NCC Group Report: Ransomware Attacks Soar 41%

Ransomware attacks rose sharply in October, increasing 41% month-on-month to 594 incidents, according to global cybersecurity firm NCC Group's monthly Threat Intelligence Report. The surge indicates that threat actors are intensifying their operations ahead of what is typically the most active period for cyber crime. The fourth 'golden quarter' of the year sees peak consumer spending from Black Friday, Cyber Monday, and Christmas, presenting greater opportunity for cyber threat actors.

This escalation follows several months of relative stability in the number of attacks from April to August, including a dip between April and June. Activity began to pick up at the end of the summer, with September recording a 28% month-on-month increase - momentum that has now accelerated into October's spike.

The Industrials sector continued to bear the brunt of ransomware activity, accounting for 28% (167) of all attacks in October. Consumer Discretionary (which includes automotive manufacturers, retail businesses, and leisure facilities) closely followed with 124 attacks, while Healthcare moved to third place with 64 attacks.

North America and Europe accounted for more than three-quarters (79%) of all global attacks in October, totaling 473. North America was hit hardest, suffering over half of these incidents (62%), compared to Europe (17%) and Asia (9%).

Qilin, the most prominent actor last month and throughout Q3, remains the most prolific ransomware actor in October with 29% (170) of all attacks attributable to the group. Known for its precision targeting and double-extortion techniques, Qilin continues to dominate the threat landscape, leveraging tactics to maximise impact and pressure victims into compliance.

Sinobi followed with 15% of attacks (65), closely trailed by Akira, which ranks among the top three most active ransomware groups in 2025, accounting for 15% (64).

Although Qilin held the top spot, new players and alliances between ransomware groups contributed to the overall increase in ransomware attacks in October.

The Gentlemen ransomware group has become a more prevalent player in the threat landscape and with the return of LockBit, there is a growing number of active players that are targeting key sectors. Having made 21 public ransomware attack claims globally, the group has targeted sectors including healthcare, financials, IT and consumer discretionary.

And as part of its return with the launch of LockBit 5.0, the group has appeared to align with other prominent RaaS groups DragonForce and Qilin. Alliances between threat groups enable the sharing of tools, infrastructure and tactics. Although no coordinated attacks have been confirmed yet, suspicions may work as a useful tool for attracting additional groups, and in turn, complicate attacks similar to those we have seen from Scattered Spider and ShinyHunters.

"October marks a seasonal shift in the ransomware landscape as we enter one of the more active periods of the year for cyber criminals. The surge has been fueled by the rise of new groups such as The Gentlemen and an expanding range of ransomware variants, with over 200 identified so far this year," said Matt Hull, head of Threat Intelligence at NCC Group. "As ransomware activity accelerates and notable attacks continue to cause widespread economic and operational disruption, vigilance is more critical than ever. Organisations should use this moment to reinforce their security measures and test incident response plans. Proactive monitoring, staff awareness, and secure backups remain key as we move into the year's peak threat season."