Lessons Learned from Top 10 Ransomware Incidents in 2025

Unsurprisingly, ransomware continued to disrupt organizations across every sector in 2025.

Although each incident looked different, most shared the same root causes: weak access controls, overly trusted internal networks, and limited protection around sensitive data systems.

Listed below are ten of the year's most significant ransomware incidents, followed by the patterns behind them and the security gaps they exposed, and how Mamori.io helps organizations strengthen resilience where it matters most.

TABLE OF CONTENTS

Top 10 Ransomware Incidents of 2025

Similarities & Patterns Across These Attacks

Security Gaps Exposed — and How Mamori.io Helps Close Them


Top 10 Ransomware Incidents of 2025

1. Jaguar Land Rover (UK)

When: Early September 2025

Impact: Severe Operational Impact and Economic Damage

A cyberattack caused weeks-long shutdowns across multiple UK manufacturing plants. Analysts estimate over $2.5 billion in economic damage, making it one of the UK's most expensive cyber events ever. It was a stark reminder of how operational technology (OT) can be crippled by a ransomware-related breach.

2. Marks & Spencer (UK)

When: Infiltrated in February, Ransomware in April 2025

Impact: Major Business Disruption

Attackers infiltrated M&S as early as February, stole Active Directory password data, cracked the credentials offline, and eventually shut down online ordering. The attack caused hundreds of millions in losses and a significant drop in market value, all of it starting with social engineering of the IT help desk.

3. Asahi Group (Japan)

When: Late September 2025

Impact: High Data Exposure Risk

A ransomware attack affected ordering, distribution, and customer support across Japan. Over 1.5 million customer records may have been exposed, with operational recovery expected to extend into 2026.

4. CodeRED (United States)

When: November 2025

Impact: Critical Public Safety Outage

The emergency-alert platform used by thousands of local governments was compromised by ransomware, leading to nationwide disruptions. Even worse: the most recent backups were more than six months old, so the data created since then was permanently lost. The incident highlighted ransomware's ability to threaten public safety infrastructure.

5. Nevada State Government (United States)

When: August 2025

Impact: Statewide Service Interruption

A state employee inadvertently downloaded a spoofed administrative tool infected with malware, triggering a statewide ransomware incident. DMV systems, background checks, and other services were offline for nearly a month. The state chose not to pay a ransom; recovery took 28 days and cost roughly $1.5M.

6. Collins Aerospace / European Airports (EU)

When: September 2025

Impact: International Travel Disruption

Ransomware at Collins Aerospace disrupted the MUSE operations platform used by multiple European airports. Check-in systems went offline, manual processing caused travel chaos, and the incident showed how a single supplier's software can take many downstream organizations offline at once.

7. Kettering Health (United States)

When: May 2025

Impact: Healthcare Service Outage + Data Theft

A ransomware attack on Kettering Health in Ohio forced hospitals into emergency routing mode, cancelled elective procedures, and later confirmed that sensitive patient data had been stolen. The incident demonstrated again why healthcare remains one of ransomware’s most targeted industries.

8. DaVita Dialysis (United States)

When: April 2025

Impact: Large-Scale Data Breach

The Interlock ransomware group stole 1.5 TB of data from DaVita’s systems, affecting more than 900,000 patients. Even without visible encryption or downtime, the massive data-theft operation underscores ransomware’s shift to “extortion-first” business models.

9. Dairy Farmers of America (United States)

When: June 2025

Impact: Food Supply Chain Disruption

The Play ransomware group targeted North America’s largest dairy cooperative. Manufacturing operations were disrupted, and personal data from thousands of employees and members was leaked. The attack showed how food supply chains remain a prime and vulnerable target.

10. Union County, Ohio (United States)

When: September 2025

Impact: Significant Local Government Data Exposure

A ransomware attack exposed personal and financial records for roughly 45,000 residents and employees. As with many local governments, limited resources made response and recovery more difficult.

Similarities & Patterns Across These Attacks

When analyzing the top ransomware events of 2025, we can see several clear patterns. They reflect systemic weaknesses in how organizations manage identity, data, and third-party access.

1. Attackers used simple entry points

Attackers rarely needed advanced exploits. They relied on human error and weak credentials, such as:

  • Phishing

  • Social engineering of IT help desks

  • Stolen or cracked credentials

  • Exposed ports or misconfigured services

2. Privileged access was the key target

Attackers focused heavily on administrative accounts. Once they obtained privileged access, they could move unhindered across internal systems. They targeted:

  • Active Directory (AD)

  • Password vaults

  • Database credentials

In several attacks, once AD was compromised, the attackers effectively owned the entire environment.

3. Data theft and extortion are part of nearly every attack

Ransomware is no longer just about encrypting systems. Today's operators almost always:

  • Steal data before encrypting it

  • Encrypt and lock systems

  • Threaten public leaks of the stolen data

  • Sometimes add DDoS for pressure

Healthcare and local government victims suffered particularly severe exposure and compliance risks.

4. Supply-chain, critical infrastructure, and governments are becoming prime targets

Ransomware operators increasingly target entities where disruption can impact thousands of customers or residents. In other words, they target sectors where disruption is most costly:

  • Downtime affects public safety

  • Legacy systems are common

  • Operational recovery is slow

  • Organizations feel pressure to respond quickly

Because downtime in these sectors is extremely costly, organizations face greater pressure to pay the ransom in order to restore operations quickly.

5. Backups often failed in practice

Several organizations had backups that failed when they were needed. As a result, recovery took weeks, and in some cases critical data was lost. Recovery typically took weeks to months, even among large global brands. The biggest failures came from:

  • Outdated backups

  • Backups stored on reachable networks

  • Lack of tested RTO/RPO

  • Inability to assess what needed restoring

The CodeRED incident is the clearest case: its most recent backups were more than six months old, so six months of data were permanently lost.
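The four failure modes listed above (stale copies, copies reachable from production, untested restores, and restores slower than the RTO) can all be caught by a routine catalog audit. The following is an added example, not Mamori.io code or anything from the incidents above; the catalog entries, the fixed "current time", the thresholds and the `reachable_from_prod` flag are constructed for illustration.

```python
"""Audit a backup catalog against RPO, RTO, integrity and offline-copy rules.

Added example; not Mamori.io code. Catalog entries, thresholds and the
`reachable_from_prod` flag are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed "current time" so the example is deterministic (assumed).
NOW = datetime(2025, 11, 15, tzinfo=timezone.utc)


@dataclass
class BackupEntry:
    system: str
    taken_at: datetime
    sha256: str                   # checksum recorded when the backup was written
    payload: bytes                # stand-in for the backup file contents
    reachable_from_prod: bool     # stored on a share that production hosts can write to
    last_restore_test: Optional[datetime]
    last_restore_minutes: Optional[int]


def check_backup(entry: BackupEntry, now: datetime = NOW,
                 rpo: timedelta = timedelta(days=1),
                 rto: timedelta = timedelta(hours=4),
                 restore_test_max_age: timedelta = timedelta(days=90)) -> List[str]:
    """Return a list of findings; an empty list means the backup passes every check."""
    findings = []
    age = now - entry.taken_at
    if age > rpo:
        findings.append(f"outdated: {age.days} days old, RPO is {rpo.days} day(s)")
    # Recompute the checksum: an attacker who reached the backup share may have
    # encrypted or truncated the file in place.
    if hashlib.sha256(entry.payload).hexdigest() != entry.sha256:
        findings.append("integrity: checksum mismatch, backup is corrupt or tampered")
    if entry.reachable_from_prod:
        findings.append("reachable: copy lives on a path production hosts can write to")
    if entry.last_restore_test is None or now - entry.last_restore_test > restore_test_max_age:
        findings.append("untested: no successful restore test within the review window")
    elif entry.last_restore_minutes is not None and timedelta(minutes=entry.last_restore_minutes) > rto:
        findings.append(f"slow: last restore took {entry.last_restore_minutes} min, "
                        f"RTO is {int(rto.total_seconds() // 60)} min")
    return findings


def audit_catalog(catalog: List[BackupEntry], now: datetime = NOW) -> Dict[str, List[str]]:
    return {e.system: check_backup(e, now) for e in catalog}


def _sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed catalog. "alert-platform" mirrors the pattern described above:
# a months-old copy, on a reachable share, never restore-tested.
GOOD = b"pg_dump hr 2025-11-14"
ERP = b"erp full 2025-11-14"
SAMPLE_CATALOG = [
    BackupEntry("hr-db", NOW - timedelta(hours=6), _sha(GOOD), GOOD, False,
                NOW - timedelta(days=20), 95),
    BackupEntry("erp", NOW - timedelta(hours=12), _sha(ERP), ERP + b"\x00garbage", False,
                NOW - timedelta(days=10), 300),
    BackupEntry("alert-platform", NOW - timedelta(days=200), _sha(b"old"), b"old", True,
                None, None),
]

if __name__ == "__main__":
    for system, findings in audit_catalog(SAMPLE_CATALOG).items():
        print(system, "OK" if not findings else findings)
```

The checksum comparison matters as much as the age check: a backup that still exists but was silently encrypted or truncated by the intruder looks fine in a listing and only fails at restore time. Run the audit on a schedule and treat any non-empty finding list as an incident, not a ticket.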

6. Internal networks were too open

Once attackers gained entry, they had few obstacles preventing movement to other systems. Most internal environments still assume that anything inside the perimeter is trustworthy.

  • They faced few barriers to move laterally

  • They could reach critical systems directly

  • Database servers were often accessible from broad internal ranges

  • Monitoring of internal movement was limited or nonexistent

A trusted internal network creates the perfect conditions for ransomware to spread.
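A quick way to see how open an internal network really is toward its databases is to audit the allow-rules that front the database VLAN and flag any source broader than a single application subnet. This is an added example, not Mamori.io code; the rule format, the database port list, the approved client subnets and the /24 threshold are assumptions for illustration.

```python
"""Flag firewall allow-rules that expose database ports to broad internal ranges.

Added example; not Mamori.io code. Rule format, port list and approved client
subnets are assumed for illustration.
"""
import ipaddress
from typing import Dict, List

DB_PORTS = {1433: "mssql", 1521: "oracle", 3306: "mysql", 5432: "postgresql", 27017: "mongodb"}

# Only these subnets should open database connections (assumed: app tier and PAM/bastion hosts).
APPROVED_DB_CLIENTS = [ipaddress.ip_network("10.20.5.0/24"),
                       ipaddress.ip_network("10.20.9.0/28")]

# A source at least this narrow is treated as deliberately scoped; anything wider
# (a /16, a /8, or "any") is a flat-network rule (threshold assumed).
MAX_SOURCE_PREFIX = 24


def rule_findings(rule: dict) -> List[str]:
    findings = []
    src = ipaddress.ip_network(rule["src"], strict=False)
    service = DB_PORTS[rule["port"]]
    if src.prefixlen < MAX_SOURCE_PREFIX:
        findings.append(f"broad: {src} ({src.num_addresses} addresses) may reach {service}/{rule['port']}")
    if not any(src.subnet_of(approved) for approved in APPROVED_DB_CLIENTS):
        findings.append(f"unapproved: {src} is not an app-tier or PAM subnet")
    return findings


def audit_db_exposure(rules: List[dict]) -> Dict[str, List[str]]:
    """Return findings per rule id for every allow-rule that targets a database port."""
    return {r["id"]: rule_findings(r)
            for r in rules if r["action"] == "allow" and r["port"] in DB_PORTS}


def tighten(rule: dict) -> List[dict]:
    """Rewrite a broad rule as one rule per approved client subnet (least-privilege form)."""
    return [dict(rule, src=str(net), id=f"{rule['id']}-{i}")
            for i, net in enumerate(APPROVED_DB_CLIENTS, start=1)]


# Constructed allow-list for a database VLAN. fw-103 is a VPN client pool: narrow
# enough to pass the prefix check, but VPN users are not an approved database client.
SAMPLE_RULES = [
    {"id": "fw-101", "action": "allow", "src": "10.0.0.0/8",      "dst": "10.20.7.10", "port": 5432},
    {"id": "fw-102", "action": "allow", "src": "10.20.5.0/24",    "dst": "10.20.7.10", "port": 5432},
    {"id": "fw-103", "action": "allow", "src": "192.168.50.0/24", "dst": "10.20.7.11", "port": 1433},
    {"id": "fw-104", "action": "allow", "src": "10.20.9.0/28",    "dst": "10.20.7.10", "port": 22},
    {"id": "fw-105", "action": "allow", "src": "0.0.0.0/0",       "dst": "10.20.7.12", "port": 3306},
]

if __name__ == "__main__":
    for rule_id, findings in audit_db_exposure(SAMPLE_RULES).items():
        print(rule_id, "OK" if not findings else findings)
    print(tighten(SAMPLE_RULES[0]))
```

Two checks are deliberately separate: the prefix check catches the obvious "any internal host may reach the database" rule, while the allow-list check catches rules that are narrow but still wrong, such as a VPN pool or a workstation VLAN. Both conditions are what an attacker with a single compromised user's credentials exploits when moving laterally.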

Security Gaps Exposed — and How Mamori.io Helps Close Them

These incidents make one thing clear: organizations need stronger controls around identity, access, and data — especially at the database layer. Traditional perimeter security is not enough. Attackers are already finding ways around it.

Mamori.io focuses on areas most often exploited during ransomware events: privileged access, database access, and lateral movement into sensitive systems.

Below are the key gaps and how Mamori.io addresses them.

1. Trusted internal network models

Most network environments still treat the internal network as inherently safe, which makes lateral movement easy.

How Mamori.io helps:

2. Uncontrolled privileged access

Forgotten, unused admin credentials create unnecessary risk. If attackers obtain them, they gain full access to critical systems without you even knowing.

Mamori.io provides:

  • On-demand (just-in-time) privileged access with time-bounded permissions

  • MFA-protected database sessions

  • Automatic termination of AD accounts based on policy

  • Access controls based on SQL commands, client executables, tables, rows and columns

  • Dynamic data masking that controls what data can be seen

3. Direct database access from internal networks or VPNs

A corporate VPN grants broad network reach once a user is connected, and an attacker holding that user's credentials gets the same reach. From there, a sensitive database is often just one TCP connection away.

Mamori.io blocks this by:

  • Enforcing zero-trust data access

  • Enforcing SSO & 2FA for direct database access

  • Securing remote database connections using web browsers instead of VPNs

  • Forcing all DB access through privilege policy checks

  • Microsegmentation of networks to prevent lateral movements and reduce attack surface

4. Limited visibility into what users do inside the database

Organizations often struggle to determine what data was accessed or exfiltrated.

With Mamori.io, organizations get:

  • Full session recording for every privileged DB session

  • Full audit logs for every session by user, device, and activity

  • Real-time blocking and alerts on unusual access patterns

  • Real-time monitoring of sensitive queries and data access patterns

  • Anomaly detection to stop unusual data access patterns or behavior

This makes investigations faster and prevents data exfiltration from going unnoticed.
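The detection described in this section comes down to keeping a per-user baseline of normal database activity and alerting when a session departs from it. The following is an added example, not Mamori.io's detection logic; the audit log format, the users, the statement history and the thresholds are all constructed for illustration.

```python
"""Baseline-and-alert detection over database audit log lines.

Added example; not Mamori.io code. The log format, the users and the
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List

# Assumed audit line format (one statement per line).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) table=(?P<table>\S+) "
    r"rows=(?P<rows>\d+) stmt=(?P<stmt>\w+)$")


def parse(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ev = m.groupdict()
    ev["rows"] = int(ev["rows"])
    return ev


def build_baseline(history: List[str]) -> Dict[str, dict]:
    """Per user: median rows touched per statement and the set of tables normally used."""
    rows, tables = defaultdict(list), defaultdict(set)
    for ev in map(parse, history):
        rows[ev["user"]].append(ev["rows"])
        tables[ev["user"]].add(ev["table"])
    return {u: {"median_rows": median(rows[u]), "tables": tables[u]} for u in rows}


def detect(lines: List[str], baseline: Dict[str, dict],
           spike_factor: int = 10, min_rows: int = 10_000) -> List[dict]:
    """Return one alert per rule that fires; a clean line produces nothing."""
    alerts = []
    for ev in map(parse, lines):
        b = baseline.get(ev["user"])
        if b is None:
            alerts.append({**ev, "reason": "unknown user: no baseline, possible new attacker account"})
            continue
        # Bulk reads are the signature of pre-encryption data theft: flag anything far
        # above the user's own norm, but never below an absolute floor (small users
        # would otherwise alert on trivial growth).
        threshold = max(min_rows, spike_factor * b["median_rows"])
        if ev["rows"] > threshold:
            alerts.append({**ev, "reason": f"volume spike: {ev['rows']} rows vs median {b['median_rows']}"})
        if ev["table"] not in b["tables"]:
            alerts.append({**ev, "reason": f"new table: {ev['user']} has never touched {ev['table']}"})
    return alerts


# Constructed history (normal activity) and one night's worth of new lines.
HISTORY = [
    "2025-10-01T09:00:00Z user=svc_report db=clinical table=patient_visits rows=300 stmt=SELECT",
    "2025-10-02T09:00:00Z user=svc_report db=clinical table=patient_visits rows=450 stmt=SELECT",
    "2025-10-03T09:00:00Z user=svc_report db=clinical table=patient_visits rows=620 stmt=SELECT",
    "2025-10-04T09:00:00Z user=svc_report db=clinical table=patient_visits rows=210 stmt=SELECT",
    "2025-10-05T09:00:00Z user=svc_report db=clinical table=patient_visits rows=880 stmt=SELECT",
    "2025-10-01T14:10:00Z user=dba_jsmith db=clinical table=patient_visits rows=40 stmt=SELECT",
    "2025-10-02T11:22:00Z user=dba_jsmith db=clinical table=patient_records rows=12 stmt=UPDATE",
]
NEW_LINES = [
    "2025-11-03T02:14:07Z user=svc_report db=clinical table=patient_records rows=450000 stmt=SELECT",
    "2025-11-03T10:05:00Z user=dba_jsmith db=clinical table=patient_visits rows=120 stmt=SELECT",
    "2025-11-03T02:20:41Z user=tmp_admin db=clinical table=patient_records rows=900000 stmt=SELECT",
]

if __name__ == "__main__":
    for alert in detect(NEW_LINES, build_baseline(HISTORY)):
        print(alert["ts"], alert["user"], alert["reason"])
```

The service account in the sample is the interesting case: its credentials are valid and its queries are syntactically ordinary, so nothing at the network or authentication layer objects. Only a comparison against what that account normally does (hundreds of rows from one table, not hundreds of thousands from another) exposes the exfiltration in progress.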

5. Vendor access with broad permissions

Vendors often have far more access than needed, and organizations rarely monitor their activity closely.

Mamori.io introduces:

  • Microsegmented networks for third-party vendors to prevent an attacker's lateral movement

  • Controlled vendor access by privilege, time, and policies using zero-trust

  • On-demand (just-in-time) privileged access granted by request

  • Recording of every vendor session by network and database

Closing Thoughts

The most significant ransomware incidents of 2025 reveal a consistent theme: attackers entered through simple mistakes, escalated privileges, and moved directly toward sensitive data.

Implementing zero trust data access while strengthening defenses at the database and privileged-access layers is one of the most effective ways to reduce risk. Mamori.io brings zero trust principles directly to your data, limiting what attackers can reach and giving you full visibility into every high-risk action.

About Mamori.io

Mamori.io is an all-in-one solution that provides zero-trust security on multiple layers, from the network and servers all the way down to the database. The same system can also help organizations comply with privacy regulations, reduce cyber insurance premiums, and automate much of the ISO 27001 compliance work.

For small businesses, Mamori.io has the features needed to secure their data. For large businesses, Mamori.io covers security gaps, secures external vendor access, and provides access controls to the database.

Schedule a demo with Mamori.io or request your free trial. If you’re a small business with $10 million USD in gross revenue or less, you can use 20 free Mamori.io licenses.

Victor Cheung

Victor has worked in the data protection and B2B SaaS industry for over 16 years. His passion is to help startups grow, and he was formerly involved in projects funded by Toba Capital and Frost Ventures.
