NCC Group Monthly Threat Pulse – Review of May 2025

There were a total of 393 attacks globally in May. This marks the third consecutive month in which ransomware attacks have dropped.

Qilin dropped to third place with 42 attacks in May.

Asia experiencec 13% of all global attacks, with 49 incidents in May.

Europe experienced 29% of all global attacks, totalling 112 incidents, in May.

North America remains the hardest-hit region, accounting for 50% of all global attacks, which is 193 incidents in May.

Akira, which led in April with 65 attacks, dropped to fourth place with only 35 attacks in May.

Industrials remained the most targeted sector, accounting for 30% of attacks. This amounted to 118 attacks in May.

Consumer Discretionary saw a significant increase in attacks, rising from 73 attacks in April to 102 in May.

Global ransomware attacks decreased by 6% in May.

South America experienced 4% of all global attacks, or 17 incidents, in May.

Overall, 79% of all attacks globally took place in North America and Europe in May.

56% of tested Large Language Models (LLMs) are susceptible to Prompt Injection Attacks (PIAs)

Safepay emerged as the most active threat group, responsible for 18% of all attacks in May. This translates to 70 attacks attributed to Safepay in May. Safepay has been active since November 2024.

Play moved to second place with 44 attacks in May.

Qilin dropped to third place with 42 attacks in May.