NCC warns of surge in ransomware & insider threats
NCC Group reported a sharp rise in ransomware activity in December, with the Qilin gang the most active threat group and a notable increase in attempts to recruit insiders.
The consultancy said global ransomware attacks rose 13% in December compared with November, reaching 783 incidents. It said ransomware levels increased for the fourth consecutive month. NCC Group linked the rise to a seasonal pattern, with gangs targeting organisations during the holiday period.
Qilin accounted for 22% of all attacks recorded in December, according to NCC Group. The group's activity rose 68% during the month, the report said.
Akira ranked as the second most active group in December with 10% of attacks. NCC Group said Qilin recorded 92 more attacks than Akira during the month, which it described as a 12% gap in share. Akira's activity fell 4% compared with November, the consultancy said.
LockBit5 was responsible for 9% of attacks in December, according to the report.
NCC Group said industrials saw the largest share of ransomware attacks in December at 29%. Consumer Discretionary accounted for 22% and Information Technology 10%.
Insider recruitment
NCC Group said ransomware-as-a-service gangs have expanded structured affiliate models and have increased efforts to recruit employees, contractors and trusted partners inside targeted organisations. It said this approach gives criminals legitimate access to credentials, systems and internal processes.
The firm said criminals often focus on staff with wide-ranging access, including IT and technical roles. It said a single compromised account can provide multiple routes through an organisation's systems.
NCC Group also said financial incentives drive recruitment. It said gangs offer large commissions and promised anonymity to encourage collaboration.
The report cited an incident from September 2025 involving the Medusa ransomware gang. It said Medusa attempted to recruit a BBC employee and offered 15% of a future ransomware payment in exchange for access to internal systems. It said the offer later increased to 25%.
Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said: "Targeting high-profile organizations like the BBC is both financially attractive and commercially strategic. Even limited success against a well-known brand can generate notoriety and credibility, helping groups attract future affiliates and opportunities. Well-resourced groups like Medusa and Qilin can afford to use financial incentives to attract insiders, but smaller gangs often lack the means to compete.
"For organizations, this shifts the focus from purely technical defence to human risk management. Insider threat programmes, strong access governance and robust offboarding processes are critical to reducing the risk that current or former employees become part of the ransomware supply chain."
Professionals involved
NCC Group said recruitment efforts also extend to cyber security professionals. It cited a case in December 2025 in which two cyber security professionals pleaded guilty to collaborating with BlackCat/ALPHV. NCC Group said they admitted involvement in ransomware attacks against five US-based organisations, including companies in healthcare and manufacturing.
The consultancy said the case appeared to be among the first documented examples of cyber professionals using technical expertise and knowledge of security processes to support ransomware-as-a-service activity.
Hull said: "Ransomware has evolved into an organized business model. These groups now think in terms of recruitment, incentives, scale and growth, rather than just attacks.
"What's striking is that these tactics aren't new. Trust, deception, social engineering and financial pressure have always worked; they're just being organized and scaled in new ways. The recruitment of cyber security professionals shows how far this has gone: ransomware groups are exploiting expertise, access and human trust to operate like structured criminal enterprises."
NCC Group said its report also covers geopolitical developments and authorisation sprawl, alongside its assessment of ransomware trends.