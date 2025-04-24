Ransomware attacks plummeted by 32% month-over-month in March 2025, with a total of 600 claimed incidents, according to NCC Group’s latest Threat Pulse report.

Despite the drop compared to February 2025, the firm noted that ransomware cases in March increased by 46% year-over-year.

Commenting on the findings, Matt Hull, Head of Threat Intelligence at NCC described the month-over-month fall in March as a “red herring,” as it followed unprecedented levels of attacks in the preceding months.

“As ever, we are seeing threat actors diversifying and leveraging increasingly complex and sophisticated attack methods to stay ahead – not only to cause mass disruption but to gain attention in the ransomware world,” Hull warned.

North America was targeted in around half (48%) of all attacks in March.

NCC Group linked this high proportion to rising geopolitical tensions associated with the US and Canada.

“It’s likely that attacks in North America will continue to dominate, with rising political tensions and division between Canada and the US under President Trump’s leadership heightening geopolitical friction. This suggests an increased risk of cyber-attacks targeting Canada and related international organizations,” the firm wrote.

Doubts Over Legitimacy of Babuk2

The threat actor Babuk2 claimed responsibility for the highest number of attacks in March at 84, making up 20% of the total.

The group, which emerged in January 2025, has claimed a total of 145 attacks in Q1 2025.

However, NCC noted that there are significant doubts over the legitimacy of Babuk2’s claims. This is because the group often fails to provide genuine evidence of an actual breach.

In addition, the original Babuk group has claimed no connection to the new operation.

“The security community and ransomware actors alike believe that Babuk 2.0 is a fraudulent group, recycling data from previous breaches and claiming them as their own,” the report said.

Akira and RansomHub were the second most active groups in March, with 62 claimed attacks each. This was followed by Safepay with 42 attacks.

Clop Responsible for Most Attacks in Q1

The Clop ransomware gang was responsible for 19% of ransomware attacks in Q1, making it the most prolific actor.

Overall, 45% of attacks in the quarter were attributed to four groups – Clop, Akira, RansomHub and Babuk2.