Ransomware attacks fell globally for the third consecutive month in May 2025 despite the continued heavy targeting of retailers, according to new figures from NCC Group.
The cybersecurity company recorded 393 attacks in May, a 6% fall from 416 in April.
This follows a significant 31% decline in ransomware attacks in April compared to March. The fall in April is partly thought to be due to infrastructure outages experienced by the RansomHub gang.
The fall in May comes despite a deluge of ransomware incidents affecting high-profile retailers from late April.
The researchers found that the industry category ‘consumer directory’ saw a leap from 73 attacks in April to 102 in May, 26% of all incidents in the month.
Only industrials experienced more attacks at 118, 30% of the total.
The Scattered Spider hacking collective gained national attention in the UK when it was linked to the attacks on Marks & Spencer (M&S), The Co-op and Harrods.
Read now: M&S and Co-op Hacks Classified as Single Cyber Event
Following these incidents, threat actors have reportedly targeted a number of other retailers, including Adidas, Victoria’s Secret and Cartier.
Safepay Emerges as Most Active Group
Safepay was the most active ransomware group in May, with 70 attacks (18% of the total). This is the first time the group, which has been active since November 2024, has been listed in the top 10 threat actors by NCC Group.
It is believed that Safepay may be a rebrand of several other well-known groups – LockBit, ALPHV/BlackCat and INC Ransomware.
“If this is the case, it would explain how a new group was able to attack in high volumes and at speed, as they would in fact be well-resourced and experienced threat actors under a new name,” the researchers noted.
The second most active group was Play, with 44 attacks, followed by Qilin (42 attacks). While Akira recorded the highest number of attacks in April (65), it dropped to fourth place in May with 35 attacks.
The report found that North America was targeted by 50% of ransomware attacks in May, followed by Europe (29%), Asia (13%) and South America (4%).
Commenting on the findings, Matt Hull, global head of threat intelligence at NCC Group, said: “Although reported ransomware incidents declined in March, April and May, cybersecurity efforts must be strengthened, not scaled back. Seasonal fluctuations, with summer approaching, may partly explain the dip. However, the rise of new threat actors like Safepay and the emergence of critical vulnerabilities in AI highlight the ongoing volatility of the ransomware landscape.”
