Research from Comparitech identified a total of 479 ransomware attacks in April 2025. This represents a decrease from the figures the researchers tracked in Q1 of 2025, with 530 attacks logged in January, 973 in February, and 713 in March. It worth noting that ransomware appeared to decrease in April of 2024 as well, which a report at the time noted as atypical.

According to researchers, this year’s decline appears to be the result of RansomHub’s lack of activity. RansomHub, the most prolific ransomware group, appeared to go dark after March 31, 2025. In April, the most prolific ransomware group was Qilin, with 67 claims (an increase from last month’s claims at 45). Some suggest that RansomHub affiliates have shifted to Qilin due to the rise in claims from the group. 

While April had less ransomware attacks logged, the month saw some of the largest attacks of 2025 so far, with attacks on United Kingdom retailer Marks & Spencer and United States kidney dialysis company DaVita. 

Of the 479 attacks logged, 39 were confirmed. Out of these 39 confirmed attacks: 

• 21 targeted businesses
• 9 targeted government entities 
• 6 targeted healthcare organizations 
• 3 targeted educational institutions 

Among the 440 unconfirmed attacks: 

• 396 targeted businesses
• 16 targeted government entities 
• 16 targeted healthcare organizations
• 11 targeted educational institutions 
• 1 targeted an unknown company and could not be assigned to a specific industry