
January
We kicked off 2025 with a record-breaking 92 disclosed ransomware attacks in January, a 21% increase over last year and the highest monthly total we’ve recorded since we began tracking ransomware back in 2020. We counted 32 different ransomware groups behind the attacks, with RansomHub leading the way. Some of the bigger news stories included the Codefinger ransomware campaign against AWS customers, the disruption caused to the education sector following the PowerSchool hack, and RansomHub’s claims involving MetLife.
Discover who else made ransomware headlines in January:
- The threat actor Omid16B claimed responsibility for a breach at UK-based photo company DEphoto, alleging the theft of a large volume of confidential data. The attack, which occurred on Christmas Day, reportedly resulted in the exfiltration of personal details of 555,952 customers, 429,597 orders containing personal and credit card information, and customer photographs. A ransom demand of £50,000 was made, but the threat actor did not receive a response. DEphoto began notifying affected customers in late December.
- Lian Beng Group Ltd, a prominent investment holding company in Singapore, was targeted in a RansomHub attack at the beginning of the year. The ransomware group claimed to have stolen 2TB of data from the company but did not publish a ransom demand. The allegedly exfiltrated data included 1,500 employee NRICs, passports, insurance details, bank statements, corporate emails, contracts, and other sensitive business documents.
- The State Child Protection Society (SCPS) of Madhya Pradesh fell victim to the Funksec ransomware group, which emerged in December of the previous year. Funksec took responsibility for the attack, claiming to have exfiltrated 2GB of sensitive data from SCPS’s systems. While the exact details of the stolen data remain unclear, experts and stakeholders are particularly concerned about the potential exposure of sensitive child welfare information.
- Westend Dental in Indianapolis agreed to pay $350,000 to enhance its data protection and patient privacy measures following a state investigation into a ransomware attack that led to the unauthorized disclosure of patient information. The company failed to report the October 2020 breach within the HIPAA-mandated timeframe, waiting two years before officially notifying authorities. During the attack, health information was encrypted and then exfiltrated, affecting approximately 17,000 patients.
- RansomHub claimed responsibility for breaching the Latin American division of insurance giant MetLife on December 31st, though the company denies the incident. The ransomware group asserts it exfiltrated 1TB of data, adding documents written in Spanish as proof of claims to its leak site. A MetLife spokesperson stated that “there is no incident that we’re aware of,” and suggested the breach may be related to an incident involving Fondo Genesis, a MetLife subsidiary.
- Peikko Group Corporation, based in Finland, experienced a disruptive cyberattack at the end of December 2024. Several tools and systems became unavailable to employees, prompting the company to report the incident to police and other relevant authorities. While the company acknowledged the possibility that some customer-related data may have been accessed and stolen, an investigation is still underway. The Akira group claimed responsibility for the attack, alleging the theft of 30GB of data. On its dark web site, the group suggested the stolen information included internal finance documents, disclosure agreements, employee contact details, and HR records.
- Modern Automotive Network, a North Carolina car dealership chain, recently confirmed it notified individuals about a data breach that took place in July 2024. The company did not disclose what personal information was compromised in its breach notification. BlackByte ransomware gang claimed responsibility for the attack shortly after it occurred, sharing images of what they claimed were stolen files and directories as evidence.
- It has been confirmed that a ransomware attack, which Richmond University Medical Center has been investigating since May 2023, resulted in a data breach affecting over 670,000 individuals. The attack led to major disruptions, with the organization taking several weeks to restore affected services. Investigators found that at least one of the exposed files contained personal information, including PII and PHI. The identity of those responsible for the attack remains unknown.
- In January, the Hunters International ransomware group added Nikki-Universal Co. Ltd, a major chemical manufacturer, to its list of victims. The organization confirmed the attack, stating that an investigation is ongoing. The ransomware group claimed to have exfiltrated 476,342 files during the incident, totalling 761.8GB. Although a ransom amount was not posted, the organization was given until January 10th to meet the group’s demands.
- The Fraunhofer Institute for Industrial Engineering (IAO) in Stuttgart confirmed that it was the target of a cyberattack on December 27th. The attack compromised certain systems and data, but the full extent of the damage is still unclear. The institute is collaborating with IT security experts and relevant authorities to investigate the incident. It is currently unknown whether personal data was exposed to the attackers.
- Hunter, Taubman Fischer & Li LLC has reportedly fallen victim to a ransomware attack orchestrated by Lynx. The group allegedly successfully infiltrated the firm’s systems and exfiltrated confidential data. Specific details about the nature and volume of stolen information have not yet been disclosed. The organization has not yet made a public statement addressing these claims.
- South Portland Public Schools took its network offline to safeguard student data and other sensitive information amid an ongoing cyberattack. While suspicious activity was detected and a firewall was breached, the school district believes that no student or staff data was compromised. It is not yet known who is responsible for the attack.
- Teton Orthopaedics, a Wyoming clinic, recently confirmed that it notified 13,409 individuals about a data breach that exposed names, addresses, dates of birth, health insurance details, and medical information. In March last year the hacking group DragonForce claimed responsibility for the breach, stating they had stolen 5.5GB of data from the healthcare provider. DragonForce reportedly gave Teton Orthopaedics one week to pay an undisclosed ransom, though it remains unclear whether the organization met these demands.
- Rhysida listed Canada’s Montréal-Nord borough on its dark web blog, posting several samples of documents it claims were stolen from the borough’s government network. The gang set a four-day deadline for a ransom of 10 BTC (around $1 million), warning that after the deadline they would sell the data to the highest bidder. The proof of claims included illegible files containing an email, administrative contract, and one Canadian passport.
- Austin’s Financial Solutions became a victim of Kairos ransomware gang, with the gang publishing 147GB of data stolen during the cyberattack. The initial post on the dark web, published in mid-December, included several files as proof of claims including scans of passports, payroll data, and an employee contract. The Australian wealth management firm has not yet publicly addressed these claims.
- Notorious ransomware gang Clop claimed to have breached US-based mobile and wireless software company Velocitor Solutions. The ransomware group published sensitive data stolen from the organization but at this time there is no further information available.
- Qilin ransomware group claimed to have exfiltrated 29,843 files, totalling 22GB of data, from Australian freight forwarding firm Globelink International. The dark web posting stated that all company data would be published on 03/01/2025, though no proof of claims was provided at the time. The data was subsequently uploaded to Qilin’s FTP server as threatened. It includes details of the company’s debtors and creditors, bank statements, and other internal documents.
- The Indian division of global travel booking agency Thomas Cook experienced a serious cybersecurity incident that disrupted its IT systems. Upon detection, the company promptly launched an investigation to assess the nature and extent of the attack while taking impacted systems offline. At this time, no hacker group has claimed responsibility for the incident.
- PowerSchool, an education software provider, informed individuals in the U.S. and Canada that their personal information was exposed in a ransomware attack that occurred in late December 2024. During the breach, attackers gained unauthorized access to one of the company’s customer support portals and stole sensitive data from 6,505 school districts. The stolen information included a variety of data including full names, physical addresses, contact details, Social Security numbers (SSNs), medical records, and grades. A threat actor involved in the attack claimed in their extortion demand to have stolen data on 62,488,628 students and 9,506,624 teachers, suggesting the breach affected a significant number of individuals.
- New York clinic Excelsior Orthopaedics confirmed it notified 357,000 people about a June 2024 data breach that compromised employee and patient information. Initial results of a forensic investigation indicated that the incident had resulted in the compromise of data. Monti took credit for the attack, giving the healthcare provider until July 16th to pay an undisclosed ransom demand. Excelsior has not verified Monti’s claim.
- Over 3TB of data was reportedly stolen from Kansas-based healthcare provider Sunflower Medical Group. The Rhysida group posted the organization on its darknet leak site, claiming to have over 400,000 driver’s licenses, insurance cards, Social Security numbers, and an SQL database in its possession. A sample of the allegedly stolen data was shared alongside a ransom demand of 10 BTC (roughly $1 million at the time).
- New ransomware group Morpheus claimed to have compromised PUS GmbH on December 20th. The group, which posts victims on its dedicated leak site, claimed that data including technical and personal documents, a customer database, and backups of customer databases had been stolen during the attack. The organization has not responded to these claims.
- Termite launched an attack on U.S. hospitality management company The Huntington Group in January. The ransomware group alleges that it successfully infiltrated the company’s systems and extracted nearly 39GB of sensitive data. While specific details about the stolen data were not disclosed, various screenshots were added to the dark web post as proof of claims.
- In Slovakia, the Land Registry Office (UGKK) was crippled by a large-scale ransomware attack, with its services remaining unavailable for a number of days. The UGKK chairman stated that no alterations had been made to the database and that multi-layered backups made it possible to restore data for critical systems. It is not yet known who is behind the incident, which is being reported as one of the worst cyberattacks in the country’s history.
- Addison Northwest School District in Vermont issued a clear public notice on its website addressing a recent cyberattack. The incident locked district officials, teachers, and other employees out of servers and shut down internet services. One of the compromised servers contained old payroll information for employees spanning 2008 to 2022. The ThreeAM ransomware group claimed the attack.
- In Wyoming, the Laramie County Library System was targeted by a ransomware attack that shut down library servers and immobilized most digital services. The library’s IT team reverted the system to a previous state and was able to resume full services. Patrons’ records were not compromised or accessed by the attackers.
- In October of last year, Australian health and wellness company DBG Health announced a cybersecurity incident on its website, revealing that data had been exfiltrated from its server. The server contained clinical consent forms collected through its clinical services. The Morpheus ransomware group recently claimed responsibility for the attack, naming Arrotex Pharmaceuticals – one of DBG Health’s business units – as a victim. The group stated that the stolen data, totalling 2.5TB, is either ready to be sold or published.
- A threat actor has claimed responsibility for breaching Gravy Analytics and leaking around 1.4GB of data. The claim was made on a Russian-language forum where screenshots of what is allegedly stolen data from the U.S.-based location tracking company were shared. While the claims have not been verified, the company’s website was offline for an extended period.
- Rent-2-Own was added to Medusa’s leak site this month, with claims that sensitive data was stolen from the organization. Although no specific details were published on the dark web listing, the group did set a ransom of $200,000 for either the deletion or the download of the exfiltrated information. A timer counting down a nine-day deadline was also added to the post.
- It was recently disclosed that 360,934 individuals were impacted by a December 2023 ransomware attack on Florida-based medical billing firm Medusind. Upon discovering suspicious activity in its internal server, the company launched an investigation, took all systems offline and notified relevant law enforcement authorities. The investigation concluded that certain files containing PII, PHI and financial information were compromised as a result of the incident.
- Ransomware group RansomHouse was behind a cyberattack on Cell C that compromised the data of some of its clients. Cell C provided little information about the attack, saying that initial findings suggest that data relating to a limited number of individuals may have been accessed by an unauthorized party. RansomHouse claims to have stolen 2TB of data belonging to the company.
- BayMark Health Services revealed that a significant data security incident late last year compromised the sensitive personal information of its patients and staff. When suspicious activity caused service disruptions, the healthcare provider immediately launched an investigation to determine the nature and scope of the incident. Compromised data is said to include names, SSNs, insurance documentation and treatment information. In October, RansomHub claimed responsibility for the attack, claiming to be in possession of 1.5TB of confidential data and giving BayMark a deadline of 36 days to fulfil its ransom demand.
- A new ransomware campaign targeting Amazon Web Services users by a threat actor known as Codefinger dominated the news this month. Rather than deploying malware, the attacker used S3’s native server-side encryption with customer-provided keys (SSE-C) to re-encrypt victims’ objects under a key only the attacker holds, then demanded payment for that key. Because AWS does not store SSE-C keys, the data cannot be recovered without it. The campaign depends entirely on obtaining an AWS customer’s account credentials, so exposed or over-privileged access keys are the root cause. Amazon stated that it is aware of exposed keys and that affected customers would be notified.
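The Codefinger item above describes an abuse of a legitimate S3 feature with stolen credentials, so the practical defences are (a) refusing SSE-C at the bucket policy level where it is not needed and (b) alerting on object writes that used it. The following Python is an added example written for this roundup, not code from AWS or from any of the reporting. It builds a deny policy keyed on the documented `s3:x-amz-server-side-encryption-customer-algorithm` condition key and scans constructed CloudTrail-style S3 data events; the `additionalEventData.SSEApplied` field and its `SSE_C` value are assumed to mark SSE-C writes and should be checked against your own trail before use.

```python
import json

# Constructed CloudTrail-style S3 data events (sample data, not real logs).
# The additionalEventData.SSEApplied field and the value "SSE_C" are assumed
# here to indicate an object written with a customer-provided key.
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "finance-archive", "key": "q4/ledger.xlsx"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leaked-ci-key"},
     "requestParameters": {"bucketName": "finance-archive", "key": "q4/ledger.xlsx"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leaked-ci-key"},
     "requestParameters": {"bucketName": "finance-archive", "key": "README.txt"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": {"bucketName": "finance-archive", "key": "q4/ledger.xlsx"}},
]

# Object-level operations that can apply SSE-C to the stored object.
WRITE_OPS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}


def flag_sse_c_writes(events):
    """Return (principal ARN, bucket, key) for every object write that used SSE-C.

    A legitimate workload that never uses customer-provided keys should
    produce zero hits; any hit is a candidate for a ransomware-style
    re-encryption and the principal should be investigated.
    """
    hits = []
    for ev in events:
        if ev.get("eventName") not in WRITE_OPS:
            continue
        if ev.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        params = ev.get("requestParameters", {})
        hits.append((ev["userIdentity"]["arn"], params.get("bucketName"), params.get("key")))
    return hits


def deny_sse_c_bucket_policy(bucket):
    """Bucket policy that rejects any request carrying an SSE-C algorithm header.

    The Null condition evaluates to false when the header is present, so the
    Deny matches only SSE-C requests; requests using SSE-S3 or SSE-KMS are
    unaffected. Attach this to buckets that do not legitimately use SSE-C.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
            },
        }],
    }


def policy_blocks_sse_c(policy):
    """Sanity check: does the policy contain a Deny keyed on the SSE-C header?"""
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {}).get("Null", {})
        if (st.get("Effect") == "Deny"
                and cond.get("s3:x-amz-server-side-encryption-customer-algorithm") == "false"):
            return True
    return False


if __name__ == "__main__":
    for arn, bucket, key in flag_sse_c_writes(SAMPLE_EVENTS):
        print(f"SSE-C write by {arn}: s3://{bucket}/{key}")
    print(json.dumps(deny_sse_c_bucket_policy("finance-archive"), indent=2))
```

The policy is a preventive control and the scan is a detective one; use both, because the deny only protects buckets you remembered to cover, and the scan only helps if S3 data events are actually being logged for the bucket.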
- The government of Turks and Caicos reported progress in its recovery following a pre-Christmas ransomware attack. The impact of the incident caused widespread issues and outages on the islands, with the government confirming that several segments of its network had been compromised. Attackers gained access to the government’s revenue collection and payment systems, impacting numerous business operations. No ransomware group has taken credit for the attack.
- Funksec ransomware group preyed on Indian edtech platform Wissenhive, accessing and exfiltrating data from the company. The attackers claim to have leaked over 32,000 records containing sensitive data from 2021 to 2022. The leak involves data such as emails, contact names and other identifying information.
- According to claims made by the Everest ransomware group, 50GB of data was exfiltrated from applied behavioural science firm Evidn. The gang posted its claim on its darknet leak site on January 9th, adding that a company representative should follow the instructions before the two-week countdown runs out. No ransom amount was disclosed on the post, nor was any evidence of the hack provided. Evidn is yet to publicly address these claims.
- Popular US-based cannabis company, Stiizy, suffered a third-party breach that exposed its customers’ ID information and transaction history. Personal information, passport numbers and signatures were also among the data types stolen. It was confirmed that Everest was behind the leak after the dispensary disregarded its ransom demands.
- It was confirmed that the City of West Haven in Connecticut experienced a cyberattack that forced the IT department to shut down all of its systems. Impacted systems were backed up and disruption was limited to a few days, but it was suggested that data might have been compromised. Qilin took credit for the attack and gave the city until January 19th to pay an undisclosed ransom amount. Officials from West Haven have not verified the gang’s claims.
- Bangladeshi private commercial bank, City Bank PLC, confirmed that sensitive client financial statements were exposed during a significant cybersecurity breach. The breach was traced back to a vulnerability in the bank’s session management system, allowing threat actors to gain access to client account statements. Funksec claimed the attack on January 21st but did not disclose the nature or volume of data stolen.
- RansomHub claims to have launched a cyberattack on Community Health Northwest Florida on Christmas Eve, exfiltrating information during the attack. The ransomware gang claimed to have stolen 68GB of data, giving CHNWF one week to pay an undisclosed ransom amount. The healthcare provider acknowledged that it had been hit by a cyberattack which disrupted phones, internet and servers, preventing patients from making appointments and filling prescriptions.
- Although Spectrum Medical Imaging was unaware that it had been targeted by a cyberattack, the INC ransomware gang claims to have infiltrated the radiology practice’s systems and exfiltrated data. The data reportedly includes financial and customer information, with the claims backed up by screenshots of documents containing names and medical information. The Australian company stated that it had not been contacted by threat actors and that, in the event of a ransomware incident, its policy is not to pay.
- Following a summer cyberattack, students and parents at Natomas Unified School District were informed that they would temporarily lose access to their school accounts due to annual IT maintenance. Following the discovery of suspicious activity, the school district had been forced to shut down its network, WiFi, VPN services and phone lines. These services stayed down for a number of weeks over the summer while the IT department worked to resolve the issues. Investigations recently revealed no evidence that data was accessed or taken during the incident.
- EuroCert released an official statement on its website addressing a cyberattack that took place overnight on the 12th. The confirmed ransomware attack resulted in a breach of personal data protection, as the malicious software encrypted files stored on the company’s servers. Upon discovery of the incident, necessary measures were taken, relevant authorities were notified, and an investigation was launched. The company also stated that PII, government-issued ID information and photographs may have been exfiltrated, but that this could not be confirmed initially. RansomHub claimed the attack two days later, alleging the theft of 65GB of data from the Polish technology company.
- In Australia, construction company Novati was claimed by Lynx, with the ransomware gang adding the company to its leak site on January 15th. The group claimed to have exfiltrated data including contracts, financial information and incidents. The organization was given a four day deadline to pay an undisclosed ransom amount. Alongside the claims, the leak site posting contained several documents as evidence of the hack, including planning emails and correspondence, tender results and a death certificate.
- RansomHub claimed to have exfiltrated 1TB of data from the Musicians Institute, a prestigious music school in Hollywood, California. The group added the school to its leak site as a victim on 13th January, giving a four day deadline to meet an undisclosed ransom demand. A sample of the data shared by the group contained alleged documents and images, some of which are invoices which could include personal information.
- Gateshead Council in the UK confirmed that police were investigating a cybersecurity incident which took place on January 8th. This statement was made a few short hours after Medusa ransomware gang added stolen documents belonging to the council to the dark web. A spokesperson confirmed that personal data had been “infringed.” Medusa added a 31-page slide show of various documents to its dark web site, all of which included some form of PII. Job applications, department budgets and reports about individuals’ eligibility for public housing were among the data types on display. The council’s investigation is still ongoing.
- Major Spanish multinational telecommunications company Telefónica had its internal Jira ticketing system compromised by Hellcat through a combination of information-stealing malware and social engineering. The attackers first harvested Jira credentials from more than a dozen employees using infostealer malware, then targeted employees with administrative privileges. This resulted in the exfiltration of 24,000 employee names and emails, 5,000 internal files and roughly half a million internal Jira issue summaries.
- Tennessee-based Mortgage Investors Group had customers’ data exposed following a network cyberattack claimed by Black Basta. A breach notice on the lender’s website stated that information such as full names and financial data was compromised during the incident. The breach notice did not specify the nature of the intrusion or the number of customers affected.
- Fog ransomware group allegedly hacked the University of Oklahoma, claiming to have exfiltrated 91GB of sensitive data belonging to employees and senators. The stolen data is said to include employee contact information, financial records (such as audits, payment details, and reports) and contact details of state senators. The university has not publicly disclosed a ransomware attack or verified claims made by the threat actors.
- Law firm Wolf Haldenstein confirmed that it notified 3,445,537 people of a December 2023 data breach. The attack compromised SSNs, employee ID numbers, medical diagnoses, and medical claim information. Black Basta claimed the attack shortly after it occurred, giving the law firm just over two weeks to pay an undisclosed ransom before the data was sold to a third party. Most of those impacted have been notified, but in December the firm identified a small subset of potentially affected people who could not be reached by direct notice.
- On January 11th, American cycling clothing company Primal Wear discovered a ransomware attack carried out by RansomHub in late December. The attack resulted in unauthorized access to and exfiltration of 10,513 files, amounting to more than 17GB of data. This data allegedly included financial records, employee information, sales data and invoice documentation. The company states that there is currently no indication that customer data was affected by the breach.
- Safepay added New Zealand law firm Bell & Graham to its victim list, claiming to have exfiltrated 15GB of data. The published dataset appeared to include legal correspondence and a large amount of identification documents. Bell & Graham confirmed that it identified the issue and its IT provider and a specialist cyber incident response team worked together to respond. Actions taken included restricted access to elements of its IT system while remediation and containment was completed.
- A threat actor named “Omid16B” told several news outlets that it had exfiltrated 561GB of databases from MedSave Health Insurance, a third-party administrator (TPA) in India. Corporate data, accounts, employee information, sales records and personal health data relating to 10,617,943 people are said to be among the stolen files. A screenshot was attached to the claim as proof of the hack. The TPA has not yet commented on or responded to the claims.
- Taylor Regional Hospital in Georgia became a victim of INC ransomware attack in late December 2024. The incident forced hospital staff to resort to paper medical charts in order to maintain levels of patient care. The hospital stated that it had no indication that patient records were compromised but that investigations are still ongoing. INC posted screenshots of hospital documents on its leak site as proof of claims.
- Italian management solutions company Divimast was claimed as a victim of an Akira ransomware attack on January 17th. The group claimed to be in possession of 8GB of data including private corporate documents, confidential agreements, internal finances and HR documents. Personal information belonging to employees and customers is also at risk of being exposed. Divimast has not yet publicly acknowledged Akira’s claims.
- Blacon High School in the UK had to temporarily close following a ransomware attack in mid-January. The school informed parents and students that it would remain closed for at least two days while a cybersecurity firm investigates the data breach. No additional details about the attack have been released at this time.
- 3TB of sensitive information belonging to Zuk Group was stolen by Handala, as the group targeted the company’s owner Moshe Zuk, a senior officer in the Israeli Mossad. The group reported that the data included financial and intelligence data such as secret transactions and covert operations. The group also claimed to have wiped and destroyed over one thousand employee systems.
- Morrison Community Hospital recently agreed to a $675,000 settlement to resolve a lawsuit filed in response to a 2023 ransomware attack and data breach. In September 2023 BlackCat encrypted files on the healthcare provider’s network after exfiltrating sensitive data. It was reported that 122,488 current and former patients were impacted by the breach. A lawsuit was then brought forward by affected patients, with Morrison Community Hospital agreeing to pay claims of up to $5,000 per class member.
- Non-profit opioid treatment provider CODAC Behavioral Health began issuing data breach notifications following a cyberattack in July 2024. The notification states that suspicious activity was detected in the network environment and certain information was accessed and copied without authorization. The data compromised included personal information of patients along with some medical data. Qilin claimed the attack, suggesting it had stolen 9GB of data and adding documentation as proof of claims. CODAC has not confirmed the ransomware gang’s claims or how many people were impacted in total.
- The Levy Group of Companies announced that on November 1st, 2023, Levy was the target of a ransomware attack. In response, Levy reported the incident to law enforcement and launched an investigation, through which it learned that certain files containing confidential information had been accessed. The compromised files have since been reviewed, and this month personalized data breach letters were sent to those affected by the incident.
- Some Pick n Pay customers have had their personal information leaked on the dark web following a cyberattack on one of its service providers. Claim Expert recently announced that an incident occurred in July in which a document containing personally identifiable information was exposed online. The Bashe ransomware gang threatened Pick n Pay with releasing the data unless the company paid an undisclosed ransom. When the company did not pay, the personal information of 100,000 customers was published on the dark web.
- Marina Family Medical, located in Queensland, became the target of a successful Money Message ransomware attack. Although Money Message claimed responsibility for the hack, their dark web post offered minimal details, only showing the phrase “wait for data” and a brief company description. The healthcare provider has not yet publicly acknowledged the possibility of a ransomware attack.
- Australian auto parts manufacturer, Clutch Industries, confirmed it was the victim of a cyberattack days after Lynx listed the company on its darknet leak site. The organization released a statement acknowledging the claims made by Lynx, stating that it believes the potentially compromised data is limited to company and operational information. The ransomware group responsible has claimed to have stolen 350GB of data, which allegedly includes user and business data, employee details, and financial information. The group also leaked shared folders, purchasing and stock data, engineering files, and sales and marketing information.
- More than 60,000 individuals were impacted by a ransomware attack on Avery Products Corporation in December last year. The company stated that it became aware of an attack on its network on December 9th, which prompted it to launch an investigation to determine the nature and scope of the incident. The investigation determined that credit card information was stolen alongside customers’ personal information.
- Canadian foam manufacturer Jacobs & Thompson Inc became a victim of notorious Lynx ransomware group. The attack was confirmed via social media, highlighting that the company’s systems were compromised, potentially exposing sensitive corporate data. The full extent of the breach remains unknown.
- One of the first high-profile victims of 2025 was American Standard, one of North America’s leading kitchen and bathroom manufacturers. RansomHub added the organization to its leak site on 22nd Jan, with a countdown clock displaying just over five days left on it. The gang claims to have stolen 400GB of data from American Standard network services, but this has not yet been confirmed by the organization.
- US-based missile system and aerial weapons manufacturer Stark Aerospace was added to the INC ransomware group’s dark web leak blog. The threat actors claimed to have 4TB of data including source code, design plans, employee passports, and firmware for all the UAVs the company produces. INC also posted a proof pack containing close to 40 file samples allegedly exfiltrated from the aerospace company.
- Bashe ransomware gang added ICICI Bank, a major financial institution in India, to its victim site on the dark web. Bashe threatened to release customer data unless its demands were met before January 31st. A sample of data appears to include names, phone numbers, addresses, ages, genders, types of credit cards and timestamps from March 2024. ICICI Bank has not confirmed the attack.
- RansomHub claimed responsibility for a December 2024 data breach at Mission Bank in California. The bank notified an undisclosed number of people that information including PII, passport numbers and financial account numbers was compromised. The bank also confirmed that an unauthorized third party gained access to certain systems within its network. RansomHub claims to have stolen 2.7TB of data relating to both employees and customers from the bank.
- A ransomware attack on Topackt IT Solutions impacted 45 schools in various cities and districts in Germany. The external IT service provider appeared on LockBit’s darknet leak site, with claims that the gang exfiltrated 3TB of data. A deadline of January 30 was given to the organization to pay undisclosed ransom demands. At this time Topackt has not publicly acknowledged the claims made by LockBit.
- BWFG Business and Forensics GmbH, an Austrian association of forensic experts, was hit by a Cloak ransomware attack. In late November, Cloak initially hinted at the breach, posting about an unidentified victim using a partially masked domain name. This month, the group confirmed that BWFG was the victim, claiming to have exfiltrated 102GB of data. Leaked data reportedly contains highly sensitive information such as confidential forensic reports and client details.
- Healthcare facility management company HCF Management reportedly fell victim to a RansomHub ransomware attack, with the organization’s data now leaked on the dark web. In October, RansomHub added HCF Inc to its leak site, claiming to have exfiltrated 250GB of files. Since January 9th, 23 HCF facilities have filed breach reports with HHS, indicating that at least 70,089 patients have been impacted by the breach.
- Argentina’s public healthcare system was dealt a severe blow when the Medusa ransomware gang announced Hospital El Cruce as a victim. The attack resulted in the compromise and loss of over 760GB of data. The ransom demanded by Medusa for the deletion of stolen files is $200,000 in BTC, with a deadline of February 6th. The ransomware gang provided a sample of very sensitive medical information but stated that, although it locked some files, it did not lock anything that would affect the hospital’s operations.
- Matagorda County’s Emergency Operation Center published a statement warning that a cybersecurity breach had been discovered involving a virus that had affected several systems. Several services throughout the Texas county remained offline for a number of days. The county is still investigating the cause of the disruption, and no hacking group has publicly taken credit for the attack.
- Kill ransomware gang claimed to have gained unauthorized access to Let’s Secure Insurance Broker’s data. There is limited information available about this attack, and Let’s Secure has yet to acknowledge the incident.
- Leading Chinese data management company AISHU Technology Corp has reportedly fallen victim to a RansomHouse ransomware attack. The threat actors breached the company’s security defenses and gained access to and exfiltrated around 500GB of data. The sensitive data reportedly includes valuable proprietary information, customer data and confidential business documents.
- Weeks, Brucker & Coleman Ltd was added to the leak site of the notorious ransomware gang Everest this month. Everest claims to have infiltrated the firm’s systems, exfiltrating approximately 150GB of sensitive data. The group has threatened to publish the stolen information within the next ten days if undisclosed ransom demands are not met.
- Ransomware gang INC claimed responsibility for a December 2024 attack on the International AIDS Vaccine Initiative (IAVI). IAVI started issuing breach notices in January, though the organization is yet to disclose the total number of people impacted and what data was compromised. Initial findings suggest that certain HR resources may have been involved in the attack. INC provided a number of screenshots of confidential documents as proof of claims.
- Space Bears claim to have compromised NSW-based Christian Community Aid, threatening to release data if demands were not met before the 10 day deadline expired. Although the dark web post did not contain a lot of information about the attack, it did state that the group is in possession of “valuable information” in various file types including documents, images and PDFs.
- This month, Florida real estate developer Stock Development confirmed that a data breach in 2023 and 2024 had compromised names, SSNs and bank account information. Stock stated that it discovered the breach in 2024 but believes that attackers first infiltrated its systems in April 2023. LockBit claimed the attack in March 2024, reportedly stealing 1TB of data and demanding $155,000 in ransom. Images of what seemed to be files and directories were posted as proof of claims.
- Smiths Group, a global engineering firm, reported a cybersecurity incident involving unauthorized access to its systems. The London-listed company stated that it was managing the incident by isolating affected systems and activating its business continuity plans. The organization is working with cybersecurity experts to recover affected systems and determine any wider impact the incident may have on the business. No ransomware group has yet stepped forward to claim the attack.
- Frederick Health Hospital’s systems were taken offline and ambulances diverted to other emergency departments due to a ransomware attack. The healthcare provider is working closely with third-party cybersecurity experts to get its systems back online as quickly as possible. A hospital spokesperson would not comment on whether any data was compromised during the attack, and no ransomware group has yet claimed the incident.
- On January 26, New York Blood Center Enterprises identified suspicious activity impacting its IT systems. The organization immediately engaged third-party cybersecurity experts to investigate the activity, and it was confirmed that it was a result of a ransomware attack. Immediate steps were taken to contain the threat, and experts are working to restore systems as quickly and safely as possible.
- A ransomware attack was responsible for the data breach that crippled Starkville-Oktibbeha Consolidated School District’s network in late December. The incident left students, faculty and staff without internet access on district campuses. The school district did not comment on whether student and employee data was accessed during the breach. The attack has been credited to Safepay.
- Kansas law firm Berman & Rabin recently confirmed it notified 151,944 people about a July ransomware attack that compromised SSNs and financial account information. Although attackers first breached the firm in July, the breach was not discovered until October. No cybercriminal group has publicly claimed responsibility for the attack.
- In late January, Omid16B tweeted that a US healthcare provider had been hacked, that all the data on the server had been deleted, and that all data would be published in 48 hours. Although the post referenced Cardinal Health, the real victim of the attack was Apex Custom Software. The threat actor claims to have been in Apex’s network for four days, with the organization oblivious to its presence and the exfiltration of data. The amount of data stolen was not disclosed, but the group did post a number of documents, including medication listings, as proof of the hack. According to Omid16B, the organization responded but only offered $1,000, which the hackers deemed unacceptable.
- RansomHub targeted the South African Weather Service’s IT systems in a recent attack. SAWS systems went down as a result, with the organization reporting that this was the second cyberattack against it within a two-day period, after the first attempt failed. According to SAWS, RansomHub has not demanded a specific amount for a file decryptor and protection against a further leak. Critical services were not impacted by the attack.
- 20,997 people were notified of an August 2024 data breach involving Mississippi electric utility Yazoo Valley Electric Power Association. An investigation concluded that a limited amount of personal information was accessed by an unauthorized third party in connection with the incident. The process of obtaining information on those impacted ended in December 2024. Akira took credit for the attack, claiming to have stolen SSNs, internal corporate information, and financial records.
- A recent attack on Health Centre, a network of cardiology clinics in Australia, was claimed by DragonForce. The group claims to have breached the healthcare provider’s IT systems, successfully encrypting the data on the servers and exfiltrating approximately 5GB of documents. The documents allegedly included sensitive information such as patient data, diagnoses and other protected health data. The group specified that it had also stolen database backups, suggesting a significant compromise of the provider’s IT infrastructure.
- Community Health Center, which runs dozens of facilities across the state of Connecticut, announced that 1,060,936 current and former patients had data stolen during a cyberattack in early January. The cybercriminals did not delete or lock any of the data, meaning that daily operations were not disrupted. The hacker accessed health records that included PII, treatment details, health insurance information and SSNs.
- ARDEX Australia was listed as a victim on Medusa’s dark web leak site in late January, with the group claiming to have stolen a trove of business documents. The group posted a comprehensive sample of exfiltrated data including spreadsheets, product lists, prices, remuneration documents, employment information, policy documents and other information, some of which was marked confidential. Medusa set a countdown for the release of data in roughly 22 days. The price to purchase or delete the information was set at $300,000.
- A ransomware attack affected some IT assets at Tata Technologies Limited. According to a company statement, the ransomware incident led to the temporary suspension of some IT services, but client delivery services were not affected. Suspended services have since been restored. A detailed investigation is underway in consultation with experts to assess the root cause of the attack. It is not yet known who is responsible for the attack.
February
In February, we recorded the highest number of attacks ever for the month, reaching a total of 77, marking a 35% increase compared to last year. Government was the hardest hit sector, closely followed by healthcare and services. Twenty-five different gangs claimed responsibility for attacks this month, with RansomHub taking the top spot for most active variant, accounting for nearly 10% of the victims.
Find out who made ransomware headlines in February:
- It was announced that Douglasville-Douglas County Water and Sewer Authority was hit by a malware attack in late 2024. Upon discovery of the incident immediate action was taken and the Emergency Response Plan was activated, ensuring minimal customer impact. The framework has since been rebuilt with minimal data loss. Lynx ransomware gang claimed the attack.
- CESI announced that it had been notified of a cybersecurity incident on February 1. A crisis unit was immediately activated, and internet access was cut off as a precautionary measure to contain the incident. Cybersecurity experts are working with CESI to analyse the impact and gradually restore services under optimal security conditions. Classes were not impacted by the attack. Termite ransomware group claimed responsibility for the attack.
- Details of a May 2024 cyberattack on Delta Health Memorial Hospital District finally came to light following a breach notification to the HHS. The healthcare provider stated that detection of the event occurred on May 30th and that those impacted had been notified before the end of July. It was reported that 148,363 individuals were impacted by the event. External counsel for the healthcare provider also filed a breach notification, but some of the details between the two notices were contradictory.
- Two years after the incident took place, individuals have begun to be notified about personal information exposed during a ransomware attack on the City of Hayward. On December 30th, 2024, officials learned that individuals’ personal information including names, DOBs, SSNs, financial information, government IDs and healthcare information had been impacted. The attack disrupted aspects and components of computer systems and networks. In response, impacted systems were taken offline for more than two weeks.
- Cicada3301 took responsibility for a ransomware attack on Rivers Casino Philadelphia, claiming to have stolen 2.56TB of confidential information. The casino acknowledged that it had fallen victim to unauthorized access to its computer services and later learned that some information may have been exfiltrated. Individuals whose SSNs and bank account information may have been compromised have been notified.
- Japanese sportswear company Mizuno confirmed that it had fallen victim to a ransomware attack orchestrated by BianLian. Malicious activity was first detected by Mizuno in November, with a further investigation revealing that systems had been infiltrated since August, resulting in the exfiltration of individuals’ PII. The number of individuals impacted has not yet been publicly released by Mizuno.
- In Texas, the city of McKinney informed thousands of residents that a cyberattack in October exposed sensitive information. The city stated that its government systems were breached on October 31st, but security systems didn’t discover the attack until November 14. The city’s IT team “severed” unauthorized activity and contacted appropriate law enforcement. The city said that 17,751 of its 213,000 residents have been impacted by the breach. No ransomware gang has yet claimed responsibility for the incident.
- Prominent Indian technology design and systems engineering company Mistral Solutions Pvt. Ltd fell victim to a ransomware attack at the hands of Bashe. There is very little information available about this attack, but it has been reported that the ransomware gang gave Mistral Solutions around 7 days to pay an undisclosed ransom amount.
- Ransomware gang BianLian claimed responsibility for a November 2024 data breach at St. Clair Orthopaedics and Sports Medicine. The Michigan-based healthcare provider notified an undisclosed number of patients that data including PII, PHI, and financial information had been compromised as a result of the attack. BianLian claimed to have stolen 1.2TB of data from St. Clair.
- Birmingham-based engineering firm IMI revealed that it was struck by a cyberattack involving unauthorized access to its systems. IMI declined to disclose what data had been accessed in the attack, but it is understood that systems in several of its locations worldwide were impacted. This incident was announced just one week after IMI’s rival Smiths Group admitted to being victimized by a ransomware attack.
- 14,207 people have been notified about an October 2024 data breach involving Crystal Lake Elementary District 47. The district stated that it experienced network disruption in mid-October, with an investigation revealing that certain information was accessed by unauthorized individuals. The district has not publicly disclosed what personal information was compromised, nor whether it belonged to students or staff. RansomHub claimed the attack, allegedly exfiltrating 600GB of data.
- Community High School District 117 notified 18,830 people about a June 2024 data breach, claimed by BlackSuit ransomware gang. The notice issued by the district acknowledged that unauthorized access to its network occurred between June 2 and June 12, 2024, but did not confirm the claims made by the ransomware group.
- A ransomware attack shut down the internet and telephone systems at the University of The Bahamas, forcing changes on administrators, professors and students. The attacks began on February 2nd and impacted all online applications including email platforms and systems used for classwork, forcing all online classes to be cancelled. The university worked to contain the spread of the attack and launched an investigation into the full scope of the incident. No ransomware group has yet taken credit for the attack.
- Sanrio Entertainment, owners of Puroland, announced that it was investigating a cyberattack which led to a site outage. IT personnel discovered that the site had been hacked and infected with ransomware. It has been reported that records of up to two million customers, as well as information of employees and clients, may have been leaked. Currently the attack remains unclaimed by a ransomware gang.
- Safepay added West Virginia’s Harrison County Board of Education to its leak site, claiming to have stolen 26GB of data. A statement from the Board of Education announced that it suffered a “cybersecurity incident” that involved unauthorized access to some of its computer systems. The incident caused disruption to schools for several days. Harrison County Board of Education has not confirmed Safepay’s claims, and it is not known what types of data may have been compromised.
- Australian accounting firm Hall Chadwick was targeted by BianLian ransomware group, with the threat actors claiming to have exfiltrated 700GB of information. The stolen information is said to include personal data, accounting, budget and financial information, emails, contract data, files from the CFO’s PC and operational and business files. Although no ransom demand or deadline was given, a BianLian spokesperson stated that data will be “published block by block.”
- A December 2024 attack on Wayne-Westland Community Schools was claimed by RansomHub this month. Although the attack took place in late 2024, recovery remained ongoing throughout January, with key systems being brought back online on January 9th. Public information about this attack is limited.
- In Alabama, the City of Tarrant had to shut down all of its government services following a cyberattack. Systems breached during the incident included the city’s police department. Upon discovering the incident, city officials immediately followed cybersecurity protocols and notified relevant federal authorities. IT contractors were able to take down the servers, make repairs and restore services. No cybercrime group has claimed the attack to date.
- The IT systems of the Secretariat of the German Bishops’ Conference fell victim to a cyberattack on the 10th. Upon discovering the attack, emergency plans were immediately activated, IT systems were disconnected, and relevant authorities were informed. A forensic investigation is currently underway. Qilin claimed responsibility for the attack, allegedly stealing 500GB of information including client and staff data.
- Qilin took responsibility for a cyberattack on Lee Enterprises which caused widespread network outages, disrupting many of the company’s 70-plus newspapers and other publications. An SEC filing stated that threat actors had unlawfully accessed the organization’s network, encrypted critical applications and exfiltrated certain files. The organization also commented that many operations, including distribution, billing, collection and vendor payments, had been impacted by the incident. Qilin claimed to have stolen 350GB of data including investor records and financial arrangements that would allegedly raise some questions.
- 1TB of data has allegedly been stolen from the Israeli Police following a ransomware attack by Handala. Compromised files reportedly include personnel records, weapons inventory, medical and psychological profiles, legal case files, weapons permits and identity documents. Handala stated that it has publicly disseminated 350,000 of the stolen files. The Israeli Police have denied any direct penetration of their systems, but an investigation is currently underway.
- Mewborn & DeSelms recently began to notify 12,941 individuals of an April 2024 cyberattack which compromised their personal data. According to the notification, the law firm discovered network disruption and promptly initiated an investigation. The investigation has since revealed that certain files containing names and SSNs were accessed during the attack. BlackSuit claimed responsibility for the incident in May last year, reportedly stealing business data, employee data, financial data, and other data taken from shares and personal folders. The law firm has not confirmed BlackSuit’s claims.
- RansomHub took credit for a ransomware attack on the Sault Ste. Marie Tribe of Chippewa in Michigan. The attack forced multiple computer and phone systems out of operation for an indefinite period across a number of organizations including casinos, health centers and various other businesses. The threat actors claimed to have exfiltrated 119GB of confidential information from the tribe, with some news outlets reporting that the ransom demand stood at $5 million.
- Prominent architectural, engineering and planning firm, O&S Engineers & Architects, was hit by a ransomware attack orchestrated by DragonForce. The ransomware gang added the organization to its leak site, claiming to have stolen 388.24GB of data. The group also added an eight-day deadline to the posting. It is not clear what type of data has been impacted by this incident or if a ransom was demanded by the group.
- Wong Fleming confirmed that personal data belonging to KeyBank clients, which was stored within its systems, may have been viewed or obtained by a third party. In response to the law firm’s notification, KeyBank began an investigation into the allegedly accessed data, determining the types of information accessed varied with each individual. RansomHub added Wong Fleming to its leak site this month, claiming to have stolen 500GB of information from the firm.
- Fog ransomware gang claimed responsibility for a cyberattack impacting the University of Notre Dame Australia. The university confirmed that it had experienced a cybersecurity incident but due to an ongoing investigation it could not comment any further. Fog claimed to have exfiltrated 62.2GB of data including contact information of students and employees, student medical documents, and other confidential information. The hackers did not list a ransom demand or ransom deadline.
- Cisco repudiated the reported compromise of its internal network by the Kraken ransomware operation, which proceeded to post sensitive information allegedly stolen from its systems. The ransomware gang claimed to have stolen Cisco’s Windows Active Directory environment credentials, usernames, related domains and accounts’ unique relative identifiers. Cisco reported that the stolen credentials had been leaked during a cyber incident in May 2022.
- Nature Organics confirmed that it was aware of a cybersecurity incident claimed by Medusa and was taking appropriate actions in its aftermath. Medusa listed the Australian manufacturer on its leak site alongside claims that it has stolen 142.85GB of data. A proof of hack was also added to the leak site including passport and driver’s licenses belonging to employees, bank account transaction histories, confidentiality agreements, internal communications and employee payslips. The group demanded a $150,000 ransom in exchange for the deletion of the data.
- Data breach notifications were issued by Muscogee County School District following a cyberattack in December 2024. MCSD stated that suspicious activity was detected on its networks during the holiday period and that some data belonging to employees may have been obtained. Safepay took credit for the attack in late January, claiming to have stolen 382GB of data from the school district. The ransomware group’s claims have not been confirmed by MCSD.
- Sarcoma claimed responsibility for an attack against the Unimicron printed circuit boards (PCB) maker in Taiwan. On its leak site, Sarcoma claimed to be in possession of 377GB of SQL files and documents exfiltrated from Unimicron. The cybercriminals also published samples of files allegedly stolen during the attack. On February 1st, Unimicron confirmed it had suffered disruption due to a ransomware attack, but did not confirm a data breach.
- In Australia, the Albright Institute was added to Kill’s dark web blog in mid-February. The ransomware gang did not set a ransom demand but did state that it would publish the data in less than six days from the time the listing was posted. A sample of data containing passport scans, study offer letters, payment plan documents and other personal data was added as a proof of claims. The Albright Institute is yet to publicly address claims made by Kill.
- Obex Medical, based in New Zealand was also added to Kill’s dark web leak site, alongside claims that data had been exfiltrated from the company’s networks. Like other listings, Kill did not set a ransom demand but did set a timer for less than 8 days. A sample of data including tax invoices was added to the listing. At this time, it does not appear that any personal data has been exposed.
- BianLian claimed to have infiltrated Aspire Rural Health System’s networks, exfiltrating a variety of data. In early January, the organization stated that it was experiencing a “technical outage” impacting its network and phone systems but has not confirmed a cyberattack. BianLian claims to have stolen data including patient records, financial information, and email correspondence.
- Tokyo-headquartered steel-making company Nippon Steel allegedly suffered a ransomware attack at the hands of BianLian. The ransomware group claims to have stolen 500GB of data, with exfiltrated sensitive information including accounting data, client financial and personal data, network users’ personal folders and fileserver data.
- Lynx ransomware gang announced that it had stolen 170GB of data from Australian truck dealership Brown and Hurley. The data allegedly includes sensitive documents relating to HR, business contracts, customer information, and financial records. Lynx published a pair of documents as evidence of the hack; one was correspondence from an insurance company and the other was a service agreement with a third party.
- Qilin claimed to have breached the Bethany Lutheran Church in Wisconsin, listing the church on its victim leak site in mid-February. The dark web post provided no specifics about the attack or any proof to support the claim. Bethany Lutheran Church is yet to issue a public statement addressing the group’s claims.
- A ransomware attack forced a number of systems offline at SimonMed Imaging in Arizona. A company representative stated that SimonMed “interrupted” the hackers and that no data was encrypted. Ransomware gang Medusa claimed the incident, saying that it was in possession of 212GB of data belonging to the healthcare provider. The ransomware gang was seeking $1 million in BTC in exchange for the data.
- Australian National University investigated claims of an alleged ransomware attack after it was added to FSociety’s darknet leak site. The group claimed to have exfiltrated all data from the institution’s servers before encrypting it. A seven-day deadline to meet undisclosed demands was set. The university has provided no further update on the attack.
- Embargo claimed Anne Grady Services, a non-profit organization in Ohio, as a victim in February. This is not the first attack this organization has faced: RansomHub had previously claimed to have stolen 107GB of its data. Anne Grady Services has not made any public statement addressing these attacks.
- Now-defunct Australian media company Regency Media was added to Akira’s dark web leak site, with the threat actors claiming to have stolen 16GB of information. The “essential data” reportedly contains NDAs, driver’s licences, passports, contact information belonging to employees and clients, financial data and more.
- North Carolina law firm Allen & Pinnix P.A. was targeted by a cyberattack, which has since been claimed by Akira ransomware group. The threat actors claim to have obtained 29GB of information from the firm’s network. The compromised data allegedly includes NDAs, medical records, contact information of employees and clients, as well as personal identification documents such as passports and birth certificates.
- Switzerland’s top industry association for mechanical and electrical engineering companies, Swissmem, has fallen victim to a major ransomware attack by Hunters International. The attackers claim to have stolen 456GB of data including proprietary technical specifications, financial records, and details of member organizations. The group gave a five-day deadline to meet undisclosed demands.
- INC ransomware group reportedly targeted Kibbutz Lavi Hotel in Israel, though no evidence has been presented to substantiate this claim. The group is said to have exfiltrated 174GB of sensitive data, consisting of 119,128 files. No additional details about the attack have been disclosed publicly.
- German manufacturer Südkabel issued a press release confirming that it had fallen victim to a cyberattack which resulted in IT disruption. The communication channels were among the impacted services, with the production processes facing very minor disruption. The organization stated that it is currently assessing if any data had been affected by the incident. Akira took credit for the attack, claiming to have stolen 27GB of information including NDAs, financial data, and employee and customer contact information.
- In San Antonio, Consultants in Pain Medicine recently confirmed it notified 2,062 Texans of a June 2024 ransomware attack which led to patient information being breached. The compromised information includes PII, financial account information, medical info and health insurance policy documentation. INC ransomware gang claimed responsibility for the attack in August, posting several images as evidence.
- The Pulmonary Physicians of South Florida was named as a victim on Brain Cipher’s dark web leak site. The group claims to have exfiltrated sensitive patient information including personal details and medical history. The healthcare provider was given until March 2 to meet undisclosed demands.
- RansomHub claimed responsibility for an attack on Riverdale Country School, alleging that it had stolen 42GB of data. The dark web posting included a five-day deadline to meet ransom demands before data was leaked. Riverdale has not yet publicly addressed these claims.
- It was reported that RansomHouse claimed responsibility for stealing data from the Supreme Administrative Court of Bulgaria. The group published documents, including lists of employee names, personal data, and leave applications, as evidence of the breach. Acting Chairman of the Supreme Administrative Court confirmed that the system had been infected with ransomware and that human error may have led to the attack. He acknowledged that a ransom had been demanded but firmly denied that data had been lost from the Unified Case Management Information System.
- Paratus Namibia’s MD confirmed that the company detected unusual activity on its network in mid-February and immediately isolated affected systems. The organization enlisted international cybersecurity experts to assist with recovery efforts and has since invested in advanced security solutions to prevent future incidents. An investigation into the full extent of potential data compromise is ongoing.
- Great Plains Bank in South Dakota confirmed it notified 7,767 people about a November 2024 cyberattack which led to names and SSNs being compromised. The bank stated that an investigation is ongoing but has confirmed that some personal information was accessed by an unauthorized party. Akira claimed the incident stating it had stolen 18GB of data. The group went on to say that it had exfiltrated internal corporate documents including NDAs, driver’s licenses and contact information belonging to employees and customers.
- London-based entertainment management company, The Agency, disclosed that they had been impacted by a cyberattack following claims made by Rhysida ransomware group. Rhysida allegedly exfiltrated files including internal information, spreadsheets, and other client data. The group’s leak site also noted a $678,035 bitcoin ransom demand issued to The Agency.
- Almost 2.3TB of data belonging to HCRG Care Group was held to ransom by the Medusa ransomware gang. HCRG, which runs child and family health and social services in the UK, was added to the ransomware gang’s leak site alongside a demand of $2 million in exchange for the stolen data. Samples of the data, totalling 35 pages, have already been released and contain passports, driving licence scans, staff rotas, birth certificates, and data from background checks. HCRG is currently investigating these claims.
- Safepay claimed responsibility for a January 2025 ransomware attack on IT giant Conduent. The organization confirmed it suffered an outage on January 22nd which disrupted electronic money transfers and EBT payments for two days. The ransomware group claimed to have stolen 8.5TB of data, but these claims have not yet been verified by Conduent.
- Qilin claimed to have successfully hacked the Palau Ministry of Health and Human Services in a leak post on February 20. On the dark web posting, Qilin stated that all data would be available to download on February 27, 2025, before sharing details of the victim. MHHS confirmed that it had been targeted by a cyberattack and that an investigation to determine the extent of the attack is ongoing. No further details on the hack have been made public.
- Persante Health Care, a leading provider of sleep management services, was targeted in a cyberattack that led to the leak of several patient sample videos from its facility. The INC ransomware group added the healthcare provider to its leak site, posting the videos as proof of their claims. Persante Health Care has not yet issued a public statement regarding the leak.
- Anne Arundel County government systems were disrupted by a cyberattack. Although some services were down, all emergency services remained fully operational. The county released a statement confirming that an ongoing cyber incident of external origin was impacting public services. There is no further information on this attack currently available.
- The Hong Kong government’s investment promotion arm, InvestHK, stated that it was checking whether any personal information had been compromised following a ransomware attack on its computer systems. Preliminary findings revealed that the attack had impacted internal customer relationship management systems, the intranet and sections of its website. It was also revealed that basic information on clients could have been exposed as part of the attack. No ransomware group has yet claimed responsibility for the incident.
- Major Australian IVF firm Genea Fertility revealed that it discovered suspicious activity on its network in mid-February, with the clinic disabling some systems to contain a breach. According to an update given by the organization, it is believed that personal information within its patient management system was accessed and stolen by threat actors. Both PII and PHI could be involved in the breach, but the organization is yet to confirm the types of data stolen. Termite ransomware group claimed responsibility for an attack on the IVF clinic in early February.
- Hunters International issued an ultimatum to Comisiones Obreras (CCOO), giving the union a one-week deadline to meet financial demands and avoid the leak of sensitive information. The group claims to have extracted 570GB of information from the union’s servers. Although there is no information about how the data was accessed or when the event occurred, the threat actors set a deadline of March 2 to meet undisclosed demands.
- Lynx ransomware group claimed to have compromised Xepa-Soul Pattinson Sdn Bhd, a leading pharmaceutical manufacturing enterprise in Southeast Asia. The attack allegedly resulted in the exfiltration of 500GB of sensitive data including internal operation documents, financial records, contractual agreements, patent filings, and HR information. There is no further information currently available about this attack.
- Medusa claimed responsibility for a cyberattack on Laurens County School District 56 in South Carolina. The gang gave the school district two weeks to pay a $320,000 ransom or it will release 2.4TB of the school’s private information. A sample of documents was provided by the group on its leak site. District 56 has not verified the claims made by Medusa but did confirm that there had been a security breach impacting its systems.
- Siberia’s largest dairy plant was reportedly disrupted by a LockBit ransomware attack. The attack on the Semyonishna plant, which took place in December, involved an unidentified hacker group encrypting the company’s systems using a LockBit ransomware strain. The hackers used the remote access software AnyDesk to spread the ransomware across the company’s network, and it was confirmed that the targeted system lacked antivirus protection. Abuse of legitimate remote-access tooling is a recurring pattern in these incidents: because the binary is signed and widely used, it passes through controls that would block a bespoke implant, so detection depends on process telemetry (where and by whom the tool is launched) rather than on file reputation.
- Detroit PBS disclosed that a cyberattack on the local TV station resulted in the exfiltration of sensitive information. The data breach was detected back in September, with an investigation revealing that certain Detroit PBS systems had been infected with malware, which prevented access to certain files. The stolen files included the personal information of at least 1,694 individuals. Qilin ransomware group claimed the attack; a post on the gang’s dark web site stated that it was in possession of 345GB of data.
- Akira listed Thornton Engineering on its dark web leak site in late February, claiming to have exfiltrated personal and business files from the organization. The group stated that it was ready to upload 11GB of corporate documents including contact information and financial data. Thornton Engineering is yet to respond to these claims.
- Chicago-based law firm Dinizulu Law Group Ltd became the victim of a Morpheus ransomware attack in late February. The breach exposed confidential legal documents, financial records, employee and client personal data, business plans, and videoconference recordings tied to active court cases. The law firm is yet to publicly acknowledge the incident.
- Cleveland Municipal Court was closed for at least three days following a cybersecurity incident. The court stated that it has not confirmed the nature and scope of the incident but that all internal systems and software platforms would be shut down until further notice. No further information on this incident is available.
- Australian adult website Adult XXX Reviews confirmed that a limited amount of user data was leaked, with a hacker offering a 94,000-record dataset for sale on a hacking forum. The hacker posted that the data was for sale for $300 in BTC. A sample of dozens of sets of user data, including names, addresses, passwords and membership details, was added to the post on the hacking site. The matter has been referred to relevant cybersecurity authorities.
- Orange Group confirmed that one of its non-critical apps was breached in an attack on its Romanian operations. This admission was given after a member of the HellCat ransomware gang allegedly exfiltrated thousands of internal files with user records and employee details. The theft of almost 6.5GB of corporate data, including 12,000 files, was the result of the attacker’s presence in Orange’s systems for more than a month, gained by exploiting the company’s Jira instance and other vulnerabilities.
- The Anubis ransomware gang claimed Australia-based Pound Road Medical Centre (PRMC) as a victim, claiming to have exfiltrated extensive medical data. In an article published on its leak site, Anubis named specific patients, medical histories, and incidents within the medical centre to highlight just how detailed the exfiltrated data was. The ransomware group also claimed it had access to reports that highlight cases of malpractice within PRMC. PRMC posted a data breach notification on November 13th stating that investigations had identified that patient data had been accessed and stolen from its systems.
- VectraRx Mail Pharmacy Services disclosed a significant data breach that compromised the sensitive personal and protected health information of 109,383 individuals. The breach, which was discovered in mid-December, involved unauthorized access to the company’s systems, exposing names, SSNs and other personal information. It has not been confirmed which cybercrime group is responsible for the incident.
- Heartland Community Health Center in New York reported a data breach that exposed sensitive personal and protected health information of individuals. The breach, discovered in October 2024, prompted an investigation that concluded on January 10th, confirming that an unauthorized third party had accessed the data. Medusa claimed responsibility for the attack this month and issued a ransom demand of $180,000 for the stolen information.
- Leading Chinese semiconductor manufacturer National Technology Co. confirmed it suffered a ransomware attack carried out by the RansomHouse group. Over a span of 72 hours, the threat actors exfiltrated 3TB of sensitive data including proprietary R&D blueprints, customer financial records and industrial IoT firmware.
- A DragonForce ransomware attack targeted Al Bawani, a prominent Riyadh-based real estate and construction firm, resulting in the exfiltration of 6TB of sensitive information. Threat actors announced the breach on February 14, demanding a ransom before publishing the stolen information through a dedicated leak site.
- Ligentia issued a statement on its website confirming that it had been subject to a cybersecurity incident caused by an unauthorized third-party which impacted some of the company’s systems. Immediate steps were taken to address the incident and business continuity procedures were implemented to minimize disruption to customers. Relevant authorities were informed. Termite has claimed responsibility for the attack.
- RansomHub claimed responsibility for a January 2025 cyberattack on the Town of Bourne in Massachusetts. RansomHub gave town officials one week to pay an undisclosed ransom amount before it will auction off 100GB of allegedly stolen data. Although Bourne officials have not confirmed RansomHub’s claim, the town and local police did announce that it had been hit by a cyberattack on January 11.
- Auckland-based law firm Hudson Gavin Martin confirmed that it had fallen victim to a RansomHub ransomware attack. RansomHub posted details of the attack in late February, claiming to have stolen 30GB of data. A spokesperson from the law firm stated that they were aware of the cyber incident that resulted in an unauthorized third party accessing a limited part of the company’s IT system. It was revealed that personal information belonging to a handful of employees and a small number of clients had been affected.
- DragonForce listed Auckland-based car dealership Tristram European as a victim on its darknet leak site. The hackers reported that 33.73GB of data was stolen and published the full dataset at the time of posting. The data included employee pay details, financial data, maintenance information and a database containing details of the dealership’s gold-level customers. Tristram European is yet to publicly address these claims.
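The Semyonishna entry above describes the operators spreading LockBit across the network with AnyDesk on hosts that had no antivirus. The following is an added detection example written for this post, not code from the original page or from any of the organizations named in it: it runs two rules over process-creation telemetry (an unsanctioned remote-access binary on a host outside an approved list, and the same binary appearing on several hosts within a short window, which is the fan-out signature of operator-driven lateral movement rather than an IT rollout). The pipe-delimited log format, the host names, the approved-host list and the sample events are all constructed for illustration; real deployments would read Sysmon Event ID 1 or EDR process events instead.

```python
"""Flag unsanctioned remote-access (RMM) tools in process-creation telemetry.

Added example, not from the original post. Log lines are constructed in a
simplified Sysmon Event ID 1 style; the field layout, host names and the
approved-host list are assumptions made for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote monitoring/management binaries that ransomware operators commonly
# abuse for persistence and lateral movement (AnyDesk is the one in the post).
RMM_IMAGES = {"anydesk.exe", "teamviewer.exe", "atera.exe",
              "screenconnect.clientservice.exe"}

# Hosts where IT has a sanctioned AnyDesk deployment (assumed for the example).
APPROVED_RMM_HOSTS = {"it-helpdesk01"}

# Constructed sample telemetry: UTC time | host | user | image path | command line.
SAMPLE_LOG = """\
2024-12-10T02:14:05Z|it-helpdesk01|CORP\\svc_rmm|C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe|AnyDesk.exe --service
2024-12-10T03:01:12Z|fileserver01|NT AUTHORITY\\SYSTEM|C:\\Users\\Public\\AnyDesk.exe|AnyDesk.exe --install C:\\Users\\Public --start-with-win --silent
2024-12-10T03:04:40Z|plc-hmi02|CORP\\operator|C:\\Users\\Public\\AnyDesk.exe|AnyDesk.exe --install C:\\Users\\Public --start-with-win --silent
2024-12-10T03:06:58Z|erp-db01|CORP\\admin|C:\\Users\\Public\\AnyDesk.exe|AnyDesk.exe --install C:\\Users\\Public --start-with-win --silent
2024-12-10T03:20:00Z|erp-db01|CORP\\admin|C:\\Windows\\System32\\notepad.exe|notepad.exe
"""


def parse_events(log_text: str) -> list[dict]:
    """Parse the constructed pipe-delimited process-create lines into dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "user": user,
            "image": image,
            "image_name": image.rsplit("\\", 1)[-1].lower(),
            "cmdline": cmdline,
        })
    return events


def is_user_writable(image_path: str) -> bool:
    """True when the binary runs from a location a dropper can write to."""
    p = image_path.lower()
    return any(marker in p for marker in ("\\users\\", "\\temp\\", "\\programdata\\"))


def detect_rmm_abuse(events: list[dict],
                     window: timedelta = timedelta(minutes=10),
                     fanout_threshold: int = 3) -> list[dict]:
    """Return alerts for RMM tools on unapproved hosts and for rapid multi-host spread."""
    alerts = []
    rmm_events = [e for e in events if e["image_name"] in RMM_IMAGES]

    # Rule 1 (per host): an RMM binary running where it is not sanctioned.
    for e in rmm_events:
        if e["host"] in APPROVED_RMM_HOSTS:
            continue
        reasons = ["unapproved_host"]
        if is_user_writable(e["image"]):
            reasons.append("user_writable_path")
        if "--silent" in e["cmdline"].lower():
            reasons.append("silent_install")
        alerts.append({"rule": "unsanctioned_rmm", "host": e["host"],
                       "user": e["user"], "image": e["image_name"],
                       "time": e["time"], "reasons": reasons})

    # Rule 2 (fleet-wide): the same RMM binary on >= fanout_threshold distinct
    # hosts inside `window` is the spread pattern, not a scheduled rollout.
    by_image = defaultdict(list)
    for e in rmm_events:
        by_image[e["image_name"]].append(e)
    for image_name, evs in by_image.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["time"] - first["time"] <= window}
            if len(hosts) >= fanout_threshold:
                alerts.append({"rule": "rmm_fanout", "image": image_name,
                               "hosts": sorted(hosts), "start": first["time"]})
                break  # one fan-out alert per binary is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_rmm_abuse(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the first rule fires for the three production hosts (all from a user-writable path with a silent install) and stays quiet for the helpdesk host, while the second rule fires once because those three installs land within six minutes of each other. The threshold and window are tuning knobs: too tight and a genuine IT push trips the fan-out rule, too loose and a patient operator slips under it, so pair this with an allowlist maintained from the actual RMM change process rather than a static set.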
March
March marked a historic milestone, becoming the first month ever to exceed 100 publicly disclosed ransomware attacks, reaching a total of 107. This represents an 81% increase compared to the same month last year. The healthcare sector remained the most targeted, with 22 attacks, followed by manufacturing with 13. A total of 39 different ransomware variants were responsible for the attacks, with Qilin, Clop, and Akira leading the way.
Here is the list of organizations who made ransomware headlines in March:
- Akira added Austria-based Forstenlecher Installationstechnik to its victim site at the start of March, claiming to have exfiltrated 41GB of confidential information from the company. Compromised data allegedly included contact information belonging to employees and customers, HR documents including SSNs, financial data such as audit and payment information, and confidential licenses, agreements and contracts. The organization has not yet publicly confirmed Akira’s claims.
- Turkish restaurant group BNS Food confirmed that a data security breach affected its Japanese food chain, Sushi Co. It was confirmed that unauthorized access had compromised certain customer information including names, contact details and order history. BNS Food assured customers that no financial data was impacted. An investigation into the nature and scope of the incident has been launched and it’s not currently known who was behind the attack.
- Internet access and all critical systems have now been restored at Rainbow School District after being down for several days. A statement from the school board confirmed that data acquired by unauthorized individuals was deleted and has not been shared. Although it has not been confirmed, this statement suggests that the organization paid a ransom to the unknown threat actors.
- Medusa claimed to have stolen 219.5GB of data from Bell Ambulance, demanding a ransom of $400,000 from the Wisconsin ambulance company. The attack caused significant disruption to operations and the organization launched an investigation to determine if any information was affected.
- Parents from Penn Harris-Madison Corporation School District received a notification that the district had suffered a ransomware attack. The incident impacted Skyward and Canvas, two systems students rely on to turn in assignments. As a precaution, all network-connected desktops were shut down. The district’s technology team consulted experts to investigate the situation, and the ransomware gang responsible for this incident has yet to be named.
- Qilin ransomware gang added the Grammy award-winning Houston Symphony to its leak site in early March. The group claimed to have exfiltrated 300GB of data, adding a five-day deadline and a Tox address for communication to its leak site posting. A short time after it was posted the listing disappeared, suggesting that the organization contacted the cybercriminals and may be attempting to negotiate with them.
- Singapore-based not-for-profit HomeTeamNS suffered a ransomware attack which affected some of its servers containing data belonging to current and former employees. Upon discovery of the incident, impacted servers were immediately disabled and isolated from the network. The organization engaged third-party cybersecurity experts to investigate and remediate the incident.
- Systems Pavers, a construction company based in Santa Ana, recently notified an undisclosed number of individuals of a data breach following a ransomware attack in September 2024. The notice acknowledged the incident, stating that threat actors gained unauthorized access to data between September 20th and October 4th. The organization has not disclosed the types of data that were compromised or the group of individuals impacted. Medusa claimed the attack in October 2024, giving the organization a one-week deadline to pay a ransom demand of $1 million.
- Qilin ransomware gang has taken responsibility for a recent ransomware attack on Utsunomiya Central Clinic in Japan, leading to a major data breach. The group accessed the clinic’s servers and exfiltrated about 140GB of sensitive data, including over 178,000 files containing medical records, personal information, X-rays, and ECG data. This breach potentially impacted around 300,000 patients, with a portion of the stolen data already leaked online.
- A recent cyberattack compromised D. Edri Brothers Ltd., an Israeli construction and infrastructure firm, with threat actors leaking 16GB of sensitive data. The breach exposed extensive personal and business information, including employee records, foreign contractors’ data, internal emails, project specifications, and client contracts. The compromised data includes payroll details and national IDs. Toufan has claimed responsibility for the attack.
- Chicago Doorways, LLC, a U.S.-based supplier of commercial doors and hardware, became the target of a ransomware attack by the Qilin group. The attackers exfiltrated 46GB of sensitive data before encrypting the company’s systems. A proof-of-claims pack containing 21 images was added to the listing on the dark web page. The organization is yet to publicly acknowledge these claims.
- Accountancy firm Legacy Professionals recently disclosed a significant data breach impacting over 190,000 individuals. The breach, which occurred in April 2024, involved the unauthorized access and theft of sensitive data, including Social Security numbers, driver’s license numbers, medical treatments, and health insurance information. LockBit claimed responsibility, demanding an undisclosed ransom and the firm has not confirmed whether the ransom was paid.
- In Maine, Franklin County recently reported that it had suffered a ransomware attack in February, which caused temporary disruption to its computer systems. Due to the County’s prior investment in robust backup systems, the IT department was able to restore functionality quickly. The County immediately contacted law enforcement and engaged third-party cybersecurity specialists to manage the response. A forensic investigation has been conducted, and the County is working diligently to determine if any personal information was exposed.
- The Town of Hinton in Alberta recently disclosed that its networks have been declared clear of any malicious activity resulting from a cybersecurity incident in February. An unauthorized third party gained access to the Town’s servers, but after a thorough investigation it was determined that no sensitive information was stolen or misused. However, RansomHub claimed to have exfiltrated 92GB of information from the town’s networks.
- In early March, Adval Tech Group fell victim to a cyberattack that targeted its global IT systems. Upon discovery of the incident, the company immediately shut down all its systems as part of an emergency protocol to protect its infrastructure, resulting in potential production interruptions at various locations. The impact of the attack is still under investigation. Lynx ransomware gang has since taken credit for the attack.
- Crazy Hunter claimed to have stolen data belonging to Chuanghua Christian Hospital during a February ransomware attack. On its dark web blog, the newly emerged gang announced that data including personnel databases, health insurance claims, consultation records and employee information was among the data stolen. The Ministry of Health and Welfare has created new training guidelines including a framework on how to respond to the incident.
- Ransomware gang Skira claimed responsibility for a late 2024 data breach at Carruth Compliance Consulting. The attack led to data breaches across at least 36 school districts and colleges, impacting over 110,000 school employees. The stolen data, which reportedly amounts to 469GB, included sensitive personal information such as Social Security numbers, financial details, medical billing information, and tax filings. Although the attack has been acknowledged, the organization has not verified Skira’s claims.
- Sydney-based tour agency Wendy Wu Tours became a victim of the Kill ransomware group. The attackers listed the company on their darknet leak site, claiming to have exfiltrated sensitive data, including scans of valid passports from residents of Australia, the United Kingdom, and Germany. Along with passport scans, the hackers also released a passenger pre-travel form containing personal details such as names, residential and email addresses, and emergency contacts. Kill threatened to release more data unless the company complied with their demands, though no ransom amount was posted. Wendy Wu Tours has not yet commented on the breach, and the investigation is ongoing.
- The National Defense Corporation (NDC), a subsidiary of National Presto Industries, was recently targeted in a ransomware attack by the group InterLock, which claimed to have stolen 4,200 GB of data. Despite this breach, NDC chose not to pay the ransom, citing that the stolen data held little value due to the company’s focus on low-tech military products. While the company informed U.S. government agencies about the attack and disclosed it publicly, it confirmed that operations were largely restored, and the attack did not significantly impact financials.
- Taipei’s Mackay Memorial Hospital apologized to the public for an information leak caused by a cyberattack. The attackers encrypted hospital systems, causing disruptions to over 500 computers. The attack, orchestrated by Crazy Hunter, resulted in the theft of 32.5GB of data, affecting 16.6 million patients. The stolen data, which reportedly includes sensitive personal details of patients from across Taiwan, was allegedly sold online on February 28th.
- Fog claimed responsibility for a February 2025 data breach at Williamsburg-James City County Schools in Virginia. The attack caused disruption to the district’s operations, with systems being restored several days after the incident occurred. The ransomware group said it stole 27.7GB of data from WJCC but did not post a ransom demand or any further details on the alleged stolen data. WJCC has not verified Fog’s claims.
- District officials announced that private information belonging to more than 700,000 current and former Chicago Public Schools students was leaked on the dark web following a ransomware attack in late 2024. The hackers reportedly gained access to CPS data through a weakness in vendor software, facilitating the theft of information including student names, birthdates, and ID numbers. Additionally, for around 344,000 students, Medicaid IDs and eligibility details were compromised. Clop ransomware gang claimed responsibility for the incident but did not post any further information on its leak site.
- Qilin has claimed responsibility for an attack on the Ministry of Foreign Affairs of Ukraine. The hackers reportedly gained access to the Ministry’s systems and exfiltrated documents, including personal and confidential government files. Qilin demanded a ransom for the data, threatening to release the stolen information if their demands were not met. The Ukrainian government is investigating the breach, working with cybersecurity experts and authorities to assess the full scope of the attack and mitigate its impact.
- SSK Plastic Surgery in California revealed that it was the victim of a cyberattack with an extortion demand last year. An unknown intruder accessed a limited number of patient documents, including personal information such as names, contact details, and limited health data, including images for virtual consultations. The breach, discovered in January 2025, led to notifications being sent to affected individuals, though the full scope of data exfiltration and any leaks remain unclear.
- SYMA Austria, a subsidiary of the SYMA Group, suffered a cyberattack that compromised its systems. Play, who claimed the attack, threatened to release sensitive data obtained during the incident. However, with the support of its IT service provider and cybersecurity experts, SYMA was able to restore its operations quickly, with only the Austrian location being affected. The company has notified its customers and is cooperating with law enforcement and relevant authorities in Austria and Switzerland to investigate the attack.
- In March, Best Collateral filed a data breach notification after discovering that an unauthorized party was able to access portions of its IT network. The company launched an investigation in February after discovering the compromised files. The sensitive customer data accessed includes names, SSNs, driver’s license numbers, biometric data, military IDs, and health insurance details. Rhysida claimed responsibility for the attack.
- RansomHouse claimed responsibility for a cyberattack on Loretto Hospital in Chicago. The gang reportedly breached the hospital’s systems, stealing sensitive data totalling 1.5TB. The attackers threatened to release the stolen data unless their ransom demands were met. Although the exact nature of the compromised data has not been disclosed, the hospital has acknowledged the attack and is working with law enforcement and cybersecurity experts to mitigate the impact.
- Funksec targeted Sorbonne University in Paris, exfiltrating 20GB of data from its systems. The group, known for utilizing AI-generated ransomware, demanded an undisclosed ransom and posted the university on their dark web leak site. While Funksec did not specify the type of data stolen, they provided evidence of their access, including a screenshot of a search query conducted on one of the university’s computers. The university is still currently investigating the situation.
- RansomHub listed coal mining equipment supplier Bis Industries as a victim on its darknet leak site. The organization recently acknowledged the attack which happened in December 2024, stating that it quickly engaged cybersecurity experts to contain the incident and minimize operational impact. RansomHub has allegedly stolen 502GB of data and has leaked the stolen information on its darknet site. Bis Industries is investigating RansomHub’s claims.
- RansomHub also listed Southern Regional Medical Group (SRMG), a medical provider based in Western Australia, as one of its victims in March. The group claimed to have stolen 19GB of data from the organization, though no specific documents or ransom demands were released. The gang posted the attack on its darknet leak site, threatening to publish the stolen data within five days if their demands were not met. SRMG has not responded publicly to the breach, and the situation remains under investigation.
- NTT Communications has informed nearly 18,000 corporate clients about a data breach that exposed sensitive customer information. The breach, which occurred earlier in the year, affected the personal and business details of these clients. NTT has not disclosed the full scope of the compromised data but has taken immediate steps to mitigate further risks. The company is working closely with cybersecurity experts to address the breach, investigate its cause, and protect affected customers. It is not yet known who is behind this incident.
- Safepay claimed that it targeted Willms Fleisch, one of Germany’s largest meat producers, earlier this year. The company confirmed the breach, commenting that no downtime was experienced, but it has not disclosed specific details about the compromised data. The threat actors, who allegedly exfiltrated 2TB of data, demanded an undisclosed ransom with a deadline of March 13th. Willms Fleisch decided not to pay the ransom, asserting that the data taken was not critical to its business operations.
- A breach notification has been made public regarding a data breach at the Center for Digestive Health, which affected 122,437 individuals due to a ransomware attack in mid-2024. The notification revealed that unusual activity was spotted on the center’s IT network in April, leading to an investigation that confirmed unauthorized access to files containing patient data. The BianLian ransomware group claimed responsibility for the attack in May 2024 and subsequently leaked 2.2TB of the healthcare provider’s data.
- Clop published files allegedly stolen from Rackspace, a major US-based cloud service provider. The group claimed that Rackspace ignored their demands, leading to the release of the data on their dark web leak site. The stolen files were not fully disclosed, and the amount or type of data has not been confirmed.
- In North Carolina, Pinehurst Radiology Associates remained closed for more than one month following a cyberattack that occurred in late January 2025. The practice detected suspicious activity on its network and launched an investigation, bringing in legal counsel and cybersecurity experts. As of March 12, 2025, some systems remained offline, and services such as mammography and ultrasound appointments have been suspended. The breach has not been attributed to a specific ransomware group, and the practice is working to restore its network.
- The Asbury Theological Seminary recently confirmed that 15,560 individuals were impacted by a June 2024 data breach that compromised a trove of sensitive personal and financial information. The organization did acknowledge the attack, announcing that a network security incident was responsible for website issues. Fog ransomware gang claimed the breach back in June last year, stating that it stole more than 10GB of data from the seminary.
- The City of Fort St. John confirmed that a February cyber incident, which affected its services, was a ransomware attack. The incident disrupted phone, email, and internal systems, bringing down much of the city’s network. Certain services, such as online bill payments, are still down for security reasons. A small amount of data, mostly non-sensitive departmental files, was stolen, but the city asserts that personal information was not compromised. INC ransomware gang has taken credit for the attack.
- New Zealand-based insurance broker Vercoe confirmed it was investigating a ransomware attack by DragonForce, which claimed to have stolen 60.67GB of data. The incident, first reported on March 5, has not yet led to the publication of any stolen files or ransom demands, but DragonForce has threatened to release the data soon. Vercoe quickly restored its systems and stated that the incident had limited impact on its operations. The company is working with external experts to assess the full scope of the breach and has notified regulatory authorities and stakeholders.
- Ascoma Insurance Advisors, a leading Monaco-based insurance brokerage, was targeted by an Akira ransomware attack. The group reportedly stole 12GB of sensitive data from the company, though specific details on the compromised information have not yet been confirmed. Ascoma has yet to issue an official statement on the matter.
- It was confirmed that Brydens Lawyers suffered a ransomware attack in late February which led to the theft of over 600GB of sensitive information. The firm confirmed the breach and is actively investigating the extent of the damage. Brydens Lawyers is working with authorities, including the Australian Cyber Security Centre, and has restored its IT systems. No ransomware group has yet claimed responsibility.
- Lynx ransomware group listed CI Scientific as one of its victims, claiming to have stolen 81GB of sensitive data. The stolen data reportedly includes business contracts, financial records, and human resources information. Despite the claim, no files have been released yet, and there is no ransom demand or deadline indicated. CI Scientific has not yet responded to the claims.
- A ransomware attack briefly disrupted operations at Ganong Bros in late February. The company discovered the breach on February 22 and immediately took steps to protect its network, involving third-party cybersecurity experts and legal counsel. The investigation is ongoing to determine if personal information was compromised. Play ransomware group has been linked to the attack.
- Harrell’s, LLC, an agrochemical distributor, fell victim to a ransomware attack by the Lynx group. The threat actors exfiltrated around 100GB of sensitive data, including financial records, proprietary chemical formulas, and employee information. Lynx published screenshots of the stolen data on its dark web leak site and threatened to release more unless a $15 million ransom is paid.
- On March 11 2025, Babuk ransomware group claimed responsibility for a cyberattack on Lexmark, alleging that they had infiltrated the company’s systems. Lexmark’s cybersecurity team immediately launched an investigation into the claim. However, no evidence was found to support the presence of ransomware in Lexmark’s environment. The company is continuing to monitor the situation and has made efforts to ensure the security of its systems.
- It was confirmed that Unicorr Packaging Group, a Connecticut-based packaging company, experienced a data breach in January 2025 after unauthorized activity was detected on its network. Upon investigation, the company confirmed that sensitive personal data, including Social Security numbers and credit card information, may have been compromised. Akira took responsibility for the attack, claiming to have stolen 90GB of data from the organization.
- In mid-March, a ransomware attack targeted the Department of Health Services on the island of Yap, part of the Federated States of Micronesia. The attack forced the department to take its entire network offline, disrupting email communication and digital health systems. Efforts are underway to restore services, determine the extent of the breach, and assess the data compromised. No group has yet claimed responsibility for the attack.
- Qilin claimed responsibility for a breach of SMC Corporation’s European branch. The threat actors exfiltrated 1.1TB of data, including sensitive corporate documents, employee records, and technical schematics. SMC is investigating the breach and has engaged third-party experts, while also negotiating with the attackers to prevent further data leaks.
- In Switzerland, Ascom confirmed it was targeted by a cyberattack. The company quickly identified suspicious activity and began investigating the breach. Some of the organization’s internal systems had been compromised, leading to disrupted operations in certain areas. The company has engaged cybersecurity experts and is working closely with authorities to address the issue. Hellcat ransomware gang claims to have exfiltrated 44GB of data from Ascom, including internal reports, sales documents, confidential agreements, development tools and source code.
- Hunters ransomware group claimed responsibility for a cyberattack on Courageous Home Care. The attackers exfiltrated approximately 262GB of sensitive data, including patient information, before encrypting the organization’s systems. The breach is believed to have occurred through compromised credentials or unpatched vulnerabilities.
- An Apos ransomware attack targeted KIU System Solutions, a cloud service provider for the airline industry based in Uruguay. Apos allegedly exfiltrated 2.3TB of sensitive data, including airline software code, client agreements, and backend service credentials. The incident disrupted KIU’s operations, impacting critical aviation services. KIU is working with external cybersecurity experts to investigate and mitigate the damage.
- A threat actor named Empire claimed to have breached Honda’s Indian division, exfiltrating over 3 million records. The stolen data includes sensitive customer details such as names, billing addresses, phone numbers, purchase dates, and more. The hacker listed the data for sale on a popular hacking forum for $1,500, posting a sample of the compromised information, though some fields appeared incomplete. The data has not been verified by the organization.
- Western Alliance Bank revealed that a significant data breach had impacted nearly 22,000 individuals due to a vulnerability in Cleo. The breach occurred between October 2024 and January 2025, resulting in unauthorized access to sensitive data. The compromised information includes personal details such as Social Security numbers, financial account numbers, dates of birth, and identification numbers.
- Ikav Energy, a Luxembourg-based energy investment firm, confirmed that a late 2024 data breach had compromised the personal data of 722 individuals in Texas and 15 in Massachusetts. The breach, which was claimed by the DragonForce ransomware group, resulted in the theft of 177GB of sensitive data including SSNs.
- Fog ransomware group claimed responsibility for a significant data breach at University Diagnostic Medical Imaging (UDMI), which impacted over 138,000 individuals. The group stole 28.1GB of personal information, including patient data, from the company’s internal systems. The radiology practice immediately launched an investigation, with assistance from external cybersecurity experts, to determine the nature and scope of the incident.
- Babuk ransomware group took credit for a significant breach at Jingdong, also known as JD.com, one of China’s largest e-commerce platforms. The attackers claim to have stolen over 11GB of data, including sensitive customer information such as names, usernames, passwords, email addresses, QQ numbers, and ID card details.
- Pinduoduo strongly denies claims that it has fallen victim to a Babuk ransomware attack. The threat actor claims to have obtained 892GB of data, including sensitive customer details such as names, phone numbers, addresses, and purchase information, from the major Chinese e-commerce platform. The company believes the incident may have been fabricated by a competitor.
- Hellcat breached Jaguar Land Rover (JLR) by exploiting stolen Jira credentials. The attackers gained access to sensitive internal documents, including development logs, proprietary source code, and a large employee dataset containing personal information. The breach compromised approximately 700 documents and 350GB of additional data, which was later leaked by the attackers.
- Swedish lock and security company Assa Abloy was targeted in a cyberattack by the Cactus ransomware group. The attackers accessed internal data from local servers in Sweden, demanding a ransom for the stolen information. Although the company has confirmed the breach and is conducting an investigation, it believes the impact on its operations will not be significant. The ransomware group has reportedly stolen 229GB of information and added documents to its leak site as proof of claims.
- Babuk claimed to have stolen over 2TB of data from Taobao, an e-commerce platform owned by Alibaba. The group allegedly obtained sensitive information relating to approximately 600 million users and more than 8 billion orders, including personal details such as names, phone numbers, and shopping histories. Babuk threatened to sell the data on the dark web, but Taobao has denied the claims, stating that its own internal investigation found no evidence of a breach on its platform.
- Sitro Group Australia was targeted by an INC ransomware attack this month. INC leaked three documents as proof of the attack, suggesting that sensitive data may have been stolen and encrypted. Currently there is limited information available about this attack.
- Atchison County in Kansas experienced a cyberattack that led to the closure of its offices for a day as officials investigated the incident. The attack disrupted the county’s computer network, affecting its services. The authorities worked to determine the scope and impact of the breach, which had significant consequences for the county’s operations. It is not yet known who is responsible for the attack.
- Also in Kansas, a cyber incident disrupted services and systems at Derby’s police department. Although the city’s officials have kept details scarce, it is believed that a significant portion of the department’s internal systems were compromised. The department has not confirmed the exact nature of the attack, and the situation remains under investigation.
- 5TB of data was allegedly exfiltrated from French telecommunications giant Orange. Babuk claimed the attack and appears to have stolen information including sensitive customer records, employee details, source code, contracts, invoices, and other personally identifiable information. Babuk threatened to release a quarter of the data if Orange refused to pay the ransom. The claims have not been verified by the organization.
- Berkeley Research Group (BRG) was targeted by a cyberattack amidst an ongoing acquisition deal. The attack disrupted BRG’s operations, but the full scope of the damage is still under investigation. BRG has not publicly shared details of the incident, and it’s unclear whether any data was stolen. The identity of the attackers remains unknown.
- California Cryobank (CCB) confirmed a cyberattack that occurred in April 2024, during which unauthorized actors accessed sensitive customer data. The breach occurred over a two-day period and involved the potential exfiltration of files containing personal information such as bank account details, payment card numbers, and health insurance information. The company has not revealed the number of affected individuals or whether its international operations were impacted.
- Australian fibre installation firm Expert Data Cabling (EDC) was added to INC’s victim list this month. The group allegedly stole and encrypted a range of sensitive data, including driver’s licenses, contractor information, building maps, contracts, and personal details such as names, addresses, and phone numbers. EDC has not publicly commented on the breach, and INC has yet to publicly announce a ransom demand or a date for the data release.
- The Pennsylvania State Education Association (PSEA) wrapped up an investigation into a July 2024 data breach. The breach involved the theft of personal information such as Social Security numbers, health details, and financial data like account numbers and payment card information. The attackers, suspected to be the Rhysida ransomware group, may have used double extortion tactics, as PSEA’s investigation included attempts to ensure the stolen data was deleted.
- The Town of Orangeville has been dealing with the aftermath of a February cyberattack, which caused disruption to some of its online systems. Although the full extent of the breach is still under investigation, the town acted swiftly to secure its systems and continue delivering essential services. While some systems remain affected, most critical services, like fire and transit, have continued without interruption. BlackSuit ransomware gang claimed the attack.
- Ransomware gang Cloak just claimed responsibility for a February 2025 cyberattack on the attorney general of Virginia. The attack led to the shutdown of essential systems, including email, VPN, and the office website. Employees were forced to switch to paper-based filing as a result. Cloak has since posted stolen documents on its data leak site.
- Ransomware gang Kraken claimed responsibility for a data breach at Klickitat Valley Health in Washington. The attack resulted in the breach of sensitive patient information including Social Security numbers, health insurance details, medical records, and personal identification information. KVH has not verified Kraken’s claims.
- Parascript, LLC just filed a notice of data breach after experiencing a ransomware attack back in August 2024. The breach was detected on August 16, 2024, after suspicious network activity was observed. An investigation revealed unauthorized access to files containing confidential data between July 29 and August 16, 2024. Compromised sensitive consumer information included names and Social Security numbers.
- Charles County Ambulance District (SCCAD) notified 1,265 individuals about a security breach caused by a sophisticated malware attack. The attack involved unauthorized access to a user account, exposing sensitive data of individuals who had received treatment or transportation services from SCCAD. The exposed data included names, addresses, dates of birth, and treatment details, with some individuals’ destination hospital information also compromised. Those responsible for this attack have not yet been revealed.
- Topy America Inc., a manufacturer based in Frankfort, Kentucky, experienced a data breach after unauthorized access to its network was detected. During the incident, files were copied from the company’s systems, exposing sensitive information of current and former employees, as well as their beneficiaries and dependents. The compromised data included personal details such as names, addresses, Social Security numbers, medical treatment information, and health plan enrolment data.
- Clop allegedly hacked MGA Entertainment, a major U.S. toy manufacturer known for brands like Bratz and Little Tikes. The gang listed the company on its dark web leak site but provided few details on the extent of the breach. Clop criticized the company for neglecting customer security, and although no publication date for the stolen data was given, MGA’s operations in multiple countries may have been affected. The company has not yet confirmed the full scope or impact of the attack.
- It’s been disclosed that Lake Washington Vascular fell victim to a ransomware attack on February 14, 2025. The Qilin ransomware group claimed responsibility, demanding a ransom, but the center was able to prevent significant damage by restoring files from secure off-site backups. However, the attack encrypted the center’s electronic health record and practice management systems, potentially compromising the data of 21,534 patients. The exposed information may include personal details, medical histories, and treatment data, though financial information was not affected.
- The City of Mission in Texas is grappling with the aftermath of a ransomware attack that occurred last month, with recovery efforts expected to last for months. The city has acknowledged the attack but has been cautious about releasing detailed information. The breach involved unauthorized access to the city’s systems, and the ongoing mitigation is aimed at addressing vulnerabilities and preventing further incidents. The city has not disclosed which ransomware group was behind the attack.
- A ransomware attack on Aztec Municipal School District led to a significant network outage that forced the closure of schools. Interlock claimed the attack which resulted in the theft of 1.3TB of data, including financial documents, tax disclosures, and personal information of employees and students. Interlock posted stolen documents as proof, although the district has not confirmed the full extent of the data breach.
- MinebeaMitsumi Inc. reported a cybersecurity breach after unauthorized access to its network was detected. The breach involved a third party potentially accessing data from a company file server. In response, MinebeaMitsumi took immediate action by restricting external access and blocking connections from internal to external networks. While the breach is still under investigation, the company has not confirmed any significant business impact. Cicada3001 has claimed the attack, allegedly stealing over 3TB of data.
- In Pennsylvania, Union County fell victim to a ransomware attack that compromised personal information from its government systems. The attackers stole data related to county law enforcement, court matters, and other county business, potentially including Social Security numbers and driver’s license numbers. The county has notified federal law enforcement and hired cybersecurity experts to assist with recovery. The specific ransomware group behind the attack has not yet been confirmed.
- A cybersecurity incident at Cargills Bank involved unauthorized access to a system within its infrastructure. The bank acted quickly to isolate the affected components and engage cybersecurity experts to assess the situation and protect customer interests. Despite the breach, there were no disruptions to banking operations. Hunters ransomware group has been credited with the attack, with the group claiming to have exfiltrated 1.9TB of data.
- Australian skincare manufacturer Baxter Laboratories was targeted by RansomHub, who claimed to have stolen 40GB of data. The attack encrypted part of the company’s IT systems, but Baxter quickly contained the incident and engaged cybersecurity experts to assess the situation. While RansomHub listed Baxter on its dark web leak site, the company has not yet confirmed what specific data was compromised.
- Tanaka Precious Metals confirmed a cyberattack on its Taiwan production site, Tanaka Electronics Taiwan (TET). The attack resulted in unauthorized external access to servers, and TET quickly responded by cutting off internet connections, suspending infected file servers, and enhancing security measures. Newly emerged ransomware gang NightSpire took credit for the attack, claiming to have exfiltrated 150GB of data.
- A cyberattack on Fabricaciones Militares, a key state-owned company for the Argentine defense industry, has resulted in the theft of over 300 GB of sensitive data. The compromised data includes plans for cutting-edge weapons projects. Negotiations are reportedly underway to recover the stolen information. Monti ransomware group was responsible for the incident.
- Cablevision was hit by a cybersecurity incident that disrupted its operations and impacted customers. The company’s website was down at time of writing, displaying a notice about a system outage affecting its computer systems, preventing customers from accessing their accounts, placing orders, or managing billing tasks. Cablevision has acknowledged the issue and is actively investigating the incident while working to restore its systems and services. Hunters has claimed the attack, stealing 66.8GB of data from the organization.
- 126,580 individuals were recently notified about a data breach at Joseph’s College of Maine caused by a ransomware attack claimed by the Clop group. The breach, which occurred between December 15, 2023, and January 24, 2024, compromised sensitive data, including Social Security numbers. While Clop has listed the college on its dark web leak site, the institution has not confirmed whether it paid a ransom.
- A ransomware attack targeted a student at Teays Valley Christian School in Putnam County, West Virginia. The student received a threatening email, stating that a “hit list” would be sent from their account unless a file was downloaded. The attack compromised the student’s Discord and Google accounts, with unauthorized access from multiple IP addresses. In response, local law enforcement began investigating the incident.
- A cyberattack caused significant delays in operations for Astral Foods, South Africa’s largest chicken producer. The attack led to downtime in processing and delivery, resulting in a loss of about 20 million rand (approximately $1 million). The company quickly implemented its disaster recovery protocols and restored normal operations. Astral Foods confirmed that no sensitive customer or supplier data was compromised, but the exact nature of the attack and the attackers remain unclear.
- Cross Valley Federal Credit Union experienced a data breach that compromised the personal information of over 17,000 individuals. The breach, which occurred in 2024, exposed sensitive data, though the specific details of the compromised information were not disclosed. LeakedData shared information from this attack in early January 2025.
- A cybercriminal group called Arkana claimed responsibility for a data breach at WideOpenWest (WOW!), a major American cable company. The group released a music video to boast about stealing sensitive information from 403,000 customers, including usernames, passwords, partial credit card details, and email addresses. Arkana has threatened to sell or leak this data if WOW! does not pay a ransom by the given deadline. The breach occurred after an employee’s computer was infected with malware, allowing the attackers to gain access to WOW!’s backend systems. The group has also warned they could push malware to the company’s customers.
- In South Carolina, Columbia Eye Clinic reported a data security incident potentially affecting patient information. The clinic disclosed that protected patient health information may have been compromised. While specific details about the exposed data remain unclear, the clinic has initiated an investigation to determine the full scope of the breach and is taking steps to enhance security measures.
- Meigs County Emergency Medical Services (EMS) recently notified 5,802 individuals about a cyber incident in which patient data was stolen. In late January, unauthorized access was detected in an employee email account, and an investigation confirmed that the account’s contents were downloaded. The exposed information included names, SSNs, medical details, insurance information, and more. The cybercriminals behind the attack are yet to be named.
- Cottrill’s Specialty Pharmacy in New York recently disclosed a data security incident that affected the personal information of 2,348 patients. Unauthorized access was detected within its network on January 21, 2025, and although the breach was brief, it is possible that sensitive data was stolen. A file review completed in February confirmed that compromised data included names, dates of birth, SSNs, driver’s license or state ID numbers, medical information, and health insurance details.
- ALN Medical Management recently disclosed a data breach that was identified back in March 2024. The breach involved unauthorized access to systems hosted by a third-party service provider, with an investigation confirming that various files and folders were accessed or copied. A review process completed in January 2025 revealed that affected data may include names, SSNs, financial details, medical information, and health insurance data. Notification letters to impacted individuals were sent in March this year, though the exact number of affected individuals remains unclear.
- Heritage South Credit Union in Alabama recently confirmed a data breach that affected an undisclosed number of people. The breach, which occurred in February 2025, was claimed by Embargo, who stole 300GB of sensitive data. This included SSNs, financial account details, debit card information, addresses, and more. The group demanded a ransom, but Heritage South has not confirmed if it paid the attackers.
- A recent cyberattack targeted Kuala Lumpur International Airport (KLIA), disrupting operations and raising concerns about cybersecurity. The attackers demanded a $10 million ransom, but Malaysia’s Prime Minister Anwar Ibrahim firmly rejected the demand, stating there was “no way” the country would bow to criminal threats. Malaysia Airports Holdings Berhad (MAHB), which operates the airport, confirmed the attack but did not disclose further details about the perpetrators or whether the attack had been fully resolved.
- Akira claimed to have exfiltrated 54GB of organizational data, potentially exposing sensitive information related to Helbor Empreendimentos S/A’s operations, clients, and projects. Compromised data stolen from the Brazilian real estate developer includes corporate NDAs, internal correspondence, financial data, corporate licenses, agreements and contracts, and employee and customer contact information.
- Monette Barakett Avocats senc, a prestigious Montreal-based law firm, has fallen victim to Akira’s latest cyberattack. The ransomware group claims to have obtained sensitive organizational data, potentially compromising client confidentiality and exposing critical legal information.
- Concord Orthopaedics (COPA) notified nearly 68,000 patients about a data breach caused by a vendor that handles patient registration and appointment check-ins. The breach, which was discovered back in November 2024, exposed sensitive patient information. The vendor, whose name has not been disclosed, stored unencrypted personal and health data, some of which was later leaked on the dark web.
- VanHelsing recently listed Compumedics, an Australian medical device company, on its ransomware leak site. The group claimed to have stolen a variety of sensitive data, including passport scans of employees, product and testing data, and other company-related documents. Although the exact amount of data and ransom demands have not been disclosed, the breach also affected Compumedics’ subsidiary, NeuroMedical Supplies.
- In Georgia, Pineland Behavioral Health and Developmental Disabilities Community Service Board recently reported a data breach that exposed sensitive personal information, including SSNs and medical details, of an undisclosed number of individuals. The breach was claimed by the ransomware group Space Bears who also stole documents and medical histories.
- Pacific Residential Mortgage confirmed a data breach following a ransomware attack discovered in February. The attack resulted in unauthorized access to sensitive consumer information, including names, addresses, SSNs, dates of birth, driver’s license numbers, and financial details. After securing its network and conducting an investigation, the company identified the affected individuals and began sending notification letters in March this year. Law enforcement was notified, and cybersecurity experts were engaged to mitigate further risks. Lynx ransomware gang claimed the attack.
- Australian property developer TOGA was listed as a victim of the Akira ransomware group, who claimed to have stolen over 530GB of sensitive corporate data. The leaked information includes financial records, audit details, employee and customer contact information, and database files. This breach follows a cyber incident affecting TOGA’s subsidiary, TFE Hotels, which caused significant disruption to its operations. Akira has not issued a ransom demand but has warned about releasing the stolen data.
- Medusa targeted O’Shea Builders, a construction service provider in Central Illinois. The gang reportedly exfiltrated 120.5 GB of data and demanded a ransom of $350,000 within seven days. Medusa also threatened to leak the stolen data, including spreadsheets, diagrams, and invoices, if the ransom was not paid. The organization is yet to publicly address Medusa’s claims.
- Walmart-owned Sam’s Club is investigating a potential security breach claimed by the Clop ransomware group. The group listed the retailer on its dark web portal, suggesting that Sam’s Club had been targeted through exploitation of the Cleo zero-day vulnerability. While no data has been leaked yet, Clop threatened to release the exfiltrated information if a ransom is not paid. The company is looking into the incident, though it has not provided further details.
- Brighton Australia was recently listed as a victim by the SafePay ransomware group. The hackers claimed to have stolen over 160GB of data, including financial statements, intellectual property, accounting records, and sensitive personnel and customer information. SafePay also posted a ransom note, stating that the breach was due to security misconfigurations and that they had exfiltrated files of interest. While the stolen data has not yet been made public, SafePay threatened to release it unless a ransom is paid.
- Details of an August 2024 ransomware attack on Cincinnati Pain Physicians have been revealed this month, with Dr Sudasrshan recalling the disruption caused by the incident. Clinic workers were unable to access the computer system before external IT personnel confirmed that the clinic had been hit by ransomware. Helldown provided the clinic with information on how to pay an undisclosed ransom to retrieve stolen data.
- Rhysida demanded a ransom of 5BTC (approx. $420,000) from the Forrest City School District in Arkansas following a cyberattack in December 2024. The attack, which caused the district to suspend its internet services, resulted in the theft of sensitive data, including student transcripts and internal documents. Rhysida threatened to auction the stolen data if the district did not pay the ransom within a week. Documents were uploaded to the dark web as proof of the incident, but the school district is yet to verify Rhysida’s claims.