Ransomware Attacks Rise for the First Time in Six Months
Ransomware attacks have risen for the first time in six months, increasing by 28% month-on-month to 421 attacks. While overall attack volume remained below 500, the uptick may signal a renewed escalation heading into the year’s most active period for cyber criminals.
The Industrials sector continued to bear the brunt of ransomware activity, accounting for29% (120) of all attacks in September. Also, the most targeted sector for Q3, with 30% (342) of attacks, it’s clear that Industrials is a highly attractive target for cyber criminals, even as public attention remains on consumer-facing breaches.
Consumer Discretionary (which includes automotive manufacturers, retail businesses, and leisure facilities) followed with 76 attacks, while Financials moved to third place with 47 attacks. The continued targeting of financial institutions highlights attackers’ strategic focus on accessing financial data, and reflects a broader trend of ransomware campaigns to maximize monetary gain.
North America and Europe accounted for three quarters (75%) of all global attacks, amounting to 317 last month. Notably, the ransomware attack on major European airports led to significant disruption. Airlines were forced to switch to manual operations, which caused delays, cancellations, and passenger congestion. The attack is a stark reminder of the vulnerability of critical infrastructure.
Qilin led the pack in September, taking responsibility for 14% (58) of attacks. The group also remained the most prominent threat actor for the quarter, with 13% (151) of all attacks. Its focus on data-centric, financially lucrative, and supply-chain dependent industries - such as Industrials and Consumer Discretionary - suggests an intent to maximize operational disruption and leverage extortion.
Throughout the quarter, new groups, including The Gentlemen and Interlock, emerged. New players signal a shift in the threat landscape, where the smaller actors now leverage shared infrastructure and leaked builder kits to establish their scale. This demonstrates how the threat ecosystem continues to diversify and evolve.
Geopolitical tensions in September intensified global cyber risks. China’s summit with non-Western leaders signaled a direct challenge to the US-led order, while Russian military drills and ransomware attacks on European airports exposed the rising threat of hybrid warfare. And in the Middle East, Israeli strikes in Qatar and growing recognition of Palestine further deepened international divisions. Together, these events highlight a volatile global landscape where ransomware and cyber operations are increasingly used as tools of strategic influence and disruption.
Matt Hull, Head of Threat Intelligence at NCC Group:
“From high-profile supply chain breaches and persistent ransomware activity, to the influence of geopolitical tensions on cyber operations, organizations are facing increasingly adaptive and sophisticated threat actors.
“The rise in attacks in September could be a sign that the decline we’ve seen recently is now over. As we approach the busy season for attackers – with Black Friday and Christmas fast approaching – organizations can’t be complacent. Recent attacks on the transport and retail sector, specifically, have shown just how severe the disruption can be. So, organizations need to ensure they have robust third-party risk management, rapid incident response, and proactive security strategies.”