Ransomware attacks fall as CL0P & The Gentlemen surge

Global ransomware attacks fell to 635 incidents in February, down 8% from January, according to NCC Group.

Even so, the figures showed sharp shifts among individual threat groups. Attacks attributed to CL0P rose 72% between January and February, while activity linked to The Gentlemen increased 97% over the same period.

Qilin remained the most active ransomware actor in February despite a 12% month-on-month decline, accounting for 15% of all recorded incidents. Akira also declined, with attacks down 38% from January. Despite the overall drop, the data pointed to a ransomware market that continues to shift quickly as groups gain or lose momentum from one month to the next.

On an annual basis, February’s total was 42% lower than in the same month a year earlier. That comparison was distorted by unusually high volumes in February 2025, when 1,099 attacks were recorded after batch listings by CL0P drove a spike in published incidents.

The Industrials sector remained the most targeted part of the economy, accounting for 31% of ransomware attacks in February. North America was the main regional focus, with 52% of attacks, followed by Europe at 21%.

Threat Shifts

One of the more notable changes in the latest data was the emergence of The Gentlemen among the three most active groups, underscoring how newer actors can expand quickly even as the broader number of incidents falls.

The report also highlighted several attacks and vulnerabilities that shaped the threat landscape during the month. Rome’s La Sapienza University was hit by a BabLock ransomware attack linked to the Russian cybercrime group Femwar02, disrupting major IT systems for days. Romania’s oil operator Conpet was targeted by Qilin in an incident that affected parts of its technology infrastructure and took its website offline.

Separately, attackers were found exploiting a critical BeyondTrust remote access vulnerability to gain unauthorised control, deploy malicious tools and carry out ransomware-related intrusions against organisations.

New Variant

NCC Group also drew attention to Reynolds, a newly identified ransomware variant that surfaced in February. Researchers said the malware includes a built-in bring-your-own-vulnerable-driver (BYOVD) element, allowing it to load a vulnerable Windows driver to disable security tools before encrypting systems.

Public reporting on the group’s activity remains limited, with one listed victim on its leak site, Falcon Management. Even so, the approach stood out because the defence-evasion element was embedded in the main ransomware payload rather than deployed as a separate tool.

That design can shorten the attack chain and reduce the time defenders have to respond before encryption begins. At the same time, the report noted that driver-based methods can still be disrupted if security teams maintain and enforce vulnerable driver blocklists.
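One defender-side check the blocklist point invites, added here as an example and not part of the NCC Group report or any Reynolds analysis: a PowerShell function that reports whether a Windows host enforces Microsoft's vulnerable driver blocklist, using the documented VulnerableDriverBlocklistEnable registry value and the HVCI status exposed by the Win32_DeviceGuard WMI class. The function and output field names are my own; it assumes Windows 10/11 and an elevated session.

```powershell
# Added example (not from the NCC Group report): report whether this host
# enforces Microsoft's vulnerable driver blocklist, the control the report
# names as a way to disrupt BYOVD-style payloads. Run elevated on Windows 10/11.

function Test-VulnerableDriverBlocklist {
    # Registry switch Microsoft documents for enabling the blocklist explicitly.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $value = Get-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    $blocklistEnabled = ($null -ne $value) -and ($value.VulnerableDriverBlocklistEnable -eq 1)

    # On supported builds HVCI (memory integrity) enforces the blocklist by default.
    # SecurityServicesRunning code 2 means HVCI is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $hvciRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)

    # Hypothetical output shape (my own field names, not a Microsoft API).
    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        BlocklistRegistryEnabled = $blocklistEnabled
        HvciRunning              = $hvciRunning
        Enforced                 = ($blocklistEnabled -or $hvciRunning)
    }
}

$result = Test-VulnerableDriverBlocklist
$result | Format-List
if (-not $result.Enforced) {
    Write-Warning 'Vulnerable driver blocklist is not enforced on this host; enable HVCI or the registry switch.'
}
```

Running it across a fleet (for example via remoting) gives a quick inventory of hosts where a BYOVD payload would still be able to load a known-bad driver.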

Conflict Risks

Beyond ransomware counts, the report linked the cyber threat picture to a more volatile geopolitical environment. It pointed to escalating tensions involving the US, Israel and Iran, as well as pressure over Chinese-linked operations at Panama Canal ports, as developments likely to increase the risk of espionage, retaliation and politically motivated cyber activity.

Cyber activity linked to the Israel-Iran tensions included distributed denial-of-service attacks, website defacements, exaggerated breach claims and AI-driven misinformation. Most of it was high in volume but limited in direct operational impact.

NCC Group warned that organisations with a presence in Israel, or with commercial or governmental ties to the US government, should expect elevated risk. It added that infrastructure and companies tied to strategic trade routes could face cyber attacks that appear criminal on the surface but may be driven by geopolitical motives.

AI Exposure

Another concern was the growth of AI-enabled platforms and low-code or no-code automation tools. These systems are becoming more common in business workflows, but they can create new openings for attackers through remote code execution, command injection, credential theft and insecure default settings.

The report cited recently disclosed vulnerabilities in the automation platform n8n and in OpenClaw, an autonomous AI assistant, as examples of how tools with broad integrations and privileged access can become attractive targets. Because such systems often sit between internal databases, software services and large language models, a single compromise can provide access to multiple connected environments.

Matt Hull, Vice President of Cyber Intelligence and Response at NCC Group, said: “The past month has seen significant geopolitical turbulence. Given the complexity of global supply chains, even regionally focused cyber activity can have wider implications. Organisations worldwide must remain vigilant, as interconnected systems increase the risk of disruption and exposure to information warfare.

“At the same time, rapid AI adoption across sectors is creating new security challenges. While ransomware volumes have decreased compared to both January and February last year, AI-enabled threats and an increasingly volatile landscape mean organizations must ensure their cyber resilience strategies can adapt to evolving risks.”
