Ransomware attacks worldwide declined by 43% in the second quarter, yet threats continue to adapt and evolve, according to a new report from NCC Group.
The report found a notable decrease in global ransomware activity, with incidents dropping by six percent month-on-month in June, amounting to 371 cases. Over the quarter, attacks fell by 1180 cases compared with the previous quarter. Experts attribute the reduction to seasonal slowdowns, including holiday observances such as Easter and Ramadan, as well as increased law enforcement interventions disrupting key ransomware operators.
Analysis suggested the downturn may be temporary, with warnings that cybercriminals are likely to use this time to regroup and adopt more sophisticated social engineering strategies. Key disruptions in the ransomware ecosystem have opened opportunities for emerging groups to exploit gaps and continue targeting organisations.
Sectors under attack
The industrial sector remained the most targeted, experiencing 27% of all recorded attacks in June. Across the entire quarter, industrials represented nearly 30% of ransomware incidents, reaffirming the sector’s prominence as a target for cybercriminals. Attacks on the consumer discretionary sector, which includes retail, dropped notably from 102 incidents in May to 76 in June, coinciding with reduced activity from the Scattered Spider group. Previously, Scattered Spider had claimed responsibility for prominent attacks on major retailers such as Marks & Spencer and the Co-op in May.
Healthcare was the third most targeted sector, recording 42 attacks in June, almost double the figures reported in May. The information technology sector followed, with 33 attacks during June.
Threat groups’ activities
In June, the ransomware group Qilin was named the most active, responsible for 16% of all attacks – rising from third place in May – and increasing its activity from 95 incidents in the first quarter to 151 in the second quarter. Qilin has increasingly targeted both industrial and IT sectors and now offers legal assistance to its affiliates, helping them navigate law enforcement risks and improve their ability to pressure victims into paying ransoms. This is seen as indicative of the more structured, business-oriented approach developing within ransomware-as-a-service models.
Akira was the second most active group in June with 31 recorded attacks, rising from its fourth-place ranking in May, while the Play group fell to third with 29 incidents. The SafePay group followed, dropping to fourth place with 27 attacks after suspicions of a recent rebranding.
Geographical impact
North America experienced the highest proportion of ransomware attacks, accounting for 58% of incidents in June and 52% across the entire second quarter. Europe saw attacks decrease by 8%, making up 21% of global cases, fewer than half the number reported in North America. Asia was the origin of 12% of attacks, with South America recording the smallest regional share at four percent.
Cyber warfare and political motives
The report observed that ransomware is increasingly being used as part of political and cyber warfare tactics. In June, the Handala group – a pro-Palestine entity – claimed responsibility for targeting 17 Israeli organisations in the aftermath of significant regional conflict between Iran and Israel. The timing of the attacks, which began immediately following Israeli strikes on Iran, indicated a likely retaliatory motivation and suggested that ransomware could become further entrenched as a political tool.
The UK Government’s recent Industrial Strategy has highlighted the importance of cybersecurity in protecting vital national interests. Increased cyber warfare activity is leading to more robust state-level responses and driving the adoption of cybersecurity-focused policies globally.
“The volume of victims being exposed on ransomware leak sites might be declining, but this doesn’t mean threats are reduced. Law enforcement crackdowns and leaked ransomware source code are possibly contributing factors to a drop in activity, but ransomware groups are using this opportunity to evolve through rebranding and the use of advanced social engineering tactics. We’ve already tracked 86 new and existing active attack groups this year, and we’re on course to surpass 2024’s record. The increased number of attackers means a broader range of attack methods that businesses need to be prepared for. Both organisations and nations should take this as a sign to remain vigilant. Investing in cyber security and intelligence-led defences is the key to staying ahead of increasingly agile threat actors.”
These comments from Matt Hull, Global Head of Threat Intelligence at NCC Group, reflect ongoing concerns that while raw attack numbers may have declined, the risk from ransomware remains significant due to the continued evolution of both criminal tactics and the number of threat actors.