The numbers are in, and they’re alarming. According to Black Fog’s 2025 State of Ransomware Report, disclosed ransomware attacks surged 49% year-over-year to a record 1,174 attacks, while undisclosed attacks climbed 37%, with 7,079 victims posted to dark web leak sites. Perhaps most striking is that an estimated 86% of ransomware attacks globally go undisclosed by victims.
Healthcare, once again, bore the brunt of these attacks, accounting for 22% of all disclosed incidents — the most targeted sector for yet another year. And the financial toll continues to mount: in 2025, the average cost of a healthcare data breach reached $7.42 million, nearly double the global average of $4.44 million.
The ransomware ecosystem is evolving rapidly. Black Fog tracked 130 active ransomware groups in 2025, with 52 new groups emerging throughout the year. Several of these newcomers, including Sinobi, Insomnia, and Devman, have disproportionately targeted healthcare organizations. Meanwhile, established groups like Qilin, Akira, and Play dominated the landscape, with Qilin alone claiming over 1,115 victims across disclosed and undisclosed incidents.
Two of the year’s most impactful healthcare attacks were attributed to Qilin. The breach of ApolloMD compromised more than 626,500 patient records, and the attack on Covenant Health ultimately affected 478,188 patients, far exceeding the 7,864 initially reported. These cases illustrate a troubling pattern of attackers exfiltrating data rapidly, while organizations struggle for months to understand the true scope of the damage.
As Black Fog CEO Dr. Darren Williams put it: “Attackers aren’t just breaking in — they’re intent on stealing data to power extortion. By weaponizing AI they can outpace defenders at a new scale and use stealthy targeted techniques to slip past traditional security measures.”
In 2025, a staggering 96% of ransomware attacks involved data exfiltration before file encryption, meaning that even organizations with robust backup strategies face massive regulatory, legal, and reputational exposure. Encryption is no longer the only weapon, and data theft is the primary lever of extortion.
This reality demands a fundamental shift in how organizations think about ransomware defense and recovery. Perimeter and endpoint protections alone are not enough. Organizations need active defense across production storage environments, backup repositories, and the healthcare databases that house their most sensitive patient data.
Gartner defines cyberstorage as technology that provides active defense of storage systems and their data against cyberattacks through early detection, attack blocking, and analytics-driven recovery capabilities. Index Engines is proud to be recognized by Gartner as a key vendor in the cyberstorage space, and our CyberSense solution embodies this approach.
Continuous data integrity validation across your storage environment. CyberSense uses AI-driven, full-content inspection to continuously monitor data across production storage, backup infrastructure, and critical healthcare databases. By analyzing data at the byte level and tracking over 200 content-based statistics, CyberSense detects the subtle signs of corruption, encryption, and tampering that signature-based tools and metadata checks miss. This is cyberstorage in action: active defense embedded directly at the storage layer.
Knowing what was compromised and what wasn’t. When attacks like the Covenant Health breach take months to scope, organizations are left in the dark. CyberSense provides forensic-level reporting that identifies exactly which files, databases, and records were affected, enabling targeted recovery rather than costly, time-consuming full-environment restores.
Accelerating ransomware recovery with confidence. CyberSense pinpoints the last known clean backup or snapshot — verified through data integrity validation — so organizations can restore critical systems faster without the risk of reintroducing compromised data into production. In healthcare, where downtime directly impacts patient care, recovery speed and certainty are paramount.
Closing the gaps that attackers exploit. As Dr. Williams noted, “Putting protections in place to close these gaps and prevent data exfiltration has to take priority.” CyberSense complements prevention strategies by ensuring that when defenses are breached — and the data shows they inevitably will be — organizations have the intelligence to recover decisively with 99.99% accuracy in ransomware corruption detection.
The 2025 ransomware landscape makes clear that attacks are accelerating, healthcare is squarely in the crosshairs, and data theft is the new default. Organizations can no longer afford to treat storage security as an afterthought. With cyberstorage and data integrity validation, you gain the confidence to know your data is clean, your recovery is sound, and your operations can resume without compromise.