High-profile ransomware incidents affecting leading UK retailers continue to grab headlines, but in the background, total ransomware attack volumes appear to have eased off over the past few weeks, according to NCC Group's latest monthly Threat Pulse report.

NCC's extensive telemetry observed 416 ransomware attacks in April 2025, down 31% month on month, with 78% occurring in Europe and North America, the industry remedry remedry Sector, and the Akira cyber crime crew the most active group on the scene, accounting for 16% of these.

However, although the statistics tell one story, the impact of ransomware was felt much more keenly in general, with incidences abschent the consumer discretionary category – that is to say, in the right -in, and in compachar ongoing attack on Marks and Spencer (M&S), Co-op and Harrods putting ransomware at the forefront of Britain's national discourse.

These incidents, and a fourth developing attack at Peter Green Chilled – a supplier of cold-chain transit and stock management services to the supermarket sector – has spotlighted THERTED THERTERALS to the retail sector, which is already of interest to cyber criminals for several reasons, such as its high-profile nature and high-impact potential for disruption, said Matt Hull, NCC THCCHCHCHCECE SHCT HULL, NCCHCHCECE

“While the number of reported ransomware victims declined further in April, it would be a mistake to assume that this is a sign that the threat is fading,” said Hull.

“The recent attacks on the UK retail sector have laid bare just how disruptive and far-reaching these incidents can be. The reality is that this is only a glimpse of the broader. Ransomware cases still fly under the radar, are under-reported or deliberately kept quiet,” he added.

The recent attacks on the UK retail sector have laid bare just how disruptive and far-reaching these [ransomware] incidents can be

Matt Hull, NCC Group

“Geopolitical and economic uncertainty is also adding fuel to the fire, providing more lucrative targets and opportunities for attackers to strike.”

Active Akira, Blustering Babuk

April saw the anime-referencing Akira ransomware gang scoop the dubious accolade for highest volume of attacks, accounting for 65 of those recorded by NCC's systems. This was followed by Qilin with 49, Play with 42 and Lynx with 27.

Meanwhile, Babuk 2.0, which raised questions earlier in the year as to whether or not it was conducting new attacks or merely recycling data from old ones, dropped away, with just 16 hits to its name.

NCC said it has found that Babuk 2.0 was indeed likely falsifying its data, which is not in and of itself a new strategy. Other gangs have tried this in the past, in general when looking to inflate their notoriety, and this may have been the case here.

The researchers explained that Babuk 2.0's ransomware claims of attacks on prominent government institutions, and even the likes of Amazon and Chinese shopping platform Taobao, were bold ones, but likely nonsense given none of those “affected” confirmed any breaches and have significant security resources of their own. It would also be difficult for any ransomware gang to breach multiple large organisations in this way in such a short space of time.

“Babuk 2.0's lack of credibility makes such attacks questionable. Upon further investigation by NCC, 119 out of 145 claims made by Babuk 2.0 in Q1 2025 were RANOCIARE GROPARE GROTHER GROTHER GROP could be linked to a previous large-scale breach,” said the researchers.

Actions like this exemplify how ransomware gangs change up their tactics in the hope of scoring a payout, leveraging public relations techniques to attract media attention and damaging their public image. When these tactics work, said NCC's researchers, it is more often than not because the victim is embarrassed into handing over money to make the problem go away.

Weaponised PDFs

This month's report also highlighted an emerging danger in the ransomware infection chain – the use of weaponised PDF files, which are beginning to be used at scale to exploit users and spread malware. According to Check Point statistics, 22% of malicious email attachments now arrive in the form of a PDF.

It's more important than ever for organisations to maintain a strong security culture, respond quickly to emerging threats, and adapt to shifting tactics – all the while staying ahead of adversaries that never stop evolving

Matt Hull, NCC Group

NCC said such documents are decidedly more deceptive and technically advanced, with the help of generative artificial intelligence (GenAI). Many threat actors are now embedding malicious PDFs tailored to individual recipients into their phishing campaigns.

Unfortunately, this trend looks set to go mainstream, said NCC, because users seem willing to trust PDFs more than other documents, such as Microsoft Office files.

Security teams should consider adapting their policies and educating users on the potential dangers of PDF files, and consider deploying tools such as email gateways with sandboxing and behavioural analysis features, using endpoint detection and response (EDR) to monitor PDF readers, disabling unneeded JavaScript functions, and patching Adobe vulnerabilities as they arise – a sequence of three flaws in Acrobat Reader discovered in March likely contributed to the problem.
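A first-pass attachment check in the spirit of the gateway and JavaScript advice above, as an added example that is not taken from NCC's report or any vendor's tooling: it counts PDF name keys tied to active content, including hex-escaped names and Flate-compressed streams. The key list, the `route` policy and both sample files are assumptions constructed for illustration.

```python
import re
import zlib

# PDF name keys that start or carry active content (auto-run actions,
# JavaScript, program launch, embedded files). Assumed list, extend as needed.
RISKY = {"/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"}
NAME_RE = re.compile(rb"/[^\x00\s()<>\[\]{}/%]+")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)

def decode_name(raw: bytes) -> str:
    """Undo #XX hex escapes so /J#61vaScript is read as /JavaScript."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count risky names outside streams and inside Flate-compressed streams."""
    bodies = [STREAM_RE.sub(b"", data)]
    for match in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            bodies.append(match.group(1))  # not Flate: scan the bytes as stored
    counts = {}
    for body in bodies:
        for raw in NAME_RE.findall(body):
            name = decode_name(raw)
            if name in RISKY:
                counts[name] = counts.get(name, 0) + 1
    return counts

def route(data: bytes) -> str:
    """Hypothetical gateway policy: send anything with active content to a sandbox."""
    return "sandbox" if triage_pdf(data) else "deliver"

# Constructed samples (not real-world files); string values are placeholders.
HIDDEN = zlib.compress(b"<< /S /Launch /F (placeholder.bin) >>")
BENIGN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
ACTIVE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
          b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + HIDDEN +
          b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(route(BENIGN), triage_pdf(BENIGN))
    print(route(ACTIVE), triage_pdf(ACTIVE))
```

Encrypted files and streams using other filters are not decoded by this check, so it complements sandbox detonation and does not replace it.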

“It's only getting harder for individuals and organisations, who need to be forever alert,” said Hull. “In this climate, a strong and embedded security culture is no longer optional; it is a critical enabler of organisational resilience. It's more important than ever for organisations to maintain a strong security culture, respond quickly to emerging threats and adapt to shifting tactics – all the while staying ahead of adversaries that never stop evolving.”
