leak site in early March. The group claimed to have exfiltrated 300GB of data, adding a five-day deadline and a TOX address for communication to its leak site posting. A short time after it was posted the listing disappeared, suggesting that the organization contacted the cybercriminals and may be attempting to negotiate with them.
  7. Singapore-based not-for-profit HomeTeamNS suffered a ransomware attack which affected some of its servers containing data belonging to current and former employees. Upon discovery of the incident, impacted servers were immediately disabled and isolated from the network. The organization engaged third-party cybersecurity experts to investigate and remediate the incident.
  8. Systems Pavers, a construction company based in Santa Ana, recently notified an undisclosed number of individuals of a data breach following a ransomware attack in September 2024. The notice acknowledged the incident, stating that threat actors gained unauthorized access to data between September 20th and October 4th. The organization has not disclosed the types of data that were compromised or the group of individuals impacted. Medusa claimed the attack in October 2024, giving the organization a one-week deadline to pay a ransom demand of $1 million.
  9. Qilin ransomware gang has taken responsibility for a recent ransomware attack on Utsunomiya Central Clinic in Japan, leading to a major data breach. The group accessed the clinic’s servers and exfiltrated about 140GB of sensitive data, including over 178,000 files containing medical records, personal information, X-rays, and ECG data. This breach potentially impacted around 300,000 patients, with a portion of the stolen data already leaked online.
  10. A recent cyberattack compromised D. Edri Brothers Ltd., an Israeli construction and infrastructure firm, with threat actors leaking 16GB of sensitive data. The breach exposed extensive personal and business information, including employee records, foreign contractors’ data, internal emails, project specifications, and client contracts. The compromised data includes payroll details and national IDs. Toufan has claimed responsibility for the attack.
  11. Chicago Doorways, LLC, a U.S.-based supplier of commercial doors and hardware, became the target of a ransomware attack by the Qilin group. The attackers exfiltrated 46GB of sensitive data before encrypting the company’s systems. A proof of claims pack containing 21 images was added to the listing on the dark web page. The organization is yet to publicly acknowledge these claims.
  12. Accountancy firm Legacy Professionals recently disclosed a significant data breach impacting over 190,000 individuals. The breach, which occurred in April 2024, involved the unauthorized access and theft of sensitive data, including Social Security numbers, driver’s license numbers, medical treatments, and health insurance information. LockBit claimed responsibility, demanding an undisclosed ransom and the firm has not confirmed whether the ransom was paid.
  13. In Maine, Franklin County recently reported that it had suffered a ransomware attack in February, which caused temporary disruption to its computer systems. Due to the County’s prior investment in robust backup systems, the IT department was able to restore functionality quickly. The County immediately contacted law enforcement and engaged third-party cybersecurity specialists to manage the response. A forensic investigation has been conducted, and the County is working diligently to determine if any personal information was exposed.
  14. The Town of Hinton in Alberta recently disclosed that its networks have been declared clear of any malicious activity resulting from a cybersecurity incident in February. An unauthorized third party gained access to the Town’s servers, but after a thorough investigation it was determined that no sensitive information was stolen or misused. However, RansomHub claimed to have exfiltrated 92GB of information from the town’s networks.
  15. In early March, Adval Tech Group fell victim to a cyberattack that targeted its global IT systems. Upon discovery of the incident, the company immediately shut down all its systems as part of an emergency protocol to protect its infrastructure, resulting in potential production interruptions at various locations. The impact of the attack is still under investigation. Lynx ransomware gang has since taken credit for the attack.
  16. Crazy Hunter claimed to have stolen data belonging to Chuanghua Christian Hospital during a February ransomware attack. On its dark web blog, the newly emerged gang announced that data including personnel databases, health insurance claims, consultation records and employee information was among the data stolen. The Ministry of Health and Welfare has created new training guidelines including a framework on how to respond to the incident.
  17. Ransomware gang Skira claimed responsibility for a late 2024 data breach at Carruth Compliance Consulting. The attack led to data breaches across at least 36 school districts and colleges, impacting over 110,000 school employees. The stolen data, which reportedly amounts to 469GB, included sensitive personal information such as Social Security numbers, financial details, medical billing information, and tax filings. Although the attack has been acknowledged, the organization has not verified Skira’s claims.
  18. Sydney-based tour agency Wendy Wu Tours became a victim of the Kill ransomware group. The attackers listed the company on their darknet leak site, claiming to have exfiltrated sensitive data, including scans of valid passports from residents of Australia, the United Kingdom, and Germany. Along with passport scans, the hackers also released a passenger pre-travel form containing personal details such as names, residential and email addresses, and emergency contacts. Kill threatened to release more data unless the company complied with their demands, though no ransom amount was posted. Wendy Wu Tours has not yet commented on the breach, and the investigation is ongoing.
