State of Ransomware: August 2025

Published 1 September 2025 · ThreatVectr Intelligence

526+5%
Claimed attacks
vs 500 the month before
57
Groups active
65
Countries affected
35
Busiest day
29 August

Ransomware groups claimed 526 attacks on organisations worldwide in August 2025, up 5% on the previous month's 500. 57 distinct groups posted at least one victim during the month, across 65 countries. The busiest single day was 29 August, with 35 victims listed.

Qilin was the most active operation of the month, claiming 87 victims — 17% of all listings. Akira (55) and Play (36) followed. 7 groups appeared for the first time, including Anubis, KillSec, Gunra, Datacarry.

Manufacturing bore the heaviest targeting, with 87 claimed victims, ahead of Business Services (75) and Technology (60). By geography, United States accounted for 283 claims — 54% of the month — with United Kingdom (32) and Germany (27) next.

Claims per day — August 2025

Most active groups

  1. 1Qilin·87
  2. 2Akira·55
  3. 3Play236
  4. 4INC Ransom129
  5. 5DragonForce127
  6. 6SafePay427
  7. 7Sinobi827
  8. 8Warlock1020
  9. 9CephalusNew18
  10. 10Worldleaks216

First seen this month:Anubis, KillSec, Gunra, Datacarry, Desolator, Weyhro, Underground

Most-targeted sectors

  1. 1Manufacturing87
  2. 2Business Services75
  3. 3Technology60
  4. 4Healthcare56
  5. 5Construction50
  6. 6Financial Services38
  7. 7Consumer Services23
  8. 8Education23
  9. 9Public Sector20
  10. 10Transportation/Logistics18

Most-affected countries

  1. 1United States283
  2. 2United Kingdom32
  3. 3Germany27
  4. 4Canada16
  5. 5Australia11
  6. 6Italy11
  7. 7Japan11
  8. 8Brazil8
  9. 9France7
  10. 10Taiwan7

Every figure in this report counts a claim posted to a criminal leak site, observed via the monitoring service ransomware.live. A listing is an extortion tactic, not a confirmed breach: some claims are exaggerated, some are duplicates under new branding, and a few are outright false. Companies named in listings have not necessarily confirmed any incident, and ThreatVectr does not publish victim names from this dataset.

Cite this report

This report is free to cite and reproduce with attribution. Suggested citation:

ThreatVectr, “State of Ransomware: August 2025”, https://threatvectr.com/ransomware-tracker/reports/august-2025

Journalists and researchers: for questions about the data or methodology, contact the newsdesk.

Most ransomware starts with one email

The groups in this report overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure.

Start free — no card required
© 2026 Threat Vectr