
Government Ransomware Attacks Surge 41% in 2025 — Despite Quarterly Decline

According to new research from Comparitech, ransomware attacks on government organizations jumped sharply in 2025 — even as quarterly totals showed signs of decline. The firm’s latest analysis recorded 276 attacks on government entities worldwide between January and September 2025, marking a 41 percent increase from the same period in 2024 (196).


Of those, 147 attacks have been confirmed by the victims themselves — nearly identical to last year’s confirmed total (146). Comparitech researchers note that the number of verified incidents will likely rise as more governments disclose breaches in the months ahead.


A Paradoxical Trend: Rising Yearly Totals, Falling Quarterly Counts


Comparitech’s data reveals a paradox: overall attacks on governments are up year-over-year, but each quarter of 2025 has seen fewer new attacks than the one before it. The firm attributes this to a shifting threat landscape, where ransomware groups are targeting fewer—but higher-value—victims, maintaining a steady level of confirmed incidents despite a slowdown in overall volume.


“This pattern may indicate that threat actors are becoming more selective,” the report suggests, “focusing on critical infrastructure and high-impact systems rather than broad, opportunistic campaigns.”


Infrastructure in the Crosshairs


Public utilities, in particular, remain under siege. Comparitech logged 10 confirmed attacks on utility companies in 2025’s first nine months, five of which occurred between July and September. One of the most disruptive: the September attack on Lakehaven Water & Sewer District in Washington State, which temporarily crippled the agency’s payment systems.


The incident, claimed by the Qilin ransomware group, underscores the appeal of critical infrastructure to cybercriminals. As Comparitech notes, these attacks “maximize disruption and visibility,” earning notoriety for gangs while shaking public trust in essential services.


Qilin’s Expanding Footprint


Qilin has quickly emerged as one of 2025’s most aggressive actors in the government threat space. Comparitech’s report names Qilin as the most active ransomware strain targeting public institutions this year, responsible for 31 attacks and 19 confirmed breaches.


In October, Qilin claimed responsibility for a major assault on Region Hauts-de-France, disrupting internet and network access at 80% of the region’s public high schools. The group boasted of stealing 1.1 terabytes of data from the education authority — one of the largest exfiltrations in Europe this year.


Global Breakdown: The U.S. Leads, Europe Rebounds


The United States remains the most frequently targeted country, accounting for 103 of the 276 total attacks — an 8% increase compared to 2024. Brazil and Canada follow with 10 each, while Spain and India each logged nine.


Comparitech found striking regional shifts:


  • France, Canada, and Brazil saw declines in attack volume (-22%, -17%, and -9% respectively).
  • Spain, India, and Germany experienced explosive growth (+80%, +800%, and +600%).


Among confirmed incidents, the U.S. had 64, including the unprecedented attack on the entire State of Nevada — the first time an entire state government has been hit by ransomware.


Ransom Economics: The Price of Extortion


Comparitech estimates the average ransom demand across all government-targeted attacks in 2025 was $1.95 million, but that figure jumps to $2.86 million for confirmed cases.


The five largest ransom demands of 2025 so far include:


  • Thailand Ministry of Labour – $15M (Devman)
  • Slovakia Geodesy & Cadastre Office – $12M (unknown)
  • Hungarian National Museum – $10M (RansomHub)
  • Kenya National Social Security Fund – $4.5M (Devman)
  • Cleveland Municipal Court, USA – $4M (Qilin)


Data Theft Leaders: INC and Qilin


While Qilin has dominated in confirmed volume, Comparitech’s data shows INC leading in data exfiltration. The group’s April 2025 attack on the Pierce County Library System in Washington exposed 336,826 individual records — accounting for the majority of the 443,522 breached records tallied this year.


INC also claims to have stolen 13.9 TB of data across all its attacks, including 5.7 TB allegedly taken from the Pennsylvania Office of Attorney General. Qilin trails slightly with 8.2 TB exfiltrated in total, including 4–5 TB from its attack on Spain’s Melilla region.


Confirmed vs. Unconfirmed: Comparitech’s Attribution Criteria


Comparitech classifies attacks as “confirmed” only when a government agency publicly acknowledges the incident or when a ransomware gang’s claim aligns with an official disclosure. Unconfirmed attacks remain in limbo — either due to false claims or victims’ silence.


Because confirmation timelines vary and disclosure laws differ by country, Comparitech warns that attack counts may shift retroactively as new confirmations emerge. “Many ransomware claims surface weeks or months after the initial compromise,” the researchers write. “That’s why transparency remains one of the most critical—and most uneven—defenses.”


The Takeaway


Comparitech’s findings paint a sobering but nuanced picture: while total ransomware volume against governments is easing quarter-over-quarter, the attacks that do occur are more targeted, more disruptive, and more expensive than ever.


The report concludes that “governments may be facing fewer attacks, but not safer ones,” as cybercriminals double down on exploiting critical systems that can’t afford downtime — and where paying a ransom might still look like the least bad option.
