
Safepay Surges as Top Ransomware Threat Amid Declining Global Attack Volumes

After a blistering start to 2025, global ransomware activity is now showing signs of cooling—at least on paper. According to NCC Group’s latest threat intelligence snapshot, ransomware attacks dipped by 6% in May, with 393 recorded incidents. It’s the third straight month of decline. But beneath the surface, the threat landscape is far from stable.


The numbers tell one story. Emerging threat actors and geopolitical volatility suggest another entirely.


Safepay Overtakes the Ransomware Leaderboard


The most disruptive development in May wasn’t the drop in volume—it was the arrival of Safepay. This previously unknown group was responsible for 18% of global attacks, catapulting to the top of the leaderboard with 70 recorded incidents. Their sudden prominence has prompted speculation across the security community.


“There’s growing chatter that Safepay could be a rebrand,” said Matt Hull, global head of Threat Intelligence at NCC Group. “If they are indeed operating with the infrastructure and tactics of groups like LockBit or AlphV, then this is not a rookie threat actor—it’s a seasoned operator with a fresh label.”


That theory could explain Safepay’s ability to launch high-volume, high-speed attacks within months of emerging. The group's surge has also added pressure on defenders already fatigued by the constantly shifting ransomware ecosystem.


Industrials Still a Prime Target—but Retail Surges


The industrials sector continued to bear the brunt of ransomware activity, accounting for 30% of attacks. However, consumer discretionary sectors—particularly retail—saw an alarming spike, jumping from 73 incidents in April to 102 in May.


This escalation coincided with headline-grabbing attacks against household names including Adidas, Victoria’s Secret, and Cartier. Analysts point to the dual appeal of retail data: the opportunity to disrupt payments and operations for maximum leverage, and access to troves of consumer information for resale or follow-up scams.


Meanwhile, Scattered Spider, one of the most enigmatic threat groups in operation, took credit for targeting UK giants Marks & Spencer and the Co-op. Google’s Threat Intelligence Group and Mandiant noted signs that the group is shifting its operations toward U.S. retail targets—a troubling trend as the summer shopping season ramps up.


North America and Europe Remain Hot Zones


Regionally, North America bore the brunt of May’s ransomware activity with 193 attacks—roughly half of all global cases. Europe followed with 112 incidents (29%), while Asia and South America saw comparatively modest activity.


This geographic distribution reflects a broader strategy shift among ransomware groups: go where the money and leverage are. High-value targets in developed economies remain the low-hanging fruit.


AI Systems Under Siege: The Rise of Prompt Injection Attacks


While ransomware groups fight for dominance, a parallel threat vector is quietly gaining traction: prompt injection attacks on AI systems.


Prompt injection, a method of manipulating large language models (LLMs) via cleverly crafted inputs, is becoming an increasingly viable tool for cybercriminals. Recent studies show that over half of tested AI models are vulnerable—exposing healthcare, finance, and critical infrastructure systems to tampering, data exfiltration, or unintended behaviors.


“Prompt injection attacks exploit the very architecture of LLMs,” Hull explained. “Current defenses like input validation and monitoring aren't keeping pace with the sophistication of adversaries.”


To counteract these threats, cybersecurity teams are experimenting with adversarial training, robust memory isolation, and AI-human co-supervision. But without standardized regulation, the race between offense and defense remains neck-and-neck.


Strategic Threats on the Horizon


Looking ahead, experts warn that ransomware may only be the tip of the spear. Geopolitical tensions—including escalating U.S.-China friction, UK-EU data diplomacy, and renewed U.S. involvement in the Middle East—could lead to more state-sponsored cyber activity, corporate espionage, and attacks against critical infrastructure.


“Even with a temporary lull in ransomware numbers, the broader context is worrying,” Hull said. “New alliances, political instability, and disruptive technologies are colliding. Organizations need to think beyond firewalls—they need to consider resilience at the national and sectoral levels.”


With new players like Safepay rewriting the rules and LLM vulnerabilities exposing the AI underbelly, the cyber threat landscape may be quieter—but it’s certainly not safer.
