Global Ransomware Attacks Surge 32% in 2025, With Manufacturing and U.S. Organizations Hit Hardest In 2025, global ransomware attacks reached 7,419 incidents, marking a 32% increase from the 5,631 recorded in 2024, according to a report by Comparitech. Of these, 1,173 attacks were confirmed by targeted organizations, while the remaining were claimed by ransomware groups via data leak sites. Collectively, the confirmed attacks breached 59.2 million records, though this figure is expected to rise as delayed reports emerge. ### Key Trends and Sector Impacts - Manufacturing saw the sharpest rise in attacks, surging 56% to 1,466 incidents, with average ransom demands more than doubling from $523,000 in 2024 to $1.2 million in 2025. - Legal firms experienced a 54% increase in attacks, alongside a 60% jump in ransom demands, averaging $610,000. - Healthcare and education saw stable attack volumes, with only 2% increases in incidents, suggesting a potential shift in attacker focus or improved defenses in these sectors. ### Geographic Breakdown The U.S. remained the most targeted country, accounting for 3,810 attacks (51% of the global total), a 33% increase from 2024. Other heavily affected nations included: - Canada: 392 attacks (31% increase) - Germany: 303 attacks (62% increase) - U.K.: 251 attacks (5% decrease) - France: 178 attacks (39% increase) - South Korea: 64 attacks (540% increase), driven largely by attacks on asset management firms following Qilin’s breach of a third-party provider. ### Ransomware Groups and Data Theft - Qilin was the most active group, responsible for 1,034 attacks (14% of the total), including 172 confirmed incidents. The group claimed to have stolen 31.2 petabytes of data, primarily from a single U.S. manufacturer. - Akira ranked second with 765 attacks, while SafePay was linked to the largest number of breached records (16.15 million), nearly all from its attack on Conduent. - DragonForce exposed 6.5 million records, mostly from its attack on the U.K.’s Co-operative Group, which resulted in £206 million ($276 million) in lost revenue. ### Notable Breaches in 2025 - Conduent (U.S.): 15.9 million records exposed in a SafePay attack, with 8.5 terabytes of data allegedly stolen. - Episource (U.S.): 5.4 million records compromised in an unidentified ransomware attack. - University of Phoenix (U.S.): 3.49 million records breached via a Clop attack exploiting an Oracle zero-day vulnerability. - DaVita (U.S.): 2.69 million records exposed in an Interlock attack, with 1.5 terabytes of data stolen. - Sanrio (Japan): 2 million records affected. - Asahi Group (Japan): 1.9 million records compromised. ### Sector-Specific Trends - Businesses bore the brunt of attacks (6,292 incidents, 35% increase), with 43 million records exposed in confirmed cases. Average ransom demands held steady at $1.09 million. - Government entities faced 374 attacks (27% increase), with 2.19 million records compromised. Ransom demands fell 15% to $1.55 million. - Healthcare saw 444 attacks (2% increase), with 10.1 million records exposed. Ransom demands plummeted 84% to $615,000. - Education recorded 252 attacks (2% increase), with 3.9 million records breached. Ransom demands dropped 34% to $457,200. The data underscores a strategic shift in ransomware targeting, with attackers prioritizing high-value commercial and public-sector entities while maintaining pressure on traditionally vulnerable sectors. Despite the surge in attacks, average ransom demands declined overall, dropping 26% to $1.04 million. However, select industries particularly manufacturing and legal services saw significant increases in both attack frequency and ransom demands.

