SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
New Zealand
Japan factory night ransomware attack shadow figure network
#
Malware
#
Data Protection
#
Ransomware

Ransomware attacks surge 50% as industrial firms hit hardest

Fri, 6th Mar 2026
Author image
By Catherine Knowles, News Editor

NCC Group has reported a sharp rise in global ransomware activity, with attacks up 50% year-on-year to 7,874 incidents in 2025, alongside a reshuffling of the most active criminal groups.

The figures come from its annual cyber threat intelligence report, which tracks publicly disclosed and claimed ransomware incidents across regions and sectors. February and December were particularly active, contributing heavily to the annual total.

Operators continued to focus on organisations where disruption creates immediate commercial pressure. The data also suggests a shift in victim profiles, with industrial firms topping the list.

Threat actor changes

Qilin was the most active ransomware group in 2025, linked to 1,022 attacks, or 13% of recorded incidents. It has claimed responsibility for several high-profile intrusions, including a reported attack on Japanese brewer Asahi.

Akira ranked second with 755 attacks, a 149% increase compared with 2024. CL0P placed third with 517 attacks, about 7% of the annual total.

The rankings shifted from the previous year. LockBit 3.0, the most prolific group in 2024, fell out of the top 10 in 2025. The report attributes the drop to sustained international law enforcement action.

NCC Group also highlighted the impact of groups that carry out fewer attacks but cause outsized disruption. It pointed to Scattered Spider, linked to high-profile incidents in the UK and US, including attacks affecting M&S, despite not appearing in the top 10 by volume.

Industrial focus

Industrials was the most targeted sector in 2025, accounting for 2,190 attacks, a 54% increase year-on-year. The sector represented 28% of all recorded incidents.

Manufacturing, logistics and industrial services companies often rely on complex networks of suppliers and partners. That interconnectedness can amplify the operational impact of ransomware, particularly when outages spread across production and distribution. Some attacks in the sector led to shutdowns lasting days or weeks, according to the NCC Group.

Retail and consumer-facing businesses also remained under pressure. The report cited activity affecting major retailers, including incidents involving M&S, Co-op and Harrods in close succession. It also highlighted an attack on South Korean retailer Coupang as an example of the sector's exposure.

Consumer Discretionary was the second most targeted sector in 2025, with 1,774 recorded attacks. The report linked the sector's appeal to operational interdependence and the concentration of consumer data.

Law enforcement pressure

Law enforcement activity increased in 2025, with authorities targeting ransomware infrastructure and affiliate networks. NCC Group said some groups, including Scattered Spider, faced temporary disruption after actions that dismantled servers and domains and involved international arrest warrants.

It also pointed to responses to major incidents such as the Collins Aerospace attack, which it said affected airports across Europe. The report said the combined effect increased operational risk for criminal groups and contributed to fragmentation across the ransomware ecosystem.

At the same time, NCC Group said ransomware has become more accessible, citing AI-enabled tooling, automation frameworks and commoditised ransomware kits as factors lowering barriers to entry for less technically sophisticated actors.

Matt Hull, VP of Cyber Intelligence and Response, NCC Group, said, "Risk emerges when capability and intent meet opportunity. That dynamic defined the cyber landscape last year, and 2025 was a year of rapidly expanding opportunity. Many of the major incidents we observed relied on techniques that have existed for years: credential theft, social engineering and the abuse of trusted access. The difference wasn't innovation alone; it was how much damage those well‐worn techniques could now inflict across complex, interconnected organizations.

He continued, "As we approach the one-year anniversary of the M&S, Co-op and Harrods retail sector cyber attacks, NCC Group's data shows that 2025 saw a staggering 50% increase in attack volume. Putting this volume into perspective, Scattered Spider, which led this wave of high-profile retail attacks, didn't even make the top 10 ransomware groups by volume.

"Nearly 8,000 ransomware attacks in a single year suggest that disruption at this scale is becoming normalized. The top players may change, but the threat is accelerating, not slowing. What's different now is the industrialization of ransomware. AI-driven tools and commoditised kits mean the barrier to entry has collapsed, and attackers can scale faster and adapt more quickly."

"Organisations that treat cyber resilience as optional in 2026 are putting themselves at serious operational and financial risk," Hull concluded.

Related stories
Why runtime identity is emerging as the next cybersecurity imperative
Cohesity appoints Nigel Lee to lead APJ technical sales
Tuned Global launches streaming manipulation detection
Anthropic's 'Mythos' signals a new era of AI-driven cyber threats
Sysdig report says cloud security shifts to machine speed

Top stories

Avanade expands in New Zealand on rising AI demand
CrowdStrike expands MSSP push across Japan & Asia Pacific
How MH Enterprise turns trust into cybersecurity success
Proofpoint tracks cargo theft gang's post-breach tactics
Commvault expands Flex with Hitachi Vantara & NetApp