News from the Wire
Ransomware attacks fall by almost half in Q2 2025
Wednesday, July 23, 2025 — 16:48:00 (UTC)
Manchester, UK, July 23, 2025 – Despite a record-breaking start to the year, June was the fourth month in a row in which ransomware attacks dropped globally, declining by 6% with 371 cases. Q2 as a whole experienced a 43% decline from Q1 due to seasonal slowdowns such as Easter and Ramadan, and increased law enforcement disruption of key operators.
However, the decline created space for new threat actors to exploit global instability and, looking ahead to Q3, we can expect disrupted groups to return in collaboration with social engineering actors, conducting more advanced attacks.
Consumer Discretionary falls following retail attack headlines
Industrials came under fire again in June, accounting for 27% (102) of all attacks, the highest of any sector. It has frequently led in monthly attack volume, representing nearly a third (30%) of all attacks in Q2.
Meanwhile, in the Consumer Discretionary sector, which includes retail, attacks fell significantly from 102 in May to 76 in June. The drop coincides with a reduction in activity from the ransomware group Scattered Spider, which grabbed headlines in May after claiming responsibility for high-profile attacks on Marks & Spencer and the Co-op.
Healthcare ranked third with 42 attacks, nearly doubling from 22 in May. In June, the Information Technology sector came fourth with 33 attacks.
Qilin reigns supreme across June and Q2
Qilin led the charge in June with 16% of all attacks (60), after coming third in May (42). After 95 attacks in Q1, it experienced a meteoric rise in Q2 (151), as part of a growing trend of ransomware operators targeting the Industrials and IT sectors.
Qilin now offers legal assistance to its affiliates to navigate law enforcement risks and improve negotiations to pressure victims to pay up, making it more appealing to work with. This unique feature reflects the increasing business-like infrastructure within ransomware-as-a-service.
Akira came in second place (31) in June, rising from fourth place in May, and was closely followed by Play, which dropped to third (29). SafePay, which is suspected to have rebranded from a previous group, dropped to fourth place with only 27 attacks in June.
North America battered by over half of all attacks
North America remained the hardest-hit region, accounting for 58% of all global attacks (215) in June, and for 52% across Q2.
Europe, on the other hand, experienced an 8% drop in June with 21% of attacks (79) - fewer than half the number recorded in North America. Asia had a 12% share of attacks (43), while South America followed with 4% (15).
Ransomware-as-a-tool: cyber warfare tactics grow more intelligent
Amidst tense global conflicts, ransomware emerged as a tool for pushing political messaging in June. The Handala ransomware group, a pro-Palestine group, targeted 17 Israeli organisations between 14th and 30th June, coinciding with the 12-day Iran-Israel war. The attacks, which commenced the day after Israel’s strikes on Iran, are likely retaliatory in nature. The group’s motives suggest that ransomware is playing a larger role in cyber warfare, which could provoke other politically motivated groups to follow in its footsteps.
Recognising the critical need to protect key national interests, the UK Government launched its Industrial Strategy in June, which highlighted the integral role of cyber security. As cyber warfare increases state-level responses and further complicates international security, we could see this cyber-first approach being adopted more globally.
Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “The volume of victims being exposed on ransomware leak sites might be declining but this doesn’t mean threats are reduced. Law enforcement crackdowns and leaked ransomware source code are possibly contributing factors to a drop in activity, but ransomware groups are using this opportunity to evolve through rebranding and the use of advanced social engineering tactics.
“We’ve already tracked 86 new and existing active attack groups this year, and we’re on course to surpass 2024’s record. The increased number of attackers means a broader range of attack methods that businesses need to be prepared for. Both organisations and nations should take this as a sign to remain vigilant. Investing in cyber security and intelligence-led defences is the key to staying ahead of increasingly agile threat actors.”
ENDS
About NCC Group:
NCC Group is a people-powered, tech-enabled global cyber security and software escrow business.
Driven by a collective purpose to create a more secure digital future, 2,000 colleagues across Europe, North America, and Asia Pacific harness their collective insight, intelligence, and innovation to deliver cyber resilience for over 14,000 clients across the public and private sector. With decades of experience and a rich heritage, NCC Group is committed to developing sustainable solutions that continue to meet clients’ current and future cyber security challenges.
Source: Company press release.