Qilin Ransomware Gang Escalates Attacks in 2025, Targeting Critical Sectors Worldwide The Qilin ransomware gang has become one of the most prolific cybercriminal operations in 2025, compromising hundreds of organizations, including major corporations, government entities, and healthcare providers. In October alone, the suspected Russia-based group claimed over 185 victims, including Japanese beverage giant Asahi, the Texas city of Sugar Land, a North Carolina county government, and multiple Texas power companies. Cybersecurity firm Cisco Talos reported that Qilin has been publishing data from roughly 40 victims per month in the second half of 2025. Active since July 2022, the group has expanded its operations under a ransomware-as-a-service (RaaS) model, enabling rapid scaling and increased attack success rates. Nearly a quarter of its attacks target the manufacturing sector, followed by professional and scientific services (18%) and wholesale trade (10%). Qilin’s intrusion methods vary, but stolen administrative credentials often sourced from the dark web have been used to breach VPNs in multiple incidents. Comparitech tracked over 700 Qilin-related attacks in 2025, with 118 confirmed, predominantly affecting the U.S. (50%), alongside France, Canada, South Korea, and Spain. The group has also escalated ransom demands, including a $10 million extortion attempt against Kuala Lumpur International Airport in March and a $4 million demand following an attack on Cleveland’s Municipal Court in February. Despite law enforcement scrutiny after a 2024 attack on a British healthcare provider, Qilin has continued its operations, targeting entities like the government of Palau and a major U.S. newspaper chain.

2025: A Year of Rising Costs—and Escalating Cyber Threats for UK Businesses As 2025 draws to a close, UK businesses and charities have faced a surge in financial pressures—from soaring employment costs and supply chain disruptions to oil and tariff shocks. Yet, one of the most damaging expenses has been the fallout from cyberattacks, which have hit nearly half of British companies and 30% of charities over the past year. High-profile victims include retail giants Marks & Spencer, Adidas, and the Co-op Group, as well as Heathrow Airport, Harrods, and Jaguar Land Rover (JLR). The public sector hasn’t been spared either: Germany’s parliament and the UK Foreign Office (breached in October) were among those targeted. Attacks ranged from phishing scams to full-scale digital shutdowns, with some incidents costing hundreds of millions. The scale of cybercrime has reached staggering proportions. Cybersecurity Ventures estimates the global cost of cyberattacks in 2025 at $10.5 trillion (£7.8 trillion)—a figure that would rank cybercrime as the world’s third-largest economy, trailing only the US and China. The financial and operational toll underscores the growing threat to organizations across sectors.

Asahi Group Holdings Ltd., Japan’s largest brewer, suffered a ransomware attack that crippled its internal order and shipment systems, forcing a manual fallback (phone, fax, in-person). Over a month later, operations remain at just 10% capacity, severely disrupting supply during December—its peak sales month (12% of annual volume from Super Dry alone). The attack caused stockouts in bars, restaurants, and gift markets, leading rivals (Kirin, Sapporo, Suntory) to seize market share by replacing Asahi’s dispensing units and glassware. Financial losses include a projected ¥15 billion core operating loss in Q4, a 13% miss on full-year guidance, and delayed earnings reports due to inaccessible financial data. The breach exploited vulnerabilities in Asahi’s fragmented legacy systems (from acquisitions), compounding recovery challenges. While retail shelves show partial availability, on-premise sales (bars, izakayas) face long-term loyalty risks, with some outlets permanently switching brands. The incident also disrupted Japan’s corporate gifting tradition, further damaging revenue and reputation during the critical year-end season.

Asahi, Japan’s leading brewer with 40% market share, suffered a ransomware attack attributed to the Qilin group, forcing it to halt production at most of its 30 factories, including six breweries. The attack crippled its computer systems, reducing operations to manual processes (pen, paper, and fax), severely limiting order processing and shipments. This caused widespread shortages of its products—beer (e.g., Asahi Super Dry), soft drinks, bottled teas, and food items—across convenience stores (FamilyMart, 7-Eleven, Lawson), liquor stores, and restaurants nationwide. Wholesalers reported receiving only 10–20% of normal supply, with disruptions expected to last at least a month. While European subsidiaries (Peroni, Grolsch, Fuller’s) remained unaffected, the attack exposed Asahi’s legacy system vulnerabilities and data leaks (suspected stolen data found online). The incident underscored Japan’s broader cybersecurity gaps, including reliance on outdated infrastructure and low digital literacy, prompting government intervention under the new Active Cyber Defense Law (ACD). The financial and reputational damage extends beyond Asahi to retailers, suppliers, and consumers, with no confirmed timeline for full recovery.

