High-profile ransomware incidents affecting major UK retailers continue to grab headlines, but in the background, overall ransomware attack volumes appear to have eased off over the past few weeks, according to NCC Group’s latest monthly Threat Pulse report.
NCC’s extensive telemetry observed 416 ransomware attacks in April 2025, down 31% month on month, with 78% occurring in Europe and North America, the industrials category remaining the most prominent sector, and the Akira cyber crime crew the most active group on the scene, accounting for 16% of these.
However, although the statistics tell one story, the impact of ransomware was felt far more keenly in general, with incidents affecting the consumer discretionary category – that is to say, retail – and particularly the ongoing attacks on Marks and Spencer (M&S), Co-op and Harrods putting ransomware at the forefront of Britain’s national discourse.
These incidents, and a fourth developing attack at Peter Green Chilled – a supplier of cold-chain transit and stock management services to the supermarket sector – have spotlighted threats to the retail sector, which is already of interest to cyber criminals for several reasons, such as its high-profile nature and high-impact potential for disruption, said Matt Hull, NCC threat intelligence head.
“While the number of reported ransomware victims declined further in April, it would be a mistake to assume that this is a sign that the threat is fading,” said Hull.
“The recent attacks on the UK retail sector have laid bare just how disruptive and far-reaching these incidents can be. The reality is that this is only a glimpse of the broader threat landscape. Globally, many ransomware cases still fly under the radar, are under-reported or deliberately kept quiet,” he added.
“Geopolitical and economic uncertainty is also adding fuel to the fire, providing more lucrative targets and opportunities for attackers to strike.”
Active Akira, blustering Babuk
April saw the anime-referencing Akira ransomware gang scoop the dubious accolade for highest volume of attacks, accounting for 65 of those recorded by NCC’s systems. This was followed by Qilin with 49, Play with 42 and Lynx with 27.
Meanwhile, Babuk 2.0, which raised questions earlier in the year as to whether it was conducting new attacks or merely recycling data from old ones, dropped away, with just 16 hits to its name.
NCC said it had found that Babuk 2.0 was indeed likely falsifying its data, which is not in and of itself a new strategy. Other gangs have tried this in the past, generally those looking to inflate their notoriety, and this may have been the case here.
The researchers explained that Babuk 2.0’s claims of ransomware attacks on prominent government institutions, and even the likes of Amazon and Chinese shopping platform Taobao, were bold ones, but likely nonsense given none of those “affected” confirmed any breaches and all have significant security resources of their own. It would also be difficult for any ransomware gang to breach multiple large organisations in this way in such a short space of time.
“Babuk 2.0’s lack of credibility makes such attacks questionable. Upon further investigation by NCC, 119 out of 145 claims made by Babuk 2.0 in Q1 2025 were associated with another ransomware group or could be linked to a previous large-scale breach,” said the researchers.
Actions like this exemplify how ransomware gangs change up their tactics in the hope of scoring a payout, leveraging public relations strategies to attract media attention, placing their alleged victims in the spotlight and damaging their public image. When these tactics work, said NCC’s researchers, it is more often than not because the victim is embarrassed into handing over money to make the problem go away.
Weaponised PDFs
This month’s report also highlighted an emerging danger in the ransomware infection chain – the use of weaponised PDF files, which are beginning to be used at scale to exploit software vulnerabilities, fool users and spread malware. According to Check Point statistics, 22% of malicious email attachments now arrive in the form of a PDF.
NCC said such documents are becoming more deceptive and technically advanced, with the help of generative artificial intelligence (GenAI). Many threat actors are now embedding malicious PDFs tailored to individual recipients into their phishing campaigns.
Unfortunately, this trend looks set to go mainstream, said NCC, because users seem willing to trust PDFs more than other documents, such as Microsoft Office files.
Security teams should consider adapting their policies and educating users on the potential dangers of PDF files, and consider deploying tools such as email gateways with sandboxing and behavioural analysis features, using endpoint detection and response (EDR) to monitor PDF readers, disabling unneeded JavaScript functions, and patching Adobe vulnerabilities as they arise – a series of three flaws in Acrobat Reader discovered in March likely contributed to the problem.
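As an added illustration of the gateway inspection and JavaScript advice above (example code written for this page, not taken from NCC Group’s report), the Python below triages raw PDF bytes for name objects that carry or trigger active content, including names hidden with hex escapes. The verdict policy, the list of names checked and the sample bytes are assumptions constructed for the example.

```python
import re

# PDF name objects that carry or trigger active content (list chosen for this example).
RISKY_NAMES = {
    "JavaScript": "embedded JavaScript",
    "JS": "embedded JavaScript",
    "OpenAction": "action run when the document opens",
    "AA": "additional (event-triggered) actions",
    "Launch": "launches an external program",
    "EmbeddedFile": "embedded file attachment",
}

NAME_TOKEN = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, which PDF allows inside names and which
    can hide keywords such as /J#61vaScript from naive string filters."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count risky name objects in raw PDF bytes (uncompressed parts only)."""
    if not data.lstrip().startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    counts = {}
    for match in NAME_TOKEN.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts

def verdict(counts: dict) -> str:
    """Gateway policy assumed for this example: quarantine anything that can
    run script or start a program, send other active content to a sandbox."""
    if {"JavaScript", "JS", "Launch"} & counts.keys():
        return "quarantine"
    return "sandbox" if counts else "deliver"

# Constructed samples: a minimal PDF fragment whose open action runs
# obfuscated JavaScript (a harmless alert), and a fragment with no active content.
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert\\('demo'\\);) >>\nendobj\n%%EOF\n")
BENIGN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        found = triage_pdf(blob)
        print(label, found, verdict(found))
```

Names inside compressed object streams are invisible to a byte-level scan like this, so a clean result only means the file still needs the sandboxing and behavioural analysis step, not that it is safe.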
“It’s only getting harder for individuals and organisations, who need to be forever alert,” said Hull. “In this climate, a strong and embedded security culture is not optional; it’s a critical enabler of organisational resilience. It’s more important than ever for organisations to maintain a strong security culture, respond quickly to emerging threats and adapt to shifting tactics – all the while staying ahead of adversaries that never stop evolving.”