
NCC Group Monthly Threat Pulse – Review of January 2025

26 February 2025

Ransomware attacks continue to surge as January sets second consecutive monthly record  

  • Ransomware cases in January rose by 3% from December, with 590 attacks.
  • Akira was the most active threat group, responsible for 13% of attacks.
  • Industrials remain the most targeted sector, with 25% of attacks.
  • 72% of all cases globally took place in North America and Europe.

January 2025 — Global levels of ransomware attacks broke records in January, increasing both month-on-month and year-on-year, according to NCC Group's January Threat Pulse. January recorded an all-time monthly high of 590 attacks, an increase of 3% on December 2024's 574 and up from 276 in January 2024.

Akira dominates the ransomware threat landscape 

The threat group Akira was the most active in January, responsible for 74 attacks. In second position was Babuk2 with 63 attacks, followed by the resurgence of CL0P with 59 attacks, and Lynx in fourth with 42 attacks. 

Meanwhile, a newer threat group that rose to prominence in December, Funksec, fell to sixth place with 35 attacks.

 

Industrials remains in the crosshairs 

Industrials bore the brunt of attacks once again, with 149 attacks in January, accounting for 25% of all sectors targeted. This demonstrates the continued threat to Critical National Infrastructure (CNI). 
The Consumer Discretionary sector followed with 122 attacks, and in third position was Information Technology with 81 attacks. 

Almost three quarters of ransomware attacks targeted North America and Europe

North America remained the most targeted region, accounting for 50% of total global attacks (296). Europe was the next hardest-hit region with 22% of attacks (132). Asia took third place with 75 attacks in January, followed by South America with 46 attacks. 

 

Geopolitical turbulence continues to threaten global cyber security 

2024 was dubbed the year of global elections, and ongoing global instability in January continued to fuel the surge in ransomware attacks. Donald Trump’s inauguration last month was followed by swift executive orders that had repercussions for the global technology landscape, and his foreign policies are likely to disrupt international frameworks that are reliant on US support. Cybercriminals and state-sponsored actors have historically thrived in periods of instability, so threat groups that might be able to avoid direct attention from the Trump administration are well-positioned to exploit geopolitical vulnerabilities in this period of change. 

Simultaneously, NATO continues to grapple with suspected Russian sabotage of European undersea infrastructure, raising the risk of unintended military escalations. Nations accusing Russia of sabotage are likely to be more at risk from pro-Russian or state-backed hackers. The intersection of these developments amplifies cyber risks, as actors seek to exploit vulnerabilities amid geopolitical uncertainty. 

 

Matt Hull, Head of Threat Intelligence at NCC Group, said:

“January broke records once again with the highest volume of ransomware victims that we have ever seen. This unprecedented volume of attacks comes in stark contrast to the usual drop in volume that we have recorded previously in January. 

“There are a range of factors contributing to this high volume of attacks, including a turbulent global geopolitical landscape, the introduction of new threat groups and changes in their methods of attack. The rise of new ransomware groups, like Funksec, and cybercriminal tools, such as infostealer malware, are also making it much easier for cyber attackers to conduct attacks that are causing mass disruption. 

“It’s critical that businesses and governments take note of these record ransomware levels. Taking action to mitigate these risks is more crucial than ever, with continuous monitoring, comprehensive training, and robust cyber security measures proving essential. Organisations must remain vigilant and proactive in their defence strategies to protect against this growing threat.”

About NCC Group:

NCC Group is a people-powered, tech-enabled global cyber security and software escrow business.
 
Driven by a collective purpose to create a more secure digital future, c2,000 colleagues across Europe, North America, and Asia Pacific harness their collective insight, intelligence, and innovation to deliver cyber resilience for over 14,000 clients across the public and private sector.
 
With decades of experience and a rich heritage, NCC Group is committed to developing sustainable solutions that continue to meet clients’ current and future cyber security challenges.