- Global ransomware volume reached 594 attacks in October marking a 41% increase from September
- Qilin continues to be the most active threat group, responsible for almost a third (29%) of all attacks
- Industrials remained the most targeted sector, with 28% (167) of all attacks
- Over three-quarters (79%) of attacks took place across North America and Europe
Ransomware attacks rose sharply in October, increasing 41% month-on-month to 594 incidents, according to global cyber security firm NCC Group’s monthly Threat Intelligence Report. The surge indicates that threat actors are intensifying their operations ahead of what is typically the most active period for cyber crime. The fourth ‘golden quarter’ of the year sees peak consumer spending from Black Friday, Cyber Monday, and Christmas, presenting greater opportunity for cyber threat actors.
This escalation follows several months of relative stability in the number of attacks from April to August, including a dip between April and June. Activity began to pick up at the end of the summer, with September recording a 28% month-on-month increase – momentum that has now accelerated into October’s spike.
Industrials remain under fire
The Industrials sector continued to bear the brunt of ransomware activity, accounting for 28% (167) of all attacks in October. Consumer Discretionary (which includes automotive manufacturers, retail businesses, and leisure facilities) closely followed with 124 attacks, while Healthcare moved to third place with 64 attacks.
North America suffers over half of global attacks
North America and Europe accounted for more than three-quarters (79%) of all global attacks in October, totaling 473. North America was hit hardest, suffering over half of these incidents (62%), compared to Europe (17%) and Asia (9%).
Qilin extends dominance
Qilin, the most prominent actor last month and throughout Q3, remains the most prolific ransomware actor in October with 29% (170) of all attacks attributable to the group. Known for its precision targeting and double-extortion techniques, Qilin continues to dominate the threat landscape, leveraging tactics to maximise impact and pressure victims into compliance.
Sinobi followed with 15% of attacks (65), closely trailed by Akira, which ranks among the top three most active ransomware groups in 2025, accounting for 15% (64).
New alliances ramp up ransomware levels
Although Qilin held the top spot, new players and alliances between ransomware groups contributed to the overall increase in ransomware attacks in October.
The Gentlemen ransomware group has become a more prevelant player in the threat landscape and with the return of LockBit, there is a growing number of active players that are targeting key sectors. Having made 21 public ransomware attack claims globally, the group has targeted sectors including healthcare, financials, IT and consumer discretionary.
And as part of its return with the launch of LockBit 5.0, the group has appeared to align with other prominent RaaS groups DragonForce and Qilin. Alliances between threat groups enable the sharing of tools, infrastructure and tactics. Although no coordinated attacks have been confirmed yet, suspicions may work as a useful tool for attracting additional groups, and in turn, complicate attacks similar to those we have seen from Scattered Spider and ShinyHunters.
Matt Hull, head of Threat Intelligence at NCC Group, said: “October marks a seasonal shift in the ransomware landscape as we enter one of the more active periods of the year for cyber criminals. The surge has been fueled by the rise of new groups such as The Gentlemen and an expanding range of ransomware variants, with over 200 identified so far this year.
“As ransomware activity accelerates and notable attacks continue to cause widespread economic and operational disruption, vigilance is more critical than ever. Organisations should use this moment to reinforce their security measures and test incident response plans. Proactive monitoring, staff awareness, and secure backups remain key as we move into the year’s peak threat season.”
Read the report: Cyber Threat Intelligence Reports | NCC Group