  19. The National Defense Corporation (NDC), a subsidiary of National Presto Industries, was recently targeted in a ransomware attack by the group InterLock, which claimed to have stolen 4,200 GB of data. Despite this breach, NDC chose not to pay the ransom, citing that the stolen data held little value due to the company’s focus on low-tech military products. While the company informed U.S. government agencies about the attack and disclosed it publicly, it confirmed that operations were largely restored, and the attack did not significantly impact financials.
  20. Taipei’s Mackay Memorial Hospital apologized to the public for an information leak caused by a cyberattack. The attackers encrypted hospital systems, causing disruptions to over 500 computers. The attack, orchestrated by Crazy Hunter, resulted in the theft of 32.5GB of data, affecting 16.6 million patients. The stolen data, which reportedly includes sensitive personal details of patients from across Taiwan, was allegedly sold online on February 28th.
  21. Fog claimed responsibility for a February 2025 data breach at Williamsburg-James City County Schools in Virginia. The attack caused disruption to the district’s operations, with systems being restored several days after the incident occurred. The ransomware group said it stole 27.7GB of data from WJCC but did not post a ransom demand or any further details on the alleged stolen data. WJCC has not verified Fog’s claims.
  22. District officials announced that private information belonging to more than 700,000 current and former Chicago Public Schools students was leaked on the dark web following a ransomware attack in late 2024. The hackers reportedly gained access to CPS data through a weakness in vendor software, facilitating the theft of information including student names, birthdates, and ID numbers. Additionally, for around 344,000 students, Medicaid IDs and eligibility details were compromised. Clop ransomware gang claimed responsibility for the incident but did not post any further information on its leak site.
  23. Qilin has claimed responsibility for an attack on the Ministry of Foreign Affairs of Ukraine. The hackers reportedly gained access to the Ministry’s systems and exfiltrated documents, including personal and confidential government files. Qilin demanded a ransom for the data, threatening to release the stolen information if their demands were not met. The Ukrainian government is investigating the breach, working with cybersecurity experts and authorities to assess the full scope of the attack and mitigate its impact.
  24. SSK Plastic Surgery in California revealed that it was the victim of a cyberattack with an extortion demand last year. An unknown intruder accessed a limited number of patient documents, including personal information such as names, contact details, and limited health data, including images for virtual consultations. The breach, discovered in January 2025, led to notifications being sent to affected individuals, though the full scope of data exfiltration and any leaks remain unclear.
  25. SYMA Austria, a subsidiary of the SYMA Group, suffered a cyberattack that compromised its systems. Play, who claimed the attack, threatened to release sensitive data obtained during the incident. However, with the support of its IT service provider and cybersecurity experts, SYMA was able to restore its operations quickly, with only the Austrian location being affected. The company has notified its customers and is cooperating with law enforcement and relevant authorities in Austria and Switzerland to investigate the attack.
  26. In March, Best Collateral filed a data breach notification after discovering that an unauthorized party was able to access portions of its IT network. The company launched an investigation in February after discovering the compromised files. The sensitive customer data accessed includes names, SSNs, driver’s license numbers, biometric data, military IDs, and health insurance details. Rhysida claimed responsibility for the attack.
  27. RansomHouse claimed responsibility for a cyberattack on Loretto Hospital in Chicago. The gang reportedly breached the hospital’s systems, stealing sensitive data totalling 1.5TB. The attackers threatened to release the stolen data unless their ransom demands were met. Although the exact nature of the compromised data has not been disclosed, the hospital has acknowledged the attack and is working with law enforcement and cybersecurity experts to mitigate the impact.
  28. Funksec targeted Sorbonne University in Paris, exfiltrating 20GB of data from its systems. The group, known for utilizing AI-generated ransomware, demanded an undisclosed ransom and posted the university on their dark web leak site. While Funksec did not specify the type of data stolen, they provided evidence of their access, including a screenshot of a search query conducted on one of the university’s computers. The university is still currently investigating the situation.
  29. RansomHub listed coal mining equipment supplier Bis Industries as a victim on its darknet leak site. The organization recently acknowledged the attack which happened in December 2024, stating that it quickly engaged cybersecurity experts to contain the incident and minimize operational impact. RansomHub has allegedly stolen 502GB of data and has leaked the stolen information on its darknet site. Bis Industries is investigating RansomHub’s claims.
