News from the Wire
Ransomware attacks decline in May, Safepay the top threat actor
Friday, June 27, 2025 — 17:55:41 (UTC)
Manchester, UK, June 25, 2025—Ransomware attacks fell by 6% in May, with 393 cases. This was the third consecutive month in which ransomware attacks dropped, following a record-breaking start to the year, according to new research from NCC Group.
Despite the decline in numbers, geopolitical tensions and high-profile cyber attacks highlight growing instability, potentially heightening the risk of cyber threats.
Consumer Discretionary Attacks Rise as Scattered Spider Makes Headlines
Industrials might still be the most targeted sector month-on-month, with 30% of attacks in May (118), but consumer discretionary, which includes retail, has made a significant jump from 73 attacks in April to 102 in May. This is partly due to the retail sector remaining under the spotlight, with threat actors targeting the likes of Victoria’s Secret, Adidas, Cartier, and Peter Green Chilled. The high cost of disrupting payment systems and operations, access to valuable customer data, and potential high payouts make the sector particularly attractive.
Scattered Spider gained national attention by claiming responsibility for the attacks on Marks & Spencer and the Co-op in May. The ransomware group, known for its sophisticated social engineering techniques, has reportedly now shifted its focus to the US retail sector, according to Google Threat Intelligence Group and Mandiant.
Despite the difficulty in attributing attacks to Scattered Spider, tactics, techniques and procedures associated with the group were observed in US attacks, where the industry size means numerous potential victims.
Newcomer Safepay Surpasses All Other Threat Actors
The newly emerging threat group Safepay was the most active ransomware group, with 18% of all attacks (70). While Safepay has been active since November 2024, this is the first time the group has been listed in the top 10 threat actors. There are suggestions that Safepay may be a rebrand of other well-known actors LockBit, ALPHV and INC Ransomware. If this is the case, it would explain how a new group was able to attack in high volumes and at speed, as they would be well-resourced and experienced threat actors under a new name. The report’s Spotlight section explores this.
Play moved up to second place with 44 attacks, rising from third last month, while Qilin dropped to third with 42, after holding second place previously. Akira led the ransomware landscape in April with 65 attacks - but with only 35 in May, it dropped to fourth place.
North America Remains Top Regional Target
North America remains the hardest-hit region, accounting for 50% of all global attacks (193). Europe experienced 29% of attacks (112), facing just over half the number of incidents recorded in North America. Asia maintained a 13% share of attacks (49), while South America followed with 4% (17).
Emerging Cyber Security Trend: Prompt Injection Attacks Expose a Critical Vulnerability in AI
With AI’s rapid evolution and integration into critical industries, vulnerabilities in Large Language Models (LLMs) have introduced new attack vectors for threat actors, posing huge risks to sectors such as healthcare.
Prompt injection attacks (PIAs) exploit AI models by using specially crafted prompts to bypass security, access sensitive data, and alter responses. Studies show 56% of tested models are susceptible, with advanced attack techniques targeting sectors like healthcare and finance. Current defences - input validation and monitoring - struggle against evolving threats.
To strengthen security, developers are using adversarial training, advanced detection, and secure memory management, while human-AI oversight adds crucial layers of protection. Proactive testing and multi-layered defence strategies are essential to counter adversarial manipulation and safeguard AI-driven systems. Development of best practices by regulatory bodies will ensure consistent mitigation measures.
Matt Hull, global head of Threat Intelligence at NCC Group, said: “Although reported ransomware incidents declined in March, April, and May, cyber security efforts must be strengthened, not scaled back. Seasonal fluctuations, with summer approaching, may partly explain the dip. However, the rise of new threat actors like Safepay and the emergence of critical vulnerabilities in AI highlight the ongoing volatility of the ransomware landscape. This underscores the need for sustained cyber investment across both industry sectors and national defence. The focus on the UK’s retail sector has shone a light on why cyber security is integral to business resilience.
“On a broader level, rising global instability, ongoing tensions between the US and China, and evolving alliances are all contributing to threat levels. Trump's involvement in the Middle East could spur deeper collaboration in advanced technologies between the US and Gulf nations, and new efforts to strengthen UK-EU relations could make involved organizations prime targets for espionage by state-sponsored adversaries. With these factors in play, cyber threats remain a persistent and evolving risk.”
Source: Company press release.