News from the Wire

NCC: Ransomware attacks decline in April, but threats remain high

Wednesday, May 21, 2025 — 20:57:16 (UTC)

Manchester, UK, May 21, 2025—Global ransomware attacks decreased by 31% in April, with 416 attacks

Akira was the most active threat group, responsible for 16% of attacks

Industrials remains the most targeted sector with 32% of attacks

78% of all cases globally took place in North America and Europe

April 2025 – Ransomware attacks fell by 31% in April, with 416 cases. This was the second consecutive month where ransomware attacks dropped, following a record-breaking start to the year.

But while numbers fell, cybercriminals remained active, with targeted strikes continuing across key industries and regions.

Retail ransomware attacks making headlines Despite the number of Consumer Discretionary attacks falling month on month, the targets impacted have been both high profile and consequential. Ransomware has been a hot topic in April, notably in the UK, with major retailers such as supermarkets the Co-op and M&S, as well as luxury retailer Harrods all taking a hit. This has spotlighted threats to the Retail sector, a sector already of interest to threat actors given the high cost of disrupting payment systems and operations, the value of customer data, and the potential for high payouts.

Scattered Spider, the ransomware group that has claimed responsibility for the attacks on M&S and the Co-op have been active in marketing the attacks, increasing pressure on the impacted businesses and raising their profile among threat actors.

Akira surges to the top, as Babuk2 activity fades The threat group Akira led the charge for ransomware activity in April, rising from second place – it was responsible for 65 attacks, up slightly from the 62 attacks in March. Qilin came in second place with 49 attacks, closely followed by Play with 42.

Despite dominating the ransomware landscape in March (84), Babuk2 was responsible for only 16 attacks in April. The sharp decline is likely linked to growing skepticism within the cyber community about the group claiming to represent the original Babuk ransomware, with doubts over the legitimacy of its ransomware claims possibly prompting the group to lie low.

Industrials still in the crosshairs Industrials remained the most targeted sector with 32% of attacks in April (133).

Despite high-profile attacks on retailers, Consumer Discretionary came second with 73 attacks, a notable decline from March (124). Still, its vast supply chains and customer data clearly make the sector a tempting target for attackers.

North America remains top regional target North America continues to bear the brunt with 51% of global attacks (211). Attacks on the region are likely to remain dominant due to the turbulent political environment. With the tariff announcements in April, the increased economic uncertainty could lead to an uptick in financially motivated cybercrime, as well as driving increased espionage activity.

With 27% of attacks (110), Europe experience nearly half as many incidents as North America. Asia saw smaller shares with 12% of attacks (51), followed by South America with 5% of attacks (21).

Emerging cyber security trend: Weaponised PDFs You may not think twice about opening a PDF, but attackers are increasingly using these electronic documents to exploit software vulnerabilities, deceive users and distribute malware to a targeted user or organisation.

Weaponised PDFs are becoming even more deceptive and technically advanced. Spear phishing campaigns now embed malicious PDFs tailored to individuals or companies, often leveraging zero-day exploits, clever social engineering, and advanced techniques to evade detection.

The rise of AI is complicating attack methods, generating more realistic lures, while the shift to remote work continues to blur the line between personal and professional device security. Every file must be treated as a potential threat.

Matt Hull, Head of Threat Intelligence at NCC Group, commented:

“While the number of reported ransomware victims declined further in April, it would be a mistake to assume that this is a sign that the threat is fading. The recent attacks on the UK retail sector have laid bare just how disruptive and far-reaching these incidents can be. The reality is that this is only a glimpse of the broader threat landscape. Globally, many ransomware cases still fly under the radar, are under-reported or deliberately kept quiet.

“Geopolitical and economic uncertainty is also adding fuel to the fire, providing more lucrative targets and opportunities for attackers to strike. And with increasingly convincing methods of attacks, such as weaponised PDFs, it’s only getting harder for individuals and organisations who need to be forever alert.

“In this climate, a strong and embedded security culture is no longer optional; it is a critical enabler of organisational resilience. It’s more important than ever for organisations to maintain a strong security culture, respond quickly to emerging threats, and adapt to shifting tactics - all the while staying ahead of adversaries that never stop evolving.”

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.

Source: Company press release.

Categories: Reports and research