Date: 2025-04-24

On a month-by-month basis, recorded ransomware attacks dropped by 32% in March 2025, to 600 in total, according to NCC Group’s latest monthly Threat Pulse data, but the decline appears to be very much a red herring, and likely the result of large, one-off events in previous months that yielded multiple victims, such as Clop/Cl0p’s attacks on Cleo.

Indeed, according to NCC, ransomware incidents are in fact up by 46% compared with March 2024. Note, as always, that these data are drawn from NCC’s own telemetry, and do not necessarily reflect the true scale of the problem.

“The slight decline in attacks in February is a bit of a red herring given the unprecedented levels we have seen over the past months, with the volume of incidents year-on-year increasing 46% in March,” said NCC threat intelligence head Matt Hull.

“As ever, we are seeing threat actors diversifying, and leveraging increasingly complex and sophisticated attack methods to stay ahead, not only to cause mass disruption, but to gain attention in the ransomware world.”

Last month, Babuk 2.0 appeared to be the most active threat group, accounting for 84 attacks, about 20% of those recorded, up 33% on January. Second place was shared by Akira and RansomHub, which both scored 62 victims, slightly down on February. In fourth place was the Safepay crew, which conducted 42 observed attacks after experiencing something of a fallow period.

However, there may be a second red herring in the barrel, observed Hull, as the emergence of Babuk 2.0 in particular is raising questions as to the legitimacy of their alleged attacks.

The original Babuk gang has claimed no connection to the new operation, and security researchers are generally united in the belief that Babuk 2.0 is fraudulent – more fraudulent than usual, at least – and is possibly recycling old leaked data and trying to use it to scare victims into paying out. Such tactics were similarly observed following the 2024 disruption to LockBit.

Broken down by sector, industrials was the most targeted last month, with 150 attacks – 27% of the total – observed. Consumer discretionary came in second with 124 attacks, down 55% on February.

By geography, North America remained the top target, with almost half of all observed attacks taking place in the region – more than double the number seen in EMEA, which saw 26% of attacks. APAC saw 14% of attacks, and South America 7%.

Hull said North America would likely remain a key focus for cyber criminal gangs in the coming months, given rising geopolitical tensions, and division stoked between the US and Canada, which may make Canadian organisations more likely to be victimised.