
Ransomware Report Says Manufacturing Hit Hardest by Hidden Attacks in Q3

20 October, 2025
BlackFog report reveals 36% increase in Q3 ransomware attacks overall, year over year.

SAN FRANCISCO, Oct. 16, 2025 – BlackFog, the leader in ransomware prevention and anti data exfiltration (ADX), revealed findings from its analysis of global ransomware activity from July to September 2025 across both publicly disclosed and non-disclosed attacks. 

Manufacturing emerged as the hardest hit sector for undisclosed ransomware incidents, accounting for 22% of all hidden attacks. The findings reveal the ongoing operational and supply chain vulnerabilities that continue to make the sector a prime target for cybercriminals, with major disruptions, including the Jaguar Land Rover attack in August, underscoring the real-world impact on production and recovery timelines.

The report also underscores the growing scale of data theft: 96% of disclosed attacks involve data exfiltration, the highest level recorded to date.

For manufacturers operating complex, interconnected environments, the findings emphasize the need to protect data at its source to maintain production continuity, safeguard intellectual property and preserve supply chain resilience.

The findings show that publicly disclosed attacks continued to set new records, with 270 attacks, a 36% increase compared to Q3 2024 (198 attacks). This also represents a 335% increase since Q3 2020, underscoring the continued rise in ransomware attacks over the last five years.

Additional key findings for July–September:

Increase in publicly disclosed attacks year on year

Compared to the same period in previous years, the following monthly increases were observed: 

  • A 50% increase in July with a total of 96 attacks
  • A 37% increase in August with a total of 92 attacks 
  • A 27% increase in September with a total of 85 attacks 

Qilin topped as the most active group; DEVMAN made an impact 

Between July and September, publicly disclosed attacks were attributed to 54 ransomware groups. As in Q2, the Qilin ransomware gang–which recently claimed responsibility for the attacks on the Asahi Group–was the most active, responsible for 20 incidents during this period. Notably, approximately 40% (107) of reported attacks have not yet been attributed to any known ransomware group.  

The quarter also saw the emergence of 18 new ransomware groups, several linked to high-profile incidents targeting large organizations. Among these, the newcomer DEVMAN made a significant impact, with 19 attacks across Asia, Africa, Europe, and Latin America. It was also behind a $91 million demand against Chinese real estate giant Shimao Group, one of the largest demands seen this year.

Undisclosed attacks: Manufacturing sector hit hardest

When looking at attacks that are not disclosed publicly, the manufacturing sector was hit hardest, accounting for 22% of all incidents.  

Close behind was the services sector, with 333 incidents, while the construction industry entered the top three for the first time with 143 attacks. The legal sector also saw a surge, recording 79 attacks–its highest level to date.

Disclosed attacks: Healthcare sector persists as most targeted  

In terms of publicly disclosed attacks, healthcare was once again the most targeted sector with 86 attacks–accounting for 32% of all incidents. This was followed by the government and technology sectors, each reporting 28 attacks.

Lack of reporting remains a challenge

In Q3 2025, nearly 85% of all ransomware attacks (estimated at 1,510) went unreported, representing a 21% increase compared with the same period in 2024. Qilin was also the most active in this segment, responsible for 16% of cases.  

Data theft remains the dominant tactic used by attackers, with 96% of all disclosed cases involving data exfiltration, marking the highest level recorded to date.  

Commenting on the findings, Dr. Darren Williams, founder and CEO of BlackFog, said: “This has been a quarter in which the fallout of cyberattacks has continued to have a long and lasting impact. From grounded aircraft and stranded passengers to manufacturers forced to halt production, the disruption has been significant. Operations at Jaguar Land Rover, for instance, only recently resumed following the August incident, while numerous smaller suppliers are still counting the cost. 

At the other end of the scale, we’ve seen attackers pulling no punches when it comes to the type of company and data they target. The attack on a UK nursery chain, Kido, in September marked a new low when it emerged that information on children, parents, and carers was taken.  

As ransomware volumes show a continued upward trend, the best option for organizations is to make it as hard as possible for cybercriminals to take advantage of them. That means protecting data so that they have no leverage for extortion and, critically, no incentive to return.”  

Methodology

This report was generated in part from data collected by BlackFog Enterprise over the specific report period July to September 2025. It highlights significant events that prevented or reduced the risk of ransomware or a data breach and provides insights into global trends for benchmarking purposes. This report contains anonymized information about data movement across hundreds of organizations and should be used to assess risk associated with cybercrime.  

Industry classifications are based upon the ICB classification for Supersector used by the New York Stock Exchange (NYSE).  

All recorded events are based upon data exfiltration from the device endpoint across all major platforms. 

About BlackFog 

Founded in 2015, BlackFog is a global AI based cybersecurity company that has pioneered on-device anti data exfiltration (ADX) technology to protect organizations from ransomware and data loss. With 95% of all attacks involving some form of data exfiltration, preventing this has become critical in the fight against extortion, the loss of customer data and trade secrets.   

BlackFog recently won a Gold Globee award for AI-Driven Data Protection Solution and the coveted Cybersecurity Breakthrough Award for AI-based Cybersecurity Innovation of the Year. BlackFog also won Gold at the Globee awards in 2024 for best Data Loss Prevention and the State of Ransomware report which recognizes outstanding contributions in securing the digital landscape.  

Trusted by hundreds of organizations all over the world, BlackFog is redefining modern cybersecurity practices.