  30. RansomHub also listed Southern Regional Medical Group (SRMG), a medical provider based in Western Australia, as one of its victims in March. The group claimed to have stolen 19GB of data from the organization, though no specific documents or ransom demands were released. The gang posted the attack on its darknet leak site, threatening to publish the stolen data within five days if their demands were not met. SRMG has not responded publicly to the breach, and the situation remains under investigation.
  31. NTT Communications has informed nearly 18,000 corporate clients about a data breach that exposed sensitive customer information. The breach, which occurred earlier in the year, affected the personal and business details of these clients. NTT has not disclosed the full scope of the compromised data but has taken immediate steps to mitigate further risks. The company is working closely with cybersecurity experts to address the breach, investigate its cause, and protect affected customers. It is not yet known who is behind this incident.
  32. Safepay has confirmed that it targeted Willms Fleisch, one of Germany’s largest meat producers, earlier this year. The company confirmed the breach, commenting that no downtime was experienced, but they have not disclosed specific details about the compromised data. The threat actors, who allegedly exfiltrated 2TB of data, demanded an undisclosed ransom with a deadline of March 13th. Willms Fleisch decided not to pay the ransom, asserting that the data taken was not critical to their business operations.
  33. A breach notification has been made public regarding a data breach at the Center for Digestive Health, which affected 122,437 individuals due to a ransomware attack in mid-2024. The notification revealed that unusual activity was spotted on the center’s IT network in April, leading to an investigation that confirmed unauthorized access to files containing patient data. The BianLian ransomware group claimed responsibility for the attack in May 2024 and subsequently leaked 2.2TB of the healthcare provider’s data.
  34. Clop published files allegedly stolen from Rackspace, a major US-based cloud service provider. The group claimed that Rackspace ignored their demands, leading to the release of the data on their dark web leak site. The stolen files were not fully disclosed, and the amount or type of data has not been confirmed.
  35. In North Carolina, Pinehurst Radiology Associates remained closed for more than one month following a cyberattack that occurred in late January 2025. The practice detected suspicious activity on its network and launched an investigation, bringing in legal counsel and cybersecurity experts. As of March 12, 2025, some systems remained offline, and services such as mammography and ultrasound appointments have been suspended. The breach has not been attributed to a specific ransomware group, and the practice is working to restore its network.
  36. The Asbury Theological Seminary recently confirmed that 15,560 individuals were impacted by a June 2024 data breach that compromised a trove of sensitive personal and financial information. The organization did acknowledge the attack, announcing that a network security incident was responsible for website issues. Fog ransomware gang claimed the breach back in June last year, stating that it stole more than 10GB of data from the seminary.
  37. The City of Fort St. John confirmed that a February cyber incident, which affected its services, was a ransomware attack. The incident disrupted phone, email, and internal systems, bringing down much of the city’s network. Certain services, such as online bill payments, are still down for security reasons. A small amount of data, mostly non-sensitive departmental files, was stolen, but the city asserts that personal information was not compromised. INC ransomware gang has taken credit for the attack.
  38. New Zealand-based insurance broker Vercoe confirmed it was investigating a ransomware attack by DragonForce, which claimed to have stolen 60.67 GB of data. The incident, first reported on March 5, has not yet led to the publication of any stolen files or ransom demands, but DragonForce has threatened to release the data soon. Vercoe quickly restored its systems and stated that the incident had limited impact on its operations. The company is working with external experts to assess the full scope of the breach and has notified regulatory authorities and stakeholders.
  39. Ascoma Insurance Advisors, a leading Monaco-based insurance brokerage, was targeted by an Akira ransomware attack. The group reportedly stole 12GB of sensitive data from the company, though specific details on the compromised information have not yet been confirmed. Ascoma has yet to issue an official statement on the matter.
  40. It was confirmed that Brydens Lawyers suffered a ransomware attack in late February which led to the theft of over 600GB of sensitive information. The firm confirmed the breach and is actively investigating the extent of the damage. Brydens Lawyers is working with authorities, including the Australian Cyber Security Centre, and has restored its IT systems. No ransomware group has yet claimed responsibility.
  41. Lynx ransomware group listed CI Scientific as one of its victims, claiming to have stolen 81GB of sensitive data. The stolen data reportedly includes business contracts, financial records, and human resources information. Despite the claim, no files have been released yet, and there is no ransom demand or deadline indicated. CI Scientific has not yet responded to the claims.
