Is Ransomware Dying? Don’t Break Out the Champagne Just Yet
If you’ve been tracking ransomware activity over the last few years, you might feel like you’re watching a rollercoaster with no brakes. But if NCC Group’s newly released June 2025 Threat Pulse is any indication, we may be hitting a stretch of straight track — at least for now. According to their data, global ransomware attacks have declined for the fourth consecutive month, dropping a substantial 43% in Q2 compared to Q1.
That’s a huge drop.
Only 371 attacks were recorded in June, down 6% from May. The Industrials sector continues to bear the brunt, representing 27% of attacks last month, but even there, we’re seeing some leveling off. North America, while still the most targeted region, experienced fewer successful attacks than in previous months. So, what’s going on here?
Is ransomware finally dying?
The Short Answer: No. The Longer Answer: It’s Changing.
We’re not seeing the end of ransomware — we’re seeing the evolution of it. The drop in volume is real. But the reasons behind it are nuanced. Yes, seasonal slowdowns like Easter and Ramadan may have played a part. But so did increased law enforcement activity, better corporate cybersecurity hygiene, and — perhaps most critically — a growing resilience among targeted organizations.
The days of ransomware bringing entire companies to their knees are starting to fade. Organizations are getting savvier about backups, segmentation, and recovery strategies. Business continuity planning is no longer optional; it’s a survival imperative. Cyber insurance providers are also cracking down on lax security standards, forcing organizations to invest in their defenses if they want coverage.
Companies are no longer as easy to extort, and the ROI for attackers is starting to dwindle.
Don’t Celebrate Yet: The Bad Guys Are Rearming
If you think this is the final act for ransomware, think again.
Matt Hull, global head of threat intelligence at NCC Group, puts it plainly: “The volume of victims being exposed on ransomware leak sites might be declining, but this doesn’t mean threats are reduced.” That’s not just industry caution — it’s a reality check.
Threat actors aren’t vanishing; they’re reorganizing, rebranding and leveling up.
Take Qilin, for example — the most active threat group in June. They’re not just launching attacks; they’re offering legal assistance to affiliates to help negotiate with victims and dodge law enforcement. That’s ransomware-as-a-service taken to a disturbingly mature, businesslike level. Akira, Play, and the newly suspected rebrand SafePay are all in on the game too, adapting quickly to the changing threat landscape.
And then there’s the geopolitical dimension. Ransomware isn’t just about money anymore. Groups like Handala are weaponizing it as a tool for cyber warfare, targeting Israeli organizations in response to state-level conflicts. Political ransomware is a new frontier — and one that could escalate fast.
AI Is Coming for Ransomware — And That Should Terrify Us
Let’s not forget the elephant in the room: AI.
As companies begin to leverage AI for cyber defense, attackers are doing the same. Expect more sophisticated phishing, faster code obfuscation, automated reconnaissance and polymorphic malware that adapts in real time to defensive measures. The lull in ransomware activity may simply be the calm before a new, AI-enabled storm.
Source: NCC Group Threat Pulse – June 2025 Report



