Ransomware Surges 41% as Cybercriminals Kick Off the ‘Golden Quarter’
- Cyber Jill
Ransomware crews didn’t wait for Black Friday to get busy. New data from NCC Group shows global attacks spiked 41% in October, surging to 594 incidents — an abrupt jump that signals cybercriminals are already gearing up for the year’s most profitable stretch.
October traditionally marks the beginning of ransomware’s “golden quarter,” when the mix of holiday shopping, frantic IT teams, and supply-chain pressure creates an unusually rich attack surface. This year’s early wave suggests threat actors are moving faster and coordinating more aggressively than they have for most of 2025.
A Sudden Break in the Calm
From April through August, ransomware activity hovered at relatively stable levels — even dipping briefly at the start of summer. But by September the gears started turning again, with a 28% rise that now looks more like the warm-up act. October’s leap shows that groups are accelerating operations in lockstep with seasonal consumer demand and strained enterprise systems.
Industrials Stay in the Crosshairs
Manufacturers and industrial suppliers remain the most targeted organizations, accounting for 28% of all attacks in October. These victims are particularly vulnerable: sprawling OT/IT networks, legacy systems that can’t be patched quickly, and high uptime requirements give extortion crews maximum leverage.
Right behind Industrials were Consumer Discretionary businesses — automakers, retailers, travel and entertainment firms — which collectively suffered 124 attacks. Healthcare moved into third place with 64 incidents, continuing an alarming trend of targeting hospitals and care providers heading into winter.
North America Absorbs the Blow
Nearly four out of five ransomware attacks last month hit organizations in North America and Europe, with North America alone suffering 62% of global incidents. That imbalance isn’t new, but the gap is widening: U.S. and Canadian organizations remain prime targets for crews seeking high payouts, fast responses, and organizations heavily reliant on digital operations.
Qilin Tightens Its Grip
Qilin — one of the most aggressive double-extortion groups operating today — maintained its lead with 29% of all recorded attacks. The group’s specialization in high-value victims and surgical operations has made it the defining threat of late 2025.
Sinobi and Akira followed closely, each responsible for around 15% of attacks. Akira’s persistence this year keeps it firmly in the top tier of global ransomware operators.
Alliances and Newcomers Push Volumes Higher
While Qilin continues to dominate, the broader ransomware ecosystem is getting messier. Fresh crews like The Gentlemen are quickly carving out space, and the return of LockBit — now pushing version 5.0 — is reshaping alliances among established RaaS networks.
LockBit’s apparent alignment with DragonForce and Qilin has raised alarms among incident-response teams. Even without confirmed joint operations, shared tooling and infrastructure can dramatically amplify attack efficiency. It also echoes the loose, opportunistic alliances behind high-impact operations from groups like Scattered Spider and ShinyHunters.
The Gentlemen group, which claimed 21 attacks in October alone, is broadening the field further by striking healthcare, finance, IT, and consumer brands — the exact sectors most susceptible to operational disruption.
A Warning Shot for the Peak Season
“October marks a seasonal shift in the ransomware landscape as we enter one of the more active periods of the year for cyber criminals,” said Matt Hull, head of Threat Intelligence at NCC Group. “The surge has been fueled by the rise of new groups such as The Gentlemen and an expanding range of ransomware variants, with over 200 identified so far this year.”
Hull added that the escalating pace should serve as a wake-up call for organizations: “As ransomware activity accelerates and notable attacks continue to cause widespread economic and operational disruption, vigilance is more critical than ever. Organizations should use this moment to reinforce their security measures and test incident response plans. Proactive monitoring, staff awareness, and secure backups remain key as we move into the year’s peak threat season.”
With holiday spending about to hit full throttle, defenders may be facing the busiest — and most chaotic — ransomware season yet.