Global ransomware attacks have plummeted by 43% in Q2 2025, according to new findings from NCC Group . This decrease is largely attributed to law enforcement actions and internal conflicts among groups .
Specifically, 1180 attacks were recorded from April to June, compared to 2074 attacks in Q1 . The firm also observed that claimed ransomware attacks fell for the fourth consecutive month in June 2025, down by 6% from May to 371 .
The slowdown in Q2 followed a dramatic rise in attacks in the first three months of the year, which was driven by aggressive campaigns from dominant groups such as Clop, RansomHub and Akira . However, recent law enforcement activity has disrupted some key ransomware operators, including targeting Clop and RansomHub affiliates . Notably, Clop and RansomHub disappeared from the top 10 list of active ransomware groups in Q2 . NCC Group researchers noted that these disruptions likely caused a ripple effect across the ransomware group's ecosystem, forcing affiliates to regroup or shift to emerging ransomware groups .
The report, dated July 23, also highlighted internal leaks and conflicts between different ransomware actors as a possible factor in the slowdown . In May, insider information from the notorious LockBit group was leaked . Meanwhile, researchers have observed DragonForce fighting a “turf war” with rival ransomware operators as it seeks to assert its dominance in the cybercrime marketplace . DragonForce appears to have been responsible for RansomHub's infrastructure outage in late March 2025, curtailing operations .
Another possible factor for the fall in attacks is due to seasonal slowdowns in Q2 from global holidays such as Easter and Ramadan .
Matt Hull, global head of threat intelligence at NCC Group, puts it plainly: “The volume of victims being exposed on ransomware leak sites might be declining, but this doesn't mean threats are reduced” . That's not just industry caution — it's a reality check . Threat actors aren't vanishing; they're reorganizing, rebranding and leveling up . Take Qilin, for example — the most active threat group in June . They're not just launching attacks; they're offering legal assistance to affiliates to help negotiate with victims and dodge law enforcement . That's ransomware-as-a-service taken to a disturbingly mature, businesslike level .
The sector that suffered the highest number of attacks in Q2 was industrials with 353 attacks, making up 30% of the total . In second place was consumer discretionary, with 251 attacks making up 21% of the total .