Global Ransomware Attacks Decline, But Retail Sector Still in the Crosshairs

A Surprising Downturn in Global Cybercrime

Despite a sharp focus on major retailers and the rise of new ransomware groups, the number of ransomware attacks worldwide declined for the third straight month in May 2025. Data from cybersecurity giant NCC Group revealed a notable drop, even in the face of a surge in incidents targeting big-name brands. While the surface-level trend looks positive, cybersecurity experts caution that this lull might not last. The entry of aggressive new players and evolving attack strategies point to an unpredictable threat landscape.

A Global Dip Amid Targeted Retail Chaos

Ransomware activity dipped globally in May 2025, with 393 recorded incidents, a 6% reduction from April’s 416 attacks. This decline continues a downward trend that began in March, with ransomware incidents plummeting by 31% in April. However, cybersecurity analysts warn that this isn’t necessarily a sign of lasting relief. The April drop was partly influenced by outages within the RansomHub gang, which temporarily disrupted its operations.

Interestingly, May’s decline occurred even as retailers came under heavy fire. Attacks on high-profile consumer brands surged, with the “consumer directory” sector experiencing a rise from 73 incidents in April to 102 in May, accounting for 26% of all global ransomware activity. Only the industrials sector saw more attacks, leading with 118 incidents (30%).

One of the most alarming developments involved the Scattered Spider collective, which gained notoriety in the UK after being linked to cyberattacks on Marks & Spencer, The Co-op, and Harrods. These coordinated incidents were eventually classified as a single cyber event. More recently, threat actors have reportedly targeted brands such as Adidas, Victoria’s Secret, and Cartier — signaling that retailers remain firmly in the crosshairs.

A new player, Safepay, emerged as the most active ransomware group in May with 70 attacks, representing 18% of all incidents. Safepay’s sudden rise is suspiciously rapid; cybersecurity researchers speculate it could be a rebrand of notorious groups like LockBit, ALPHV/BlackCat, or INC Ransomware. If true, this would explain their ability to execute attacks at high volume and speed due to pre-existing infrastructure and expertise.

Other major ransomware groups in May included Play (44 attacks), Qilin (42), and Akira (35). Interestingly, Akira led in April but dropped significantly in the rankings. Regionally, North America bore the brunt of these attacks, accounting for 50% of the total, followed by Europe (29%), Asia (13%), and South America (4%).

NCC Group’s global head of threat intelligence, Matt Hull, urged caution despite the falling numbers. He highlighted that seasonal trends, like summer slowdowns, might explain the dip, but also warned of emerging threats driven by AI vulnerabilities and new ransomware factions like Safepay. The current climate, he emphasized, remains volatile and demands strengthened cyber defenses.

What Undercode Says:

Behind the Numbers: Strategic Pause or Tactical Shift?

The consistent drop in ransomware activity may appear as a victory for global cybersecurity, but the reality is more complex. Three straight months of decline could point to internal reorganizations among threat actors, seasonal slowdowns, or increased defensive measures by targeted industries. However, the spike in retail sector attacks raises a red flag.

Retailers are prime targets due to their extensive customer databases, complex supply chains, and frequent digital transactions. The rise in ransomware incidents targeting consumer brands in May, to 26% of all global activity just as overall numbers fell, suggests that attackers are becoming more selective and strategic. Rather than launching indiscriminate attacks, threat actors are zeroing in on sectors where disruption guarantees leverage and high ransom potential.

Safepay’s sudden rise deserves special scrutiny. The possibility of it being a rebranded version of LockBit or ALPHV means we might be witnessing a deceptive shell game, where threat actors merely swap identities to evade law enforcement or reputation damage. If Safepay is indeed a seasoned actor in disguise, their activity could increase sharply in the coming months, especially with critical infrastructure and high-value retail chains still vulnerable.

Moreover, the geopolitical spread of attacks reveals that North America remains ransomware’s primary battleground. The region’s digital maturity makes it both a lucrative and exposed target. Europe, too, saw nearly a third of all attacks, hinting at rising vulnerability across mid-sized economies and digital retail ecosystems.

The drop in Akira’s activity is noteworthy. Whether it stems from internal disruptions, external takedowns, or operational pivots remains unclear. But their temporary decline creates a power vacuum that new players like Safepay and Qilin are clearly eager to exploit.

Scattered Spider’s involvement in UK attacks indicates a return to high-profile campaigns designed to destabilize trust and make headlines. Their targeting of iconic British retailers shows the psychological warfare element of ransomware — it’s not just about data, but disruption.

Lastly, the possible connection between the current decline and AI-driven vulnerability exploits is crucial. As organizations adopt AI tools for automation, customer service, and analytics, threat actors are simultaneously probing those tools for weaknesses. Future ransomware campaigns may be more AI-driven and harder to detect or defend against.

🔍 Fact Checker Results:

✅ Ransomware attacks have decreased for three consecutive months globally
✅ Retail sector saw a significant spike in targeted attacks despite the overall decline
✅ Safepay emerged as the most active ransomware group in May 2025

📊 Prediction:

As summer unfolds, ransomware activity may temporarily slow due to operational shifts and regional vacations, but this lull is deceptive. Groups like Safepay are likely recalibrating for more aggressive campaigns in Q3 2025. Retailers and digitally integrated enterprises should brace for targeted attacks disguised behind new names and tactics. AI vulnerabilities will increasingly serve as both a vector and shield, making the next wave of cyber threats harder to predict and counter. 🔐🧠

References:

Reported By: www.infosecurity-magazine.com