  42. A ransomware attack briefly disrupted operations at Ganong Bros in late February. The company discovered the breach on February 22 and immediately took steps to protect its network, involving third-party cybersecurity experts and legal counsel. The investigation is ongoing to determine if personal information was compromised. Play ransomware group has been linked to the attack.
  43. Harrell’s, LLC, an agrochemical distributor, fell victim to a ransomware attack by the Lynx group. The threat actors exfiltrated around 100GB of sensitive data, including financial records, proprietary chemical formulas, and employee information. Lynx published screenshots of the stolen data on its dark web leak site and threatened to release more unless a $15 million ransom is paid.
  44. On March 11 2025, Babuk ransomware group claimed responsibility for a cyberattack on Lexmark, alleging that they had infiltrated the company’s systems. Lexmark’s cybersecurity team immediately launched an investigation into the claim. However, no evidence was found to support the presence of ransomware in Lexmark’s environment. The company is continuing to monitor the situation and has made efforts to ensure the security of its systems.
  45. It was confirmed that Unicorr Packaging Group, a Connecticut-based packaging company, experienced a data breach in January 2025 after unauthorized activity was detected on its network. Upon investigation, the company confirmed that sensitive personal data, including Social Security numbers and credit card information, may have been compromised. Akira took responsibility for the attack, claiming to have stolen 90GB of data from the organization.
  46. In mid-March, a ransomware attack targeted the Department of Health Services on the island of Yap, part of the Federated States of Micronesia. The attack forced the department to take its entire network offline, disrupting email communication and digital health systems. Efforts are underway to restore services, determine the extent of the breach, and assess the data compromised. No group has yet claimed responsibility for the attack.
  47. Qilin claimed responsibility for a breach of SMC Corporation’s European branch. The threat actors exfiltrated 1.1TB of data, including sensitive corporate documents, employee records, and technical schematics. SMC is investigating the breach and has engaged third-party experts, while also negotiating with the attackers to prevent further data leaks.
  48. In Switzerland, Ascom confirmed it was targeted by a cyberattack. The company quickly identified suspicious activity and began investigating the breach. Some of the organization’s internal systems had been compromised, leading to disrupted operations in certain areas. They have engaged cybersecurity experts and are working closely with authorities to address the issue. Hellcat ransomware gang claims to have exfiltrated 44GB of data from Ascom including internal reports, sales documents, confidential agreements, development tools and source code.
  49. Hunters ransomware group claimed responsibility for a cyberattack on Courageous Home Care. The attackers exfiltrated approximately 262GB of sensitive data, including patient information, before encrypting the organization’s systems. The breach is believed to have occurred through compromised credentials or unpatched vulnerabilities.
  50. An Apos ransomware attack targeted KIU System Solutions, a cloud service provider for the airline industry based in Uruguay. Apos allegedly exfiltrated 2.3TB of sensitive data, including airline software code, client agreements, and backend service credentials. The incident disrupted KIU’s operations, impacting critical aviation services. KIU is working with external cybersecurity experts to investigate and mitigate the damage.
  51. A threat actor named Empire claimed to have breached Honda’s Indian division, exfiltrating over 3 million records. The stolen data includes sensitive customer details such as names, billing addresses, phone numbers, purchase dates, and more. The hacker listed the data for sale on a popular hacking forum for $1,500, posting a sample of the compromised information, though some fields appeared incomplete. The data has not been verified by the organization.
  52. Western Alliance Bank revealed that a significant data breach had impacted nearly 22,000 individuals due to a vulnerability in Cleo. The breach occurred between October 2024 and January 2025, resulting in unauthorized access to sensitive data. The compromised information includes personal details such as Social Security numbers, financial account numbers, dates of birth, and identification numbers.
  53. Ikav Energy, a Luxembourg-based energy investment firm, confirmed that a late 2024 data breach had compromised the personal data of 722 individuals in Texas and 15 in Massachusetts. The breach, which was claimed by the DragonForce ransomware group, resulted in the theft of 177GB of sensitive data including SSNs.
  54. Fog ransomware group claimed responsibility for a significant data breach at University Diagnostic Medical Imaging (UDMI), which impacted over 138,000 individuals. The group stole 28.1GB of personal information, including patient data, from the company’s internal systems. The radiology practice immediately launched an investigation, with assistance from external cybersecurity experts, to determine the nature and scope of the incident.
  55. Babuk ransomware group took credit for a significant breach at Jingdong, also known as JD.com, one of China’s largest e-commerce platforms. The attackers claim to have stolen over 11GB of data, including sensitive customer information such as names, usernames, passwords, email addresses, QQ numbers, and ID card details.
