Cyber attack methods evolve in November despite attack volume plateauing

• Global ransomware attacks fall by 2% in November (583) 
• Industrials account for a quarter (25%) of all ransomware attacks 
• Qilin remains the most prolific ransomware group for the fourth month in a row, accountable for 17% of attacks 
• ClickFix attacks prove popularity, after a surge in use by 517% in H1 2025 

17 December 2025 - Global ransomware attack volumes plateaued in November, according to NCC Group’s latest Cyber Threat Intelligence Report. While overall activity dipped slightly month-on-month by 2%, threat groups continued to evolve, demonstrating increasing sophistication through collaboration and the adoption of new tactics. 

Attack methods evolve and collaboration still at play 

The emerging ClickFix technique - where victims are manipulated into manually executing malicious actions using built-in system tools - was the second most common attack method in November, behind phishing. Also known as ClearFake, use of the tactic surged by 517% in the first half of 2025, following its initial identification in 2023 (ESET Threat Report H1 2025). By shifting execution to the user rather than relying on automated payloads or malicious attachments, ClickFix exploits human vulnerabilities and enables threat actors to bypass automated security controls. 

Alongside the adoption of new techniques, ransomware groups are increasingly collaborating to enhance attack effectiveness. Groups such as DragonForce have formed alliances with highly skilled affiliates from networks including Scattered Spider, allowing attackers to rapidly adapt their methods to different environments and targets. 

Industrials remain most targeted sector 

The Industrials sector accounted for 25% of all ransomware attacks in November, maintaining its position as the most targeted sector throughout 2025. Consumer Discretionary followed as the second most targeted sector, with Information Technology ranking third.  

The West makes up over three-quarters of all ransomware attacks  

North America was the most targeted region in November, accounting for 57% of global ransomware attacks, followed by Europe at 20%. Asia ranked third, representing 12% of all reported attacks. 

Qilin holds top spot as most active threat group  

For the fourth consecutive month, Qilin remained the most active ransomware group. Despite keeping top spot, its attack volume declined in November and returned to more typical levels following an October peak.  

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “Attack volumes may have steadied as we approach year-end, but business leaders cannot afford to become complacent. Threat groups are rapidly evolving, sharing tools and techniques, and already exploiting the festive period when vigilance often drops.  

“With the new Cyber Security and Resilience Bill and high-profile breaches at M&S, Co-op and JLR this year, organisations are under growing scrutiny to prove they have robust defences and incident response plans in place. As the holidays approach, staying alert to suspicious activity and strengthening security posture is as important as ever.”