The number of ransomware attacks worldwide rose by 50 percent to nearly 7,900 incidents in 2025, according to the Annual Threat Intelligence Report from NCC Group. Qilin was the most active group, and the industrial sector was the hardest hit. However, there was a changing of the guard: the previously almighty LockBit 3.0 disappeared from the top ten.
In total, NCC Group detected 7,874 ransomware attacks in 2025. February and December saw the most incidents, with 1,093 and 788 attacks respectively. Q1 is traditionally a busier ransomware period than the other quarters, as is evident once again. NCC Group attributes the December peak to deliberate abuse of reduced staffing levels during the holidays, also a well-known phenomenon.
Qilin in the lead, LockBit out of the top ten
Qilin was the most active ransomware group in 2025 with 1,022 attacks, accounting for 13 percent of the total. The group operates via a franchise-like Ransomware-as-a-Service model: affiliates arrange initial access, while the core operators manage negotiations and the publication of leaked data. Akira followed in second place with 755 attacks, CL0P in third with 517.
Noteworthy is the decline of LockBit 3.0. The group, which had been dominant for years, fell completely out of the top ten after sustained international police action. At the same time, AI-driven tools and standardized ransomware kits lowered the threshold for less technically savvy attackers. Scattered Spider, responsible for high-profile attacks on Marks & Spencer and Jaguar Land Rover, among others, did not make the top ten in terms of volume, but caused disproportionately large damage.
Industry hardest hit, retail second
The industrial sector was the most frequent target: 2,190 attacks, an increase of 54 percent compared to 2024. The attack on Jaguar Land Rover led to a production shutdown of more than a month and losses of more than $890 million. Ransomware groups are increasingly targeting underlying infrastructure, such as hypervisors, which can bring down entire virtual environments with a single attack.
The retail sector followed in second place with 1,774 recorded attacks. The M&S incident, which saw online sales halted for more than six weeks and an expected loss of profit of around £300 million, shows how serious the damage can be. Most attacks took place in North America (56 percent), followed by Europe with 22 percent. Asia saw the strongest growth rate: an increase of 59 percent to 906 attacks.
Law enforcement agencies intensify actions
At the same time, international law enforcement increased the pressure on ransomware groups. Operation Endgame dismantled approximately 300 servers and 650 domains in May 2025 and seized €3.5 million in cryptocurrency. Microsoft, together with Europol, dismantled the Lumma Stealer network by taking over more than 2,300 malicious domains. This week saw the demise of phishing service Tycoon 2FA.
“With nearly 8,000 ransomware attacks in a single year, it’s fair to say that disruptions on this scale are becoming ‘normal’,” says Matt Hull, VP of Cyber Intelligence and Response at NCC Group. “The top players may change, but the threat is increasing rather than decreasing.”