Ransomware activity levelled off in July, says NCC


The number of ransomware attacks observed worldwide remained steady in July, rising just 1% to 376 recorded cases, according to the latest monthly Threat Intelligence figures from cybersecurity services firm NCC Group.

This comes after a poor start to 2025, but as NCC analysts observed, the more stagnant summer should not give security teams cause for celebration, as the threat remains as persistent as ever. This was particularly true in July for the industrial sector, which saw 101, or 27%, of the recorded attacks.

The consumer discretionary sector, including retail, was the second most attacked sector in July, with attacks increasing from 76 to 82, followed by 31 reported incidents and healthcare with 30.

As always, the majority of these attacks occurred in the North American theater, which accounted for 54% of incidents, down 3% from the previous month, followed by Europe with 21%, Asia with 12%, and South America with 6%.

NCC’s Global Threat Intelligence Manager, Matthew Hull, urged organizations to fix their roof while the sun still shines.

“While ransomware activity remained relatively flat in July, this lull should not be confused with a reduced threat. We saw a similar drop in the summer months of last year, however the overall threat level remained high,” he said.


“Looking ahead, we anticipate the return of previously disrupted groups, possibly in collaboration with social engineering actors, to begin launching more sophisticated and coordinated attacks. Now is not the time for complacency.”

Driven by threat actor activity, Inc Ransom emerged as the pack leader in July, accounting for 54 attacks, or 14% of the total. Inc Ransom attacks have been on a steady upward trend since the spring, targeting critical national infrastructure (CNI) providers.

Inc Ransom is notable in the UK for being behind an NHS-related hack in late 2024 and in the US for attacking Ahold Delhaize, the Benelux-based parent of the well-known Food Lion and Giant supermarket chains.

It is also known for targeting Citrix products and services, which have seen several new vulnerabilities reported in recent months.

Other particularly active gangs in July were Qilin and SafePay with 40 attacks apiece, and Akira with 37. DragonForce, which had a major impact on Marks & Spencer in the UK, accounted for just under 20 cases in July.

Qilin time

This month’s Threat Report also offered a deeper dive into the Qilin ransomware operation. Qilin was the gang behind the June 2024 attack on NHS pathology laboratory provider Synnovis, but has since become the most active ransomware crew seen by NCC in June 2025, and with almost 300 recorded victims so far this year, it is easily one of the most powerful adversaries currently operating.

The predominantly Russian-speaking gang has aggressively targeted known vulnerabilities in widely used enterprise software from vendors such as Fortinet, SAP, and Veeam, and like many of its peers, is making a sport of targeting CNI organizations.

Considered a master of the ransomware-as-a-service (RaaS) crime model, Qilin took in many homeless affiliates after the RansomHub shutdown and has gone out of its way to catch the eye of less technically minded affiliates, NCC said.

The operation stands out for its technical prowess and user-friendly interface, which allows affiliates to easily create their own payloads to target specific systems and manage victim negotiations and payments. It also has a competitive commission structure, with 80% to 85% of the proceeds going to the affiliate, and it even offers them legal services, after a fashion, to help guide them in their negotiations.

“The emergence of Qilin has been a product of broader trends observed across the ransomware landscape,” NCC analysts wrote.

“Threats that engage in specialized roles in the RaaS ecosystem offer a wide range of choices.

“RaaS platform developers can specialize in creating services that attract affiliates and generate profits for them as well. This results in technically skilled developers and affiliates operating in larger gangs like Qilin,” they added.
