Ransomware Resurgence: After Months of Decline, Attacks Jump 28% in September
- Cyber Jill

In what many in the cybersecurity world feared might happen, the global ransomware threat has begun to rev back into gear. According to research from NCC Group, after a sustained slide in attack volume, September saw a 28 % month-on-month increase in ransomware incidents—421 attacks globally, up sharply from lower levels in the preceding months.
The Anatomy of the Surge
While 421 attacks is still below half a thousand, the increase is significant primarily for what it signals: a potential shift in momentum. Cyber-criminals may be preparing for what remains the busiest period of the year—when retail, travel and industrial supply chains become especially vulnerable.
Key patterns from the data:
- The industrials sector remains ground zero. In September, 120 of the attacks (≈ 29 %) hit businesses in this category. Over the full third quarter, industrials absorbed 30 % (342 attacks) of the global total.
- Regionally, North America and Europe continue to dominate: three quarters (≈ 75 %) of all observed attacks happened in these two zones alone.
- On the threat actor front, the ransomware group Qilin stands out. In September they claimed 58 attacks—≈ 14 % of that month’s total—and across Q3 they were responsible for 151 attacks, about 13 % of all.
- Behind the scenes, smaller, newer groups are surfacing. Emerging names like The Gentlemen and Interlock suggest the affiliate-economy of ransomware is expanding, enabling lower-entry adversaries to scale quickly.
Why the Focus on Industrials—and Why That Matters
For years now, industrial firms—manufacturers, processors, logistics operators—have borne the brunt of ransomware campaigns. But the September data shows that even as public attention is skewed toward consumer-facing breaches, the deeper operational targets are under siege.
Why industrials? Several overlapping reasons:
- Their operations are often mission-critical and time-sensitive. A disruption translates to immediate business risk, making them tempting targets for extortion.
- They tend to have large, complex supply chains and legacy systems—environments that are harder to lock down aggressively.
- Disrupting infrastructure (rather than just data exfiltration) often raises the stakes—and the ransom value.
In short, attacking industrials means more leverage.
Qilin’s Rise: What It Signals
Qilin’s comfortable lead in the September attack count is not just a statistic—it’s emblematic of how ransomware-as-a-service (RaaS) models are evolving. Analysts note that Qilin is refining its affiliate offerings, tooling, and negotiation frameworks in ways that mirror legitimate tech-platform dynamics.
This maturation enables affiliates to jump in and launch attacks without owning the full stack—or without having deep in-house tooling or brand recognition. It also means that even as law-enforcement pressure mounts, new entrants can plug into existing infrastructure and scale.
Geopolitics, Disruption & A Return to Risk
While purely criminal motivations still dominate most ransomware campaigns, the broader context matters: rising geopolitical friction, supply-chain disruption, and a shift toward hybrid cyber operations all create fertile conditions for ransomware spikes.
One executive from NCC Group, Matt Hull, commented:
“From high-profile supply chain breaches and persistent ransomware activity, to the influence of geopolitical tensions on cyber operations, organizations are facing increasingly adaptive and sophisticated threat actors.”
“The rise in attacks in September could be a sign that the decline we’ve seen recently is now over. As we approach the busy season for attackers – with Black Friday and Christmas fast approaching – organizations can’t be complacent. Recent attacks on the transport and retail sector, specifically, have shown just how severe the disruption can be. So, organizations need to ensure they have robust third-party risk management, rapid incident response, and proactive security strategies.”
Hull’s warning resonates: ransomware is no longer just a data-theft game—it’s increasingly a disruption game, timed and orchestrated to hit when operations are most exposed.
What Organizations Should Do Now
Given where the threat landscape appears to be heading, companies must act on multiple fronts:
- Third-party risk management: Since many supply-chain partners are weak links, visibility and remediation at that level become mission-critical.
- Incident-response readiness: Time-to-detection and time-to-contain are decisive. Organizations should rehearse ‘ransomware drills’ and ensure clear escalation paths.
- Proactive security strategies: Rather than just reactive controls, firms need to invest in threat hunting, anomaly detection, and system-resilience planning.
- Operational resilience: Especially for industrial players, assume that attacks will happen. Have backup processing, manual workarounds and clear continuity plans.
- Beyond prevention—preparedness: Many firms still treat ransomware like an IT problem; in fact, it’s a business-continuity problem and increasingly a national-security problem.
The Bottom Line
The uptick in September isn’t huge in absolute numbers—but it may mark a turning point. What looked like a multi-month slide is now flattening and potentially reversing. As the holiday and peak-processing season looms, adversaries may see both higher pay-off and more opportunity.
For security teams, the message is clear: don’t rest on the recent quieter quarters. The threat is shifting, maturing, and gearing up for a fresh round.