In September 2025, Japan’s largest brewery, Asahi Group Holdings, fell victim to a Qilin ransomware attack that crippled its entire digital infrastructure over a weekend. By Monday, all 30 factories shut down, halting production of flagship products like Super Dry beer. The attack locked every computer system, forcing employees to revert to manual processes—taking orders by phone, handwriting shipment instructions, and relying on fax machines to communicate with warehouses and distributors. Analysts projected an 83% domestic profit loss if the outage persisted. While six breweries gradually restarted in early October, many systems remained unrecovered weeks later, with operations running primarily on paper and fax. The incident exposed critical vulnerabilities in digital dependency, as the company spent weeks rebuilding IT infrastructure from scratch while struggling to meet market demand and avoid reputational damage.

Verizon’s 2026 DBIR Reveals Shifting Cyber Threat Landscape, with Vulnerability Exploitation Now Leading Breach Entry Point The latest Verizon 2026 Data Breach Investigations Report (DBIR) highlights a dramatic shift in cyberattack tactics, with the exploitation of software vulnerabilities overtaking stolen credentials as the primary initial access vector for breaches accounting for 31% of incidents. This marks the first time vulnerability exploitation has surpassed credential abuse, which fell to 13%, signaling a growing focus by threat actors on direct system weaknesses rather than human error. The report warns that AI-assisted attacks are accelerating the speed of exploitation, compressing the window between vulnerability disclosure and attack from months to mere hours. This rapid weaponization of known flaws has created a capacity crisis for security teams, with only 26% of critical vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalog fully remediated in 2025 a decline from 38% the previous year. The median time to resolve vulnerabilities also increased to 43 days, while organizations faced 50% more critical vulnerabilities requiring patching compared to the prior period. Ransomware remains a dominant threat, involved in 48% of all breaches (up from 44% in 2025). However, fewer victims are paying ransoms, with 69% refusing demands a trend contributing to a drop in the median ransom payment to $139,875. Third-party and supply chain risks have surged, with breaches involving external partners rising 60% year-over-year, now accounting for 48% of all incidents. Remediation of third-party security gaps, such as missing multifactor authentication (MFA) or weak passwords, often takes nearly eight months, leaving organizations exposed. Generative AI is reshaping the threat landscape, with attackers leveraging AI across multiple stages of cyber operations from targeting to malware development. The median threat actor used AI in 15 documented attack techniques, though most AI-assisted malware remains tied to established methods. Less than 2.5% of observed AI-driven malware involved novel or rare techniques. Human-focused attacks persist as a major vulnerability, with the "human element" involved in 62% of breaches. Mobile-centric social engineering, including SMS and voice-based phishing, has proven 40% more effective than traditional email campaigns. Pretexting where attackers manipulate victims through fabricated scenarios now accounts for 6% of breaches, often serving as an entry point for ransomware and extortion. Sector-Specific Findings - Manufacturing & Industrial Sectors: Breaches continue to rise, driven by ransomware, which accounted for 61% of incidents in this vertical. System intrusion, social engineering, and web application attacks made up 91% of confirmed breaches. A late-2025 ransomware attack on Japan’s Asahi Group Holdings forced production shutdowns and shipment suspensions, illustrating the cascading financial and operational impacts of such incidents. In the U.K., a ransomware attack on Jaguar Land Rover caused a five-week production halt, resulting in an estimated £1.9 billion in damages the costliest cyber incident in the country’s history. - Regional Trends: - North America: Recorded 12,371 incidents and 8,426 confirmed breaches, with system intrusion, social engineering, and web application attacks comprising 87% of cases. Financial motives drove 98% of breaches, and vulnerability exploitation led initial access at 30%. - Asia-Pacific: Saw 5,229 incidents and 2,855 confirmed breaches, with external actors responsible for 99% of attacks. Vulnerability exploitation dominated at 42%, followed by credential abuse (25%) and phishing (15%). - Europe, Middle East & Africa (EMEA): Reported 8,245 incidents and 6,060 confirmed breaches, with vulnerability exploitation accounting for 47% of initial access. - Latin America & Caribbean: Documented 813 incidents and 718 confirmed breaches, with vulnerability exploitation leading at 44%. The report underscores that while AI and faster exploitation tactics are intensifying threats, foundational security practices such as timely patching, MFA enforcement, and third-party risk management remain critical to resilience. The data also reveals a persistent gap in remediation efforts, with organizations struggling to keep pace with the volume and velocity of emerging vulnerabilities.

