State of Ransomware: July 2025

Published 1 August 2025 · ThreatVectr Intelligence

500
Claimed attacks
58
Groups active
61
Countries affected
36
Busiest day
15 July

Ransomware groups claimed 500 attacks on organisations worldwide in July 2025. 58 distinct groups posted at least one victim during the month, across 61 countries. The busiest single day was 15 July, with 36 victims listed.

Qilin was the most active operation of the month, claiming 55 victims — 11% of all listings. Akira (45) and INC Ransom (43) followed.

Business Services bore the heaviest targeting, with 85 claimed victims, ahead of Manufacturing (70) and Technology (64). By geography, United States accounted for 242 claims — 48% of the month — with Italy (17) and France (16) next.

Claims per day — July 2025

Most active groups

  1. 1Qilin·55
  2. 2Akira·45
  3. 3INC Ransom·43
  4. 4DragonForce·23
  5. 5Play·21
  6. 6Everest·19
  7. 7Lynx·18
  8. 8Worldleaks·17
  9. 9Global·14
  10. 10SafePay·14

Most-targeted sectors

  1. 1Business Services85
  2. 2Manufacturing70
  3. 3Technology64
  4. 4Construction36
  5. 5Healthcare32
  6. 6Consumer Services31
  7. 7Financial Services26
  8. 8Education20
  9. 9Agriculture and Food Production19
  10. 10Public Sector17

Most-affected countries

  1. 1United States242
  2. 2Italy17
  3. 3France16
  4. 4Canada15
  5. 5United Kingdom15
  6. 6Germany14
  7. 7Brazil11
  8. 8Japan9
  9. 9Spain8
  10. 10Sweden7

Every figure in this report counts a claim posted to a criminal leak site, observed via the monitoring service ransomware.live. A listing is an extortion tactic, not a confirmed breach: some claims are exaggerated, some are duplicates under new branding, and a few are outright false. Companies named in listings have not necessarily confirmed any incident, and ThreatVectr does not publish victim names from this dataset.

Cite this report

This report is free to cite and reproduce with attribution. Suggested citation:

ThreatVectr, “State of Ransomware: July 2025”, https://threatvectr.com/ransomware-tracker/reports/july-2025

Journalists and researchers: for questions about the data or methodology, contact the newsdesk.

Most ransomware starts with one email

The groups in this report overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure.

Start free — no card required
© 2026 Threat Vectr