Alliances between ransomware groups tied to recent surge in cybercrime


A seasonal surge in malicious activity combined with alliances between ransomware groups led to a 41% increase in attacks between September and October. Cybercriminal group Qilin continues to be the most active ransomware peddler, responsible for 170 of 594 attacks (29%) in October, NCC Group reports.

Sinobi and Akira followed with 15% of ransomware attacks, rounding out the top three most active ransomware groups in October 2025.

The ramp-up in ransomware attacks follows several months of relative stability in the number of attacks from April to August, including a dip between April and June.

Activity began to pick up at the end of the Northern Hemisphere summer, with September recording a 28% month-on-month increase – momentum that has now accelerated into October’s spike, NCC reports.

The October surge indicates that threat actors are intensifying their operations ahead of what is typically the most active period for cyber crime. “The fourth ‘golden quarter’ of the year sees peak consumer spending from Black Friday, Cyber Monday, and Christmas, presenting greater opportunity for cyber threat actors,” according to NCC.

NCC Group’s stats are derived from actively monitoring leak sites favoured by each ransomware group. Of the 594 attacks in October, industrials remained the most targeted sector, with 28% (167) of all attacks. Consumer discretionary (which includes automotive manufacturers, retail businesses, and leisure facilities) suffered 124 attacks. Healthcare moved to third place with 64 attacks.

North America was hit hardest by ransomware attacks, suffering over half of these incidents (62%), compared to Europe (17%) and Asia (9%).

An annual study from Guidepoint Security found a 57% year-over-year increase in active ransomware groups. At the same time, ransomware victim numbers have stabilized at approximately 1,500-1,600 per quarter since Q4 2024, according to figures from Guidepoint.

Ransomware groups’ alliances: axis of evil

New players and alliances between ransomware groups contributed to the overall increase in ransomware attacks in October.

For example, the newly relaunched LockBit 5.0 group has aligned itself with other prominent ransomware-as-a-service (RaaS) groups DragonForce and Qilin.

Alliances between threat groups enable the sharing of tools, infrastructure and tactics to make their attacks more effective.

“The alliance between LockBit, DragonForce and Qilin combines technical expertise, resources and infrastructure, creating a network capable of sustaining large-scale ransomware operations whilst complicating attribution and response for organisations and law enforcement,” according to NCC.

Although no coordinated attacks have been confirmed yet, these loose alliances could act as a recruiting tool for affiliates.

“The partnership is also likely aimed at rebuilding LockBit’s reputation within the cybercrime community, reassuring affiliates of its continued relevance and operational capacity following the 2024 law enforcement disruptions,” NCC adds.

Elsewhere, new entrants in the form of The Gentlemen ransomware group burst onto the threat landscape with 21 attack claims against healthcare, financial services and IT firms, among others.

“Part of the reason we are seeing more ransomware groups and variants in the landscape is the increasingly lowered technical barrier to entry for cyber crime,” according to NCC. “Ransomware builders have been consistently leaked or released, meaning that threat actors with low levels of technical sophistication are still able to conduct effective campaigns.”

Ransomware groups change tactics to evade law enforcement

The latest quarterly study from Rapid7 also found that newly forged alliances are leading to a spike in ransomware activity, adding that tactical innovations, from refined extortion to double extortion and the use of zero-days, are also playing a part in increased malfeasance.

The quarter also saw 88 active ransomware groups, up from 65 in Q2 and 76 in Q1, signalling an increase in activity as well as highlighting the changing shape of a febrile threat environment.

Groups such as Qilin, SafePay, and WorldLeaks led a wave of alliances targeting industries like business services, manufacturing, and healthcare, Rapid7 reports.

These same groups began experimenting with file-less operations, single-extortion data leaks, and affiliate service offerings such as ransom negotiation assistance, where a more senior member of the group partners with a less experienced player to extort the victim.

Cyber extortion incident response firm Coveware reports that remote access compromise, phishing/social engineering, and software vulnerability exploitation remain at the core of intrusion activity, but the distinctions between them are increasingly blurred.

“Adversaries increasingly obtain access not just by logging into a system, but by convincing someone else to provision it for them,” Coveware explains. “Campaigns that blurred these lines, such as those impersonating SaaS support teams or abusing help-desk processes to gain OAuth authorization, demonstrated how human trust can be engineered into a technical foothold.”

Credential-based intrusions through VPNs, cloud gateways, and SaaS integrations continued to serve as the prime vector of ransomware attacks.

Coveware's Q3 2005 ransomware study identified Akira and Qilin as the two most prominent ransomware variants doing the rounds. Some ransomware groups are rebranding as data-theft-only outfits, ditching file encryption as an extortion tactic, Coveware adds.

Review and reinforce cybersecurity measures

Matt Hull, head of threat intelligence at NCC Group, said more than 200 ransomware variants have been identified so far this year.

“As ransomware activity accelerates and notable attacks continue to cause widespread economic and operational disruption, vigilance is more critical than ever. Organisations should use this moment to reinforce their security measures and test incident response plans,” Hull said. “Proactive monitoring, staff awareness, and secure backups remain key as we move into the year’s peak threat season.”
