NCC Group, one of several major cybersecurity firms to publish annual threat intelligence reports, said in its Annual Cyber Threat Intelligence Report for 2025 that global ransomware activity rose 50% year over year to 7,874 recorded incidents, with industrial organizations taking the largest share of attacks and North America accounting for 56% of the total.
NCC argues that enterprise risk is now shaped less by the initial breach alone than by what attackers can do once they gain access to valid credentials, trusted relationships and internal permissions.
This view is reflected in broader industry data. Verizon’s 2025 Data Breach Investigations Report said exploitation appeared in 20% of breaches, approaching credential abuse as an initial access vector, while attacks targeting edge devices and VPNs within exploitation activity rose to 22%.
NCC’s report places those two trends together rather than treating them as separate stories: attackers are still exploiting software flaws, but the damage increasingly compounds once credentials, trust relationships and internal permissions are abused.
Ransomware’s industrial concentration and the JLR benchmark
Ransomware remained the clearest expression of that shift from perimeter-first security to identity-centric risk. NCC said the industrial sector accounted for 28% of global ransomware attacks in 2025, and it used the Jaguar Land Rover incident as its clearest example of how a cyber event can spill beyond one victim into suppliers, logistics networks and downstream operations.
The UK Cyber Monitoring Centre later said the JLR incident appeared to be the most economically damaging cyber event to hit the UK, estimating £1.9 billion in financial impact and disruption across more than 5,000 UK organizations.
How ransomware groups are organizing — and how law enforcement responded
The NCC report argues that ransomware groups are becoming more operationally organized, not just more prolific. The firm identified Qilin, Akira and Cl0p as the three most active groups by its count, and highlighted Qilin’s “Call a Lawyer” feature as evidence that extortion is becoming more structured and more capable of applying regulatory and reputational pressure during negotiations.
That claim sits alongside a more active law-enforcement picture: Microsoft said a May action against Lumma disrupted about 2,300 malicious domains, while Treasury separately sanctioned Zservers and later Aeza for providing bulletproof hosting tied to ransomware and broader cybercrime.
Nation-state actors: Prepositioning, telecom and persistence
NCC’s report says Chinese and Russian actors showed a preference for patient access, telecom compromise and long-term persistence.
That assessment aligns with a late-August CISA-led advisory on Chinese state-sponsored compromises of networks worldwide, including major telecommunications infrastructure, in activity associated with Salt Typhoon.
It also aligns with DOJ actions in June against North Korean remote IT-worker schemes that had infiltrated more than 100 U.S. companies, showing how state-linked access can blend espionage, revenue generation and enterprise compromise.
AI as amplifier, not autonomous threat — yet
NCC describes AI as an amplifier of existing threats rather than a fully transformative offensive shift. That assessment fits a wider pattern in 2025 threat reporting, where AI is showing up less as a fully autonomous offensive leap and more as a force multiplier that also introduces new governance and data-security exposures.
Google Threat Intelligence Group said in November 2025 that it had identified malware families including PROMPTFLUX and PROMPTSTEAL using LLMs during execution but described parts of that activity as nascent or experimental.
Anthropic said a group it assessed with high confidence as Chinese state-sponsored used Claude Code in attempts against roughly 30 global targets, succeeding in a small number of cases.
Together, the reports suggest AI use in cyber operations remains uneven and still short of a broadly demonstrated autonomous offensive model across the wider threat landscape.
Instead, the pattern across the cited reports is that AI is making reconnaissance, scripting, phishing and iteration faster, while defenders still face design problems such as prompt injection that the UK’s NCSC warned may not be fully solvable in the way SQL injection was gradually contained.
The rapid contraction of the exploitation window
The report’s most urgent operational point may be the one on vulnerability speed. NCC said CVE disclosures rose to 48,448 in 2025 and that average time-to-exploit fell from five days in 2024 to about one day in 2025.
Verizon’s report similarly said edge-device vulnerabilities became a much larger share of exploitation activity, while NCC argued that some enterprise-relevant flaws were weaponized within hours or days. Taken together, those findings narrow the room for security teams to rely on patching cadence alone.
The report’s larger message is that resilience now depends on identity controls, supplier visibility and faster operational response as much as on perimeter hardening.