NCC Group
Reports
All Statistics
The Handala ransomware group, a pro-Palestine group, targeted 17 Israeli organisations between 14th and 30th June 2025. These attacks coincided with the 12-day Iran-Israel war.
Ransomware attacks in the Consumer Discretionary sector (including retail) fell significantly from 102 in May 2025 to 76 in June 2025.
Play dropped to third place among the most active threat groups in June 2025 with 29 attacks.
Qilin was the most active threat group in June 2025, responsible for 16% of all attacks, which amounted to 60 cases.
North America was responsible for 52% of ransomware attacks across Q2 2025.
Qilin ranked as the third most active threat group in May 2025 with 42 attacks.
Asia had a 12% share of ransomware attacks (43 cases) in June 2025.
Industrials represented nearly a third (30%) of all ransomware attacks in Q2.
Industrials remained the most targeted sector, accounting for 27% of all attacks in June 2025, which was 102 cases.
North America remained the hardest-hit region, accounting for 58% of all global ransomware attacks (215 cases) in June 2025.
The Information Technology sector came fourth in June with 33 ransomware attacks.
Healthcare ranked third in June 2025 with 42 ransomware attacks, nearly doubling from 22 in May.
Akira was the second most active threat group in June 2025, with 31 attacks, rising from fourth place in May.
Qilin saw a significant rise in Q2 2025 with 151 attacks, up from 95 attacks in Q1.
SafePay dropped to fourth place among the most active threat groups in June 2025 with 27 attacks.
Europe experienced an 8% drop in June 2025, accounting for 21% of ransomware attacks (79 cases). This was fewer than half the number recorded in North America.
South America had a 4% share of ransomware attacks (15 cases) in June 2025.
Overall, 79% of all global ransomware cases in June 2025 took place in North America and Europe combined.
There were a total of 393 attacks globally in May. This marks the third consecutive month in which ransomware attacks have dropped.
Qilin dropped to third place with 42 attacks in May.
Asia experienced 13% of all global attacks, with 49 incidents in May.
Europe experienced 29% of all global attacks, totalling 112 incidents, in May.
North America remains the hardest-hit region, accounting for 50% of all global attacks, which is 193 incidents in May.
Akira, which led in April with 65 attacks, dropped to fourth place with only 35 attacks in May.
Industrials remained the most targeted sector, accounting for 30% of attacks. This amounted to 118 attacks in May.
Consumer Discretionary saw a significant increase in attacks, rising from 73 attacks in April to 102 in May.
Global ransomware attacks decreased by 6% in May.
South America experienced 4% of all global attacks, or 17 incidents, in May.
Overall, 79% of all attacks globally took place in North America and Europe in May.
56% of tested Large Language Models (LLMs) are susceptible to Prompt Injection Attacks (PIAs).
Safepay emerged as the most active threat group, responsible for 18% of all attacks in May. This translates to 70 attacks attributed to Safepay in May. Safepay has been active since November 2024.
Play moved to second place with 44 attacks in May.
Europe was the second most targeted region in March. Europe accounted for 27% of attacks and experienced 162 attacks.
Akira and RansomHub shared second place among the most active threat groups in March, with 62 attacks each.
Industrials regained the top spot for the most targeted sector in March, accounting for 25% of all attacks that month (150 attacks).
Safepay was the third most active threat group in March, with 42 attacks.
Consumer discretionary was the second most targeted sector in March, with 124 attacks. This was a significant decrease of 55% (278 attacks) for consumer discretionary compared to February.
600 ransomware attacks were recorded globally in March.
Ransomware cases globally dipped by 32% in March (600 attacks) compared to February.
Babuk2 was the most active threat group, responsible for 14% of all attacks in March. Babuk2 drove ransomware activity with 84 attacks in March. This represents a 37% increase for Babuk2 from January (61 attacks).
South America took fourth place with 7% of attacks (39 attacks) in March.
North America remained the most targeted region in March. North America accounted for 48% of total global attacks and experienced 290 attacks.
Ransomware cases increased year-on-year by 46% in March.
Malvertising attacks surged in 2024. Microsoft Threat Intelligence uncovered nearly one million devices globally implicated in a large-scale malvertising campaign in March.
75% of all global cases took place in North America and Europe combined in March.
Asia took third place with 14% of attacks (83 attacks) in March.
Cl0p was the most active threat group in February 2025, responsible for 37% of attacks.
83% of all ransomware cases globally took place in North America and Europe in February 2025.
Play was the fourth most active ransomware group, with 43 attacks in February 2025.