BlackFog, which provides ransomware prevention and anti data exfiltration (ADX) services, revealed new findings on ransomware activity, Jan.-Mar., spanning disclosed and non-disclosed attacks.
Data from BlackFog’s The State of Ransomware 2025 report showed that publicly disclosed ransomware attacks in Q1 reached their highest level for this period since BlackFog’s records began in 2020.
Key findings included:
- Q1 witnessing 278 incidents, up 45 percent Y2Y.
- March seeing 107 attacks, up 81 percent Y2Y.
- January (22 percent) and February (36 percent) both up Y2Y.
- Healthcare (57), services (44) and government (30) were most-targeted sectors, accounting for 47 percent of all disclosed incidents.
- 2,124 undisclosed attacks for quarter, up 113 percent Y2Y. This highlights that companies are largely still failing to publicly disclose ransomware incidents.
- The services industry was the hardest hit (475), accounting for 22 percent of all undisclosed attacks in Q1.
- RansomHub was among the most active ransomware groups, responsible for nine percent of disclosed attacks in Q1 (24), followed by Qilin (15) and Akira (14).
- Data exfiltration rates continue to rise, with 95 percent of all publicly disclosed attacks involving data exfiltration.
“Ransomware incident volumes are reaching unprecedented levels,” said BlackFog founder and CEO, Darren Williams. “This presents ongoing challenges for organizations dealing with attackers focused on disruption, data theft and extortion. Different groups will emerge and disband, but they all focus on the same end goal, data exfiltration.”
This report was generated in part from data collected by BlackFog Enterprise between January and March 2025, and includes anonymized information about data movement across hundreds of organizations and should be used to assess risk associated with cybercrime.
