On a month-by-month basis, recorded ransomware attacks dropped by 32% in March 2025, to 600 in total, according to NCC Group’s latest monthly Threat Pulse data, but the decline appears to be very much a red herring, and likely the result of large, one-off events in previous months that yielded multiple victims, such as Clop/Cl0p’s attacks on Cleo.
Indeed, according to NCC, ransomware incidents are in fact up by 46% compared with March 2024. Note, as always, that these data are drawn from NCC’s own telemetry, and do not necessarily reflect the true scale of the problem.
“The slight decline in attacks in February is a bit of a red herring given the unprecedented levels we have seen over the past months, with the volume of incidents year-on-year increasing 46% in March,” said NCC threat intelligence head Matt Hull.
“As ever, we are seeing threat actors diversifying, and leveraging increasingly complex and sophisticated attack methods to stay ahead, not only to cause mass disruption, but to gain attention in the ransomware world.”
Last month, Babuk 2.0 appeared to be the most active threat group, accounting for 84, about 20% of recorded attacks, up 33% on January. Second place was shared by Akira and RansomHub, which both scored 62 victims, slightly down on February. In fourth place was the Safepay crew, which conducted 42 observed attacks after experiencing something of a fallow period.
However, there may be a second red herring in the barrel, observed Hull, as the emergence of Babuk 2.0 in particular is raising questions as to the legitimacy of their alleged attacks.
The original Babuk gang has claimed no connection to the new operation, and security researchers are generally united in the belief that Babuk 2.0 is fraudulent – more fraudulent than usual, at least – and is possibly recycling old leaked data and trying to use it to scare victims into paying out. Such tactics were similarly observed following the 2024 disruption to LockBit.
Broken down by sector, industrials was the most targeted last month, with 150 attacks – 27% of the total – observed. Consumer discretionary came in second with 124 attacks, down 55% on February.
By geography, North America remained the top target, with almost half of all observed attacks taking place in the region – more than double the number seen in EMEA, which saw 26% of attacks. APAC saw 14% of attacks, and South America 7%.
Hull said North America would likely remain a key focus for cyber criminal gangs in the coming months, given rising geopolitical tensions, and division stoked between the US and Canada, which may make Canadian organisations more likely to be victimised.
Emerging trends
This month’s Threat Pulse also includes insight into malvertising and its increasing importance in the cyber threat ecosystem.
Malvertising is best described as when malware, even ransomware, hides behind online ads that seem harmless at face value, or until clicked upon. This attack vector saw a notable surge last year, and apparently the momentum shows no sign of letting up.
Indeed, recent statistics from Microsoft’s threat intel teams found nearly a million devices globally implicated in a large-scale malvertising campaign in March. Those behind it exploited GitHub repositories, Discord servers and Dropbox to run things.
Hull said malvertising was becoming more complex, with cyber criminals using trusted platforms – as seen – and turning to generative artificial intelligence tools, like DeepSeek, to activate more sophisticated attacks while lacking technical skills.
This trend will make the need to get a firm grasp on threat intelligence particularly relevant to security decision-makers in the near-term, said Hull, and proactive measures and collaboration with others will also be key to staying ahead.
“It’s a unique and challenging time for organisations, facing evolving tactics, like AI-enabled malvertising, and a turbulent geopolitical landscape,” said Hull.
“So, it’s more important than ever for organisations and individuals alike to remain vigilant and be adaptive to keep pace with these fast-changing threats.”
