SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Ransomware attacks steady at 328 as cyber gangs join forces

Fri, 19th Sep 2025

A new report from NCC Group shows that global ransomware activity declined by 13 percent in August, with 328 reported attacks, marking the fifth consecutive month with fewer than 500 recorded incidents.

The consultancy's findings suggest a relative stabilisation in ransomware attack volumes compared to early 2025 spikes, particularly February and March, when the cyber gang Cl0p released data on a large group of victims, which led to a marked increase in attack numbers. The report cautions, however, that despite the apparent lull, average attack numbers from April to August this year have nearly matched the same period in 2024, indicating the persistent risk posed to organisations worldwide.

Sector breakdown

Industrial organisations remained the most targeted sector in August, experiencing 121 attacks. This represents a 10 percent increase from July, amounting to 37 percent of all incidents. The consumer discretionary sector, comprising automotive, retail, and leisure businesses, was the second most affected, registering 66 attacks. Information Technology followed as the third most targeted sector with 31 incidents. A significant case noted in the report was the attack on Miljödata, a provider of HR systems for approximately 80 percent of Sweden's municipalities, which led to service disruptions across 200 local governments.

Active threat groups

The analysis notes that Qilin emerged as the most active ransomware group last month, taking responsibility for 16 percent of all attacks, which equates to 53 incidents. Qilin's activity saw a resurgence after its ranking had fallen in July following a prominent rise in June. Safepay and Akira were identified as the second and third most dominant groups, with 26 and 43 attacks reported, respectively.

Collaboration among threat actors

The report highlights evolving tactics among certain cybercriminal networks, with a particular focus on Scattered Spider, which has been collaborating with Ransomware-as-a-Service (RaaS) operators. This approach allows Scattered Spider to deploy sophisticated social engineering methods, while the technical elements of ransomware deployment are handled by RaaS partners. The report suggests that Scattered Spider's choice of RaaS collaborator is often influenced by financial incentives, as some groups, including ALPHV, RansomHub, DragonForce, and Qilin, offer affiliates a commission of at least 80 percent.

This merging of technical skills and social engineering expertise can increase the impact and disruption caused by ransomware attacks, as well as help sustain criminal operations during periods of law enforcement scrutiny. The study notes that if one RaaS group is disrupted, another can continue operations, underscoring the challenges faced by law enforcement agencies in curbing the ransomware ecosystem.

Geopolitical context and motivations

According to NCC Group, developments in international relations, such as new US tariffs on Indian imports introduced in August and subsequent boycotts of US goods in India, may contribute to heightened cyber risk. The report observes that in periods of global political volatility, cybercriminal groups frequently exploit tensions and weakened diplomatic ties. The growing cooperation between India, China, and Russia is specifically noted as a factor that could influence the threat landscape.

Expert perspective

Matt Hull, Head of Threat Intelligence at NCC Group, commented: "There's more than meets the eye to attack levels plateauing in recent months. Spikes earlier in the year have dwarfed today's numbers, but the volume is far from low. Despite how the graphs look at first glance, criminal partnerships signify why cyber resilience must be a first port of call for businesses and governments.
"Scattered Spider is accumulating headlines from its attacks and signature, sophisticated social engineering techniques. But its collaboration with Ransomware-as-a-Service (RaaS) operators is key in its disruption of global giants. The ransomware landscape operates in a ruthless, business-like structure, which needs to be considered when defences are being implemented."

The NCC Group report also discusses technical threats such as HTML smuggling, noting its relevance in the current cyber threat landscape, although this aspect was not detailed in the summary.
