State of Ransomware: September 2025

Published 1 October 2025 · ThreatVectr Intelligence

545+4%
Claimed attacks
vs 526 the month before
60
Groups active
62
Countries affected
32
Busiest day
4 September

Ransomware groups claimed 545 attacks on organisations worldwide in September 2025, up 4% on the previous month's 526. 60 distinct groups posted at least one victim during the month, across 62 countries. The busiest single day was 4 September, with 32 victims listed.

Qilin was the most active operation of the month, claiming 80 victims — 15% of all listings. Akira (78) and INC Ransom (37) followed. 7 groups appeared for the first time, including Blackshrantac, MedusaLocker, Alphalocker, Ciphbit.

Manufacturing bore the heaviest targeting, with 79 claimed victims, ahead of Financial Services (66) and Technology (66). By geography, United States accounted for 277 claims — 51% of the month — with Canada (24) and Germany (23) next.

Claims per day — September 2025

Most active groups

  1. 1Qilin·80
  2. 2Akira·78
  3. 3INC Ransom137
  4. 4Play136
  5. 5KillSec3432
  6. 6Lynx925
  7. 7The Gentlemen1518
  8. 8Devman1014
  9. 9Coinbasecartel2611
  10. 10Warlock211

First seen this month:Blackshrantac, MedusaLocker, Alphalocker, Ciphbit, Daixin, Yurei, Lunalock

Most-targeted sectors

  1. 1Manufacturing79
  2. 2Financial Services66
  3. 3Technology66
  4. 4Construction51
  5. 5Business Services48
  6. 6Healthcare36
  7. 7Consumer Services34
  8. 8Agriculture and Food Production21
  9. 9Education21
  10. 10Hospitality and Tourism15

Most-affected countries

  1. 1United States277
  2. 2Canada24
  3. 3Germany23
  4. 4South Korea18
  5. 5Italy13
  6. 6France12
  7. 7United Kingdom12
  8. 8India10
  9. 9Spain7
  10. 10Australia6

Every figure in this report counts a claim posted to a criminal leak site, observed via the monitoring service ransomware.live. A listing is an extortion tactic, not a confirmed breach: some claims are exaggerated, some are duplicates under new branding, and a few are outright false. Companies named in listings have not necessarily confirmed any incident, and ThreatVectr does not publish victim names from this dataset.

Cite this report

This report is free to cite and reproduce with attribution. Suggested citation:

ThreatVectr, “State of Ransomware: September 2025”, https://threatvectr.com/ransomware-tracker/reports/september-2025

Journalists and researchers: for questions about the data or methodology, contact the newsdesk.

Most ransomware starts with one email

The groups in this report overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure.

Start free — no card required
© 2026 Threat Vectr