New Comparitech data showed a sharp rise in attacks on government agencies during the first half of 2025. Researchers logged 208 ransomware incidents targeting government entities worldwide, marking a 65% jump compared to the same period in 2024, which saw 126 attacks, and a 25% increase over the second half of 2024, which recorded 167. Of the 208 attacks in early 2025, 104 were confirmed by the affected organizations.
In its ‘Government Ransomware Roundup,’ Comparitech identified that the numbers underscore how government bodies remain a top target for ransomware actors, outpacing other critical sectors. By contrast, Comparitech’s recent healthcare sector analysis found only a four percent increase in attacks from the first half of 2024 to the same period in 2025, and a nine percent decline compared to the second half of 2024.
“Attacks against governments are frequently reported on by news outlets, which can add to a gang’s notoriety. 50 percent of all attacks in H1 were confirmed by the agency involved,” Rebecca Moody, head of data research at Comparitech, wrote in a Thursday news post. “In education, that figure is just 31 percent, in healthcare it was 32 percent, and across all other businesses it was just eight percent.”
She also highlighted that several governments banning (or looking to ban) public entities from paying ransoms doesn’t appear to be deterring hackers. “If negotiations fail, most hackers auction off stolen data on the dark web, allowing them to profit even if ransoms aren’t paid.”
Comparitech disclosed that a significant share, 35%, of the 208 ransomware attacks recorded against government organizations in the first half of 2025 targeted entities based in the U.S., accounting for 72 incidents. Of these, 44 attacks were officially confirmed by the affected government agencies. Other countries that ranked among the top five most targeted included Brazil and India with nine incidents each, followed by Canada with eight. France, Spain, and Indonesia each reported five attacks.
Of the nine ransomware attacks targeting Brazilian government entities, five were confirmed. None were claimed on hacker leak sites. Among the victims were the city halls of Ivinhema, Chapadão do Sul, São José do Rio Preto, and Porto Nacional, along with the Instituto de Pesquisas Energéticas e Nucleares (IPEN). Both Chapadão do Sul and Porto Nacional confirmed they did not pay the ransom, with Chapadão do Sul disclosing a demand of $266,000. IPEN reported losses of 2.5 million reais, roughly $450,000.
In Canada, four attacks were confirmed, each attributed to a different ransomware group. Three took place in February 2025, when RansomHub hit the Town of Hinton, INC targeted the City of Fort St. John, and BlackSuit struck the Town of Orangeville. In March, Medusa claimed responsibility for the attack on MRC de Maskinongé, demanding $100,000.
France also saw multiple incidents. Mairie de Berson and Mairie de Ostheim were both attacked by unknown groups in February 2025; neither paid a ransom. In April, NightSpire targeted Commune d’Ardon.
Spain recorded several disruptive attacks. Badajoz and La Rinconada were hit in April 2025, though no group stepped forward. In May, Devman targeted Níjar and allegedly stole 250 gigabytes of data. The most severe case was in June, when Qilin struck Melilla, demanding $2.1 million. Melilla refused to pay, and it took the city about three weeks to recover.
None of the attacks reported in India or Indonesia were confirmed, likely due to limited public disclosure or reporting in these regions.
Elsewhere, Belgium confirmed four government-related ransomware incidents. The U.K. and Colombia each confirmed three. In the U.K., Medusa attacked Gateshead Council in January 2025, demanding $600,000. In May, Interlock claimed responsibility for an attack on West Lothian Council, saying it stole 2.63 terabytes of data. The British Horseracing Authority was also hit in June 2025, though the threat actor remains unidentified.
Comparitech identified the biggest ransom demands made against government organizations in the first half of 2025. Slovakia’s Geodesy, Cartography, and Cadastre Office, known as Úrad geodézie, kartografie a katastra SR, was hit in January. Hackers demanded $12 million, but the government did not pay. In February, RansomHub targeted Hungary’s National Museum, specifically its National Archaeological Institute, and claimed to have stolen 180 gigabytes of data. The group demanded $10 million.
Furthermore, Kenya’s National Social Security Fund was attacked in May. Devman claimed responsibility and demanded $4.5 million in exchange for 2.5 terabytes of allegedly stolen data. The Cleveland Municipal Court in the United States was attacked in February. Qilin claimed responsibility and reportedly demanded $4 million. The city refused to pay. Also, Oregon’s Department of Environmental Quality was hit in April by Rhysida, which demanded $2.6 million after claiming to have stolen 2.5 terabytes of data. Four of these five incidents ranked among the largest ransomware demands across all sectors during the first half of the year.
While some ransomware gangs strike across sectors, others show a notable focus on government agencies. Qilin made 17 claims against government targets, representing five percent of its total activity. Thirteen of those were confirmed, accounting for 27% of its verified attacks. INC filed 16 claims against government entities, or 12% of its overall attacks. Eight were confirmed, making up 32% of its verified operations. RansomHub was linked to 12 government attacks, five percent of its total claims. Eight of these were confirmed, or 25% of its verified attacks.
Additionally, Funksec also made 12 claims involving government agencies, representing 18% of its total activity, though only one was confirmed. Medusa reported eight attacks on governments, eight percent of its overall claims. Five were confirmed, representing 28% of its verified incidents. SafePay was also linked to eight government-related attacks, four percent of its total. Three were confirmed, or 15% of its known attacks. Babuk was not included, as none of its alleged attacks on government systems were confirmed.
While Funksec and INC appear to prioritize government targets, INC and Qilin stand out for the percentage of attacks that have been verified. INC has the highest confirmation rate at 32%, followed by Qilin at 27%. Both groups also show strong activity in the healthcare sector. INC is responsible for the largest breach by record volume, driven by its attack on the Pierce County Library System, which accounts for the majority of government-related records compromised in 2025. Qilin has claimed the highest total of stolen data. It alleges more than 5.3 terabytes were exfiltrated across six incidents. Nearly 4 terabytes of that was taken in the Melilla attack, noted earlier.
Earlier this month, Comparitech reported that in the first half of this year, 3,627 ransomware attacks were logged, marking a 47% increase from the 2,472 attacks recorded in the first half of last year. Organizations have experienced a 50% rise in attacks, but some industries have been hit even harder. Technology saw an 88% increase, retail jumped 85%, legal rose 71%, transportation climbed 66%, and manufacturing grew 64%. However, utilities was the only sector to report a decline, down 31%.
