Global ransomware activity showed minimal change in July, with a marginal 1% increase in reported incidents compared to the prior month, according to a new report by NCC Group.
The research found that there were 376 ransomware cases worldwide in July, up from 371 in June. Despite this relative stability in incident figures, experts caution that the apparent plateau should not be viewed as a period of reduced risk.
Sector focus
The Industrials sector continued to experience the highest frequency of attacks, with 27% of all ransomware incidents – equivalent to 101 cases – targeting this field. This was the most affected sector across all regions during July. In contrast, the Consumer Discretionary sector, including retail, recorded a slight rise in incidents, moving from 76 in June to 82 in July. Information Technology reported 31 incidents, while Healthcare was only marginally behind with 30 attacks noted in the same period.
INC Ransom activity
Intensified activities from various ransomware groups were observed. The threat actor known as INC Ransom accounted for the highest share of attacks, responsible for 14% of global incidents. According to the report, INC Ransom’s attack numbers have been increasing in recent months, rising from 14 in May, to 24 in June, and up to 54 recorded cases in July. The group has reportedly targeted critical national infrastructure (CNI) throughout 2025.
Other major threat actors identified in the report include Qilin and Safepay, each accounting for 11% of attacks with 40 incidents apiece. Akira was the next most active group, responsible for 10% of attacks (37 cases) during the month.
Geographic concentration
The majority of ransomware attacks in July were directed at North America, which suffered 204 incidents – representing 54% of all global cases. While this showed a 3% decline compared to June, the region remains far more heavily targeted than others. Europe accounted for 21% of attacks with 78 incidents, remaining steady compared to previous months and evidencing a continued gap in threat levels between North America and Europe. In addition, Asia maintained a 12% share of global attacks (43 incidents), and South America followed with 6% (22 cases).
Geopolitical impacts
Several geopolitical developments during July have the potential to influence the cyber threat landscape, the NCC Group report noted. The BRICS summit saw Brazil’s President criticise United States tariff threats, reinforcing BRICS nations’ exploration of alternatives to Western-led financial systems. According to the report, this could result in increased hacktivist activities targeting Western institutions.
There were also developments concerning US technology exports, with American authorities reversing export restrictions on NVIDIA artificial intelligence chips to China. The report notes that this raised concerns about national security and opened the possibility for Chinese threat actors to further develop their capabilities.
The United States set a new ceasefire deadline concerning the conflict between Russia and Ukraine, reinforcing its support for Ukraine and NATO. This move, according to the report, may provoke increased Russian cyber and hybrid attacks.
Another factor adding complexity to the global cyber landscape is the rise in famine-related deaths in Gaza. The resulting pressure on Israel has prompted key allies to threaten recognition of a Palestinian state, a development that may further alter cyber threat dynamics in the region.
Expert view
While ransomware activity remained relatively flat in July, this lull should not be mistaken for a reduced threat. We saw a similar dip during the summer months last year, yet the overall threat level remained high.
This was stated by Matt Hull, Global Head of Threat Intelligence at NCC Group, in reference to the current trends identified in the report. He continued,
Looking ahead, we anticipate the return of previously disrupted groups, likely in collaboration with social engineering actors in order to start launching more sophisticated and coordinated attacks. Now is not the time for complacency.
The NCC Group report also explores Qilin’s recent activities and the evolution of Malware-as-a-Service, noting that while overall attack numbers are stable, the composition and tactics of threat actors may continue to evolve, requiring constant vigilance from both public and private entities.