The Asahi Group, a Tokyo-based multinational beverage and food company, fell victim to a ransomware attack by the Qilin ransomware group. The attackers claimed to have exfiltrated 27 GB of sensitive data, including personal details of employees, financial documents, budgets, contracts, business development plans, and forecasts. The breach caused significant operational disruptions, forcing Asahi to suspend order and shipment operations in Japan, as well as shut down call center and customer service desks. While the company is gradually resuming operations through manual processes, the incident highlights severe data exposure risks and business continuity threats.The Qilin group, known for its technically mature RaaS (Ransomware-as-a-Service) model, has been highly active, accounting for 16% of global ransomware attacks in August 2025. This attack follows a pattern of targeting Japanese firms, with Asahi being the latest high-profile victim. The stolen data includes both internal employee records and critical business intelligence, raising concerns over long-term financial, reputational, and competitive damage. Asahi has not publicly confirmed or denied the ransom demands, but the operational halt underscores the severe impact on core business functions.

Japanese beverage giant Asahi suffered a cyberattack leading to a system failure that severely disrupted its operations in Japan. The incident forced the company to halt order processing, shipments, and call center services, crippling customer support and logistics. While Asahi confirmed no personal or customer data was leaked, the attack caused operational paralysis, affecting its ability to fulfill deliveries and manage business communications. The company, which owns global brands like Peroni and Grolsch and operates 30 factories in Japan, reported over $9 billion in revenue for H1 2025. No ransomware group claimed responsibility, and Asahi did not confirm the attack type, but the prolonged outage—with no estimated recovery timeline—highlights significant business continuity risks. The incident aligns with a rising trend of cyberattacks on beverage manufacturers, with prior ransomware strikes on breweries in Europe and Russia.

Japanese beer maker Asahi Group suffered a ransomware attack by the Qilin group, leading to the exposure of personal data from over 1.5 million individuals. The attackers infiltrated the company’s network via on-site equipment, deploying ransomware on servers and employee PCs while exfiltrating data. The compromised information likely includes names, genders, postal addresses, phone numbers, and email addresses of customers who contacted Asahi’s service centers (affecting ~1.525M people). Additionally, data from 300,000 external contacts, employees, and their family members may have been exposed. While Asahi confirmed no evidence of data misuse or public leakage, Qilin listed the company on its dark web leak site, indicating a high risk of future exploitation. The attack was contained to Asahi’s Japanese operations, with no confirmed financial or operational disruptions beyond data theft.

Cyberattacks Surge in Japan as Ransomware Cases Hit Record Highs The Tokyo Metropolitan Police Department has reported a sharp rise in cyberattacks targeting major Japanese corporations, disrupting supply chains and critical operations. Companies like Asahi Group and Askul Corp. have faced severe disruptions, with attacks forcing distribution systems offline and halting retail operations. The incidents highlight vulnerabilities exacerbated by remote work trends and increasingly sophisticated criminal tactics, including AI-driven automation. Japan recorded 116 ransomware attacks in the first half of 2025, matching its previous annual total. The financial and reputational fallout has drawn investor scrutiny, as disruptions to logistics and customer trust threaten profitability. With digital dependence growing, sectors reliant on online platforms face heightened risk, potentially impacting valuations if security measures fail to keep pace. The attacks underscore broader economic risks, as even advanced economies remain vulnerable to cyber threats. Authorities and businesses are under pressure to bolster defenses, with cybersecurity now a critical factor in maintaining economic stability.

