Top 10 Ransomware Attacks of 2025
The Top 10 Ransomware Attacks of 2025 show that ransomware grew not just larger, but fundamentally different. In 2025, the threat landscape shifted in ways that went beyond normal evolution. Ransomware moved beyond isolated IT incidents and became a systemic risk, capable of disrupting national supply chains, critical services, and entire industries. This shift is reflected in long-term projections, with Cybersecurity Ventures estimating that the global cost of ransomware will reach $275 billion annually by 2031, driven by downtime, data loss, recovery efforts, and lost productivity, not just ransom payments.
In 2025, ransomware became a question of impact. As highlighted in Top 20 Ransomware Statistics You Should Know (2025), the average cost of a disclosed extortion or ransomware incident climbed to $5.08 million, reflecting investigation costs, downtime, legal exposure, and reputational damage. Threat actors increasingly targeted single points of failure such as logistics providers, automotive manufacturers, healthcare systems, and enterprise SaaS platforms, where disruption cascades far beyond the initial victim. At the same time, the decline of dominant groups like LockBit and ALPHV (BlackCat) weakened traditional rivalries and encouraged looser coordination, shared infrastructure, and cartel-like behavior. This blog looks at ten ransomware and data extortion incidents that remained relevant in 2025. While some began in 2024, their effects persisted into 2025 and continued to influence how these attacks were understood and discussed.
What are the Top 10 Ransomware Attacks of 2025?
1. Salesforce Ecosystem – The SaaS Supply Chain Blind Spot
Victim: Salesforce ecosystem customers (technology, aviation, luxury sectors)
Threat Actor: Scattered Lapsus$ Hunters (Scattered Spider & ShinyHunters)
Date: Mid–Late 2025
Estimated Impact: Tens of millions of customer records exposed; multi-sector operational disruption
Data Stolen: OAuth tokens, CRM data, customer records, support and travel data
In mid-to-late 2025, ransomware and extortion activity shifted decisively into cloud-native environments. Instead of breaching Salesforce directly, attackers targeted the trust relationships surrounding it. The Scattered Lapsus$ Hunters coalition orchestrated a large-scale campaign against third-party applications deeply integrated with Salesforce, exploiting a fundamental weakness in SaaS ecosystems: implicit trust between platforms.

Using aggressive social engineering and vishing campaigns, the attackers compromised developers and support staff at Salesforce-integrated vendors such as Salesloft Drift and Gainsight. Stolen OAuth tokens and signing credentials allowed them to perform “island hopping,” moving silently from one compromised vendor into the Salesforce environments of shared customers. Because OAuth traffic appears as legitimate machine-to-machine access, the intrusions bypassed traditional security controls and identity monitoring.
The victim list spanned some of the most security-mature organizations in the world, including Palo Alto Networks, Zscaler, Cloudflare, Google, BeyondTrust, and global luxury brands such as Chanel and Pandora. Gainsight later acknowledged that the number of affected customers was significantly higher than initially disclosed, underscoring the difficulty of fully tracing OAuth abuse.
The aviation sector was hit particularly hard. Qantas disclosed that a third-party customer service platform breach exposed the data of 5.7 million passengers, including travel history and frequent flyer details. Intelligence linked the initial access to a Manila-based call center compromised via vishing. After a ransom refusal, data belonging to 23 million Vietnam Airlines customers was leaked in October 2025, creating one of the largest regional phishing risk pools of the year.
This campaign marked a turning point in ransomware and extortion strategy. No malware was required, no perimeter was breached, and no SaaS provider was directly exploited. Instead, identity abuse and OAuth token theft turned trusted integrations into systemic attack paths, proving that in 2025, the SaaS supply chain itself had become the new ransomware battlefield.
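The point above is that token-based integration traffic looks like any other machine-to-machine access, so a defender has to compare it against what each integration is supposed to do rather than against a perimeter. The following is an added example, not code from SOCRadar, Salesforce or any of the vendors named above. It assumes a CRM that can export one JSON record per API call (the field names, the per-app baseline, the CIDR ranges and the sample events are all constructed for this example) and flags a connected app whose token is used from outside its vendor's known egress range, against objects outside its agreed scope, or at bulk-export volumes:

```python
"""Flag anomalous OAuth connected-app activity in SaaS API audit events.

Added example: not SOCRadar's or any vendor's code. It assumes the CRM exports
one JSON record per API call naming the connected app that presented the token,
the source IP, the object queried and the rows returned. Field names, baseline
values and sample events are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import json

# Constructed sample audit events in JSON-lines form (not real logs).
SAMPLE_LOG = "\n".join([
    '{"ts":"2025-08-20T09:00:00Z","connected_app":"chat-widget-integration","source_ip":"203.0.113.10","object":"Contact","rows":120}',
    '{"ts":"2025-08-20T09:05:00Z","connected_app":"chat-widget-integration","source_ip":"203.0.113.11","object":"Lead","rows":80}',
    '{"ts":"2025-08-21T02:05:00Z","connected_app":"chat-widget-integration","source_ip":"198.51.100.77","object":"Contact","rows":4000}',
    '{"ts":"2025-08-21T02:10:00Z","connected_app":"chat-widget-integration","source_ip":"198.51.100.77","object":"Case","rows":3000}',
    '{"ts":"2025-08-21T02:12:00Z","connected_app":"chat-widget-integration","source_ip":"198.51.100.77","object":"Contact","rows":500}',
    '{"ts":"2025-08-21T02:30:00Z","connected_app":"unregistered-app","source_ip":"203.0.113.10","object":"Account","rows":10}',
])

# Baseline for each approved integration (assumed values): the vendor's egress
# ranges, the objects it is allowed to read, and a ceiling on rows per hour.
APP_BASELINE = {
    "chat-widget-integration": {
        "egress": ["203.0.113.0/24"],
        "objects": {"Lead", "Contact"},
        "max_rows_per_hour": 5000,
    },
}


@dataclass
class Finding:
    ts: str
    app: str
    reason: str
    detail: str


def parse_jsonl(text):
    """One event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, baseline=APP_BASELINE):
    """Compare each token use against the owning app's baseline."""
    findings = []
    rows_per_hour = defaultdict(int)  # (app, hour) -> rows returned so far
    for ev in events:
        app = ev["connected_app"]
        base = baseline.get(app)
        if base is None:
            findings.append(Finding(ev["ts"], app, "unknown_app",
                                    "token from an app not in the approved inventory"))
            continue
        ip = ipaddress.ip_address(ev["source_ip"])
        if not any(ip in ipaddress.ip_network(cidr) for cidr in base["egress"]):
            findings.append(Finding(ev["ts"], app, "ip_outside_egress", ev["source_ip"]))
        if ev["object"] not in base["objects"]:
            findings.append(Finding(ev["ts"], app, "object_out_of_scope", ev["object"]))
        key = (app, ev["ts"][:13])  # hour bucket, e.g. 2025-08-21T02
        before = rows_per_hour[key]
        rows_per_hour[key] = before + ev["rows"]
        # Fire once, at the moment the hourly ceiling is crossed.
        if before <= base["max_rows_per_hour"] < rows_per_hour[key]:
            findings.append(Finding(ev["ts"], app, "bulk_volume",
                                    f"{rows_per_hour[key]} rows in hour {key[1]}"))
    return findings


def summarize(findings):
    """Count findings per reason code."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.reason] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in detect(parse_jsonl(SAMPLE_LOG)):
        print(f"{f.ts} {f.app} {f.reason}: {f.detail}")
```

The baseline is the part that needs maintaining: each approved integration's egress ranges and object scope come from the vendor onboarding review, and a token used outside either is worth an analyst's attention even when the OAuth grant itself is valid.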
2. Oracle E-Business Suite: Zero-Day Supply Chain Extortion
Victim: Oracle E-Business Suite customers (global enterprises)
Threat Actor: Cl0p Ransomware group
Date: July–October 2025
Estimated Impact: Hundreds of organizations; multi-billion dollar aggregate exposure
Data Stolen: Payroll, HR, finance databases; employee PII and corporate records
In late 2025, Cl0p executed one of the largest software-centric extortion campaigns since MOVEit, targeting Oracle E-Business Suite rather than a single organization. By weaponizing a zero-day flaw, CVE-2025-61882, and chaining it with older Oracle EBS vulnerabilities patched earlier in July, the group achieved unauthenticated access and remote code execution on core ERP servers. This provided direct access to what many enterprises consider their most sensitive systems: payroll, HR, and financial databases.
Intelligence indicates that Cl0p had access to some victim environments as early as July or August 2025, exfiltrating data quietly for weeks before public disclosure and patching in October. This meant that even organizations that applied Oracle’s emergency updates immediately were already compromised. The campaign cut across sectors without discrimination. Victims included media organizations such as The Washington Post, where personal and financial data of nearly 10,000 employees were exposed, technology firms like GlobalLogic (Hitachi Group), and even UK healthcare infrastructure, with NHS trusts observed as targets.
The view of Cl0p’s data leak site showing the latest alleged victims listed
Cl0p again avoided large-scale encryption, relying instead on pure data extortion. By attacking a ubiquitous enterprise platform, the group multiplied its impact with minimal operational noise. The Oracle EBS campaign became a textbook example of the 2025 ransomware shift: zero-day exploitation, months-long dwell time, and leverage derived from stolen data rather than locked systems. It also exposed the growing “patch gap” problem, where traditional patch management alone is no longer sufficient against adversaries operating ahead of disclosure.
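The "patch gap" described above means a patch date answers only whether a host is still exploitable, not whether it was already exploited. The following added example (not from the page, Oracle or Cl0p) turns a fleet's patch timeline into a retrospective hunt list: any host whose window between the assumed start of in-the-wild exploitation and its patch date is non-zero needs a compromise assessment, with internet-facing and still-unpatched hosts first. The page reports access as early as July or August 2025 and fixes in October; the exact dates, host names and deployment dates below are constructed placeholders:

```python
"""Rank ERP hosts for retrospective hunting by their exposure window.

Added example, not from the page, Oracle or Cl0p. All dates and host records
are constructed placeholders; EARLIEST_EXPLOITATION stands in for whatever
date threat intelligence gives as the start of in-the-wild abuse.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

EARLIEST_EXPLOITATION = date(2025, 7, 15)  # assumed start of abuse (placeholder)
ASSESSMENT_DATE = date(2025, 12, 1)        # day the review is run (placeholder)
PRIORITY_ORDER = {"high": 0, "medium": 1, "none": 2}


@dataclass
class Host:
    name: str
    deployed: date            # when the host first came online
    patched: Optional[date]   # None if the fix has not been applied
    internet_facing: bool


@dataclass
class Assessment:
    name: str
    exposure_days: int
    hunt_required: bool
    priority: str
    still_unpatched: bool


def assess(host, earliest=EARLIEST_EXPLOITATION, today=ASSESSMENT_DATE):
    """Exposure runs from the later of deployment/exploitation start to the patch."""
    start = max(host.deployed, earliest)
    end = host.patched or today          # unpatched hosts are exposed to this day
    days = max((end - start).days, 0)    # hosts built after the fix have no window
    hunt = days > 0
    if not hunt:
        priority = "none"
    elif host.internet_facing:
        priority = "high"
    else:
        priority = "medium"
    return Assessment(host.name, days, hunt, priority, host.patched is None)


def assess_fleet(hosts, earliest=EARLIEST_EXPLOITATION, today=ASSESSMENT_DATE):
    """Highest priority first, longest exposure first within a priority."""
    results = [assess(h, earliest, today) for h in hosts]
    return sorted(results, key=lambda a: (PRIORITY_ORDER[a.priority], -a.exposure_days))


# Constructed fleet: a promptly patched production host, a late-patched dev
# host, a host built after the fix existed, and one still unpatched.
SAMPLE_FLEET = [
    Host("erp-prod-01", date(2023, 1, 10), date(2025, 10, 6), True),
    Host("erp-dev-02", date(2023, 1, 10), date(2025, 11, 20), False),
    Host("erp-new-03", date(2025, 10, 20), date(2025, 10, 20), True),
    Host("erp-legacy-04", date(2023, 1, 10), None, True),
]

if __name__ == "__main__":
    for a in assess_fleet(SAMPLE_FLEET):
        flag = " (STILL UNPATCHED)" if a.still_unpatched else ""
        print(f"{a.priority:6} {a.name:14} exposed {a.exposure_days:3d} days{flag}")
```

Note that erp-prod-01, patched on the assumed advisory day, still lands in the high-priority hunt list: its window is measured from the start of exploitation, not from the date a fix became available, which is exactly the gap the Oracle EBS campaign exploited.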
3. Jaguar Land Rover Ransomware Attack: Britain’s Costliest Cyberattack Ever
Victim: Jaguar Land Rover (UK-based automotive manufacturer)
Threat Actor: Scattered LAPSUS$ Hunters
Date: August 31 – September 2025
Estimated Impact: £1.9 billion ($2.5 billion)
Data Stolen: Internal documents and schematics accessed
The Jaguar Land Rover (JLR) incident ranks as one of the most economically damaging cyberattacks in UK history and one of the most impactful ransomware-related events of 2025. The campaign unfolded in stages. In March 2025, the Hellcat ransomware group claimed responsibility for an initial breach involving the theft of more than 350GB of sensitive data, including source code, internal documents, and employee information. At this stage, the operation centered on data theft and extortion rather than operational disruption.
The crisis escalated on August 31, 2025, when JLR shut down its global IT environment to contain an active intrusion. Production stopped for nearly a month at plants in the UK, Slovakia, China, and India, halting the manufacture of approximately 1,000 vehicles per day. JLR reported severe financial losses, while broader analysis estimated a £1.9 billion shock to the UK economy.
Attribution became increasingly complex. While Hellcat was tied to the initial data breach, the production-stopping phase was also claimed by actors associated with Scattered Spider and ShinyHunters under the Scattered Lapsus$ Hunters umbrella. Central to this overlap was the alias “Rey,” a Hellcat administrator who later collaborated with Scattered LAPSUS$–aligned actors and held an administrative role in related Telegram channels. This convergence strongly suggests coordinated operations rather than unrelated attacks.
Threat actor card of Scattered Lapsus$ Hunters
The UK Cyber Monitoring Centre classified the incident as a systemic cyber event, affecting more than 5,000 downstream organizations and exposing how just-in-time manufacturing can amplify cyber risk at a national scale. Even without a publicly confirmed ransom payment, the JLR attack demonstrated how ransomware-driven operations can trigger macroeconomic disruption far beyond a single victim.
4. Ingram Micro Ransomware Attack: Global IT distribution paralyzed
Victim: Ingram Micro
Threat Actor: SafePay Ransomware group
Date: July 3–10, 2025
Estimated Impact: Up to $136 million per day in lost revenue
Data Stolen: 3.5 TB (customer and internal data)
The July 2025 ransomware attack on Ingram Micro demonstrated how cyber extortion can sever the core arteries of the global technology supply chain. As the world’s largest IT distributor, Ingram Micro sits between major vendors such as Apple, Microsoft, Dell, and Cisco and tens of thousands of resellers worldwide. When its systems went offline, order processing, cloud licensing, and hardware distribution halted almost instantly across multiple regions.
Ingram Micro listed on SafePay ransomware leak site
SafePay operators gained access to Ingram Micro’s network through the GlobalProtect VPN environment using stolen credentials, rather than a confirmed software vulnerability. Although Palo Alto Networks later stated there was no product flaw involved, the attackers established deep persistence and encrypted critical transactional systems. To contain the breach, Ingram Micro shut down large portions of its global IT infrastructure for nearly a week.
The operational impact was severe. Analysts estimated daily revenue losses of up to $136 million during the outage, while thousands of reseller partners experienced shipment delays and service interruptions. SafePay also claimed the exfiltration of approximately 3.5 TB of sensitive data, increasing regulatory and legal exposure. The incident was formally disclosed in an SEC 8-K filing and stands as one of the clearest examples in 2025 of ransomware being used to disrupt global commerce at scale, not just individual enterprises.
5. Co-operative Group: UK retail sector siege continues
Victim: Co-operative Group
Threat Actor: Scattered Spider / DragonForce
Date: April–May 2025
Estimated Impact: £206 million ($277 million) in lost revenue
Individuals Affected: 6.5 million members
The attack on Co-operative Group marked a continuation of a coordinated ransomware and extortion campaign against the UK retail sector in 2025, following similar incidents affecting Marks & Spencer and Harrods. While Co-op’s physical stores remained open, the intrusion forced the shutdown of back-office and call center systems, disrupting membership services, logistics, and internal operations for weeks.
Threat actor card for DragonForce Ransomware
Threat intelligence linked the intrusion to Scattered Spider affiliates using DragonForce ransomware infrastructure, reflecting the growing division of labor between access brokers and ransomware operators. During the attack, adversaries exfiltrated sensitive member data, including names, contact details, membership numbers, and dates of birth. No evidence of payment card data theft was disclosed, but the scale of exposed personal data significantly increased the risk of follow-on fraud and targeted phishing.
Financial disclosures confirmed a £206 million revenue impact for Co-op alone. When combined with losses reported by other UK retailers targeted during the same period, the total sector-wide impact was estimated between £270 and £440 million. The campaign demonstrated how a single threat actor coalition could systematically disrupt an entire retail vertical, turning ransomware into a sector-level economic weapon rather than an isolated corporate incident.
6. PowerSchool: Education Sector Extortion at Unprecedented Scale
Victim: PowerSchool (K–12 education software provider)
Threat Actor: Initially unknown; later linked to a 19-year-old attacker
Date: December 2024 – January 2025 (secondary extortion in 2025)
Estimated Impact: $2.85 million ransom paid; major legal and recovery costs
Data Stolen: Student and staff records of 62 million students and 9.5 million teachers
The PowerSchool incident stands out as one of the most significant education-sector data extortion cases to date. Attackers accessed PowerSchool’s cloud environment by compromising credentials for its customer support portal, which included remote maintenance tools used to access school district databases. This single point of failure allowed intrusion into thousands of school systems.
After exfiltrating massive volumes of student and staff data, the attackers demanded and reportedly received a ransom of approximately $2.85 million. Despite this payment, the stolen data was not deleted. In mid-2025, attackers reused the same data to extort individual school districts directly, proving that payment did not neutralize the threat.
The breach triggered lawsuits from over 100 school districts and drew law enforcement attention, becoming a defining example of the failure of ransom payments in protecting sensitive data. PowerSchool’s case highlighted how identity compromise and trusted access paths can expose entire sectors, especially education, to systemic risk.
7. Synnovis – Healthcare Disruption with Confirmed Patient Harm
Victim: Synnovis (UK healthcare diagnostics provider)
Threat Actor: Qilin (Agenda) Ransomware
Date: June 2024 attack, impact formally confirmed November 2025
Estimated Impact: Prolonged NHS disruption; confirmed patient harm
Data Stolen: Patient records, test results, internal systems
The ransomware attack against Synnovis occurred in mid-2024, but its inclusion in a 2025 ranking is deliberate. In November 2025, UK authorities formally confirmed that the incident contributed to direct patient harm, marking one of the first cases where ransomware was officially linked to real-world medical outcomes. That confirmation shifted how the incident has been viewed since.
Qilin’s victim listing of Synnovis
Qilin’s intrusion crippled Synnovis’ pathology systems, disrupting blood testing, transfusion matching, cancer diagnostics, and routine laboratory services across multiple NHS trusts in London. Hospitals were forced to cancel procedures, revert to manual processes, and divert patients. While the attack itself followed a familiar ransomware playbook, its consequences extended far beyond IT downtime.
What elevates Synnovis into the 2025 top-tier list is precedent, not timing. The delayed confirmation reframed ransomware from a financial or operational threat into a patient safety risk with kinetic consequences. From that point on, healthcare ransomware incidents were no longer assessed only in terms of data loss or recovery time, but in terms of clinical outcomes and mortality risk.
Synnovis stands as a watershed moment. It proved that ransomware can cross the boundary from cybercrime into public health impact.
8. DaVita: Ransomware Hits Critical Healthcare Infrastructure
Victim: DaVita (U.S. kidney dialysis provider)
Threat Actor: Interlock Ransomware
Date: March–April 2025
Estimated Impact: $13.5 million in direct incident costs
Data Stolen: Personal and medical data of 2.7 million patients
In spring 2025, DaVita experienced one of the most serious healthcare ransomware incidents of the year. Interlock operators infiltrated the company’s network weeks before detection, likely through stolen credentials or an exposed server, and gained access to laboratory systems. On April 12, DaVita identified unauthorized activity and later confirmed that data had been exfiltrated before encryption was triggered.
Interlock’s victim listing of DaVita
Interlock claimed to have stolen more than 20 TB of data, including hundreds of millions of lab records. Exposed information included names, dates of birth, Social Security numbers, insurance details, and sensitive clinical data related to dialysis treatments. When DaVita initially refused to pay, portions of the data were published on the group’s leak site.
Operationally, DaVita avoided the worst-case scenario. Dialysis services across more than 3,000 clinics continued by shifting to manual processes, preventing disruption to life-sustaining care. Financial and legal consequences were still significant. By Q2 2025, DaVita reported approximately $13.5 million in response and recovery costs and faced multiple class-action lawsuits. The incident triggered alerts from U.S. authorities and reinforced how ransomware targeting healthcare can threaten patient safety even when systems remain partially operational.
9. Asahi Group: Manufacturing Halt Exposes IT–OT Convergence Risk
Victim: Asahi Group Holdings (global beverage manufacturer)
Threat Actor: Qilin Ransomware group
Date: September 2025
Estimated Impact: Major production losses; soft drink sales down 40%
Data Stolen: 27 GB (financial contracts, budgets, employee personal data)
In September 2025, Asahi Group Holdings suffered a ransomware attack that halted production at six breweries and multiple soft drink factories, making it one of the clearest examples of how IT compromises can cascade into Operational Technology disruption. The attack, claimed by Qilin, spread from corporate IT systems into production and logistics environments, forcing Asahi to shut down key operations to contain the incident.
Qilin’s victim listing of Asahi Group
With core ordering and shipping systems encrypted, Asahi reverted to manual processes, including fax and handwritten order handling. This sudden loss of automation caused severe fulfillment delays and an immediate drop of nearly 40% in soft drink sales. Qilin also claimed to have exfiltrated sensitive corporate and employee data, using the threat of public disclosure to increase pressure.
Recovery proved slow. Asahi projected that full system restoration would extend into early 2026, highlighting how ransomware in manufacturing environments creates long-tail impact due to the complexity of industrial control systems. The incident reinforced a key 2025 lesson: when IT and OT are tightly coupled, ransomware can stop physical production, not just digital services.
10. Collins Aerospace: Ransomware Grounds European Airports
Victim: Collins Aerospace
Threat Actor: Everest Ransomware (claimed responsibility; attribution disputed, BianLian previously suspected)
Date: September 19–21, 2025
Estimated Impact: Multi-airport operational disruption; millions in daily losses across aviation sector
Data Stolen: Alleged 50+ GB (passenger and airline operational data, unconfirmed)
In September 2025, a ransomware attack on Collins Aerospace’s ARINC cMUSE software caused widespread disruption across major European airports, including Heathrow, Berlin, Brussels, and Dublin. The incident forced airlines and airports to abandon automated check-in and boarding systems, reverting to manual processes that led to long queues, flight delays, and cancellations across multiple countries.
Everest’s victim listing of Collins Aerospace
The attack was detected on September 19, prompting immediate containment actions. RTX Corporation, Collins Aerospace’s parent company, confirmed the incident as ransomware in regulatory disclosures. Although software updates were deployed within days, the outage exposed how deeply aviation operations depend on a small number of shared vendors. European regulators, including ENISA, classified the incident as severe due to its cross-border impact on critical transportation infrastructure.
Attribution remained contested. While early suspicion pointed toward BianLian based on past claims, the Everest Ransomware group later asserted responsibility and alleged data exfiltration from the cMUSE environment. Collins Aerospace has not publicly confirmed any data breach. Regardless of attribution, the attack demonstrated that ransomware in 2025 could simultaneously disrupt multiple international transportation hubs through a single third-party dependency, making it one of the most consequential aviation cyber incidents of the year.
Conclusion
The Top 10 Ransomware Attacks of 2025 show that ransomware has moved well beyond encrypted endpoints and isolated incidents. In 2025, the real damage came from attacks that exploited identity, third-party trust, and shared infrastructure to create sector-wide disruption. Manufacturing, logistics, healthcare, retail, aviation, and SaaS platforms were targeted because they function as economic choke points, not because they were technically weak.
Across these incidents, several patterns repeat. Initial access often began with stolen credentials or social engineering rather than advanced exploits. Supply chains amplified impact, turning a single breach into hundreds or thousands of downstream failures. Data theft and operational paralysis mattered more than encryption, and in some cases, the true consequences only emerged months later through regulatory findings or confirmed human impact.
To defend against this model, organizations need visibility beyond their internal networks. This is where SOCRadar plays a practical role:
- Threat Actor Intelligence: Tracks active ransomware groups, their affiliates, infrastructure, and behavior on leak sites and forums, helping teams understand who is targeting which sectors and how tactics are shifting.
- Attack Surface Management: Identifies exposed internet-facing assets, cloud services, VPNs, and forgotten subdomains that frequently serve as initial access points in ransomware campaigns.
- Vulnerability Intelligence: Connects external exposure with real-world exploitation and Dark Web chatter, allowing teams to prioritize vulnerabilities that ransomware groups are actively weaponizing.
- Dark Web Monitoring: Detects mentions of company domains, credentials, IP ranges, and third-party access being sold or discussed before an attack escalates.
- Supply Chain Intelligence: Monitors vendors, MSPs, SaaS providers, and logistics partners for breaches or leaks that could cascade into your environment.
SOCRadar’s Supply Chain Intelligence
The lesson from 2025 is clear. Ransomware is no longer a problem that can be handled after detection. It is a continuous, ecosystem-level risk. Organizations that combine operational resilience with external threat intelligence will be far better positioned to detect early signals, limit blast radius, and avoid becoming the next systemic case study in 2026.