A year on from the wave of retail sector cyber attacks, new data reveals 2025 was a record year for global ransomware
- Global ransomware attacks increased by 50% year-on-year
- Qilin was the top threat actor, causing 13% of attacks
- Industrials was the target of 28% of attacks in 2025
- North America victim to 56% of global attacks
March 2026 - Approaching a year on from the cyber attacks that signalled a wave of disruption across the retail sector, new data from NCC Group shows that 2025 was a record-breaking year for ransomware activity globally. Attacks rose 50% year-on-year, reaching 7,874 incidents worldwide - with attacks on retailers M&S, Co-op and Harrods in quick succession illustrating the rapidly escalating international threat landscape.
According to NCC Group’s Annual Cyber Threat Intelligence 2025, February and December proved particularly active months, contributing significantly to the year’s total. The data highlights how ransomware campaigns have evolved toward high-impact, operationally disruptive attacks targeting complex global supply chains and critical industries.
Threat actor shake-up
Qilin, which claimed to be behind the attack on Japanese beer giant Asahi, emerged as the most active threat actor, responsible for 1,022 attacks (13%) in 2025. Akira followed with 755 attacks, and CL0P with 517.
Compared to 2024, there was a major shakeup in threat actors. Notably, LockBit 3.0, previously the most prolific group, dropped out of the top 10 following sustained international law enforcement action.
At the same time, AI-enabled tooling, automation frameworks and commoditised ransomware kits have lowered barriers to entry, allowing less technically sophisticated actors to scale operations more quickly.
Despite the chaos caused by Scattered Spider, which has been linked to high-profile attacks in the UK and US, including M&S, the group did not rank among the top 10 groups by volume. This reinforces that a small number of strategically executed attacks can have a disproportionate economic and reputational impact.
Industrials sector faces highest disruption
Industrials was the most targeted sector in 2025, accounting for 2,190 attacks - a 54% increase compared to 2024.
The sector’s reliance on highly interconnected global supply chains amplifies the operational impact of attacks, making it a prime target for threat actors seeking maximum disruption. Attacks affecting major manufacturers, alongside multiple logistics and industrial services firms, led to shutdowns lasting days or even weeks.
Global ransomware activity in 2025 heavily affected the retail sector, with incidents such as the attack on South Korean retailer Coupang highlighting how attackers can exploit operational and reputational vulnerabilities in major retailers worldwide. The sector’s operational interdependence, combined with valuable consumer data, helps explain why Consumer Discretionary was the second most targeted sector in 2025, with 1,774 recorded attacks.
Threat actors are increasingly prioritising organisations where operational downtime translates directly into financial pressure, which accelerates ransom negotiations and increases the likelihood of payment.
North America remains primary focus
North America was the most targeted region in 2025, accounting for 56% of recorded attacks. Europe represented 22% of claimed incidents, followed by Asia at 12%.
The region’s concentration of large enterprises and critical infrastructure continues to make it a primary focus for ransomware operators. State-owned organisations were also not immune, with agencies in the State of Nevada among those targeted in ransomware attacks during the year.
Law enforcement action increases pressure on threat actors
In 2025, law enforcement across the globe stepped up efforts against ransomware and cybercrime, targeting the infrastructure and affiliates behind high-profile attacks. Groups such as Scattered Spider were temporarily disrupted as authorities dismantled hundreds of servers and domains and issued international arrest warrants.
These coordinated operations also included responses to other major incidents, such as the Collins Aerospace attack, which impacted airports across Europe. They made criminal activity riskier and more fragmented, temporarily disrupting some groups’ operations and demonstrating the global reach and impact of law enforcement in countering high-profile ransomware campaigns.
Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said: “Risk emerges when capability and intent meet opportunity. That dynamic defined the cyber landscape last year, and 2025 was a year of rapidly expanding opportunity. Many of the major incidents we observed relied on techniques that have existed for years: credential theft, social engineering and the abuse of trusted access. The difference wasn’t innovation alone; it was how much damage those well‑worn techniques could now inflict across complex, interconnected organisations."
“As we approach the one-year anniversary of the M&S, Co-op and Harrods retail sector cyber attacks, NCC Group’s data shows that 2025 saw a staggering 50% increase in attack volume. Putting this volume into perspective - Scattered Spider, which led this wave of high-profile retail attacks, didn’t even make the top 10 ransomware groups by volume.
“Nearly 8,000 ransomware attacks in a single year suggest that disruption at this scale is becoming normalised. The top players may change, but the threat is accelerating, not slowing.
“What’s different now is the industrialisation of ransomware. AI-driven tools and commoditised kits mean the barrier to entry has collapsed, and attackers can scale faster and adapt more quickly.
"Organisations that treat cyber resilience as optional in 2026 are putting themselves at serious operational and financial risk”