Ransomware Attacks Escalate in 2026: Rising Costs, Evolving Tactics, and Persistent Vulnerabilities Ransomware remains one of the most disruptive cybersecurity threats in 2026, with attacks growing in scale, sophistication, and financial impact. The average ransom demand has surged to $1.3 million, with over half of payments exceeding $1 million a stark increase from the sub-$1,000 demands of a decade ago. Even when victims refuse to pay, the long-term operational and financial damage can be severe, as seen in high-profile incidents affecting Jaguar Land Rover, Marks & Spencer, and Asahi in 2025. ### Why Ransomware Persists and Worsens Despite being a known threat for years, ransomware attacks are more disruptive than ever due to a combination of poor cyber hygiene, expanding attack surfaces, and AI-driven tactics. #### 1. Exploiting Basic Security Failures Most ransomware attacks succeed by targeting unpatched vulnerabilities, weak or reused passwords, and missing multi-factor authentication (MFA). Excessive user permissions further enable attackers to move laterally across networks undetected. As Etay Maor of Cato Networks noted, "Over 80% of attacks stem from misconfigured or unpatched systems" highlighting that the root issue lies in preventable security gaps. #### 2. Complex IT Environments Expand the Attack Surface Modern enterprise networks spanning cloud infrastructure, AI tools, and remote work systems have grown increasingly difficult to secure. Misconfigured deployments, such as improperly secured AI chatbots or cloud suites, create new entry points for attackers. Cybercriminals also exploit legitimate accounts, making malicious activity harder to detect until it’s too late. #### 3. Social Engineering and AI Amplify Threats Attackers are increasingly using social engineering to bypass security controls. Techniques like ClickFix, which tricks users into running malicious scripts via fake error messages, allow cybercriminals to evade defenses with minimal effort. Meanwhile, AI has lowered the barrier for attackers, enabling them to: - Generate customized phishing lures at scale. - Deploy deepfake audio/video to impersonate executives or IT staff. - Automate ransomware development, allowing even low-skilled threat actors to launch sophisticated attacks. #### 4. The Ransom Payment Dilemma The persistence of ransomware is fueled by victims paying ransoms, which funds further attacks. As Gavin Millard of Tenable warned, "Paying ransoms only enables attackers to invest in faster, more scalable ransomware operations." Instead, organizations are urged to focus on prevention, incident response, and disaster recovery to break the cycle. ### The Path Forward: Prevention Over Payment Experts emphasize that stronger security fundamentals such as patching vulnerabilities, enforcing MFA, and monitoring for unusual account activity can significantly reduce ransomware risks. However, the challenge remains in securing board-level investment for proactive measures, as the cost of prevention is far lower than the fallout of an attack. With ransomware showing no signs of slowing, the battle hinges on closing security gaps before attackers exploit them not just reacting after the damage is done.

Asahi Group Holdings, a major Japanese food and beverage company, suffered a ransomware attack claimed by the hacker group Qilin on October 7, 2024. The attackers allegedly stole over 9,300 data files, including financial records and personal information of employees. While it remains unclear whether customer or business partner data was compromised, the breach forced the company to postpone its Q1–Q3 earnings release (originally scheduled for November 12) due to system disruptions. The company confirmed the leaked data’s presence online the following day, and its systems remain unrecovered, forcing manual order processing. The attack’s financial and operational impact includes delayed reporting, potential reputational damage, and operational inefficiencies, though the full scope of data exposure—particularly regarding customers—is still under investigation. The involvement of ransomware and theft of employee personal data elevates the incident’s severity, with potential long-term consequences for trust and regulatory compliance.

Asahi Group Holdings, the Japanese beverage giant and producer of Asahi Super Dry, suffered a ransomware attack in late September 2024, disrupting its operations. The attack forced the company to delay the release of its full-year financial results (fiscal year ending December 2025) due to ongoing system recovery efforts. While shipments are gradually resuming, the incident caused operational disruptions, including potential delays in production and distribution. The attack was claimed by the Qilin hacker group, allegedly based in Russia, though Asahi has not confirmed the perpetrator’s identity or ransom demands. The incident highlights the growing threat of ransomware against high-profile corporations, with Asahi joining other global victims like Jaguar Land Rover (factory halts) and Muji (online service shutdowns). The financial and reputational impact remains significant, as the company works to restore systems while managing public trust and supply chain stability.

