Ransomware attacks fall in April as The Gentlemen rise

NCC Group has published a report showing that ransomware attacks fell to 748 globally in April. The study also found that The Gentlemen became the second most active ransomware group during the month.

Qilin remained the most prolific group, accounting for 14% of all observed attacks in April, or 107 incidents. That was down from 136 attacks in March, a decline of 21%, though it retained the top spot among tracked ransomware actors.

The figures suggest a slight easing in overall volume after March, when global ransomware activity was higher. April's total represented a 7% month-on-month decline, but activity this year has been running at a higher baseline than for much of last year.

Industrials was again the most targeted sector, accounting for 28% of attacks recorded in April. North America remained the most affected region.

The Gentlemen

A notable shift in the latest data was the rapid rise of The Gentlemen, which accounted for 10% of ransomware activity in April. That placed the group second only to Qilin in NCC Group's monthly tracking.

The report described the group as having quickly developed into an operational ransomware-as-a-service actor. Its analysis found that affiliates were increasingly using SystemBC malware to establish covert tunnelling, avoid detection and support rapid lateral movement across corporate networks.

Those methods reflect a broader shift in ransomware operations, with criminal groups and affiliates drawing on shared tools and established intrusion techniques to carry out attacks more quickly. That model has helped sustain a high level of activity even as incident numbers fluctuate from month to month.

Matt Hull, Vice President of Cyber Intelligence and Response at NCC Group, said: "The rise of groups like The Gentlemen demonstrates how affiliates are now combining shared tooling, stealth infrastructure and repeatable intrusion methods to accelerate attacks at scale. Techniques such as covert tunnelling and rapid domain-wide deployment are shrinking the window that defenders have to detect and respond before encryption occurs."

AI debate

The report also examined debate within the cyber security industry about AI-assisted offensive activity. It cited Anthropic's Claude Mythos, described as an advanced large language model that has reportedly been able to identify vulnerabilities and build exploit chains autonomously.

NCC Group said the model could mark a step forward in AI-assisted vulnerability research, but added that its practical effect remains uncertain. The firm pointed to restricted access, controlled testing conditions and open questions about how such systems would perform at scale in live operations.

Hull addressed that uncertainty in a second comment. "Developments around AI models such as Claude Mythos suggest AI-assisted vulnerability discovery and exploitation could further compress attacker timelines in the future. However, the industry should remain cautious about overstating current capabilities, particularly where testing has been limited to controlled environments."

"Regardless, organisations can no longer rely on reactive security measures alone. Continuous attack surface management, strong identity controls and rapid detection of suspicious behaviour are becoming essential to reducing cyber risk."

Wider risks

Beyond criminal ransomware groups, several geopolitical developments could shape cyber activity in the months ahead. The report highlighted China's expanded supply chain security regulations and the strategic significance of NASA's Artemis programme as areas likely to draw attention from state-backed actors.

The assessment said such developments could lead to more espionage, supply chain compromise and intelligence gathering against multinational organisations. That would add pressure on companies already dealing with a ransomware market that remains busy despite April's decline in headline numbers.

The latest figures suggest that while the monthly total has dipped, the threat landscape is still changing quickly, with newer groups gaining share and established actors maintaining a high tempo of attacks across key sectors.

April's 748 recorded attacks and The Gentlemen's 10% share of activity underscored that point.