Ransomware Retreats—But Don’t Mistake It for Surrender
- Cyber Jill
- 3 days ago
For the first time in months, defenders can breathe a little easier. Global ransomware attacks fell 43% in Q2 compared to Q1, with a 6% decline in June alone. But beneath the surface of that statistical sigh of relief lies a far more complex battlefield—one where ransomware operators are quietly rearming, rebranding, and realigning for their next wave.
According to the latest threat intelligence from NCC Group, the industrial sector remains the most bruised, absorbing more than a quarter of all attacks in June. Retail, on the other hand, saw a notable dip—likely a ripple effect of reduced activity from Scattered Spider, the group that rattled the UK’s retail giants in May.
Yet even as familiar names like Scattered Spider quiet down, new actors are stepping into the void. “The volume of victims being exposed on ransomware leak sites might be declining,” said Matt Hull, Global Head of Threat Intelligence at NCC Group. “But this doesn’t mean threats are reduced.”
Qilin Ascends the Throne
Qilin, a prolific ransomware group known for its double-extortion tactics, took the top spot in June with 60 recorded attacks—16% of the global total. It’s not just the numbers that are raising eyebrows. Qilin has evolved into a full-fledged criminal enterprise, now offering legal services to its affiliates—yes, you read that right—to help them handle negotiations and dodge law enforcement.
With 151 attacks logged in Q2 alone (up from 95 in Q1), Qilin’s growth signals a new era of ransomware-as-a-service—one where professionalization isn’t just a trend, it’s a competitive edge.
Behind Qilin, Akira and Play rounded out the top three threat groups in June, with 31 and 29 attacks respectively. Meanwhile, SafePay—a group some researchers suspect is a rebrand—slid into fourth with 27.
North America Takes the Brunt
Geographically, ransomware continues to play favorites. North America bore the brunt of the barrage, accounting for 58% of attacks in June and over half in Q2. Europe trailed far behind at 21%, followed by Asia (12%) and South America (4%).
What’s driving the disparity? A potent mix of digital infrastructure, economic targets, and inconsistent cyber policy across borders. It's a reminder that while ransomware is a global threat, its impact is anything but evenly distributed.
When Cybercrime Goes Political
June also saw ransomware’s role in geopolitics come into sharp relief. A pro-Palestinian group known as Handala launched a coordinated campaign against Israeli organizations, striking 17 targets during the height of the Iran-Israel conflict.
It wasn’t just ransomware for profit—it was ransomware for political messaging.
As ransomware evolves from a tool of extortion into a weapon of influence, governments are starting to take notice. The UK’s June rollout of its Industrial Strategy specifically called out cybersecurity as a pillar of national defense. Expect others to follow suit as digital warfare increasingly merges with physical-world tensions.
What Comes Next
So, what’s behind the Q2 downturn? Holiday lulls, for one—Ramadan and Easter tend to slow threat actor operations. Law enforcement crackdowns, leaked source code, and internal turf wars have also disrupted major groups.
But don’t mistake this calm for a ceasefire.
“We’ve already tracked 86 new and existing active attack groups this year, and we’re on course to surpass 2024’s record,” Hull warned. “The increased number of attackers means a broader range of attack methods that businesses need to be prepared for.”
In other words: fewer attacks don't mean safer networks. They mean adversaries are adjusting their aim.
The message for defenders is clear: Stay vigilant, invest in intelligence-led defenses, and don’t let the quiet fool you. In the world of ransomware, retreat is often just a pause before the next strike.