SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers

Retail ransomware attacks surge 40% as Safepay tops threats

Yesterday

Ransomware attacks targeting the retail sector increased by 40% in May compared to April, according to findings released by NCC Group.

The research noted that global ransomware activity decreased by 6% in May, with 393 attacks recorded worldwide. This marked the third consecutive month of decline following elevated attack volumes earlier in 2025. However, security analysts warn that a reduction in numbers does not equate to a lowering of risk amid shifting cybercriminal tactics and ongoing geopolitical tensions.

Retail under pressure

While the industrial sector continued to experience the highest level of ransomware targeting—comprising 30% of reported cases in May, or 118 incidents—the consumer discretionary sector, including retail, saw a notable surge. Retail-related attacks rose from 73 in April to 102 in May. The report attributes this increase to the appeal of high-value targets in the sector, driven by the disruption of payment systems, access to consumer data, and prospects for substantial ransom payments.

Several high-profile retailers were reportedly targeted during the period, including Victoria's Secret, Adidas, Cartier, and Peter Green Chilled. In addition, the group known as Scattered Spider claimed responsibility for attacks on Marks & Spencer and the Co-op during May. Observers from Google Threat Intelligence Group and Mandiant have noted a shift in Scattered Spider's focus toward the US retail sector, where the abundance of large companies increases the field of potential victims. Despite difficulties in precisely attributing individual attacks to Scattered Spider, the group's techniques were observed in several US-based incidents.

Safepay rises to prominence

Safepay accounted for 18% of all recorded ransomware attacks in May, making it the most active threat actor of the month with 70 reported incidents. NCC Group described this as the first occasion Safepay has appeared among the top ten most prolific threat groups since becoming active in November 2024.

Researchers noted suggestions within the security community that Safepay could represent a rebranding of other prominent groups such as LockBit, ALPHV, or INC Ransomware. If correct, this would shed light on the rapid rise in activity and the group's apparent capacity and sophistication.

Other observed trends included the Play gang moving up to second place with 44 attacks, an increase from its previous ranking, and Qilin dropping to third position with 42 incidents. Akira, which led in April, experienced a 46% decline in reported cases, falling to 35 attacks in May.

Regional focus: North America and Europe

The report found that most ransomware activity remained concentrated in North America, which accounted for 50% of all incidents, or 193 attacks. Europe experienced 29% of attacks (112), with Asia comprising 13% (49) and South America recording 4% (17). In total, North America and Europe represented 79% of global ransomware cases.

AI and prompt injection risks

The study also addressed an emerging trend: the vulnerability of artificial intelligence systems to prompt injection attacks. As large language models are more widely adopted across sectors such as healthcare and finance, threat actors have begun to exploit weaknesses using carefully crafted prompts to bypass standard security controls, access sensitive data, or manipulate AI outputs.

According to NCC Group, 56% of AI models tested displayed susceptibility to prompt injection attacks. Current defensive measures, such as input validation and monitoring, face challenges in keeping pace with increasingly sophisticated attack methods. Suggestions for strengthening defences include adversarial training, advanced detection, secure memory management, and human-AI oversight. Regulatory bodies are urged to develop best practice guidelines for AI system security.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: "Although reported ransomware incidents declined in March, April, and May, cyber security efforts must be strengthened, not scaled back. Seasonal fluctuations, with summer approaching, may partly explain the dip. However, the rise of new threat actors like Safepay and the emergence of critical vulnerabilities in AI highlight the ongoing volatility of the ransomware landscape. This underscores the need for sustained cyber investment across both industry sectors and national defence. The focus on the UK's retail sector has shone a light on why cyber security is integral to business resilience.

"On a broader level, rising global instability, ongoing tensions between the US and China, and evolving alliances are all contributing to threat levels. Trump's involvement in the Middle East could spur deeper collaboration in advanced technologies between the US and Gulf nations, and new efforts to strengthen UK-EU relations could make involved organisations prime targets for espionage by state-sponsored adversaries. With these factors in play, cyber threats remain a persistent and evolving risk."