  56. Pinduoduo strongly denies claims that it has fallen victim to a Babuk ransomware attack. The threat actor alleges to have obtained 892GB of data, including sensitive customer details such as names, phone numbers, addresses, and purchase information, from the major Chinese e-commerce platform. The company believes the incident may have been fabricated by a competitor.
  57. Hellcat breached Jaguar Land Rover (JLR) by exploiting stolen Jira credentials. The attackers gained access to sensitive internal documents, including development logs, proprietary source code, and a large employee dataset containing personal information. The breach compromised approximately 700 documents and 350GB of additional data, which was later leaked by the attackers.
  58. Swedish lock and security company Assa Abloy was targeted in a cyberattack by the Cactus ransomware group. The attackers accessed internal data from local servers in Sweden, demanding a ransom for the stolen information. Although the company has confirmed the breach and is conducting an investigation, it believes the impact on its operations will not be significant. The ransomware group has reportedly stolen 229GB of information and added documents to its leak site as proof of claims.
  59. Babuk claimed to have stolen over 2TB of data from Taobao, an e-commerce platform owned by Alibaba. The group allegedly obtained sensitive information relating to approximately 600 million users and more than 8 billion orders, including personal details such as names, phone numbers, and shopping histories. Babuk threatened to sell the data on the dark web, but Taobao has denied the claims, stating that its own internal investigation found no evidence of a breach on their platform.
  60. Sitro Group Australia was targeted by an INC ransomware attack this month. INC leaked three documents as proof of the attack, suggesting that sensitive data may have been stolen and encrypted. Currently there is limited information available about this attack.
  61. Atchison County in Kansas experienced a cyberattack that led to the closure of its offices for a day as officials investigated the incident. The attack disrupted the county’s computer network, affecting its services. The authorities worked to determine the scope and impact of the breach, which had significant consequences for the county’s operations. It is not yet known who is responsible for the attack.
  62. Also in Kansas, a cyber incident disrupted services and systems at Derby’s police department. Although the city’s officials have kept details scarce, it is believed that a significant portion of their internal systems were compromised. The department has not confirmed the exact nature of the attack, and the situation remains under investigation.
  63. 5TB of data was allegedly exfiltrated from French telecommunications giant Orange. Babuk claimed the attack and appears to have stolen information including sensitive customer records, employee details, source code, contracts, invoices, and other personally identifiable information. Babuk threatened to release a quarter of the data if Orange refused to pay the ransom. The claims have not been verified by the organization.
  64. Berkeley Research Group (BRG) was targeted by a cyberattack amidst an ongoing acquisition deal. The attack disrupted BRG’s operations, but the full scope of the damage is still under investigation. BRG has not publicly shared details of the incident, and it’s unclear whether any data was stolen. The identity of the attackers remains unknown.
  65. California Cryobank (CCB) confirmed a cyberattack that occurred in April 2024, during which unauthorized actors accessed sensitive customer data. The breach occurred over a two-day period and involved the potential exfiltration of files containing personal information such as bank account details, payment card numbers, and health insurance information. The company has not revealed the number of affected individuals or whether its international operations were impacted.
  66. Australian fibre installation firm Expert Data Cabling (EDC) was added to INC’s victim list this month. The group allegedly stole and encrypted a range of sensitive data, including driver’s licenses, contractor information, building maps, contracts, and personal details such as names, addresses, and phone numbers. EDC has not publicly commented on the breach, and INC has yet to publicly announce a ransom demand or a date for the data release.
  67. The Pennsylvania State Education Association (PSEA) wrapped up an investigation into a July 2024 data breach. The breach involved the theft of personal information such as Social Security numbers, health details, and financial data like account numbers and payment card information. The attackers, suspected to be the Rhysida ransomware group, may have used double extortion tactics, as PSEA’s investigation included attempts to ensure the stolen data was deleted.
  68. The Town of Orangeville has been dealing with the aftermath of a February cyberattack, which caused disruption to some of its online systems. Although the full extent of the breach is still under investigation, the town acted swiftly to secure its systems and continue delivering essential services. While some systems remain affected, most critical services, like fire and transit, have continued without interruption. BlackSuit ransomware gang claimed the attack.
  69. Ransomware gang Cloak just claimed responsibility for a February 2025 cyberattack on the attorney general of Virginia. The attack led to the shutdown of essential systems, including email, VPN, and the office website. Employees were forced to switch to paper-based filing as a result. Cloak has since posted stolen documents on its data leak site.
