Ransomware attacks up 50% in February, marking shift towards data theft and extortion tactics
- Ransomware cases in February rose by 50% from January with 886 attacks
- Cl0p was most active threat group, responsible for 37% of attacks
- Consumer Discretionary becomes most targeted sector, with 31% of attacks
- 83% of all cases globally took place in North America and Europe
March 2025 – Global levels of ransomware attacks broke records once again in February, increasing month-on-month and year-on-year, according to NCC Group's February Threat Pulse. February attacks reached an all-time monthly high of 886, an increase of 50% from January 2025 (590) and a 119% increase compared to February 2024 (403).
Cl0p leads as most aggressive threat actor
The threat group Cl0p drove ransomware activity in February, responsible for a staggering 330 attacks, a 460% increase from January (59). Cl0p’s figures were unusually high because of the bulk release of victims following the exploitation, in 2024, of two zero-day vulnerabilities in the file transfer software Cleo. Alongside the spike in the release of victims breached in previous months, Cl0p may also exaggerate its own claims to garner attention, so its number of attacks should be considered carefully.
In second position was RansomHub with 87 attacks, followed by Akira with 77 attacks, and Play in fourth with 43 attacks.
Consumer Discretionary overtakes Industrials as most targeted sector
Consumer Discretionary claimed the top spot for most targeted sector with 278 attacks in February, accounting for 31% of all attacks. This surge is likely linked to Cl0p and the Cleo vulnerability, as the software is increasingly being utilised by companies within this sector.
Industrials fell to second place for the first time in 14 months, since January 2024, with 191 attacks. Despite its fall, attacks in the sector still increased, rising from 149 in January.
North America top target, with over half of all attacks
North America remained the most targeted region, accounting for 65% of total global attacks (574), significantly more than Europe, the next hardest-hit region with 18% of attacks (159). With ongoing geopolitical tensions and major disruptions to its cyber security standards linked to the Department of Government Efficiency (DOGE), it’s likely that attacks in North America will continue to rise.
Asia took third place with 7% of attacks (64), followed by South America with 5% of attacks (42).
LockBit 4.0 reemergence(?) and the rising power of law enforcement
February marked the first anniversary of LockBit’s seizure. Since Operation Cronos, the group has maintained a low profile, with a significant decrease in victims on its leak site.
However, in December 2024, an alleged group admin announced the anticipated release of LockBit 4.0 in 2025, potentially signalling an effort to revive the group amidst ongoing law enforcement crackdowns. Despite this promise, LockBit has not yet had a significant resurgence in activity.
Law enforcement remains strong in 2025. The takedown of 8Base in February disrupted the group's activities, resulting in multiple arrests and the seizure of its infrastructure. Increasing global coordination is making these efforts more successful and making it much harder for groups to evade justice.
Matt Hull, Head of Threat Intelligence at NCC Group, said:
“Ransomware victim numbers hit record highs in February, surging 50% compared to January 2025, with Cl0p leading the charge. Unlike traditional ransomware operations, Cl0p’s activity wasn’t about encrypting systems—it was about stealing data at scale. By exploiting unpatched vulnerabilities in widely used file transfer software, much like we saw with MOVEit and GoAnywhere, they were able to exfiltrate sensitive information and will now start to pressure victims into paying.
“This shift towards data theft and extortion is becoming the go-to strategy for ransomware groups, allowing them to target more organisations and maximise their leverage over victims.
“Meanwhile, law enforcement is ramping up its efforts, and recent takedowns show that international collaboration is having a real impact. But as attackers evolve their tactics, defenders must do the same. Businesses need to move beyond reactive measures and take a proactive stance, ensuring vulnerabilities are patched, data is protected, and incident response plans are ready to go.”
About NCC Group:
NCC Group is a people-powered, tech-enabled global cyber security and software escrow business.
Driven by a collective purpose to create a more secure digital future, 2,000 colleagues across Europe, North America, and Asia Pacific harness their collective insight, intelligence, and innovation to deliver cyber resilience for over 14,000 clients across the public and private sector.
With decades of experience and a rich heritage, NCC Group is committed to developing sustainable solutions that continue to meet clients’ current and future cyber security challenges.
Contact
NCC Group Press Office
All media enquiries relating to NCC Group plc.