The number of ransomware attacks observed worldwide held steady in July, increasing by just 1% to 376 recorded cases, according to the latest monthly Threat Pulse figures from cyber security services firm NCC Group.
This comes in the wake of an unfortunate record-breaking start to 2025, but as NCC’s analysts observed, the more stagnant summer should not give security teams cause to rejoice, for the threat remains as persistent as ever. In July, this held especially true for the industrial sector, which bore 101, or 27%, of recorded attacks.
The consumer discretionary sector, including retail, was the second most attacked sector in July, with attacks rising from 76 to 82, followed by IT with 31 reported incidents, and healthcare with 30.
As ever, the majority of these attacks unfolded in the North American theatre, which accounted for 54% of incidents, down 3% month-on-month, followed by Europe with 21%, Asia with 12%, and South America with 6%.
NCC’s global head of threat intelligence, Matt Hull, urged organisations to fix the roof while the sun is still shining.
“While ransomware activity remained relatively flat in July, this lull should not be mistaken for a reduced threat. We saw a similar dip during the summer months last year, yet the overall threat level remained high,” he said.
While ransomware activity remained relatively flat in July, this lull should not be mistaken for a reduced threat Matt Hull, NCC Group
“Looking ahead, we anticipate the return of previously disrupted groups, likely in collaboration with social engineering actors to start launching more sophisticated and coordinated attacks. Now is not the time for complacency.”
Broken out by threat actor activity, INC Ransom emerged as the leader of the pack in July, accounting for 54 attacks, or 14% of the total. INC Ransom’s attacks have been on a steady upward trend since the spring, targeting providers of critical national infrastructure (CNI).
INC Ransom is noteworthy in the UK for being behind a spate of NHS-linked intrusions towards the end of 2024, and in the US for its attack on Ahold Delhaize, the Benelux-based parent of the well-known Food Lion and Giant supermarket chains.
It is also known for targeting Citrix products and services, several new flaws in which were reported in the past few months.
Other particularly active gangs in July were Qilin and Safepay, with 40 attacks apiece, and Akira with 37. DragonForce, used to great effect against Marks & Spencer in the UK, accounted for just under 20 incidents in July.
Qilin time
This month’s Threat Pulse report also offered a deeper dive into the Qilin ransomware operation. Qilin was the gang behind the June 2024 attack on NHS pathology lab services provider Synnovis, but since then, it has grown into the most active ransomware crew seen by NCC in June 2025, and, with almost 300 recorded victims so far this year, is easily one of the most formidable foes currently operating.
The predominantly Russian-speaking gang aggressively targets known vulnerabilities in widely used enterprise software tools from the likes of Fortinet, SAP and Veeam, and like many of its peers, makes a sport of targeting CNI organisations.
Regarded as a master of the ransomware-as-a-service (RaaS) crime model, Qilin swept up many homeless affiliates following the closure of RansomHub, and has gone out of its way to catch the eyes of less technically minded affiliates, said NCC.
The operation stands out for its technical proficiency and user-friendly interface that enables affiliates to easily build their payloads to target specific systems and manage victim negotiations and payments. It also has a competitive commission structure, with between 80% and 85% of payouts going to the affiliate, and even offers them legal services – after a fashion – to help guide them in their negotiations.
“The emergence of Qilin has been a product of wider trends observed throughout the ransomware landscape,” wrote NCC’s analysts.
“Threat actors engaging in specialised roles within the RaaS ecosystem offer affiliates a wide range of choices.
“RaaS platform developers can specialise in creating a service that attracts affiliates and produces profits for them as well. This has resulted in technically proficient developers and affiliates operating in major gangs like Qilin,” they added.