  70. Ransomware gang Kraken claimed responsibility for a data breach at Klickitat Valley Health in Washington. The attack resulted in the breach of sensitive patient information including Social Security numbers, health insurance details, medical records, and personal identification information. KVH has not verified Kraken’s claims.
  71. Parascript, LLC just filed a notice of data breach after experiencing a ransomware attack back in August 2024. The breach was detected on August 16, 2024, after suspicious network activity was observed. An investigation revealed unauthorized access to files containing confidential data between July 29 and August 16, 2024. Compromised sensitive consumer information included names and Social Security numbers.
  72. Charles County Ambulance District (SCCAD) notified 1,265 individuals about a security breach caused by a sophisticated malware attack. The attack involved unauthorized access to a user account, exposing sensitive data of individuals who had received treatment or transportation services from SCCAD. The exposed data included names, addresses, dates of birth, and treatment details, with some individuals’ destination hospital information also compromised. Those responsible for this attack have not yet been revealed.
  73. Topy America Inc., a manufacturer based in Frankfort, Kentucky, experienced a data breach after unauthorized access to its network was detected. During the incident, files were copied from the company’s systems, exposing sensitive information of current and former employees, as well as their beneficiaries and dependents. The compromised data included personal details such as names, addresses, Social Security numbers, medical treatment information, and health plan enrolment data.
  74. Clop allegedly hacked MGA Entertainment, a major U.S. toy manufacturer known for brands like Bratz and Little Tikes. The gang listed the company on its dark web leak site but provided few details on the extent of the breach. Clop criticized the company for neglecting customer security, and although no publication date for the stolen data was given, MGA’s operations in multiple countries may have been affected. The company has not yet confirmed the full scope or impact of the attack.
  75. It’s been disclosed that Lake Washington Vascular fell victim to a ransomware attack on February 14, 2025. The Qilin ransomware group claimed responsibility, demanding a ransom, but the center was able to prevent significant damage by restoring files from secure off-site backups. However, the attack encrypted the center’s electronic health record and practice management systems, potentially compromising the data of 21,534 patients. The exposed information may include personal details, medical histories, and treatment data, though financial information was not affected.
  76. The City of Mission in Texas is grappling with the aftermath of a ransomware attack that occurred last month, with recovery efforts expected to last for months. The city has acknowledged the attack but has been cautious about releasing detailed information. The breach involved unauthorized access to the city’s systems, and the ongoing mitigation is aimed at addressing vulnerabilities and preventing further incidents. The city has not disclosed which ransomware group was behind the attack.
  77. A ransomware attack on Aztec Municipal School District led to a significant network outage that forced the closure of schools. Interlock claimed the attack, which resulted in the theft of 1.3TB of data, including financial documents, tax disclosures, and personal information of employees and students. Interlock posted stolen documents as proof, although the district has not confirmed the full extent of the data breach.
  78. MinebeaMitsumi Inc. reported a cybersecurity breach after unauthorized access to its network was detected. The breach involved a third party potentially accessing data from a company file server. In response, MinebeaMitsumi took immediate action by restricting external access and blocking connections from internal to external networks. While the breach is still under investigation, the company has not confirmed any significant business impact. Cicada3001 has claimed the attack, allegedly stealing over 3TB of data.
  79. In Pennsylvania, Union County fell victim to a ransomware attack that compromised personal information from its government systems. The attackers stole data related to county law enforcement, court matters, and other county business, potentially including Social Security numbers and driver’s license numbers. The county has notified federal law enforcement and hired cybersecurity experts to assist with recovery. The specific ransomware group behind the attack has not yet been confirmed.
  80. A cybersecurity incident at Cargills Bank involved unauthorized access to a system within its infrastructure. The bank acted quickly to isolate the affected components and engage cybersecurity experts to assess the situation and protect customer interests. Despite the breach, there were no disruptions to banking operations. Hunters ransomware group has been credited with the attack, with the group claiming to have exfiltrated 1.9TB of data.
  81. Australian skincare manufacturer Baxter Laboratories was targeted by RansomHub, who claimed to have stolen 40GB of data. The attack encrypted part of the company’s IT systems, but Baxter quickly contained the incident and engaged cybersecurity experts to assess the situation. While RansomHub listed Baxter on its dark web leak site, the company has not yet confirmed what specific data was compromised.
  82. Tanaka Precious Metals confirmed a cyberattack on its Taiwan production site, Tanaka Electronics Taiwan (TET). The attack resulted in unauthorized external access to servers, and TET quickly responded by cutting off internet connections, suspending infected file servers, and enhancing security measures. Newly emerged ransomware gang NightSpire took credit for the attack, claiming to have exfiltrated 150GB of data.
