# Incident Report: Global Ransomware Activity Analysis - August 2025
## Executive Summary
Global ransomware attack volume decreased by 13% in August 2025, totaling 328 incidents, following a multi-month plateau below 500 attacks. The Industrials sector was the most targeted, and sophisticated collaborative tactics, notably Scattered Spider leveraging Ransomware-as-a-Service (RaaS) operators, contributed to significant disruptions, exemplified by the crippling of HR systems for 200 municipalities in Sweden. Response efforts must adapt to these evolving criminal partnerships, which increase attack sophistication and resilience against law enforcement actions.
## Incident Details
- Discovery Date: September 17, 2025 (Date of Report Publication)
- Incident Date: August 2025 (Activity observed across the month)
- Affected Organization: Miljödata (IT provider for 80% of Sweden’s municipalities)
- Sector: Industrials (Most targeted globally); Consumer Discretionary; Information Technology (IT)
- Geography: North America and Europe accounted for over three-quarters (81%) of global attacks.
## Timeline of Events
### Initial Access
- Date/Time: Throughout August 2025
- Vector: Social Engineering (Used by Scattered Spider) and RaaS distribution channels.
- Details: Scattered Spider utilized sophisticated social engineering techniques, coordinating with RaaS affiliates (like ALPHV, RansomHub, DragonForce, Qilin) to deliver the final payload.
### Lateral Movement
- Details: Not explicitly detailed for all 328 attacks, but the collaboration model implies RaaS operators or their affiliates executed the technical aspects of the attack, including movement post-initial compromise.
### Data Exfiltration/Impact
- Date/Time: Varying throughout August
- Impact: Critical systems disruption, especially noted in the Miljödata incident where HR systems across 200 local governments were crippled.
### Detection & Response
- Details: Reporting is based on tracking by NCC Group. Specific public response details for the majority of incidents are not provided, but the overall threat required law enforcement adaptation due to shifting criminal partnerships.
## Attack Methodology
- Initial Access: Sophisticated Social Engineering (Scattered Spider specialty).
- Persistence: Not explicitly detailed at the host level; at the operational level, reliance on RaaS platforms lets the actors migrate to another operator if one is taken down.
- Privilege Escalation: Not explicitly detailed, but necessary for executing ransomware deployment.
- Defense Evasion: Partnerships with RaaS groups likely facilitate evasion by using established, less-scrutinized infrastructure.
- Credential Access: Not explicitly detailed, but inferred as necessary for post-access activity.
- Discovery: Not explicitly detailed.
- Lateral Movement: Executed by RaaS affiliates post-initial compromise.
- Collection: Not explicitly detailed.
- Exfiltration: Not explicitly detailed, although the context implies data extortion is a component.
- Impact: Ransomware deployment leading to operational failure (e.g., HR system incapacitation).
## Impact Assessment
- Financial: Not estimated, but implied high due to sector targeting (Industrials).
- Data Breach: Specific data types/volume not detailed, but HR systems were severely impacted for numerous Swedish municipalities.
- Operational: High operational impact demonstrated by the crippling of HR systems for 200 local governments via the Miljödata compromise.
- Reputational: Significant impact on affected entities, especially public service providers (municipalities).
## Indicators of Compromise
*Note: As this is a generalized industry report, specific IOCs are not provided in the source. The focus is on behavioral IOCs.*
- Behavioral indicators: Coordinated activity between social engineering specialists (Scattered Spider) and technical execution groups (RaaS affiliates).
- Behavioral indicators: Threat groups rapidly migrating between RaaS platforms to maintain operation during law enforcement scrutiny.
## Response Actions
- Containment: Not detailed for specific incidents.
- Eradication: Not detailed for specific incidents.
- Recovery: Local governments experienced disruption to HR systems, requiring recovery efforts post-attack.
- Note on Law Enforcement Response: Law enforcement actions necessitated adaptation due to the criminal partnership model.
## Lessons Learned
- Criminal partnerships (e.g., Scattered Spider + RaaS) create a more resilient and sophisticated threat landscape, allowing attackers to maintain activity despite law enforcement actions against individual operators.
- The RaaS model, offering high commission rates (e.g., 80%+), incentivizes collaboration among threat actors.
- Cyber resilience must remain a top priority for businesses and governments, even when overall attack volumes appear to be plateauing.
## Recommendations
- Security programs must account for complex, collaborative threat actor behaviors rather than individual group capabilities alone.
- Enhance defenses against sophisticated social engineering campaigns, as this remains a primary initial vector for high-impact groups.
- Organizations should implement robust business continuity and disaster recovery plans, particularly for critical systems like HR, given the demonstrated impact of ransomware on operational continuity.