Ransomware Attacks Show Significant Fluctuation in March 2025, According to NCC Group’s Threat Pulse Report
According to NCC Group’s latest Threat Pulse report, ransomware attacks decreased by 32% month-over-month in March 2025, totaling 600 reported cases. The report provides insights into the ever-evolving landscape of cyber threats.
Despite this marked decline compared to the preceding month, the report highlighted a concerning trend: ransomware incidents surged by an alarming 46% year-over-year. This juxtaposition prompts questions regarding the current state of cyber threats and the underlying factors driving these trends.
Matt Hull, the Head of Threat Intelligence at NCC Group, commented on the report’s findings, suggesting that the decrease in March may be misleading. He referred to the dip as a “red herring,” pointing out that it followed a period characterized by unprecedented levels of attacks in the months leading up to March. Hull warned that cybercriminals continue to innovate, diversifying their tactics and employing increasingly complex methodologies to maintain their edge in the ransomware arena. “As ever, we are seeing threat actors diversifying and leveraging increasingly complex and sophisticated attack methods to stay ahead – not only to cause mass disruption but to gain attention in the ransomware world,” he noted, underscoring the challenges facing organizations in protecting their digital assets.
A regional analysis revealed that North America bore the brunt of these attacks, accounting for approximately 48% of total incidents in March. NCC Group attributed this significant proportion to escalating geopolitical tensions, especially those involving the United States and Canada. The report indicated that as political divisions continue to fester, particularly under the leadership of President Trump, the risk of cyber-attacks targeting Canada and related international organizations is likely to increase. “It’s likely that attacks in North America will continue to dominate, with rising political tensions and division heightening geopolitical friction,” the report stated.
In a concerning development, the threat actor known as Babuk2 emerged as the most active group during March, claiming responsibility for 84 attacks that comprised 20% of the total ransomware incidents. Originating in January 2025, Babuk2 has recorded 145 attacks in the first quarter of this year. However, NCC Group raised significant doubts over the legitimacy of Babuk2’s claims, highlighting that the group frequently fails to provide verifiable evidence of actual breaches. Moreover, the original Babuk group has publicly disavowed any connection to this new entity. “The security community and ransomware actors alike believe that Babuk 2.0 is a fraudulent group, recycling data from previous breaches and claiming them as their own,” the report asserted.
Following closely behind Babuk2 in the attack frequency rankings were the Akira and RansomHub groups, each reporting 62 claimed attacks, while Safepay completed the list with 42 incidents. The prominence of Akira and RansomHub can be partly attributed to their lucrative ransomware-as-a-service (RaaS) models, which appeal to affiliates seeking to collaborate with these groups. Akira operates on an 80/20 commission split favoring affiliates, while RansomHub boasts an even more enticing 90/10 division.
In a broader analysis of the first quarter of 2025, the Clop ransomware gang was identified as the most prolific actor, responsible for 19% of the total ransomware attacks. Notably, these Clop attacks predominantly stemmed from the exploitation of two zero-day vulnerabilities found in Cleo software late in 2024. Overall, it was reported that a striking 45% of ransomware incidents during the quarter could be attributed to four primary groups: Clop, Akira, RansomHub, and Babuk2.
As organizations navigate this challenging cyber threat landscape, the findings of the NCC Group’s Threat Pulse report serve as a reminder of the constant evolution of ransomware tactics and the need for robust cyber defenses. The intelligence community, along with business leaders, must remain vigilant and proactive in mitigating the risks posed by these ever-adaptive cybercriminals.