  83. A cyberattack on Fabricaciones Militares, a key state-owned company for the Argentine defense industry, has resulted in the theft of over 300 GB of sensitive data. The compromised data includes plans for cutting-edge weapons projects. Negotiations are reportedly underway to recover the stolen information. Monti ransomware group was responsible for the incident.
  84. Cablevision was hit by a cybersecurity incident that disrupted its operations and impacted customers. The company’s website was down at time of writing, displaying a notice about a system outage affecting its computer systems, preventing customers from accessing their accounts, placing orders, or managing billing tasks. Cablevision has acknowledged the issue and is actively investigating the incident while working to restore its systems and services. Hunters has claimed the attack, stealing 66.8GB of data from the organization.
  85. 126,580 individuals were recently notified about a data breach at Joseph’s College of Maine caused by a ransomware attack claimed by the Clop group. The breach, which occurred between December 15, 2023, and January 24, 2024, compromised sensitive data, including Social Security numbers. While Clop has listed the college on its dark web leak site, the institution has not confirmed whether it paid a ransom.
  86. A ransomware attack targeted a student at Teays Valley Christian School in Putnam County, West Virginia. The student received a threatening email, stating that a “hit list” would be sent from their account unless a file was downloaded. The attack compromised the student’s Discord and Google accounts, with unauthorized access from multiple IP addresses. In response, local law enforcement began investigating the incident.
  87. A cyberattack caused significant delays in operations for Astral Foods, South Africa’s largest chicken producer. The attack led to downtime in processing and delivery, resulting in a loss of about 20 million rand (approximately $1 million). The company quickly implemented its disaster recovery protocols and restored normal operations. Astral Foods confirmed that no sensitive customer or supplier data was compromised, but the exact nature of the attack and the attackers remain unclear.
  88. Cross Valley Federal Credit Union experienced a data breach that compromised the personal information of over 17,000 individuals. The breach, which occurred in 2024, exposed sensitive data, though the specific details of the compromised information were not disclosed. LeakedData shared information from this attack in early January 2025.
  89. A cybercriminal group called Arkana claimed responsibility for a data breach at WideOpenWest (WOW!), a major American cable company. The group released a music video to boast about stealing sensitive information from 403,000 customers, including usernames, passwords, partial credit card details, and email addresses. Arkana has threatened to sell or leak this data if WOW! does not pay a ransom by the given deadline. The breach occurred after an employee’s computer was infected with malware, allowing the attackers to gain access to WOW!’s backend systems. The group has also warned they could push malware to the company’s customers.
  90. In South Carolina, Columbia Eye Clinic reported a data security incident potentially affecting patient information. The clinic disclosed that protected patient health information may have been compromised. While specific details about the exposed data remain unclear, the clinic has initiated an investigation to determine the full scope of the breach and is taking steps to enhance security measures.
  91. Meigs County Emergency Medical Services (EMS) recently notified 5,802 individuals about a cyber incident in which patient data was stolen. In late January, unauthorized access was detected in an employee email account, and an investigation confirmed that the account’s contents were downloaded. The exposed information included names, SSNs, medical details, insurance information, and more. The cybercriminals behind the attack are yet to be named.
  92. Cottrill’s Specialty Pharmacy in New York recently disclosed a data security incident that affected the personal information of 2,348 patients. Unauthorized access was detected within its network on January 21, 2025, and although the breach was brief, it is possible that sensitive data was stolen. A file review completed in February confirmed that compromised data included names, dates of birth, SSNs, driver’s license or state ID numbers, medical information, and health insurance details.
  93. ALN Medical Management recently disclosed a data breach that was identified back in March 2024. The breach involved unauthorized access to systems hosted by a third-party service provider, with an investigation confirming that various files and folders were accessed or copied. A review process completed in January 2025 revealed that affected data may include names, SSNs, financial details, medical information, and health insurance data. Notification letters to impacted individuals were sent in March this year, though the exact number of affected individuals remains unclear.
  94. Heritage South Credit Union in Alabama recently confirmed a data breach that affected an undisclosed number of people. The breach, which occurred in February 2025, was claimed by Embargo, who stole 300GB of sensitive data. This included SSNs, financial account details, debit card information, addresses, and more. The group demanded a ransom, but Heritage South has not confirmed if they paid the attackers.
  95. A recent cyberattack targeted Kuala Lumpur International Airport (KLIA), disrupting operations and raising concerns about cybersecurity. The attackers demanded a $10 million ransom, but Malaysia’s Prime Minister Anwar Ibrahim firmly rejected the demand, stating there was “no way” the country would bow to criminal threats. Malaysia Airports Holdings Berhad (MAHB), which operates the airport, confirmed the attack but did not disclose further details about the perpetrators or whether the attack had been fully resolved.
