A fog has lifted, and the news about ransomware reveals we fell on black days.
The third quarter of 2025 was marked by widespread ransomware disruptions affecting airlines, automotive firms, governments, and organizations across 93 countries.
According to BlackFog, publicly disclosed ransomware attacks hit a new record high, reaching 270 incidents — a 36% jump compared to the same quarter last year and a staggering 335% increase since Q3 2020.
Dr. Darren Williams, Founder and CEO of BlackFog, said: “This has been a quarter in which the fallout of cyberattacks has continued to have a long and lasting impact. From grounded aircraft and stranded passengers to manufacturers forced to halt production, the disruption has been significant. Operations at Jaguar Land Rover, for instance, only recently resumed following the August incident, while numerous smaller suppliers are still counting the cost.”
He added: “At the other end of the scale, we’ve seen attackers pulling no punches when it comes to the type of company — and data — they target. The attack on a UK nursery chain, Kido, in September marked a new low when it emerged that information on children, parents, and carers was taken. As ransomware volumes show a continued upward trend, the best option for organizations is to make it as hard as possible for cybercriminals to take advantage of them. That means protecting data so that they have no leverage for extortion and, critically, no incentive to return.”
Rising volume of attacks
BlackFog, a ransomware prevention and anti data exfiltration firm, has released its latest analysis of global ransomware activity, covering the period from July to September 2025. The report tracks both publicly disclosed and undisclosed incidents, painting a stark picture of the escalating cyber threat landscape.
Monthly data showed consistent year-on-year growth: July recorded a 50% increase with 96 attacks, August saw a 37% rise with 92 attacks, and September followed with a 27% rise, totaling 85 attacks.
Between July and September, 54 ransomware groups were linked to these incidents. The Qilin group, which recently targeted Asahi Group, was again the most active, responsible for 20 attacks. Roughly 40% of reported incidents have yet to be attributed to any group. Eighteen new ransomware groups also emerged during the quarter, with newcomer DEVMAN making headlines for 19 attacks across multiple continents, including a $91 million ransom demand against China’s Shimao Group.
Healthcare still the top target
In undisclosed cases, the manufacturing industry bore the brunt, representing 22% of all attacks. The services sector followed with 333 incidents, while the construction industry entered the top three for the first time with 143 attacks. The legal sector also saw its highest level to date with 79 incidents.
Among disclosed cases, the healthcare sector remained the most targeted, with 86 attacks — 32% of all incidents — followed by government and technology organizations, each with 28 attacks.
The report noted that nearly 85% of all ransomware incidents, estimated at 1,510, were unreported in Q3 2025, marking a 21% increase from 2024. Qilin also dominated the undisclosed segment, accounting for 16% of such cases. Data theft remained the primary tactic, featuring in 96% of disclosed attacks — an all-time high.
U.S. cybersecurity firm F5 confirmed that it suffered a cybersecurity incident involving a “highly sophisticated nation-state threat actor” that maintained long-term access to certain company systems.
