Ransomware levels hold steady in July despite persistent risks
- Global ransomware attacks remained stable increasing 1% month-on-month in July, with 376 cases
- INC Ransom was the most active threat group in July, responsible for 14% of attacks
- Industrials remained the most targeted sector with 27% of attacks
- 75% of all cases globally took place in North America and Europe
July 2025 – Following a record-breaking start to the year, ransomware activity showed little movement in July, with just a 1% increase from 371 cases in June to 376. While the numbers appear stable, stagnation should not be mistaken for safety.
No relief for Industrials as ransomware assaults persist
Industrials remained the top targeted sector for ransomware in July, bearing the brunt of 27% of all attacks (101 incidents), the highest of any sector.
Consumer Discretionary, which includes Retail, retained its position as the second most targeted sector, with ransomware attacks rising slightly from 76 in June to 82 in July. Information Technology followed in third place with 31 reported incidents, closely trailed by Healthcare, which recorded 30 attacks.
INC Ransom takes lead as most active threat actor
INC Ransom led the charge in July 2025 with 14% of all attacks (54). The groups’ attack numbers have been on the rise in recent months, up from 14 in May and 24 in June. In 2025, INC Ransom has been observed to particularly target CNI.
Qilin and Safepay placed in joint second with 40 attacks respectively, closely followed by Akira with 37.
Ransomware attacks continue to target the West
North America remained the most targeted region in July, accounting for 54% of all global ransomware attacks (204 incidents) - a slight decline of 3% compared to June.
Europe held steady at 21% (78 attacks), with fewer than half the number of incidents recorded in North America, highlighting a continued disparity in regional threat levels. Asia also maintained a 12% share of attacks (43), while South America followed with 6% (22).
Geopolitical developments influence the cyber landscape
Several notable geopolitical events in July could influence the global cyber risk. Tensions rose at the BRICS summit, as Brazil’s President criticised US tariff threats. The remarks reinforced BRICS’ drive for alternatives to Western-led finance and could fuel hacktivist activity against Western institutions.
Meanwhile, the US reversed export restrictions on NVIDIA AI chips to China, raising concerns over national security credibility and the opportunity for Chinese threat actors to enhance their capabilities. The US also set an aggressive ceasefire deadline for Russia and Ukraine, signaling continued support for Ukraine and NATO, which may provoke further Russian cyber and hybrid attacks.
Rising famine-related deaths in Gaza have also intensified global pressure on Israel, with key allies threatening recognition of a Palestinian state, adding further complexity to the geopolitical cyber landscape.
Matt Hull, Global Head of Threat Intelligence at NCC Group, said:
“While ransomware activity remained relatively flat in July, this lull should not be mistaken for a reduced threat. We saw a similar dip during the summer months last year, yet the overall threat level remained high.
“Looking ahead, we anticipate the return of previously disrupted groups, likely in collaboration with social engineering actors in order to start launching more sophisticated and coordinated attacks. Now is not the time for complacency.”
About NCC Group:
NCC Group is a people-powered, tech-enabled global cyber security and software escrow business.
Driven by a collective purpose to create a more secure digital future, 2,000 colleagues across Europe, North America, and Asia Pacific harness their collective insight, intelligence, and innovation to deliver cyber resilience for over 14,000 clients across the public and private sector.
With decades of experience and a rich heritage, NCC Group is committed to developing sustainable solutions that continue to meet clients’ current and future cyber security challenges.