NCC Group tracks alarming ransomware surge in January

Last month, NCC Group recorded the highest number of ransomware attacks since the cybersecurity incident response and managed services provider began tracking the threat in 2021.

NCC Group published its "Cyber Threat Intelligence Review of January 2025" Wednesday, which revealed alarming trends across the ransomware landscape. In addition to an influx of ransomware attacks, researchers warned of a potential rise in AI adoption among threat actors and tracked the resurgence of the infamous Clop ransomware gang.

January also continued to break previous records for ransomware activity that NCC Group observed throughout 2024 and into 2025. Therefore, researchers urged organizations to take action to mitigate the increasing risks.

"590 ransomware attacks were recorded in January, the highest number reported since we began monitoring in 2021. This surge continues the upward trend observed in 2024 and suggests that ransomware will remain a prevalent threat in 2025," NCC Group wrote in the review. "Such high numbers are alarming, notably in January which usually reflects a quieter period."

NCC Group researchers attributed January's surge to two factors. The first was a spike in activity from the Akira ransomware gang, which was the No. 1 most active threat actor group last month. Researchers said Akira accounted for 13% of ransomware attacks in January.

The second factor was the "resurgence of Clop," according to the report.

The prolific ransomware gang is known for exploiting zero-day vulnerabilities in file transfer software products to claim hundreds of victim organizations at once. Most notable is Clop's attack against Progress Software's MoveIt Transfer product in 2023. While the group has been mostly quiet over the past year, NCC Group tracked it as the third most active threat actor group in January.

Regarding emerging groups, NCC Group highlighted the FunkSec ransomware group. Researchers referred to it as the "most prolific threat actor in December," with 103 ransom claims. While FunkSec dropped to the fifth most active threat actor spot in January, NCC Group expressed concerned that the group represents a dangerous new trend.

While researchers said there is little information on the group, they noted that threat actors may be using AI to develop malware. Prior to their emergence, NCC Group observed previous cases of AI focused only on improving phishing content.

"Funksec's emergence underscores the reality that even ransom groups lacking advanced technical skills can cause significant disruption. The proliferation of AI and widely available malware development resources present multifaceted challenges for organisations. Such groups can use these resources to conduct successful and high impact ransoms," the report said.

Ransomware activity heavily targeted the industrial sector. NCC Group researchers found that

industrials accounted for 25% of ransomware attacks in January. The findings align with a report Dragos published Monday that warned that ransomware attacks against industrial organizations skyrocketed 87% between 2023 and 2024.

Informa TechTarget contacted NCC Group for additional comment, but the company was unavailable at press time.

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.