Ransomware Attacks Surge 36% in Q3 2025, Data Stolen in 96% of Cases

BlackFog Report: Ransomware Attacks Rose 36% in Q3 2025, Qilin Most Active Group

Severity: HIGH
Published: October 17, 2025
Updated: October 18, 2025
Tags: Ransomware, Threat Intelligence, Threat Actor

Related Entities (initial): Asahi Group, Shimao Group, Ransomware

Full Report (when first published)

Executive Summary

Ransomware attacks reached record levels in the third quarter of 2025, with a 36% year-over-year increase in publicly reported incidents, according to a new threat report from BlackFog. The data shows a significant evolution in attacker methodology: data exfiltration is now a standard component of attacks, occurring in 96% of cases. This 'double extortion' tactic, encrypting data and threatening to leak it, maximizes pressure on victims to pay. The Qilin ransomware group emerged as the most prolific, while healthcare continued to be the most frequently victimized sector among publicly disclosed attacks. These findings confirm that ransomware is increasing not only in volume but also in the severity of its impact, making data exfiltration prevention a critical defense priority.


Threat Overview

The Q3 2025 report documents 270 publicly disclosed ransomware attacks, a staggering 335% increase since the same period in 2020. This highlights a consistent and accelerating trend.

  • Key Statistic: 36% YoY increase in attacks.
  • Dominant Tactic: Data exfiltration (T1048 - Exfiltration Over Alternative Protocol) was involved in 96% of incidents, the highest percentage ever recorded. This indicates that nearly all ransomware attacks are now also data breaches.
  • Top Threat Actor: The Qilin ransomware gang was the most active group with 20 publicly attributed incidents. However, a large portion (40%) of attacks were not attributed, suggesting the involvement of many smaller or newer groups.
  • Most Targeted Sectors:
    • Publicly Disclosed: Healthcare was the most targeted sector, with 86 attacks (32%).
    • Non-Disclosed: Manufacturing was the hardest-hit sector, accounting for 22% of incidents.

Technical Analysis

The shift to a 96% rate of data exfiltration demonstrates that the Ransomware-as-a-Service (RaaS) ecosystem has fully industrialized the double-extortion model. The attack lifecycle now consistently includes the following phases:

  1. Initial Access: Gaining a foothold through phishing, exploiting vulnerabilities, or using compromised credentials.
  2. Reconnaissance & Lateral Movement: Mapping the network and gaining access to high-value data.
  3. Data Staging & Exfiltration: Identifying, collecting, compressing, and exfiltrating large volumes of sensitive data to attacker-controlled infrastructure.
  4. Encryption for Impact: Deploying the ransomware payload to encrypt systems, causing operational disruption.
  5. Extortion: Demanding a ransom payment for both the decryption key and a promise to delete the stolen data.

The high percentage of data theft means that even a victim that can restore from backups still faces the threat of a public data leak, creating immense pressure to pay.

Impact Assessment

The report confirms that ransomware is a global problem affecting 93 countries. The impact is not just financial but also operational and societal.

  • Healthcare: Attacks on healthcare organizations (e.g., hospitals) can disrupt patient care, cancel appointments, and put lives at risk.
  • Manufacturing: Attacks on manufacturing can halt production lines, leading to significant financial losses and supply chain disruptions.
  • Data Breach Consequences: With data theft being standard, all victims must now also manage the consequences of a data breach, including regulatory fines, legal liability, and loss of customer trust.

Detection & Response

Given the prevalence of data exfiltration, detection efforts must focus on identifying this activity before encryption begins.

  • Data Loss Prevention (DLP): Deploy DLP solutions that can detect and block the unauthorized transfer of sensitive data.
  • Network Traffic Analysis (D3-NTA: Network Traffic Analysis): Monitor egress network traffic for unusually large data flows, connections to suspicious domains, or the use of non-standard protocols for data transfer.
  • Behavioral Analysis: Use EDR and SIEM tools to detect the TTPs that precede exfiltration, such as the use of data compression tools (7-Zip, WinRAR) on sensitive servers or reconnaissance commands.

Mitigation

Preventing ransomware requires a defense-in-depth strategy:

  1. Immutable Backups: Maintain offline and immutable backups of critical data. This is essential for recovery but does not solve the data exfiltration problem.
  2. Prevent Data Exfiltration: Implement egress filtering and network traffic analysis to make it harder for attackers to steal data.
  3. Secure Initial Access Points: Enforce MFA, conduct regular phishing training, and maintain a robust patch management program.
  4. Principle of Least Privilege: Limit user and system permissions to only what is necessary, restricting an attacker's ability to move laterally and access sensitive data.

Timeline of Events

  1. September 30, 2025: The third quarter of 2025 concludes, with data showing a 36% year-over-year increase in ransomware attacks.
  2. October 17, 2025: This article was published.

Article Updates

October 18, 2025

New details on Q3 2025 ransomware surge: 1,510 unreported attacks, 527GB data stolen per victim, and 71% of disclosures lack root cause.

MITRE ATT&CK Mitigations

  • Encrypt Sensitive Information: While it doesn't stop exfiltration, encrypting sensitive data at rest can make the stolen data useless to attackers if they do not also steal the decryption keys.
  • Filter Network Traffic: Implement strict egress filtering to block outbound connections to known malicious IPs and to restrict the protocols that can be used for outbound communication, making data exfiltration more difficult.
  • User Training: Regular user training on phishing awareness can help prevent the initial access that often leads to ransomware attacks.

D3FEND Defensive Countermeasures

Since 96% of ransomware attacks now involve data exfiltration, detecting this stage is critical. User Data Transfer Analysis is a D3FEND technique focused on monitoring and baselining data movement. Security teams should deploy tools that can monitor file access and network flows, establishing a pattern of normal data transfer for each user and system. The system should alert on anomalies that indicate pre-exfiltration staging, such as a user account suddenly accessing and compressing large volumes of files it doesn't normally touch, or a server initiating a large upload to a cloud storage provider for the first time. Detecting this behavior allows defenders to intervene before the data leaves the network and before the final encryption stage of the attack begins.
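As an added illustration of the baselining described here and of the network traffic and behavioral analysis bullets in the Detection & Response section, the following Python script is example code written for this page, not tooling from BlackFog or from the article. It builds a per-host egress baseline from constructed flow summaries, alerts on a volume spike or on a large first-time destination, and separately flags archive-tool execution on hosts tagged as sensitive. All telemetry, host names, the archive-tool watch-list and the sensitive-host tagging are constructed assumptions.

```python
"""Added example: baseline-and-anomaly analytic for pre-exfiltration staging.
All telemetry below is constructed for illustration; host names, the archive
tool watch-list and the sensitive-host tag are assumptions, not page content."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (day, host, destination, megabytes_out)
FLOWS = [
    ("d1", "fileserver01", "backup.corp.test", 100),
    ("d2", "fileserver01", "backup.corp.test", 110),
    ("d3", "fileserver01", "backup.corp.test", 90),
    ("d4", "fileserver01", "backup.corp.test", 105),
    ("d5", "fileserver01", "backup.corp.test", 95),
    ("d1", "workstation07", "saas.corp.test", 20),
    ("d2", "workstation07", "saas.corp.test", 25),
    ("d3", "workstation07", "saas.corp.test", 15),
    ("d4", "workstation07", "saas.corp.test", 20),
    ("d5", "workstation07", "saas.corp.test", 20),
    # detection day: the file server pushes 1.4 GB to a never-seen cloud bucket
    ("d6", "fileserver01", "backup.corp.test", 110),
    ("d6", "fileserver01", "storage.example-cloud.test", 1400),
    ("d6", "workstation07", "saas.corp.test", 22),
]

# Constructed endpoint process events: (day, host, user, process, command_line)
PROCESS_EVENTS = [
    ("d6", "fileserver01", "svc_backup", "7z.exe",
     "7z.exe a D:\\staging\\finance.7z \\\\fileserver01\\Finance"),
    ("d6", "workstation07", "alice", "winrar.exe",
     "winrar.exe x C:\\Users\\alice\\Downloads\\report.rar"),
]

BASELINE_DAYS = ["d1", "d2", "d3", "d4", "d5"]
ARCHIVE_TOOLS = {"7z.exe", "rar.exe", "winrar.exe"}   # hypothetical watch-list
SENSITIVE_HOSTS = {"fileserver01"}                    # hypothetical asset tag


def build_egress_baseline(flows, baseline_days):
    """Per-host (mean, population stdev) of daily egress MB over the baseline window."""
    per_host_day = defaultdict(lambda: defaultdict(int))
    for day, host, _dest, mb in flows:
        if day in baseline_days:
            per_host_day[host][day] += mb
    baseline = {}
    for host, days in per_host_day.items():
        # zero-fill days with no egress so quiet days count toward the baseline
        daily = [days.get(d, 0) for d in baseline_days]
        baseline[host] = (mean(daily), pstdev(daily))
    return baseline


def known_destinations(flows, baseline_days):
    """Destinations each host talked to during the baseline window."""
    seen = defaultdict(set)
    for day, host, dest, _mb in flows:
        if day in baseline_days:
            seen[host].add(dest)
    return seen


def detect_egress_anomalies(flows, baseline_days, day, z=3.0, new_dest_min_mb=500):
    """Alert when a host's daily egress exceeds mean + z*stdev, or when it sends
    at least new_dest_min_mb to a destination never seen in the baseline.
    A host with no baseline at all is treated as mean 0, so any egress alerts."""
    baseline = build_egress_baseline(flows, baseline_days)
    known = known_destinations(flows, baseline_days)
    totals = defaultdict(int)
    per_dest = defaultdict(lambda: defaultdict(int))
    for d, host, dest, mb in flows:
        if d == day:
            totals[host] += mb
            per_dest[host][dest] += mb
    alerts = []
    for host, total in totals.items():
        mu, sigma = baseline.get(host, (0.0, 0.0))
        if total > mu + z * sigma:
            alerts.append({"host": host, "type": "volume_spike",
                           "mb": total, "baseline_mean": mu})
        for dest, mb in per_dest[host].items():
            if dest not in known[host] and mb >= new_dest_min_mb:
                alerts.append({"host": host, "type": "new_destination",
                               "dest": dest, "mb": mb})
    return alerts


def detect_staging_on_sensitive_hosts(events, day):
    """Archive-tool execution on a sensitive host is a common staging precursor."""
    return [
        {"host": host, "user": user, "process": proc, "cmdline": cmd}
        for d, host, user, proc, cmd in events
        if d == day and host in SENSITIVE_HOSTS and proc.lower() in ARCHIVE_TOOLS
    ]


if __name__ == "__main__":
    for a in detect_egress_anomalies(FLOWS, BASELINE_DAYS, "d6"):
        print("EGRESS", a)
    for a in detect_staging_on_sensitive_hosts(PROCESS_EVENTS, "d6"):
        print("STAGING", a)
```

Running the script on the constructed data raises two egress alerts for fileserver01 (a volume spike against its roughly 100 MB/day baseline and a 1,400 MB first-time destination) and one staging alert for the 7-Zip run on the same host, while the workstation's normal traffic and local archive extraction stay silent. In production the baseline window would be longer, totals would come from flow collectors or a proxy, and the sensitive-host tag would come from the asset inventory rather than a hard-coded set.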

While preventing data exfiltration is key, having a robust recovery capability is still a non-negotiable defense against ransomware. This goes beyond simple backups. Organizations must implement a 3-2-1 backup strategy (3 copies, 2 different media, 1 offsite/offline/immutable). For critical systems, backups should be immutable, meaning they cannot be altered or deleted by an attacker who compromises the production environment. Regularly test the restoration process to ensure backups are viable and that Recovery Time Objectives (RTOs) can be met. While this does not solve the data extortion problem, it provides the organization with the option to refuse to pay the ransom for the decryption key, significantly reducing the attacker's leverage.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Ransomware, Threat Intelligence, Q3 2025, BlackFog, Qilin, Data Exfiltration, Healthcare
