NCC Group Monthly Threat Pulse – Review of September 2025

Global ransomware attacks spike by over a quarter after months of decline. 

• Global ransomware volume increased by 28% in September, with 421 attacks
• Qilin was the most active threat group, responsible for 14% (58) of attacks
• Industrials remained the most targeted sector, experiencing 29% (120) of all attacks
• Three quarters (75%) of attacks took place in North America and Europe
• Despite the September surge, attacks in Q3 fell by 5% (1,125) compared to Q2 (1,180)

27th October 2025 – Ransomware attacks have risen for the first time in six months, increasing by 28% month-on-month to 421 attacks. While overall attack volume remained below 500, the uptick may signal a renewed escalation heading into the year’s most active period for cyber criminals.

Industrials under fire

The Industrials sector continued to bear the brunt of ransomware activity, accounting for29% (120) of all attacks in September. Also, the most targeted sector for Q3, with 30% (342) of attacks, it’s clear that Industrials is a highly attractive target for cyber criminals, even as public attention remains on consumer-facing breaches.

Consumer Discretionary (which includes automotive manufacturers, retail businesses, and leisure facilities) followed with 76 attacks, while Financials moved to third place with 47 attacks. The continued targeting of financial institutions highlights attackers’ strategic focus on accessing financial data, and reflects a broader trend of ransomware campaigns to maximise monetary gain.

High-profile ransomware attacks target Europe

North America and Europe accounted for three quarters (75%) of all global attacks, amounting to 317 last month. Notably, the ransomware attack on major European airports led to significant disruption. Airlines were forced to switch to manual operations, which caused delays, cancellations, and passenger congestion. The attack is a stark reminder of the vulnerability of critical infrastructure.

Qilin dominates the ransomware landscape

Qilin led the pack in September, taking responsibility for 14% (58) of attacks. The group also remained the most prominent threat actor for the quarter, with 13% (151) of all attacks. Its focus on data-centric, financially lucrative, and supply-chain dependent industries - such as Industrials and Consumer Discretionary - suggests an intent to maximise operational disruption and leverage extortion.

Throughout the quarter, new groups, including The Gentlemen and Interlock, emerged. New players signal a shift in the threat landscape, where the smaller actors now leverage shared infrastructure and leaked builder kits to establish their scale. This demonstrates how the threat ecosystem continues to diversify and evolve.

Geopolitical spotlight

Geopolitical tensions in September intensified global cyber risks. China’s summit with non-Western leaders signalled a direct challenge to the US-led order, while Russian military drills and ransomware attacks on European airports exposed the rising threat of hybrid warfare. And in the Middle East, Israeli strikes in Qatar and growing recognition of Palestine further deepened international divisions. Together, these events highlight a volatile global landscape where ransomware and cyber operations are increasingly used as tools of strategic influence and disruption.

Matt Hull, Head of Threat Intelligence at NCC Group, said:

“From high-profile supply chain breaches and persistent ransomware activity, to the influence of geopolitical tensions on cyber operations, organisations are facing increasingly adaptive and sophisticated threat actors.

“The rise in attacks in September could be a sign that the decline we’ve seen recently is now over. As we approach the busy season for attackers – with Black Friday and Christmas fast approaching – organisations can’t be complacent. Recent attacks on the transport and retail sector, specifically, have shown just how severe the disruption can be. So, organisations need to ensure they have robust third-party risk management, rapid incident response, and proactive security strategies.”

Read the report