Ransomware in 2025 truly ran rampant across sectors and countries. It continued to evolve beyond “encrypt-and-extort.” Many of the year’s most consequential incidents blended intrusion with data theft and extortion pressure. In several cases, the business impact far outweighed any disclosed ransom demand. Some attacks directly hit critical infrastructure and human life, while others went as far as targeting the personal information of children.
In October 2025 alone, ransomware attacks rose by 30% from September 2025, illustrating the exponential growth of the biggest scourge in global cybersecurity. As per a report by KELA, nearly 50% of the total ransomware attacks in the year hit critical sectors like manufacturing, energy, health and transport and also had a direct impact on national security in many cases.
Qilin was one of the most operationally damaging ransomware groups of the year, causing considerable damage across healthcare, manufacturing and finance. Akira, RansomHub and Cl0p were close on its heels, running high-volume campaigns and exploiting known vulnerabilities and zero-days for large-scale data theft.
Below are five of the most significant ransomware cases of 2025. We chose them based on a mix of metrics: scale of disruption, victim profile, and/or the magnitude of downstream damage.
If you feel we’ve missed any which match the below in terms of intensity or victim profile, do write to us at info@cm-alliance.com.
In April 2025, Marks & Spencer (M&S) suffered a major ransomware-linked cyber attack that disrupted core operations and customer services for weeks. The attack, carried out by the Scattered Spider hacking group, reportedly used DragonForce ransomware. It had a massive business impact, to say the least.
M&S publicly estimated roughly £300 million in lost operating profit tied to the incident and its recovery. This attack not only compromised an iconic brand, it also became emblematic of the wider UK Retail Cyber Siege that followed. It underscored in the most resounding way how ransomware can become a board-level financial and reputational event.
To understand the details of this devastating attack, don’t forget to download our detailed Marks and Spencer Cyber Attack Timeline. You may also want to delve into our comprehensive timeline of the UK Retail Attacks.
Healthcare ransomware remains uniquely high-stakes because downtime can directly affect patient care. In April 2025, dialysis provider DaVita disclosed a ransomware attack that encrypted parts of its network and disrupted certain operations.
As investigations progressed, reporting indicated the incident impacted millions of individuals. This included approximately 2.7 million whose sensitive personal data was compromised. This attack highlighted the “double hit” of ransomware today: operational disruption as well as data exposure.
This attack reiterated that in healthcare, resilience is not optional. Rapid response capabilities matter as much as prevention.
A major ransomware attack on Nevada’s state systems (discovered in August 2025) disrupted public services such as licensing and background checks. An after-action report cited the incident’s recovery cost at least $1.5 million.
This case illustrates why ransomware remains so damaging for government: legacy systems, sprawling vendor footprints, and fragmented security ownership can create conditions where a single foothold turns into statewide disruption.
This incident makes it to our list of the biggest attacks of 2025 because of its high public impact. It also highlights how public sector ransomware isn’t just a “cyber incident”. It’s a service continuity crisis. Stronger detection and centralised incident coordination seem to be becoming more critical every day. What remains most important, however, is rehearsed decision-making through regular cyber tabletop exercises to reduce the time-to-recover.
In 2025, NASCAR, the premier stock car racing organisation, suffered a ransomware incident. The incident was claimed by the Medusa ransomware group, which allegedly stole 1TB of data from the company. That wasn’t all - the group publicly demanded a ransom of $4 million on its dark web leak site.
NASCAR later confirmed that data of an “unknown” number of individuals was indeed stolen in this attack. It also said that the threat actors had managed to exfiltrate files containing personal information, including names and Social Security numbers.
This attack highlighted yet again that ransomware may not always lead to a collapse of core operations. But it will create a mountain of other massive issues for your organisation - from notification obligations and credit monitoring to brand damage.
We believe this attack was one of the most significant given the high-profile nature of the victim with a mass audience. The explicit and very public ransom demand also brought this incident into the spotlight. It also underlined a worrying trend - of ransomware groups increasingly behaving like media operations. They now actively leverage leak sites, publish deadlines, and create reputational pressure. Optimised crisis communications protocols and legal workflows become critical in such attacks, apart from technical incident response playbooks.
One of 2025’s most important trends was the scale of mass exploitation against widely used enterprise platforms. Google’s threat intelligence reporting described a large-scale extortion campaign under the “CL0P” brand associated with exploitation of an Oracle E-Business Suite zero-day. This attack reflected a hallmark pattern - exploit broadly, steal data, then pressure many victims at once. This matters because it shifts ransomware economics. Attackers don’t need to deploy encryption on every network if they can reliably steal sensitive data and extort at scale.
This attack made headlines because of its huge blast radius. Organisations across diverse industries were exposed. The impacted organisations reportedly included industrial giants like Schneider Electric and Emerson, tech manufacturers such as Logitech, Harvard University and South Africa’s Wits University, American Airlines’ subsidiary Envoy Air and even The Washington Post.
This ransomware incident exposed the industrialised extortion model that ransomware seems to be heading towards. The defining feature of this model is that it’s repeatable and scalable. Campaigns look more like a combination of platform exploitation and extortion than a single-victim event.
The attack illustrated yet again how every business’s cyber resilience rests precariously on its third-party and enterprise application exposure as much as on its own endpoints.
The above list of 5 major ransomware attacks is only the tip of the iceberg. The damage that ransomware attacks have caused in 2025 is unprecedented. And the writing on the wall is clear - ransomware hackers are going nowhere. They’re only coming back stronger and more malicious with every passing month.
In order to protect your business, its data and reputation, the only solution right now is robust ransomware prevention and response strategies. Apart from strengthening your security infrastructure, with specific attention to third-party security, you need to beef up your response strategy. Having strong ransomware response protocols is non-negotiable in 2026.
These protocols must be regularly rehearsed through professionally conducted ransomware tabletop drills. These ransomware tabletop exercises must see participation from the executive and business leaders so they can rehearse decision-making and pre-define answers to questions like who will negotiate with the attackers and whether the organisation will agree to pay a ransom (something that is never recommended).
Below are the primary steps, in our opinion, that every organisation must take as early as possible to protect itself against ransomware in 2026.
Ransomware incidents no longer unfold over days. They escalate in minutes to hours. No organisation can afford confusion around decision-making or escalation paths. Any chaos in the midst of an attack directly translates into wider encryption and data theft.
You have to be prepared for the inevitable in 2026 no matter how strong you think your security infrastructure is. Having a strong Cyber Incident Response Plan and Ransomware Response strategies that are well-rehearsed are absolutely indispensable. When hackers put a spanner in the works for your operations, you cannot afford to have internal debates about who should isolate networks or who can take critical platforms offline. These are questions whose answers should already be defined and all key stakeholders should be aware of them.
Run executive tabletop exercises using real ransomware scenarios. Double extortion, cloud lockouts and identity takeover were some of the most common ransomware tactics in 2025 and every business must be prepared for them in 2026. Incident Response Playbooks must be updated after every exercise in the interest of continuous improvement.
Remember that malicious threat actors are refining their game every second. Your business cannot afford to get complacent.
Based on the trends of 2025, it is now clear that cyber criminals are increasingly targeting backup systems first. They steal credentials to delete or encrypt backups at the onset and wait weeks before detonating ransomware.
A “successful backup” means nothing if restoration fails under pressure. A resilient backup is defined by its immutability. It’s important to have offline or logically isolated copies. It is also critical to have systems in place for backup integrity validation. This means that you should be able to confirm that the data is usable and not corrupted or incomplete.
Restore testing is the real benchmark, and time to restore is the key yardstick. If your plan says 8 hours but tests show 3 days, your plan is fiction and you need to work on improving it with urgency.
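As an added illustration of the two checks above (backup integrity validation and measuring time to restore against the planned target), the following script is not from the original article; it builds a SHA-256 manifest at backup time, verifies a restored copy against it, and flags any restore that misses the recovery time objective (RTO). The file names, contents and the 8-hour/3-day figures in the demo are constructed sample data.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class RestoreVerdict:
    rto_met: bool                                      # did the drill beat the planned RTO?
    missing: list = field(default_factory=list)        # files absent from the restored copy
    corrupted: list = field(default_factory=list)      # files present but with a wrong hash

    def usable(self) -> bool:
        return not self.missing and not self.corrupted


def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_manifest(src_dir: str) -> dict:
    # Hash every file at backup time; store this manifest with the immutable/offline copy
    return {n: sha256_file(os.path.join(src_dir, n)) for n in sorted(os.listdir(src_dir))}


def write_files(directory: str, files: dict) -> None:
    os.makedirs(directory, exist_ok=True)
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)


def assess_restore(manifest: dict, restored_dir: str, restore_seconds: int, rto_seconds: int) -> RestoreVerdict:
    # A restore only counts if every file comes back byte-identical AND within the RTO
    verdict = RestoreVerdict(rto_met=restore_seconds <= rto_seconds)
    for name, expected in manifest.items():
        path = os.path.join(restored_dir, name)
        if not os.path.isfile(path):
            verdict.missing.append(name)
        elif sha256_file(path) != expected:
            verdict.corrupted.append(name)
    return verdict


def demo() -> RestoreVerdict:
    # Constructed drill: three files backed up; the restore loses one and truncates another
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = os.path.join(tmp, "src"), os.path.join(tmp, "restored")
        originals = {"ledger.db": b"A" * 100, "hr.csv": b"B" * 40, "config.yml": b"C" * 10}
        write_files(src, originals)
        manifest = build_manifest(src)
        write_files(restored, {"ledger.db": originals["ledger.db"], "hr.csv": b"B" * 39})
        # The plan promised 8 hours; the drill took 3 days
        return assess_restore(manifest, restored, 3 * 24 * 3600, 8 * 3600)
```

Running `demo()` reports config.yml missing, hr.csv corrupted and the RTO missed, which is exactly the "plan is fiction" outcome the text warns about.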
Ransomware is increasingly becoming identity-led. Attackers are compromising identities and using legitimate access to avoid detection. They move laterally with admin tools instead of using a malware-first approach.
This has made effective segmentation critical in 2026. Using microsegmentation, especially around crown jewels, is a safe practice that businesses must adopt now. It’s also important to separate user networks from server networks.
Privileged Access Management is now more important than ever. Time-bound and just-in-time access are essential to avoid ransomware attacks in 2026. Even if the attack is successful, its blast radius can be controlled and encryption may not become enterprise-wide within hours.
Ransomware groups have heavily exploited known vulnerabilities with available patches in 2025. They have also leveraged SaaS misconfigurations and unpatched third-party apps to their advantage. Patching everything is of the essence now.
You can adopt a risk-based prioritisation, patching internet-facing systems and actively exploited CVEs first. When patching isn’t immediately possible, it is important to disable vulnerable features. You can increase monitoring around exposed systems and restrict access via network rules.
It’s also worth remembering that regulatory expectations increasingly revolve around patch management. The first question insurers ask after an incident is whether the affected system was patched and, if not, why. For the sake of your business, its financial continuity and your reputation, it’s important that you have a solid answer to these questions in the event of a ransomware attack.
Ransomware is as much a trust crisis as a technical one. Poor communication if you’re attacked amplifies reputational damage. It triggers regulatory scrutiny and definitely undermines customer confidence. This has brought Crisis Communications into the limelight in 2025 - a trend that is likely to continue into 2026 and way beyond that.
For strong Crisis Communications that offer clarity and build confidence, you need a well-written and pre-defined playbook. This should contain pre-written templates for customers, regulators, partners and suppliers and the media. When you’re in the heat of an attack, it’s impossible to get messaging consistent and cohesive. Pre-thought-out and approved templates make all the difference in the midst of chaos.
Your playbook should also outline clear approval workflows - who signs off messages, who engages regulators and who speaks publicly. Testing these protocols is critical during tabletop exercises. Cyber drills will also help you align legal, PR, compliance and executive teams ensuring message consistency under pressure.