Ransomware Activity Flatlines in July but Global Risks Persist

Ransomware groups appear to be treading water. A new analysis from NCC Group shows that global ransomware attacks climbed just 1 percent in July, rising from 371 cases in June to 376. On the surface the figures look stable, but researchers warn that a lull should not be confused with safety.

Industrial Sector Still in the Crosshairs

Industrials once again bore the heaviest burden, absorbing 27 percent of all recorded attacks. That translated into 101 separate incidents in July, continuing a year-long pattern of pressure on manufacturing, engineering, and related supply chains.

Retail and other consumer discretionary businesses followed as the second most targeted vertical, facing 82 attacks, up slightly from June’s 76. Information technology firms tallied 31 cases, while healthcare organizations endured 30 — highlighting how ransomware continues to strike both essential services and commercial enterprises.

INC Ransom Ascends as Dominant Threat Group

One name loomed large in July: INC Ransom. The crew was responsible for 14 percent of global ransomware activity, logging 54 confirmed attacks. That represents a sharp increase from 24 incidents in June and just 14 in May. Analysts say the group has shown particular interest in critical national infrastructure, elevating concerns around public safety and continuity of operations.

Hot on their heels were Qilin and Safepay, with 40 attacks apiece, and Akira, which notched 37. The numbers point to a competitive yet highly active criminal ecosystem.

Western Nations Take the Biggest Hits

Geography continues to shape the ransomware battlefield. North America accounted for 54 percent of incidents, or 204 cases, though that was down slightly compared to June. Europe held steady at 21 percent with 78 cases, while Asia logged 43 and South America reported 22. The figures reinforce a long-standing imbalance: Western economies remain disproportionately attractive to extortion groups due to their digital maturity and financial clout.

Geopolitics Add More Fuel

The cyber landscape is increasingly intertwined with global politics. July saw BRICS leaders openly criticize U.S. trade policies, the Biden administration roll back chip export restrictions to China, and NATO allies harden their stance on Russia. Each of these developments adds volatility to the digital threat environment, with hacktivist campaigns, espionage, and financially motivated crime often converging.

In the Middle East, worsening famine in Gaza and growing pressure on Israel could further destabilize an already fragile region, creating new openings for cyber disruption.

“Not the Time for Complacency”

Matt Hull, global head of Threat Intelligence at NCC Group, cautioned that organizations should avoid mistaking the plateau for progress. “While ransomware activity remained relatively flat in July, this lull should not be mistaken for a reduced threat. We saw a similar dip during the summer months last year, yet the overall threat level remained high,” Hull said.

He added that dormant or disrupted groups are likely to resurface and collaborate with social engineering operators to launch more sophisticated campaigns. “Now is not the time for complacency,” Hull warned.