Black Fog Reports 36% More Ransomware Attacks

by

Cybersecurity company Black Fog has published its Q3 2025 State of Ransomware Report. According to the report, ransomware attacks are higher by 36% than in the same quarter last year. Every month during the quarter, attacks increased in comparison to the corresponding month in 2024. The worst month was July with 50% more attacks. The whole quarter had 270 ransomware attacks reported, though Black Fog remarks that most attacks are not reported. In Q3, around 1,510 ransomware attacks were not reported, an increase of 21% than the last quarter.

Healthcare is still a main target for ransomware groups, with 86 attacks representing 32% of all reported attacks. Healthcare ransomware attacks are twice as many attacks in the government and technology sectors, with 28 reported attacks. Black Fog states that 85% of ransomware attacks aren’t reported. The manufacturing sector had 1,510 unreported attacks, which is 22% of the total number. Despite having HIPAA reporting requirements, healthcare still ranked fifth for unreported attacks, which indicates that healthcare companies fail to report ransomware attacks. Ransomware groups also target law agencies with at least 79 attacks, the highest number since Black Fog began releasing its reports in 2020.

Data theft almost always happens along with ransomware attacks. Some groups have stopped encryption completely. Black Fog mentions a new record in Q3 regarding data exfiltration. 96% of ransomware attacks involve data theft. The Identity Theft Resource Center reported in its Q3 analysis of data breaches that 71% notifications sent to victims do not state the real cause of the attack, for instance, whether involving ransomware that puts victims in danger of identity theft and fraud. In Q3, 2025, Black Fog found 449 victim listings on the dark web data leak sites with 527.65 GB of exfiltrated data per victim. Companies must be more proactive in discovering the indications of data exfiltration by identifying uncommon patterns in outbound traffic, irregular MFA behaviors, and abrupt file movement, because when files are encrypted, the harm caused by an attack is usually permanent.

The Qilin ransomware group retained its status as the number one ransomware group with 20 reported attacks and 242 unreported attacks (16%). INC Ransom is number two with 18 reported attacks and 111 unreported attacks. Akira has 139 unreported attacks. In Q3, 18 more ransomware groups appeared; hence, the total number of active ransomware groups is 80.

One prominent newbie is the Devman ransomware group, which executed 19 attacks in only a couple of months. The group is unique because, as a new group, it has a high number of attacks and excessively high ransom demands, which include a $93 million ransom demand on Shimao Group, a Chinese real estate company.

With the increasing ransomware attacks, companies should make it difficult for cybercriminals to exploit them. That means securing data to avoid extortion. That could mean enhancing monitoring and HIPAA encryption of stored information.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone