A new report out today from information assurance firm NCC Group PLC finds that global ransomware activity plateaued in November even as attackers continued to refine their tactics and collaboration models.
The findings come from the NCC Group November 2025 Cyber Threat Intelligence Report. It found that ransomware incidents dipped slightly month-over-month but remained elevated, as the threat landscape stabilized in volume while becoming more complex in execution.
Some 583 ransomware attacks were tracked by NCC in November, down 2% from October. The most targeted industry was the industrials sector which accounted for 25% of all attacks during the month, followed by the consumer discretionary and information technology sectors.
By location, not surprisingly, companies and organizations in North America were the most popular targets in November, accounting for 57% of all reported ransomware. In second place, Europe accounted for 20% of all ransomware attacks and Asia ranked third at 12%.
Qilin ransomware retained its position as the most active ransomware group for the fourth consecutive month, responsible for 17% of recorded attacks, although its activity did decline from an unusually high peak in October.
The report also highlights the continued rise of the ClickFix attack technique, also known as ClearFake.
As detailed by Microsoft in August, the ClickFix social engineering technique attempts to trick users into running malicious commands on their devices by taking advantage of their target’s tendency to solve minor technical issues and other seemingly benign interactions, such as human verification and CAPTCHA checks.
The usage of the technique surged by 517% in the first half of 2025, which the report notes demonstrates a broader move toward social engineering tactics that bypass automated security controls by exploiting human behavior.
“Attack volumes may have steadied as we approach year-end, but business leaders cannot afford to become complacent,” said Matt Hull, global head of threat intelligence at NCC Group. “Threat groups are rapidly evolving, sharing tools and techniques and [are] already exploiting the festive period when vigilance often drops.”
The report advises that organizations should prioritize strengthening fundamental security controls, improve user awareness and ensure that incident response is ready if an attack should come, as attackers continue to evolve faster than traditional defensive measures.
Image: News/Grok 3
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About News Media
Founded by tech visionaries John Furrier and Dave Vellante, News Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
