NCC Group found that ransomware attacks fell for the third consecutive month in May 2025, despite a surge in incidents impacting retailers
# Incident Report: Global Ransomware Trend Analysis (May 2025)
## Executive Summary
Global ransomware attacks saw a third consecutive monthly decrease in May 2025, totaling 393 incidents, according to NCC Group's report. Despite this overall dip, the retail sector (NCC Group's "consumer discretionary" category) experienced a significant surge in targeting. The attacks, notably those linked to the **Scattered Spider** hacking collective against high-profile UK retailers, highlight persistent, targeted threats within consumer-facing industries.
## Incident Details
- Discovery Date: Data collected throughout May 2025.
- Incident Date: Throughout May 2025 (reporting period).
- Affected Organization: Multiple global organizations across various sectors, with high-profile UK retail victims mentioned (Marks & Spencer, The Co-op, Harrods).
- Sector: Primarily Industrials (30% of incidents) and Consumer Discretionary/Retail (26% of incidents).
- Geography: Global trend analysis, with specific high-profile retail incidents noted in the UK.
## Timeline of Events
### Initial Access
- Date/Time: Late April/May 2025 (for specific retail incidents).
- Vector: Not explicitly detailed for the overall May trend; however, the Scattered Spider group is known to use **phishing kits** and **tech vendor impersonation** against helpdesks to gain initial entry.
- Details: Retailers were heavily targeted in late April/May.
### Lateral Movement
- Not detailed in the summary, but implied by the nature of a successful ransomware campaign, which requires reaching and encrypting multiple systems.
### Data Exfiltration/Impact
- **Retail Impact:** High-profile UK retailers (M&S, Co-op, Harrods) experienced security incidents that resulted in reported **data theft** (M&S specifically noted customer data stolen).
- **Overall Impact:** Encrypted systems or data extortion attempts due to ransomware deployment.
### Detection & Response
- Detection methodology is not specified beyond industry reporting by NCC Group.
- Response actions are not detailed for the summarized incidents.
## Attack Methodology
As the source is a high-level trend report, specific TTPs are generalized based on the mentioned threat actor:
- Initial Access: Phishing/Social Engineering (implied by the reported use of phishing kits and tech vendor impersonation).
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified, though advanced groups like Scattered Spider are known for sophisticated evasion.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Not specified.
- Collection: Data theft confirmed in high-profile retail cases.
- Exfiltration: Implied, often paired with modern ransomware attacks.
- Impact: Ransomware deployment and/or data extortion.
## Impact Assessment
- Financial: Not specified in the summary (costs related to remediation and downtime are implied).
- Data Breach: Confirmed customer data theft at Marks & Spencer. High volume of attacks targeting retail suggests widespread potential exposure.
- Operational: Implied disruption due to ransomware deployment.
- Reputational: Significant reputational damage to high-profile UK retailers mentioned.
## Indicators of Compromise
*Due to the nature of the source document (a summary of trends), specific IOCs are not provided.*
- Network indicators: N/A
- File indicators: N/A
- Behavioral indicators: Increased targeting of the "consumer discretionary" (retail) sector.
## Response Actions
*Specific containment, eradication, or recovery steps are not detailed in the provided text.*
## Lessons Learned
- The retail sector remains a prime target, suggesting that common vulnerabilities or overlooked security controls in front-line customer systems are being exploited.
- The clustering of attacks against multiple major UK retailers (M&S, Co-op) within the same period may indicate coordinated efforts or the exploitation of shared vulnerabilities or supply chain weaknesses.
- Ransomware groups are capable of adapting their operational tempo (e.g., infrastructure outages impacting RansomHub's activity in April).
## Recommendations
- Retail and Industrial sectors must prioritize hardening their security posture against the entry vectors attributed to groups like Scattered Spider (phishing and helpdesk-targeted vendor impersonation).
- Increase monitoring and detection capabilities specifically targeting retail infrastructure during periods of high external visibility or promotional activity.
- Review third-party/vendor access controls, especially concerning tech support systems, given the noted focus on tech vendor impersonation.