Full Report
New data from Comparitech reported that in the first half of this year, 3,627 ransomware attacks were logged, ... The post New Comparitech analysis finds 47% spike in ransomware, raising concerns for critical infrastructure appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: Global Ransomware Attack Trends - H1 2025 Analysis
## Executive Summary
The first half of 2025 saw a significant escalation in global ransomware activity, marked by a 47% increase in logged attacks compared to H1 2024, reaching 3,627 incidents. The Technology and Retail sectors experienced the largest surges in targeting. While the number of confirmed records breached was lower than in the same period of 2024, significant, unconfirmed large-scale breaches impacted healthcare, government, and corporate bodies worldwide. Response efforts are ongoing, guided by threat intelligence detailing prolific groups such as Akira, Clop, and Qilin.
## Incident Details
- Discovery Date: Ongoing reporting throughout H1 2025 (Data publicized circa mid-2025)
- Incident Date: January 1, 2025 – June 30, 2025
- Affected Organization: 3,627 total claimed attacks; 445 confirmed by targeted organizations (including organizations like Episource, Hoken Minaoshi Honpo Group, Malaysia Airports Holdings, Cleveland Municipal Court, etc.)
- Sector: Technology (88% increase), Retail (85% increase), Legal (71% increase), Transportation (66% increase), Manufacturing (64% increase). Healthcare saw only a 5% increase.
- Geography: Global (Specific major incidents noted in US, Japan, Canada, Ireland, Slovakia, Malaysia, Hungary, Kenya, Philippines, Germany, UK, Italy).
## Timeline of Events
### Initial Access
- Date/Time: Occurrences spread across H1 2025, with major breaches noted in January and February.
- Vector: Not explicitly detailed for the aggregate data; the typical ransomware entry points (e.g., exploitation of exposed vulnerabilities, phishing, RDP compromise) are assumed rather than confirmed by the source.
- Details: Specific group vectors varied; Qilin often hit businesses and government (21/9/8 split in confirmed attacks), while INC heavily targeted healthcare (8 confirmed) and government (7 confirmed).
### Lateral Movement
- Details: Not explicitly detailed in the summary data, but evident in the scale of data exfiltration requiring internal network access (e.g., Malaysia Airports Holdings losing 2 TB of data).
### Data Exfiltration/Impact
- Data Stolen: Over 17 million records breached across 445 confirmed attacks (as of reporting date). Examples include 5.4M records (Episource, US), 5.1M (Hoken Minaoshi Honpo Group, Japan), and 2TB (Malaysia Airports Holdings).
- Impact: Significant operational disruption documented, such as weeks of system outages at Cleveland Municipal Court. Average ransom demands exceeded $1.6 million.
### Detection & Response
- Detection: Varied widely. Some breaches were confirmed by the targeted organizations (445 incidents), while the remainder (3,182 of the 3,627 claimed) are known only from claims posted on ransomware leak sites and remain unconfirmed.
- Response Actions: Response actions are fragmented across numerous independent incidents. Reactive measures included organizations facing down large demands (e.g., Slovakia government refusing $12M payment, Malaysia Airports refusing $10M payment).
## Attack Methodology
- Initial Access: Varied by threat actor (e.g., Qilin, RansomHub, Akira were highly active).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed, though the success rate suggests attackers were effective at evading defensive measures long enough to conduct large data exfiltrations.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed, but necessary for the scale of data theft reported.
- Collection: Significant data collection occurred across diverse entities, affecting patient records, financial data, and public infrastructure data.
- Exfiltration: Data exfiltration was a core component, with several groups like Devman claiming terabytes of data stolen (2.5 TB claimed against Kenya's NSSF).
- Impact: Primarily financial via ransom demands, and regulatory/reputational due to large-scale data exposure.
## Impact Assessment
- Financial: Average ransom demanded was > $1.6 million. High-profile demands included $12M (Slovakia), $10M (Malaysia Airports), and $10M (Hungary National Museum).
- Data Breach: 17 million+ records confirmed breached across 445 incidents (H1 2024 saw 279.6 million across 744 confirmed incidents). High risk to sensitive PII/PHI noted in healthcare breaches.
- Operational: Severe operational disruptions reported, notably system outages affecting Cleveland Municipal Court for weeks.
- Reputational: Major public entities targeted globally, causing significant public scrutiny (e.g., Sanrio Entertainment, Malaysia Airports).
## Indicators of Compromise
(Note: As this summary covers aggregate data across multiple actors, specific IoCs are not provided in the source material. Analysis must focus on actor names.)
- Network indicators: N/A (Aggregated Data)
- File indicators: N/A (Aggregated Data)
- Behavioral indicators: Ransomware activity associated with established groups: **Akira (347 victims), Clop (333 victims), Qilin (318 victims), RansomHub (222 victims), Play (214 victims), SafePay (186 victims).**
## Response Actions
- Containment: Incident-specific (e.g., Nova Scotia Power mobilized IR teams; Cleveland Municipal Court experienced system outages).
- Eradication: Incident-specific.
- Recovery: Incident-specific. Key pattern: Many high-profile victims (Slovakia, Malaysia Airports, Cleveland Court) refused to pay ransoms, necessitating manual system restoration.
## Lessons Learned
- Persistence of Threat: Ransomware remains the primary threat vector, with overall activity rising sharply (47% YoY increase).
- Sector Vulnerability: Technology and Retail sectors present rapidly growing targets for attackers.
- Attribution Challenges: A high volume of attacks (over 88% based on claims vs. confirmation) remain unverified, complicating threat intelligence analysis.
- Timing Lag: The true scope of data loss often only becomes evident months after the initial attack, requiring long-term monitoring postures.
## Recommendations
- Enhanced Vulnerability Management: Prioritize remediation in rapidly growing target sectors such as Technology and Retail, closing the known exploitation vectors in the TTPs associated with Akira, Qilin, and Clop.
- Improve Internal Verification Processes: Develop faster internal validation processes to confirm or deny ransomware group claims, improving overall threat visibility beyond relying solely on public leak sites.
- Harden Critical Systems: Focus detection and response capabilities on preventing large-scale data exfiltration, since stolen data is the leverage behind the multimillion-dollar ransom demands made against governments and public utilities.