A new record was set for ransomware attacks last year, with disclosed ransomware attacks increasing by 49% year-over-year to a record-high of 1,174 attacks, according to Black Fog’s 2025 State of Ransomware Report. There was also a 37% year-over-year increase in undisclosed attacks, with 7,079 victims added to dark web data leak sites in 2025. The figures indicate that globally, 86% of ransomware attacks are not disclosed by victims.

Data theft almost always occurs with ransomware attacks. In 2025, 96% of attacks involved data exfiltration prior to file encryption, which results in greater organizational harm. Data exfiltration has contributed to the significant increase in breach costs, as data theft results in greater reputational harm and increased regulatory exposure. In 2025, the average cost of a data breach was $4.44 million globally, and $7.42 million for healthcare data breaches. Healthcare retained its position as the sector most targeted by ransomware groups in 2025, accounting for 22% of disclosed attacks. All sectors experienced an increase in attacks in 2025, apart from education, which saw a 13% year-over-year decrease in attacks.

The breakup of large ransomware groups has led to a fragmentation of the ransomware ecosystem, and the number of active ransomware groups continued to increase in 2025. Black Fog tracked 130 different ransomware groups in 2025, of which 52 were new groups that emerged in 2025, a 9% increase from 2024. Several groups that emerged in 2025 have disproportionately targeted the healthcare sector, including Sinobi, Insomnia, and Devman. Devman issued the largest ever ransom demand of $91 million in 2025 for its attack on China’s real estate development company Shimao Group Holdings. World Leaks, widely believed to be a rebrand of Hunters International, has also claimed several healthcare victims, as have all of the top three most prolific and dangerous ransomware groups of the year: Qilin, Akira & Play.

There was a surge in activity by the most prolific ransomware group – Qilin – in 2025, which claimed a total of 1,115 disclosed and undisclosed attacks. Qilin was behind two of the most impactful healthcare ransomware attacks of the year – ApolloMD and Covenant Health. The ransomware attack on ApolloMD was detected in May 2025, yet it took until February 2026 to confirm that the protected health information of more than 626,500 patients was compromised.

The attack on Covenant Health also occurred in May 2025. Initial access was gained on May 18, 2025, and, as was the case with the attack on ApolloMD, sensitive data was rapidly identified and exfiltrated. The Covenant Health attack was detected on May 26, 2025, when the affected systems were shut down to contain the incident. Disruption continued into June, and the attack was initially disclosed a month later, although the initial breach report suggested that the protected health information of just 7,864 individuals was compromised in the incident. As the investigation progressed, it became clear that data theft was far more extensive. In December 2025, when the investigation concluded, Covenant Health confirmed that 478,188 patients had been affected.

Akira was the second-most active group, claiming a total of 776 victims in 2025, with the third most active group – Play – accounting for 405 ransomware attacks. Black Fog identified the emergence of large-scale, AI-enabled attacks last year, when a ransomware group hijacked Anthropic’s Claude model to autonomously perform reconnaissance, exploitation, and data theft – the first time that an AI-led ransomware campaign has been identified.

“The global impact of ransomware across 2025 has been unprecedented. From high street chains to hospitals, ransomware doesn’t respect borders, the size of organization, or the sector you’re in. It’s brought vital services, established companies – and the smaller partners who depend on them – to a grinding halt,” Dr Darren Williams, Founder and CEO of BlackFog said. “The disruption they cause is only part of the story. Attackers aren’t just breaking in – they’re intent on stealing data to power extortion. By weaponizing AI they can outpace defenders at a new scale and use stealthy targeted techniques to slip past traditional security measures. Putting protections in place to close these gaps and prevent data exfiltration has to take priority as attackers focus on targeting organizations’ most sensitive information.”

The post Healthcare Remains the Sector Most Targeted by Ransomware Groups as Attacks Increase 49% YOY appeared first on The HIPAA Journal.