NCC Group Monthly Threat Pulse – Review of March 2025

Ransomware attacks climb year-on-year as new threat groups and sophisticated attacks emerge

• Ransomware cases in March dropped by 32% from February with 600 attacks but rose year-on-year by 46%
• Babuk2 was the most active threat group, responsible for 20% of attacks
• Industrials regains top spot for most targeted sector, with 27% of attacks
• 75% of all cases globally took place in North America and Europe
• Malvertising spotlight - an emerging cyber security trend accelerated by AI

March 2025 - Global levels of ransomware attacks dipped by 32% in March (600) compared to February. Despite this decline, ransomware cases increased year-on-year by 46%, according to NCC Group's March Threat Pulse.

Babuk2 takes first place as most aggressive threat actor

The threat group Babuk2 drove ransomware activity in March, responsible for 84 attacks, a 33% increase from January (63). The emergence of Babuk 2.0 since January has raised many questions as to the legitimacy of their alleged attacks, with the original Babuk claiming no connection to the new operation.

The security community and ransomware actors alike believe that Babuk 2.0 is a fraudulent group, recycling data from previous breaches and claiming them as their own.

Akira and RansomHub shared second place with 62 attacks each, though both experienced a slight decline in attacks compared to February. Safepay followed with 42 attacks, reemerging in the top ten after a quiet February.

Industrials returns as most targeted sector

Industrials reclaimed the top spot for most targeted sector with 150 attacks in March, accounting for 27% of all attacks.

Consumer discretionary fell to second place with 124 attacks a significant decrease of 55% (278) attacks compared to February.

North America top target, with almost half of all attacks

North America remained the most targeted region, accounting for 49% of total global attacks (296), almost double those in Europe, as the next region hardest hit with 26% of attacks (132). It's likely that attacks in North America will continue to dominate, with rising political tensions and division between Canada and the U.S. under President Trump's leadership heightening geopolitical friction. This suggests an increased risk of cyber attacks targeting Canada and related international organisations.

Asia took third place with 14% of attacks (75), followed by South America with 7% of attacks (41).

Emerging cyber security trend: malvertising

One emerging threat that is dominating the cyber landscape is the rise of malvertising. This is where malware hides behind seemingly harmless online ads and has become a pervasive threat. In 2024, attacks surged, and the momentum shows no signs of slowing in 2025.

Microsoft Threat Intelligence uncovered nearly one million devices globally implicated in a large-scale malvertising campaign in March, which uses GitHub repositories, Discord and Dropbox as its command and control.

Malvertising is becoming more complex, leveraging techniques like AI and trusted platforms. Accessibility to tools like Malware-as-a-Service (MaaS) and DeepSeek AI lowers the gap for attackers to implement sophisticated attacks without high technical skills.

Industries and governments need to strengthen their threat intelligence to tackle the evolving threat. Proactive measures and global cooperation will be key to staying ahead of threat actors. The future of cyberspace depends on our ability to stay one step ahead.

Matt Hull, Head of Threat Intelligence at NCC Group, said:

"The slight decline in attacks in February is a bit of a red herring given the unprecedented levels we have seen over the past months with the volume of incidents year-on-year increasing 46% in March. As ever, we are seeing threat actors diversifying and leveraging increasingly complex and sophisticated attack methods to stay ahead - not only to cause mass disruption but to gain attention in the ransomware world.

"It's a unique and challenging time for organisations, facing evolving tactics, like AI enabled malvertising, and a turbulent geopolitical landscape. So, it's more important than ever for organisations and individuals alike to remain vigilant and be adaptive to keep pace with these fast-changing threats."