State of Ransomware: October 2025
Published 1 November 2025 · ThreatVectr Intelligence
Ransomware groups claimed 772 attacks on organisations worldwide in October 2025, up 42% on the previous month's 545. 62 distinct groups posted at least one victim during the month, across 71 countries. The busiest single day was 14 October, with 59 victims listed.
Qilin was the most active operation of the month, claiming 187 victims — 24% of all listings. Akira (70) and Sinobi (57) followed. 6 groups appeared for the first time, including Tengu, Vect, Tridentlocker, Radiant.
Manufacturing bore the heaviest targeting, with 129 claimed victims, ahead of Business Services (107) and Technology (89). By geography, United States accounted for 377 claims — 49% of the month — with Canada (45) and France (27) next.
Claims per day — October 2025
Most active groups
- 1Qilin·18724%
- 2Akira·709%
- 3Sinobi12577%
- 4Play·344%
- 5INC Ransom2324%
- 6DragonForce6203%
- 7Devman1192%
- 8Ransomhouse41182%
- 9Blackshrantac7172%
- 10Medusa3172%
First seen this month:Tengu, Vect, Tridentlocker, Radiant, Kryptos, Nasirsecurity
Most-targeted sectors
- 1Manufacturing129
- 2Business Services107
- 3Technology89
- 4Healthcare70
- 5Consumer Services55
- 6Construction53
- 7Financial Services35
- 8Transportation/Logistics32
- 9Agriculture and Food Production30
- 10Education30
Most-affected countries
- 1United States377
- 2Canada45
- 3France27
- 4Germany25
- 5Spain23
- 6United Kingdom18
- 7Australia15
- 8Japan15
- 9Brazil10
- 10UAE9
Every figure in this report counts a claim posted to a criminal leak site, observed via the monitoring service ransomware.live. A listing is an extortion tactic, not a confirmed breach: some claims are exaggerated, some are duplicates under new branding, and a few are outright false. Companies named in listings have not necessarily confirmed any incident, and ThreatVectr does not publish victim names from this dataset.
Cite this report
This report is free to cite and reproduce with attribution. Suggested citation:
ThreatVectr, “State of Ransomware: October 2025”, https://threatvectr.com/ransomware-tracker/reports/october-2025
Journalists and researchers: for questions about the data or methodology, contact the newsdesk.
Most ransomware starts with one email
The groups in this report overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure.