SAN FRANCISCO – 9th April, 2025 – BlackFog has revealed findings from analysis of ransomware activity from January to March across publicly disclosed and non-disclosed attacks.
This data shows that the number of publicly disclosed ransomware attacks for the first quarter of this year has reached its highest level for this period since BlackFog’s records started in 2020.
Key findings for January to March
Number of disclosed ransomware attacks breaks previous records
- The first quarter of 2025 saw record-breaking numbers of publicly disclosed ransomware attacks, with a total of 278 incidents, marking a 45% increase compared to Q1 2024.
- March set a new high, recording the largest number of disclosed attacks since BlackFog began tracking in 2020, with 107 attacks. This is an 81% increase compared with March 2024.
- Both January and February also set new monthly records for disclosed attacks, with increases from 2024 of 22% and 36%, respectively.
Services, Healthcare and Government are most targeted sectors
In terms of disclosed attacks, healthcare was the most targeted sector with 57 attacks, followed by the services industry, which recorded 44 attacks, and the government sector with 30 attacks. Together, attacks on these three sectors accounted for nearly half (47%) of all disclosed incidents in the quarter.
Number of unreported incidents continues to rise
The figures for undisclosed attacks reveal the true extent of the rise in ransomware. Across the quarter there were 2,124 undisclosed attacks, marking a 113% increase compared to the same period in 2024. This highlights that companies are still failing to publicly disclose ransomware incidents when they are targeted.
The services industry was the hardest hit accounting for 22% (475) of all undisclosed attacks in Q1.
RansomHub continues to dominate
Following a swathe of attacks in 2024, RansomHub continued to be amongst the most active ransomware groups and was responsible for 9% of disclosed attacks in the first three months of 2025 (a total of 24 attacks).
Following on was Qilin, accounting for 15 attacks and Akira with 14 attacks. Other groups accounted for 81% (225) of all disclosed attacks.
Data exfiltration rate climbs higher than ever
The rate of data exfiltration has continued to rise, with 95% of all publicly disclosed attacks in this period involving data exfiltration.
Commenting on the findings, Dr. Darren Williams, Founder and CEO of BlackFog. said:
“Ransomware incident volumes are reaching unprecedented levels. This presents ongoing challenges for organisations dealing with attackers focused on disruption, data theft and extortion. Different groups will emerge and disband, but they all focus on the same end goal, data exfiltration.”
Methodology
This report was generated in part from data collected by BlackFog Enterprise over the specific report period January – March 2025. It highlights significant events that prevented or reduced the risk of ransomware or a data breach and provides insights into global trends for benchmarking purposes. This report contains anonymized information about data movement across hundreds of organizations and should be used to assess risk associated with cybercrime.
Industry classifications are based upon the ICB classification for Supersector used by the York Stock Exchange (NYSE).
All recorded events are based upon data exfiltration from the device endpoint across all major platforms.
