26 June 2025
Ransomware attacks targeting the retail sector increased by 40% in May compared to April, according to recent findings from NCC Group. While global ransomware activity saw a slight decrease of 6% in May — with 393 attacks recorded worldwide — security experts caution that this decline does not equate to diminished risk, especially given evolving cybercriminal strategies and ongoing geopolitical tensions.
The report highlights that the industrial sector continued to be the primary target, accounting for 30% of all ransomware cases in May, or 118 incidents. However, the consumer discretionary sector, including retail, experienced a significant uptick, with attacks rising from 73 in April to 102 in May. Experts attribute this surge to the sector’s attractiveness as a high-value target, given the potential for disrupting payment systems, accessing consumer data, and extracting substantial ransom payments.
Several prominent retailers faced cyberattacks during this period, including Victoria’s Secret, Adidas, Cartier, and Peter Green Chilled. Additionally, the hacking group known as Scattered Spider claimed responsibility for targeted attacks on Marks & Spencer and the Co-op. Industry analysts from Google Threat Intelligence Group and Mandiant have observed a shift in Scattered Spider’s focus towards the US retail sector, where the abundance of large enterprises offers lucrative targets. Although attribution remains challenging, the techniques associated with Scattered Spider were detected in multiple US-based incidents.
In a notable development, Safepay emerged as the most active threat actor in May, responsible for 18% of all ransomware attacks — 70 incidents in total. NCC Group described this as the first time Safepay has ranked among the top ten most prolific threat groups since its emergence in November 2024. Experts suggest that Safepay may be a rebranding of other notorious groups such as LockBit, Alph V, or INC Ransomware, which could explain its sudden surge in activity and sophistication.
Other trends included the Play gang rising to second place with 44 attacks, up from previous rankings, while Qilin dropped to third with 42 incidents. The previously leading group, Akira, experienced a 46% decline, recording 35 attacks in May.
Most ransomware activity continued to be concentrated in North America and Europe, which together accounted for 79% of global incidents. North America alone experienced half of all attacks, with 193 cases, while Europe accounted for 112. Asia and South America represented 13% and 4% of global attacks, respectively.
The report also addressed a rising concern: the vulnerability of artificial intelligence (AI) systems to prompt injection attacks. As AI models become more integrated into sectors such as healthcare and finance, threat actors are exploiting weaknesses through carefully crafted prompts designed to bypass security controls, access sensitive data, or manipulate outputs. NCC Group found that 56% of tested AI models were susceptible to such attacks, highlighting the need for stronger defensive measures. Recommendations include adversarial training, advanced detection techniques, secure memory management, and human oversight, alongside the development of industry guidelines.
"Despite recent declines, the threat landscape remains volatile. The rise of new actors like Safepay and vulnerabilities in AI systems underscore the need for sustained vigilance and resilience across industries and governments,” said Matt Hull, NCC Group’s Global Head of Threat Intelligence.
Hull also highlighted the broader geopolitical context, citing ongoing tensions between the US and China, potential espionage risks, and the evolving threat landscape driven by global instability and international relations.
With cyber threats continuing to evolve rapidly, experts warn that organisations and nations must maintain robust security measures to safeguard critical infrastructure and business operations against emerging risks.
