BlackFog Report Reveals 36% Increase in Q3 Ransomware Attacks YoY

SAN FRANCISCO--(BUSINESS WIRE)--BlackFog, the leader in ransomware prevention and anti data exfiltration (ADX), today revealed findings from its analysis of global ransomware activity from July to September 2025 across both publicly disclosed and non-disclosed attacks.

This came during a quarter marked by continued disruptions from ransomware campaigns affecting airlines, automotive manufacturers, governments, and other organizations in critical industries across a total of 93 countries worldwide.

The findings show that publicly disclosed attacks continued to set new records, with 270 attacks – a 36% increase compared to the same quarter, Q3, in 2024 (198 attacks). This also represents a 335% increase since Q3 2020, underscoring the continued rise in ransomware attacks over the last five years.

Additional Key Findings for July–September:

Increase in Publicly Disclosed Attacks Year on Year

Compared to the same period in previous years, the following monthly increases were observed:

• A 50% increase in July with a total of 96 attacks
• A 37% increase in August with a total of 92 attacks
• A 27% increase in September with a total of 85 attacks

Qilin Topped as the Most Active Group; Newcomer DEVMAN Made an Impact

Between July and September, publicly disclosed attacks were attributed to 54 ransomware groups. As in Q2, the Qilin ransomware gang – which recently claimed responsibility for the attacks on the Asahi Group – was the most active, responsible for 20 incidents during this period. Notably, approximately 40% (107) of reported attacks have not yet been attributed to any known ransomware group.

The quarter also saw the emergence of 18 new ransomware groups, several linked to high-profile incidents targeting large organizations. Among these, the newcomer DEVMAN made a significant impact, with 19 attacks across Asia, Africa, Europe, and Latin America. It was also behind a $91 million demand against Chinese real estate giant Shimao Group, one of the largest demands seen this year.

Undisclosed Attacks: Manufacturing Sector Hit Hardest

When looking at attacks that are not disclosed publicly, the manufacturing sector was hit hardest, accounting for 22% of all incidents.

Close behind was the services sector, with 333 incidents, while the construction industry entered the top three for the first time with 143 attacks. The legal sector also saw a surge, recording 79 attacks – its highest level to date.

Disclosed Attacks: Healthcare Sector Persists as Most Targeted

In terms of publicly disclosed attacks, healthcare was once again the most targeted sector with 86 attacks – accounting for 32% of all incidents. This was followed by the government and technology sectors, each reporting 28 attacks.

Lack of Reporting Remains a Challenge

In Q3 2025, nearly 85% of all ransomware attacks (estimated at 1,510) went unreported, representing a 21% increase compared with the same period in 2024. Qilin was also the most active in this segment, responsible for 16% of cases.

Data theft remains the dominant tactic used by attackers, with 96% of all disclosed cases involving data exfiltration, marking the highest level recorded to date.

Commenting on the findings, Dr. Darren Williams, Founder and CEO of BlackFog, said: “This has been a quarter in which the fallout of cyberattacks has continued to have a long and lasting impact. From grounded aircraft and stranded passengers to manufacturers forced to halt production, the disruption has been significant. Operations at Jaguar Land Rover, for instance, only recently resumed following the August incident, while numerous smaller suppliers are still counting the cost.

At the other end of the scale, we’ve seen attackers pulling no punches when it comes to the type of company - and data - they target. The attack on a UK nursery chain, Kido, in September marked a new low when it emerged that information on children, parents, and carers was taken.

As ransomware volumes show a continued upward trend, the best option for organizations is to make it as hard as possible for cybercriminals to take advantage of them. That means protecting data so that they have no leverage for extortion and, critically, no incentive to return.”

Methodology

This report was generated in part from data collected by BlackFog Enterprise over the specific report period July – September 2025. It highlights significant events that prevented or reduced the risk of ransomware or a data breach and provides insights into global trends for benchmarking purposes. This report contains anonymized information about data movement across hundreds of organizations and should be used to assess risk associated with cybercrime.

Industry classifications are based upon the ICB classification for Supersector used by the New York Stock Exchange (NYSE).

All recorded events are based upon data exfiltration from the device endpoint across all major platforms.

BlackFog’s State of Ransomware report for July–September 2025 can be accessed here:

https://www.blackfog.com/2025-q3-ransomware-report/

About BlackFog

Founded in 2015, BlackFog is a global AI based cybersecurity company that has pioneered on-device anti data exfiltration (ADX) technology to protect organizations from ransomware and data loss. With 95% of all attacks involving some form of data exfiltration, preventing this has become critical in the fight against extortion, the loss of customer data and trade secrets.

BlackFog recently won a Gold Globee award for AI-Driven Data Protection Solution and the coveted Cybersecurity Breakthrough Award for AI-based Cybersecurity Innovation of the Year. BlackFog also won Gold at the Globee awards in 2024 for best Data Loss Prevention and the State of Ransomware report which recognizes outstanding contributions in securing the digital landscape.

Trusted by hundreds of organizations all over the world, BlackFog is redefining modern cybersecurity practices. For more information visit blackfog.com.