High-profile ransomware incidents affecting leading UK retailers continue to grab headlines, but in the background, total ransomware attack volumes appear to have eased off over the past few weeks, according to NCC Group’s latest monthly Threat Pulse report.
NCC’s extensive telemetry observed 416 ransomware attacks in April 2025, down 31% month on month, with 78% occurring in Europe and North America, the industrials category remaining the most prominent sector, and the Akira cyber crime crew the most active group on the scene, accounting for 16% of these.
However, although the statistics tell one story, the impact of ransomware was felt much more keenly in general, with incidents affecting the consumer discretionary category – that is to say, retail – and in particular the ongoing attack on Marks and Spencer (M&S), Co-op and Harrods putting ransomware at the forefront of Britain’s national discourse.
These incidents, and a fourth developing attack at Peter Green Chilled – a supplier of cold-chain transit and stock management services to the supermarket sector – have spotlighted threats to the retail sector, which is already of interest to cyber criminals for several reasons, such as its high-profile nature and the high potential impact of disruption, said Matt Hull, NCC threat intelligence head.
“While the number of reported ransomware victims declined further in April, it would be a mistake to assume that this is a sign that the threat is fading,” said Hull.
“The recent attacks on the UK retail sector have laid bare just how disruptive and far-reaching these incidents can be. The reality is that this is only a glimpse of the broader threat landscape. Globally, many ransomware cases still fly under the radar, are under-reported or deliberately kept quiet,” he added.
“Geopolitical and economic uncertainty is also adding fuel to the fire, providing more lucrative targets and opportunities for attackers to strike.”
Active Akira, blustering Babuk
April saw the anime-referencing Akira ransomware gang scoop the dubious accolade for highest volume of attacks, accounting for 65 of those recorded by NCC’s systems. This was followed by Qilin with 49, Play with 42 and Lynx with 27.
Meanwhile, Babuk 2.0, which raised questions earlier in the year as to whether or not it was conducting new attacks or merely recycling data from old ones, dropped away, with just 16 hits to its name.
NCC said it had found that Babuk 2.0 was indeed likely falsifying its data, which is not in and of itself a new strategy. Other gangs have tried this in the past, in general those looking to inflate their notoriety, and this may have been the case here.
The researchers explained that Babuk 2.0’s claims of ransomware attacks on prominent government institutions, and even on the likes of Amazon and Chinese shopping platform Taobao, were bold ones but likely nonsense: none of the organisations supposedly “affected” confirmed any breach, and all of them have significant security resources of their own. It would also be difficult for any ransomware gang to breach so many large organisations in such a short space of time.
“Babuk 2.0’s lack of credibility makes such attacks questionable. Upon further investigation by NCC, 119 out of 145 claims made by Babuk 2.0 in Q1 2025 were associated with another ransomware group or could be linked to a previous large-scale breach,” said the researchers.
Actions like this exemplify how ransomware gangs change up their tactics in the hope of scoring a payout, leveraging public relations techniques to attract media attention, placing their alleged victims in the spotlight and damaging their public image. When these tactics work, said NCC’s researchers, it is more often than not because the victim is embarrassed into handing over money to make the problem go away.
Weaponised PDFs
This month’s report also highlighted an emerging danger in the ransomware infection chain – the use of weaponised PDF files, which are beginning to be used at scale to exploit software vulnerabilities, fool users and spread malware. According to Check Point statistics, 22% of malicious email attachments now arrive in the form of a PDF.
NCC said such documents are becoming more deceptive and technically advanced, with the help of generative artificial intelligence (GenAI). Many threat actors are now embedding malicious PDFs tailored to individual recipients into their phishing campaigns.
Unfortunately, this trend looks set to go mainstream, said NCC, because users seem willing to trust PDFs more than other documents, such as Microsoft Office files.
Security teams should consider adapting their policies and educating users on the potential dangers of PDF files, and should consider deploying tools such as email gateways with sandboxing and behavioural analysis features, using endpoint detection and response (EDR) to monitor PDF readers, disabling unneeded JavaScript functions in PDF readers, and patching Adobe vulnerabilities as they arise – a sequence of three flaws in Acrobat Reader discovered in March likely contributed to the problem.
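As an added illustration of the kind of check an email gateway or mail-flow script could run on inbound PDF attachments before they reach a user, the following Python is example code written for this article, not tooling from NCC Group, Check Point or Adobe. It performs static triage only: it scans a PDF's raw bytes for name objects that can make a document act on open (/OpenAction, /AA) or carry active content (/JavaScript, /JS, /Launch, /EmbeddedFile, /URI), resolves the #xx hex escapes that are sometimes used to disguise those names, and returns a verdict. The keyword list, the verdict thresholds and the two sample PDFs are constructed for this example; the /ObjStm count is reported because names hidden inside compressed object streams are invisible to a byte scan, which is exactly why the sandboxing and EDR controls mentioned above are still needed.

```python
import re
import sys
from collections import Counter

# Name objects worth flagging on inbound PDF attachments. The list and the
# verdict thresholds below are this example's own choices, not NCC guidance.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action dictionary",
    b"/JS": "JavaScript code string or stream",
    b"/OpenAction": "action run automatically when the file opens",
    b"/AA": "additional actions triggered by page/form events",
    b"/Launch": "action that launches an external program",
    b"/EmbeddedFile": "embedded file attachment",
    b"/URI": "outbound URL action",
}
AUTO_EXEC = {"/OpenAction", "/AA"}
PAYLOAD = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile"}

# A PDF name runs from '/' up to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_name(name: bytes) -> bytes:
    """Resolve #xx hex escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def triage_pdf(data: bytes) -> dict:
    """Static triage of one attachment: risky names found, a verdict, and a
    count of compressed object streams whose contents this scan cannot see."""
    is_pdf = data.startswith(b"%PDF-")
    findings: Counter = Counter()
    object_streams = 0
    for match in _NAME_RE.finditer(data):
        name = normalise_name(match.group(0))
        if name in RISKY_NAMES:
            findings[name.decode()] += 1
        elif name == b"/ObjStm":
            object_streams += 1
    found = set(findings)
    if not is_pdf:
        verdict = "review"        # claims to be a PDF but lacks the header
    elif AUTO_EXEC & found and PAYLOAD & found:
        verdict = "quarantine"    # runs something on open and carries a payload
    elif found:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "is_pdf": is_pdf,
        "findings": dict(findings),
        "object_streams": object_streams,
        "verdict": verdict,
    }


# Constructed samples for this example (not real captured attachments).
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
# Opens straight into a JavaScript action, with the action type hex-escaped.
SUSPICIOUS_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert('constructed sample')) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, triage_pdf(fh.read()))
    else:
        for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
            print(label, triage_pdf(sample))
```

Run it with no arguments to see the two constructed samples scored, or pass file paths to triage real attachments. A non-zero object_streams count means the verdict is a lower bound: the document should then go to a sandbox rather than be allowed on the strength of this scan alone.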
“It’s only getting harder for individuals and organisations, who need to be forever alert,” said Hull. “In this climate, a strong and embedded security culture is no longer optional; it is a critical enabler of organisational resilience. It’s more important than ever for organisations to maintain a strong security culture, respond quickly to emerging threats and adapt to shifting tactics – all the while staying ahead of adversaries that never stop evolving.”