Expanding ransomware reach intensifies sector-wide cyber exposure

Manufacturing and logistics operations confront extended shutdown pressures

By Roxanne Libatique

Ransomware activity worldwide increased 50% in 2025 to 7,874 incidents, according to NCC Group’s latest cyber threat intelligence report.

The analysis, based on claimed and publicly disclosed attacks, points to changes in the most active groups and continued targeting of sectors where operational disruption can quickly lead to financial loss. The data indicates heightened accumulation and business interruption risk, particularly across industrial, logistics, and consumer-facing clients.

Qilin was identified as the most active ransomware group in 2025, linked to 1,022 attacks, or about 13% of incidents recorded by NCC Group, as cited by Security Brief. Akira followed with 755 attacks, a 149% increase compared with 2024. CL0P ranked third with 517 incidents, representing around 7% of the total. These rankings differ from 2024, when LockBit 3.0 was the most active group. NCC Group’s report links LockBit 3.0’s reduced activity in 2025 to ongoing international law enforcement operations directed at its infrastructure and affiliates. The report also notes that some groups with relatively low attack volumes have been associated with incidents that caused significant disruption. Scattered Spider is cited in this context, linked to attacks on major retailers in the UK and the US, including M&S, while not appearing in the top 10 groups by number of incidents.

Industrial and consumer sectors under sustained attack

Industrial organisations were the most frequently targeted sector in 2025, with 2,190 reported ransomware attacks, a 54% increase on the previous year. The sector accounted for about 28% of all recorded incidents. NCC Group notes that manufacturing, logistics, and industrial services businesses often rely on complex supply chains and partner networks, which can extend the impact of ransomware when production and distribution are disrupted. Some incidents resulted in shutdowns lasting days or weeks.

Consumer discretionary businesses, including retailers, were also heavily affected. The report records 1,774 attacks on this sector in 2025, making it the second most targeted by volume. Activity included incidents involving M&S, Co-op, Harrods, and South Korean retailer Coupang. NCC Group links the sector’s exposure to operational interdependence and large volumes of customer data. These trends are relevant to assessments of aggregation and business interruption exposure, particularly for insureds with offshore operations, multinational supply chains, or reliance on global logistics and retail platforms.

Law enforcement action and lower barriers for attackers

NCC Group reports ongoing law enforcement efforts in 2025 against ransomware operators, including actions to dismantle infrastructure, seize servers and domains, and pursue affiliates through international arrest warrants. Some groups, including Scattered Spider, experienced temporary disruption following these operations, according to the report. At the same time, the firm notes that tools and services that lower the technical barrier for attackers continue to spread. AI-enabled tooling, automation frameworks, and commoditised ransomware kits are cited as factors enabling less technically experienced actors to conduct ransomware campaigns.

“Risk emerges when capability and intent meet opportunity. That dynamic defined the cyber landscape last year, and 2025 was a year of rapidly expanding opportunity. Many of the major incidents we observed relied on techniques that have existed for years: credential theft, social engineering, and the abuse of trusted access. The difference wasn’t innovation alone; it was how much damage those well‐worn techniques could now inflict across complex, interconnected organisations,” Matt Hull, vice president of cyber intelligence and response at NCC Group, said, as reported by Security Brief.

Hull added: “As we approach the one-year anniversary of the M&S, Co-op, and Harrods retail sector cyberattacks, NCC Group’s data shows that 2025 saw a staggering 50% increase in attack volume. Putting this volume into perspective, Scattered Spider, which led this wave of high-profile retail attacks, didn’t even make the top 10 ransomware groups by volume. Nearly 8,000 ransomware attacks in a single year suggest that disruption at this scale is becoming normalised. The top players may change, but the threat is accelerating, not slowing. What’s different now is the industrialisation of ransomware. AI-driven tools and commoditised kits mean the barrier to entry has collapsed, and attackers can scale faster and adapt more quickly. Organisations that treat cyber resilience as optional in 2026 are putting themselves at serious operational and financial risk.” NCC Group’s analysis points to a changing but persistent threat environment, with implications for pricing, coverage terms, accumulation management, and supply chain-related exposures.

NCSC data shows higher reported losses in New Zealand

New Zealand’s National Cyber Security Centre (NCSC) has reported higher incident-related financial losses, providing local context to the global ransomware trends. In its Cyber Security Insights report for Quarter 3 2025 (Q3 2025), covering July 1 to Sept. 30, the NCSC said it received 1,249 incident reports. Reported direct financial losses totalled $12.4 million, an increase of 118% from $5.7 million in the previous quarter. Of the total incidents, 110 were triaged for specialist technical support because they were assessed as being of potential national significance, compared with 56 such incidents in Q2 2025, a 96% increase.

Malware, scams, and fraud remain key drivers

The NCSC also reported more incidents involving malicious software over the quarter. The agency’s feature analysis outlines recent developments in malware and recommended protective measures for New Zealand organisations and individuals. Scams and fraud remained the most frequently reported incident category in Q3 2025, with 446 reports. Phishing and credential harvesting formed the second-largest category, with 355 reports. The NCSC also recorded a 50% increase in scams involving employment and business opportunities. These developments reinforce exposure across cyber, financial lines, and crime policies. Business email compromise, fraudulent payment instructions, and malware-as-a-service models are emerging as important drivers of severity, while broader ransomware activity and industrial sector targeting are central to reassessing accumulation, supply chain dependencies, and business interruption triggers across New Zealand and global portfolios.