  96. Akira claimed to have exfiltrated 54GB of organizational data, potentially exposing sensitive information related to Helbor Empreendimentos S/A’s operations, clients, and projects. Compromised data stolen from the Brazilian real estate developer includes corporate NDAs, internal correspondence, financial data, corporate licenses, agreements and contracts, and employee and customer contact information.
  97. Monette Barakett Avocats senc, a prestigious Montreal-based law firm, has fallen victim to Akira’s latest cyberattack. The ransomware group claims to have obtained sensitive organizational data, potentially compromising client confidentiality and exposing critical legal information.
  98. Concord Orthopaedics (COPA) notified nearly 68,000 patients about a data breach caused by a vendor that handles patient registration and appointment check-ins. The breach, which was discovered back in November 2024, exposed sensitive patient information. The vendor, whose name has not been disclosed, stored unencrypted personal and health data, some of which was later leaked on the dark web.
  99. VanHelsing recently listed Compumedics, an Australian medical device company, on its ransomware leak site. The group claimed to have stolen a variety of sensitive data, including passport scans of employees, product and testing data, and other company-related documents. Although the exact amount of data and ransom demands have not been disclosed, the breach also affected Compumedics’ subsidiary, NeuroMedical Supplies.
  100. In Georgia, Pineland Behavioral Health and Developmental Disabilities Community Service Board recently reported a data breach that exposed sensitive personal information, including SSNs and medical details, of an undisclosed number of individuals. The breach was claimed by the ransomware group Space Bears, who also stole documents and medical histories.
  101. Pacific Residential Mortgage confirmed a data breach following a ransomware attack discovered in February. The attack resulted in unauthorized access to sensitive consumer information, including names, addresses, SSNs, dates of birth, driver’s license numbers, and financial details. After securing its network and conducting an investigation, the company identified the affected individuals and began sending notification letters in March this year. Law enforcement was notified, and cybersecurity experts were engaged to mitigate further risks. Lynx ransomware gang claimed the attack.
  102. Australian property developer TOGA was listed as a victim of the Akira ransomware group, who claimed to have stolen over 530GB of sensitive corporate data. The leaked information includes financial records, audit details, employee and customer contact information, and database files. This breach follows a cyber incident affecting TOGA’s subsidiary, TFE Hotels, which caused significant disruption to its operations. Akira has not issued a ransom demand but has warned about releasing the stolen data.
  103. Medusa targeted O’Shea Builders, a construction service provider in Central Illinois. The gang reportedly exfiltrated 120.5 GB of data and demanded a ransom of $350,000 within seven days. Medusa also threatened to leak the stolen data, including spreadsheets, diagrams, and invoices, if the ransom was not paid. The organization is yet to publicly address Medusa’s claims.
  104. Walmart-owned Sam’s Club is investigating a potential security breach claimed by the Clop ransomware group. The group listed the retailer on its dark web portal, suggesting that Sam’s Club had been targeted through exploitation of the Cleo zero-day vulnerability. While no data has been leaked yet, Clop threatened to release the exfiltrated information if a ransom is not paid. The company is looking into the incident, though it has not provided further details.
  105. Brighton Australia was recently listed as a victim by the SafePay ransomware group. The hackers claimed to have stolen over 160GB of data, including financial statements, intellectual property, accounting records, and sensitive personnel and customer information. SafePay also posted a ransom note, stating that the breach was due to security misconfigurations and that they had exfiltrated files of interest. While the stolen data has not yet been made public, SafePay threatened to release it unless a ransom is paid.
  106. Details of an August 2024 ransomware attack on Cincinnati Pain Physicians have been revealed this month, with Dr Sudasrshan recalling the disruption caused by the incident. Clinic workers were unable to access the computer system before external IT personnel confirmed that the clinic had been hit by ransomware. Helldown provided the clinic with information on how to pay an undisclosed ransom to retrieve stolen data.
  107. Rhysida demanded a ransom of 5BTC (approx. $420,000) from the Forrest City School District in Arkansas following a cyberattack in December 2024. The attack, which caused the district to suspend its internet services, resulted in the theft of sensitive data, including student transcripts and internal documents. Rhysida threatened to auction the stolen data if the district did not pay the ransom within a week. Documents were uploaded to the dark web as proof of the incident, but the school district are yet to verify Rhysida’s claims.
