Top 5 Ransomware Cases of 2025

Published On: September 4, 2025

Ransomware as the Top Cyber Threat in 2025

In 2025, ransomware attacks have continued to cause widespread damage across different sectors worldwide, targeting government institutions, critical infrastructure organizations, and private companies. Below, we examine five of the most significant confirmed ransomware incidents of 2025. For each case, we describe the victim’s background and sector, information about the attackers, the ransom demand, the impact of the attack, and the likely motive.

Attack on Slovakia’s Land and Cadastre System

Victim: The Geodesy, Cartography and Cadastre Authority of Slovakia (ÚGKK), a state institution that manages land ownership and property records.
Attackers: The ransomware was confirmed to have originated from outside Slovakia. Local media linked the attack to a possible hacker group named Kapor, but authorities have not officially identified the attackers. Officials also pointed to signs suggesting a possible link to Ukraine, which caused political tension since Slovakia had recently criticized Ukraine’s gas transit policies. However, no solid evidence about the attackers’ origin has been presented.
Ransom demand: Hackers demanded about 12 million US dollars, one of the largest disclosed ransom requests this year. The Slovak government refused to pay.
Impact: The attack crippled the entire cadastre system, making e-services unavailable and forcing physical offices to close. Property transactions and registry services across the country came to a halt. Real estate sales, loan processes and even related services such as issuing parking permits in Bratislava were temporarily suspended. Experts warned that restoring the full functionality of the registry from backups could take months. The case highlighted the vulnerability of critical national infrastructure.
Likely motive: The primary motive was financial extortion. The large ransom amount suggests the attackers believed the registry was valuable enough to yield high profits. At the same time, the attack triggered geopolitical speculation due to its timing and accusations against Ukraine, raising suspicions of political pressure. Still, it is most likely that financially motivated criminals targeted a critical state service hoping the government would pay for data recovery.

Ransomware Halts Kuala Lumpur International Airport

Victim: Malaysia Airports Holdings Berhad, the largest airport operator in Malaysia and the company managing Kuala Lumpur International Airport (KLIA), one of Asia’s biggest transport hubs.
Attackers: The ransomware group Qilin, also known as Agenda, claimed responsibility. Qilin is a Russia-linked cybercriminal group that began operations in 2022 and is known for infecting high-profile victims through phishing emails. In this case, Qilin publicly admitted carrying out the attack.
Ransom demand: The group demanded about 10 million US dollars. They also claimed to have stolen up to 2 terabytes of data from the airport’s internal network, including sensitive business information. The operator confirmed the attack and declared a crisis but refused to pay.
Impact: The attack caused major operational disruption at Malaysia’s largest airport. Starting March 23, 2025, flight information screens, check-in counters, and baggage handling systems were offline, forcing staff to use manual workarounds. For example, departing flight details were temporarily written on boards. Although flights continued, passengers and staff experienced significant delays and inconvenience. The disruption lasted several days until systems were restored from backups. Fortunately, no passenger data leaks were reported, and critical security systems were said to be unaffected.
Likely motive: The motive was financial extortion. Qilin is profit-driven and likely chose the airport because operational downtime could be extremely costly, increasing pressure to pay. In this case, the airport did not pay, but the attack gained the group international attention.

Kettering Health: Ransomware Hits Hospital Network

Victim: Kettering Health, a large healthcare network in Ohio, USA, consisting of 14 hospitals and multiple clinics serving hundreds of thousands of patients annually.
Attackers: The ransomware group Interlock claimed responsibility. Interlock emerged in 2024, but little is known about them. They may be a new formation of an older group or an entirely new gang. In Kettering’s case, the attackers contacted the hospital with demands and hinted at having stolen sensitive data.
Ransom demand: Unknown, but considering the scale of the attack, it was likely in the millions of dollars. Kettering Health confirmed it did not pay. In the US, hospitals often keep ransom negotiations confidential to avoid encouraging further attacks.
Impact: The attack had a direct effect on patient care. Ransomware infiltrated the hospital network, disabling IT systems across 14 hospitals, including electronic health record systems, internal phone lines and channels for clinical data. As a result, many planned procedures had to be canceled, and emergency patients were redirected to other hospitals because digital systems were inaccessible. Kettering also confirmed that sensitive data, including financial information and likely patient records, had been stolen. Significant resources were spent on cleanup, system restoration, patient notifications and data breach investigations.
Likely motive: Financial extortion. Healthcare remains an attractive target because disruptions in hospitals can put lives at risk, creating strong pressure to pay. The stolen medical data may also be monetized later, for example, by selling it on the black market.

Hello Kitty Theme Park Data Breach in Japan

Victim: Sanrio Entertainment Co., a Japanese entertainment company operating the popular Hello Kitty theme parks Sanrio Puroland (Tokyo) and Harmonyland (Ōita Prefecture). These parks attract millions of visitors annually and are part of the global Sanrio brand empire.
Attackers: On January 21–22, 2025, Sanrio Entertainment’s networks suffered a major breach. While the investigation is ongoing, the attack strongly resembled a ransomware case. Criminals gained unauthorized access and disrupted services in a way consistent with extortion. No specific group has claimed responsibility, which may indicate that negotiations took place or that the situation was resolved before data was released.
Ransom demand: The company has not disclosed the amount. Given the theft of data and service disruptions, the ransom was likely significant. Since no group has published the data on leak sites, it is possible that payment was made or attempted.
Impact: The attack temporarily disrupted operations at both Sanrio theme parks. Between January 21 and 22, outages prevented Puroland and Harmonyland from issuing pre-purchased ticket codes or selling new annual passes. Visitors were notified of system failures through Puroland’s website. A limited version of ticket sales continued until the end of the month, when full functionality was restored. Alongside service outages, data from up to 2 million customers, employees, and partners was stolen, including names, postal addresses and Japanese national ID numbers (My Number). Sanrio was forced to issue a public apology.
Likely motive: Financial extortion. The attackers targeted the entertainment sector during a period when digital services were critical for revenue. This increased pressure on the company to pay. Entertainment companies often avoid publicizing ransom payments due to the importance of protecting their brand image.

Kenya Pension Fund NSSF Extortion

Victim: Kenya National Social Security Fund (NSSF), the state-run pension and social security fund managing pension contributions and personal data of millions of Kenyan workers and employers. It plays a critical role in the country’s financial system.
Attackers: In May 2025, NSSF was attacked by a newly emerged ransomware group called Devman. The group claimed on its leak site that it had full control of the fund’s systems. They also stated that they had direct contact with Kenyan authorities and had issued specific demands.
Ransom demand: Devman demanded 579 million Kenyan shillings, about 4.5 million US dollars. They claimed to have stolen around 2.5 terabytes of sensitive information from NSSF’s systems and threatened to publish the data within 24 hours if their demands were not met. The government and NSSF denied paying and downplayed the scale of the incident.
Impact: The attackers’ claims sparked public concern in Kenya, as NSSF holds virtually all workers’ personal and financial records, including IDs, pension entitlements and payment history. Many feared their information would end up on the black market. NSSF issued a press release denying a major breach, stating that only an image server was targeted and that core systems remained secure. According to officials, no member data was stolen. Observers suggested that such denials may have been aimed at preventing panic. Still, NSSF was forced to implement stronger security measures and launch an internal audit.
Likely motive: Financial extortion. Social security data is highly valuable not only for ransomware groups but also for identity thieves. Even without ransom payments, stolen data could be sold for significant profit on the black market.