Ransomware attack volumes fell slightly in November but security researchers observed a sharp rise in new methods and collaboration between criminal groups, according to new data from NCC Group.
The consultancy recorded 583 global ransomware incidents in November, a decrease of 2% from October. Analysts said the headline volume masked significant shifts in how threat actors gained initial access and executed attacks.
ClickFix surge
NCC Group highlighted the emerging ClickFix technique as the second most common attack method in November, behind phishing. The method, also known as ClearFake, focuses on manipulating victims into manually carrying out malicious actions using built-in system tools.
Use of ClickFix surged by 517% in the first half of 2025, following its first identification in 2023. The approach moves execution from automated payloads or malicious attachments to the user’s own actions. This targets human behaviour and allows threat actors to sidestep some automated security controls.
The report found that the evolution of methods coincided with growing collaboration between ransomware groups and affiliates. NCC Group said groups such as DragonForce had formed alliances with skilled affiliates from networks including Scattered Spider. These partnerships allow attackers to alter their methods quickly for different environments and industries.
Industrials most hit
The Industrials sector remained the most targeted industry in November. It accounted for 25% of all tracked ransomware attacks and has held the top position throughout 2025.
Consumer Discretionary organisations were the second most targeted, followed by Information Technology firms in third place. The pattern extends the focus on sectors with complex supply chains and operational technology, which often face pressure to restore services quickly after disruption.
Qilin’s lead continues
The criminal collective Qilin held its position as the most prolific ransomware group for the fourth consecutive month. It accounted for 17% of all attacks in November, the highest share of any single group.
Qilin’s activity declined from an October high and returned to what NCC Group described as more typical levels. The group’s sustained lead over several months underlined its current prominence in the ransomware ecosystem despite the broader plateau in overall volumes.
CL0P spike
Alongside Qilin’s dominance, NCC Group recorded a sharp month-on-month rise in attacks linked to the CL0P gang. Ransomware incidents attributed to CL0P increased by 654% between October and November.
Analysts said the spike highlighted the fluid nature of the ransomware landscape, where individual groups can ramp up activity over short periods. The rise followed a year in which several large-scale exploitation campaigns, including attacks on file transfer and enterprise technologies, drew attention to CL0P’s tactics.
Security pressure
The findings come against a backdrop of heightened scrutiny of cyber security in major markets. Recent breaches at large consumer-facing businesses have prompted renewed questions about resilience and incident response planning at board level.
Matt Hull, Global Head of Threat Intelligence at NCC Group, said companies faced a risk of misreading the slight fall in overall ransomware volumes.
“Attack volumes may have steadied as we approach year-end, but business leaders cannot afford to become complacent. Threat groups are rapidly evolving, sharing tools and techniques, and already exploiting the festive period when vigilance often drops,” said Hull, Global Head of Threat Intelligence, NCC Group.
He added that recent policy moves and incidents had shifted expectations for organisations.
“With the new Cyber Security and Resilience Bill and high-profile breaches at M&S, Co-op and JLR this year, organizations are under growing scrutiny to prove they have robust defences and incident response plans in place. As the holidays approach, staying alert to suspicious activity and strengthening security posture is as important as ever,” said Hull.
