NCC Group Data: 2025 Was a Record Year for Global Ransomware

[Ahmet Ö.]

## NCC Group Data: 2025 Was a Record Year for Ransomware Attacks

2025 set a new record with a 50% increase in global ransomware attacks, reaching a total of 7,874 incidents worldwide.

According to the latest data from NCC Group, 2025 saw an extraordinary surge in ransomware activity. Major brands in the retail sector, such as M&S, Co-op, and Harrods, were targeted, indicating a rapidly escalating global threat.

### Shift in Threat Actors

In 2025, Qilin, which claimed responsibility for the attack on Japanese beer giant Asahi, emerged as the most active threat actor, carrying out 1,022 attacks (13%). Akira followed with 755 attacks, and CL0P with 517 attacks. LockBit 3.0, previously the most prolific attacker, fell out of the top 10 groups after operations by international law enforcement.

### Ransomware Attacks and Their Impacts

Attacks were particularly concentrated in the industrial sector, which has complex, global supply chains. This sector experienced 2,190 attacks, a 54% increase compared to 2024, leading to operational disruptions and prolonged shutdowns.

The retail sector was the second most targeted, with 1,774 attacks. The attack on South Korean retailer Coupang posed significant operational and reputational threats.

### Regional Concentration

In 2025, 56% of attacks occurred in North America. Europe experienced 22% of attacks, and Asia 12%. North America continued to be a primary target for ransomware operations due to its concentration of large businesses and critical infrastructure.

### Role of Law Enforcement

Globally, law enforcement agencies exerted significant pressure on criminals through operations targeting ransomware infrastructure. The activities of groups like Scattered Spider were temporarily disrupted. Additionally, major incidents such as the Collins Aerospace attack were addressed.

Matt Hull, Vice President of Cyber Intelligence and Response at NCC Group, states, "In 2025, cyber threats grew with existing techniques being used in more destructive ways." Hull emphasizes that the industrialization of ransomware attacks and the use of AI-powered tools are accelerating the threat.

### Characteristics of 2025 Ransomware Attacks

• Total number of attacks: 7,874
• Annual increase rate: 50%
• Most active threat actor: Qilin (1,022 attacks)
• Secondary threat actors: Akira (755), CL0P (517)
• Most targeted sector: Industrial (2,190 attacks, 54% increase)
• Second most targeted sector: Retail (1,774 attacks)
• Regional distribution: North America 56%, Europe 22%, Asia 12%
• Significant impacts: Prolonged shutdowns, reputational damage
• Law enforcement operations: Server and domain takedowns, international arrest warrants

If businesses and public institutions do not enhance their cyber resilience in 2026, serious operational and financial risks will arise. As the ransomware threat rapidly grows, effective cybersecurity strategies are becoming inevitable.