Last year was a record-breaker for ransomware activity globally, according to a cyber firm. Attacks rose 50 per cent year-on-year, reaching 7,874 incidents worldwide – including notable attacks on UK retailers M&S, Co-op and Harrods, according to NCC Groupโs Annual Threat Monitor Report.
February and December proved particularly active months. AI-enabled tooling, automation frameworks and commoditised ransomware kits have lowered barriers to entry, allowing less technically sophisticated actors to scale operations more quickly, according to the firm. As for who are carrying out the attacks, Qilin, which claimed to be behind the attack on Japanese brewer Asahi, emerged as the most active threat actor, responsible for 1,022 attacks (13pc) in 2025. Akira followed with 755 attacks, and CL0P with 517.
‘Staggering’ increase
Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said: โRisk emerges when capability and intent meet opportunity. That dynamic defined the cyber landscape last year, and 2025 was a year of rapidly expanding opportunity. Many of the major incidents we observed relied on techniques that have existed for years: credential theft, social engineering and the abuse of trusted access. The difference wasnโt innovation alone; it was how much damage those wellโworn techniques could now inflict across complex, interconnected organisations.”
โAs we approach the one-year anniversary of the M&S, Co-op and Harrods retail sector cyber attacks, NCC Groupโs data shows that 2025 saw a staggering 50 per cent increase in attack volume. Putting this volume into perspective – Scattered Spider, which led this wave of high-profile retail attacks, didnโt even make the top ten ransomware groups by volume.
โNearly 8,000 ransomware attacks in a single year suggest that disruption at this scale is becoming normalised. The top players may change, but the threat is accelerating, not slowing. Whatโs different now is the industrialisation of ransomware. AI-driven tools and commoditised kits mean the barrier to entry has collapsed, and attackers can scale faster and adapt more quickly.
“Organisations that treat cyber resilience as optional in 2026 are putting themselves at serious operational and financial risk.โ
By region
North America was the most targeted region in 2025, accounting for 56 per cent of recorded attacks. Europe represented 22pc of claimed incidents, followed by Asia at 12pc. North Americaโs concentration of large enterprises and critical infrastructure continues to make it a primary focus for ransomware operators, according to the software firm.
