SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Ransomware attacks down 31% but retail sector hit hard

Today

Ransomware attacks declined globally by 31% in April, as reported by cybersecurity consultancy NCC Group.

NCC Group registered 416 attacks during the month, marking the second consecutive monthly decline after what analysts described as a record-breaking start to the year for ransomware-related incidents. Despite this downturn, cybersecurity professionals caution that the threat landscape remains complex, with targeted attacks continuing against key industries and high-profile organisations.

The retail sector was thrust into the spotlight in April as several prominent UK companies became victims of ransomware attacks. Supermarkets such as M&S and the Co-op, along with luxury retailer Harrods, experienced disruptions. These incidents highlighted the persistent risk to retailers, a sector attractive to cybercriminals because of the potential impact of operational disruption, the value of customer data, and the prospect of large ransom payments.

Scattered Spider, a cybercriminal collective, claimed responsibility for attacks on both M&S and the Co-op. The group has actively publicised its actions, raising pressure on affected businesses and attracting attention among other threat actors.

The NCC Group report notes a significant shift in the ransomware landscape among criminal organisations. Akira became the most active threat group in April, responsible for 65 attacks and accounting for roughly 16% of all cases that month. Its activity rose slightly from 62 attacks attributed to the group in March.

Qilin was identified as the second most active group, carrying out 49 attacks, followed by Play, which was responsible for 42 incidents over the same period.

Babuk2, which led ransomware activity in March with 84 recorded attacks, saw activity drop sharply to 16 in April, an 81% decrease. The report suggests this decline could be linked to increased scepticism within the cybercriminal community regarding the group's legitimacy. There are doubts about Babuk2's claims that it represents the original Babuk ransomware group, which may have led to a reduction in activity as the group sought to avoid scrutiny.

Industrial companies continued to face the highest levels of targeting, with 32% of all April attacks affecting the sector. Consumer Discretionary businesses, which include many retailers, experienced 73 attacks. This represents a decline from 124 such incidents in March, but supply chains and significant holdings of customer data continue to make the sector a valuable target for criminals.

The report also examined evolving tools and tactics, drawing attention to the growing use of weaponised PDFs in cyberattacks. PDFs, commonplace in business communications, are increasingly used to exploit software vulnerabilities, distribute malware, and deceive users. The sophistication of such attacks is rising, with spear phishing campaigns now deploying malicious PDF files tailored to individuals and organisations, sometimes using zero-day exploits and advanced evasion techniques.

The adoption of artificial intelligence is further complicating the picture, with attackers using AI to create more convincing phishing lures. The widespread shift to remote work environments has also made it more difficult to secure the boundaries between personal and professional digital activity, increasing the risks around everyday document handling.

Matt Hull, Head of Threat Intelligence at NCC Group, commented: "While the number of reported ransomware victims declined further in April, it would be a mistake to assume that this is a sign that the threat is fading. The recent attacks on the UK retail sector have laid bare just how disruptive and far-reaching these incidents can be. This is only a glimpse of the broader threat landscape. Globally, many ransomware cases still fly under the radar, and are under-reported or deliberately kept quiet."

He added: "Geopolitical and economic uncertainty is also adding fuel to the fire, providing more lucrative targets and opportunities for attackers to strike. And with increasingly convincing methods of attacks, such as weaponised PDFs, it's only getting harder for individuals and organisations who need to be forever alert."

"In this climate, a strong and embedded security culture is no longer optional; it is a critical enabler of organisational resilience. It's more important than ever for organisations to maintain a strong security culture, respond quickly to emerging threats, and adapt to shifting tactics - all the while staying ahead of adversaries that never stop evolving."
