Ransomware Attacks Surge in October, With America and Europe Driving the Majority of Global Incidents

Ransomware attacks saw a significant global spike in October, increasing by 41% compared to the previous month, with 594 recorded incidents.

The surge comes as threat actors intensify operations ahead of a period of heightened cyber crime, correlating with peak consumer spending events.

Attack trends

October’s escalation follows several months of comparatively steady ransomware activity. After a dip in attack volumes between April and June and a rebound in September, the number of incidents accelerated notably. The latest figures show the persistence and adaptability of cybercriminal groups as they capitalise on seasonal vulnerabilities.

Sector focus

The Industrials sector endured the highest concentration of attacks, accounting for 28% of incidents in October. A total of 167 attacks targeted manufacturers, utilities, and industrial businesses. The Consumer Discretionary category, which includes automotive, retail, and leisure companies, faced 124 attacks. Healthcare organisations were impacted in 64 known incidents, making healthcare the third most targeted sector during the period.

Geographic distribution

More than three-quarters of all ransomware activity in October focused on North America and Europe, underscoring their outsized share of global targeting. These regions collectively suffered 473 attacks, reflecting their concentration of high-value digital assets.

North America experienced the majority, with 62% of the global total, while Europe accounted for 17%. Asia followed with 9%. The prominence of America and Europe in these figures highlights their continued status as prime targets for cybercriminals.

Group activity

Qilin maintained its position as the most active ransomware group, responsible for 29% of attacks (170) during the month. Qilin has developed a reputation for precision targeting and for employing double-extortion tactics aimed at increasing the pressure on its victims to pay.

Sinobi accounted for 15% of attacks (65), followed closely by Akira with 64 incidents. The presence of these groups in the top tier underscores a persistent and competitive ransomware ecosystem, with several prominent actors operating simultaneously.

Emergence of new actors

The October data highlights growing diversification among ransomware perpetrators, with alliances and the emergence of new groups noticed by threat intelligence observers. The Gentlemen ransomware group has become more active, making 21 public ransomware claims across sectors such as healthcare, financial services, IT, and consumer discretionary.

The return of the LockBit group, alongside its association with Ransomware-as-a-Service operations like DragonForce and Qilin, suggests increased collaboration and tool-sharing between groups. Such alliances contribute to the complexity of the threat environment, enabling attackers to develop and deploy new variations of ransomware at scale.

Outlook and response

The diversity and frequency of ransomware incidents align with ongoing shifts in cyber crime patterns, particularly during periods of increased commercial activity. Over 200 ransomware variants have been identified so far this year, presenting significant challenges for organisations attempting to maintain secure operations in the face of persistent threats.

“October marks a seasonal shift in the ransomware landscape as we enter one of the more active periods of the year for cyber criminals. The surge has been fueled by the rise of new groups such as The Gentlemen and an expanding range of ransomware variants, with over 200 identified so far this year,” said Matt Hull, Head of Threat Intelligence, NCC Group.

“As ransomware activity accelerates and notable attacks continue to cause widespread economic and operational disruption, vigilance is more critical than ever. Organisations should use this moment to reinforce their security measures and test incident response plans. Proactive monitoring, staff awareness, and secure backups remain key as we move into the year’s peak threat season.”