The first half of 2025 has seen fascinating trends in ransomware, with a consistent decline in attacks over the past four months in spite of a record-breaking start to the year. June saw a 6% drop in ransomware incidents worldwide, recording just 371 cases. The 2nd quarter saw a 43% decline from the 1st, as a result of seasonal slowdowns during Easter and Ramadan, alongside enhanced law enforcement interventions targeting significant operatives.
Yet, this period of reduced activity has opened avenues for new threat actors to harness global instability. Experts anticipate a resurgence of disrupted groups in Q3, potentially collaborating with social engineering actors to execute more sophisticated cyberattacks.
Industrials bore the brunt in June, enduring 27% of all ransomware attacks, more than any other sector. The sector has often led in monthly attack volume. Meanwhile, Consumer Discretionary, which includes retail, saw a drop from 102 attacks in May to 76 in June. At the same time, the Healthcare sector nearly doubled its attack count (42) from May (22), while the Information Technology sector was close behind (33).
Qilin, a Russian-speaking cybercrime group, dominated the ransomware scene in June, accounting for 16% of all attacks (60). This group showcases the rising trend of ransomware operators targeting Industrials and IT. The group now offers its affiliates legal support to manage law enforcement risks and enhance negotiation strategies. This highlights the increasingly business-like structure within the ransomware world.
Akira (31) and Play (29) took the next two positions, while SafePay experienced a drop in activity.
North America remained under immense pressure, accounting for 58% of global attacks in June (215). Conversely, Europe experienced a mild decline, recording 21% of attacks, while Asia and South America saw smaller shares of 12% and 4% respectively.
Ransomware has evolved beyond its financial motives, playing a growing role in cyber warfare. The pro-Palestinian Handala group launched retaliatory attacks on 17 Israeli organisations within 2 weeks at the end of June, aligning with geopolitical tensions. The attacks started the day following Israeli attacks on Iran. Such incidents highlight the growing role of ransomware in conveying political messages.
In alignment with this evolving landscape, the UK's Industrial Strategy reflected a cyber-first approach, spotlighting the importance of cybersecurity amidst intensifying state-level cyber warfare.
Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “The volume of victims being exposed on ransomware leak sites might be declining but this doesn’t mean threats are reduced. Law enforcement crackdowns and leaked ransomware source code are possibly contributing factors to a drop in activity, but ransomware groups are using this opportunity to evolve through rebranding and the use of advanced social engineering tactics.
“We’ve already tracked 86 new and existing active attack groups this year, and we’re on course to surpass 2024’s record. The increased number of attackers means a broader range of attack methods that businesses need to be prepared for. Both organisations and nations should take this as a sign to remain vigilant. Investing in cyber security and intelligence-led defences is the key to staying ahead of increasingly agile threat actors.”