Asahi Group Holdings Ltd., Japan’s largest beer brewer, suffered a ransomware attack by the Russian-speaking hacker group Qilin, which disrupted operations for over a week. The attack led to the theft of approximately 27 GB of data, including financial documents, contracts, development forecasts, and employees’ personal information. The breach forced Asahi to halt production at nearly 30 domestic factories, crippling distribution and limiting orders to only its flagship Asahi Super Dry brew. While plants were gradually restored by mid-October, output remained below normal capacity. The stolen data was later found leaked online, though Asahi declined to confirm specifics. The incident caused supply chain disruptions, prompting competitors like Kirin, Sapporo, and Suntory to ramp up production to meet market demand. Qilin, known for double-extortion tactics (encrypting files and threatening to publish stolen data), has previously targeted over 100 companies globally, including a $50M ransomware attack on UK hospital lab provider Synnovis in 2024. The attack underscored Japan’s vulnerability to cyber threats, with ripple effects across factories, retailers, and restaurants.

Asahi Group Holdings, the maker of Asahi Super Dry, suffered a sophisticated ransomware attack in late September 2023, attributed to the Russian-linked hacker group Qilin. The attack disrupted operations for nearly three months, forcing the company to delay financial disclosures (third-quarter and full-year earnings) and halt production across its 30 domestic factories due to system-wide shutdowns. While six beer factories later resumed operations, order processing reverted to manual methods to avoid shortages. The breach caused supply chain disruptions, with shipments resuming gradually as systems were restored. Japanese media reported full recovery would take until February 2024. The CEO emphasized the attack was beyond their cybersecurity measures, describing it as 'cunning' and refusing ransom negotiations. The incident highlights Japan’s broader vulnerability to cyber threats, with a recent survey revealing one-third of Japanese businesses experienced attacks in 2023.

Asahi Group Holdings, a major Japanese beer and beverage company, suffered a ransomware attack by the Qilin group, disrupting production across its six beer plants in Japan. The attack, first disclosed on September 29, forced a temporary halt in operations, with production resuming only on October 2. Qilin claimed responsibility on October 1, publishing 29 images of allegedly stolen internal documents and asserting the theft of over 9,300 files (27 GB) of data. The group operates a ransomware-as-a-service (RaaS) model, extorting victims for financial gain. The incident remains under investigation, with Asahi declining to confirm the authenticity of the leaked data, extortion demands, or negotiations. Qilin, active since 2022, has a history of high-profile attacks, including the June 2024 breach of Synnovis, a UK diagnostic services provider, which indirectly contributed to a patient’s death in 2025. The Asahi attack highlights the growing threat of ransomware disrupting critical industrial operations, risking financial losses, reputational damage, and operational downtime.

Qilin Ransomware Gang Leaks Sensitive Data from San Francisco’s Elite Cal Club The Qilin ransomware operation has exposed nearly 12,000 files containing highly sensitive data from the California Golf Club of San Francisco (Cal Club), an exclusive private club frequented by Silicon Valley executives and high-profile members. The breach, analyzed by Cybernews researchers, includes documents spanning December 2016 to September 2025, revealing members’ personal and financial details such as names, birthdates, phone numbers, home and email addresses, membership statuses, and dues paid. Beyond member data, the leak also disclosed previously undisclosed club information, including employee performance evaluations, 401K details, and salary records. Qilin, which has emerged as one of the most active ransomware groups in the past year, recently claimed responsibility for another high-profile attack on Japanese beer producer Asahi Group Holdings. The incident reflects a broader surge in cyber threats, with the global education sector experiencing a 63% increase in attacks between November 2024 and October 2025, alongside a 73% rise in data breaches and a 75% spike in hacktivist activity, according to Quorum Cyber’s threat intelligence. While Qilin’s focus on Cal Club underscores its targeting of elite organizations, other state-backed threat actors such as North Korean hackers have leveraged AI-generated video calls to target cryptocurrency firms, while suspected Russian operatives have launched phishing campaigns against German officials via Signal.