Cyber Hackers

Which Cyber-Criminal Gang is Hitting English Businesses Most?

Cyber News / Leave a Comment
There isn’t one single gang, because the biggest volume is commodity crime

If you mean who attacks English businesses most often, the honest answer is: phishing-led cybercrime, run by lots of loosely connected criminal operators (scam crews, credential thieves, access brokers), not one stable “organisation”.

The UK Government’s Cyber Security Breaches Survey 2025 shows phishing remains the most common type of attack, reported by 37% of businesses in the last 12 months (down from 42% in 2024). 

So, by sheer volume, “the group” is basically: everyone with a phishing kit and a Wi-Fi connection.

If you mean the most impactful criminal ecosystem: ransomware-as-a-service

For English businesses, the most damaging, board-level threat is still ransomware-as-a-service (RaaS): a platform model where a core group provides tooling/infrastructure and affiliates break in and deploy attacks.

The NCSC says that despite the disruption of LockBit, the ransomware threat “remains high” and is diversifying(rebranding and shifting tactics in response to pressure). 

A defensible “name” right now: Qilin (aka Agenda)

If you force a single brand that’s been unusually prominent in late-2025/early-2026 reporting, Qilin keeps showing up near the top:

  • NCC Group reported Qilin was responsible for 22% of all attacks in December 2025, far ahead of its nearest follower (Akira), in its monthly “Threat Pulse” tracking. 
  • Multiple summaries of 2025 ransomware victim postings also place Qilin as the most prolific by victim count in parts of 2025. 
  • Reuters describes Qilin as a ransomware-as-a-service operation and quotes cybersecurity experts calling it “highly aggressive and disruptive”. 

Journalist-safe framing:

  • Most common attack type: phishing/credential theft (many criminals). 
  • Most impactful ecosystem: RaaS. 
  • Most prominent single “brand” in recent reporting: Qilin (with the caveat these leaderboards change fast). 
https://www.ncsc.gov.uk/static-assets/images/guidance/Phishing-attacks-defending-your-organisation-infographic.png

How successful have they been?

Phishing: still the main way criminals get in

Even with the survey’s year-on-year drop in the proportion of businesses reporting phishing, the scale remains huge, and phishing is still the default initial access method for most crime types (fraud, account takeover, ransomware staging). 

Ransomware: “success” often shows up as extortion victim counts

Ransomware groups increasingly measure “wins” by:

  • a named victim on a leak site,
  • stolen data,
  • operational disruption,
  • payment (sometimes).

Public reporting based on leak-site victim postings indicates 2025 hit record levels (thousands of named victims), which strongly implies the overall ransomware “strike rate” stayed high even after takedowns and arrests. 

NCSC’s own position is basically: the market absorbs pressure and keeps going

Is hacking intensity against English businesses increasing or decreasing?

Phishing volume: mixed signals (rate down, threat still dominant)
  • Businesses reporting phishing fell from 42% (2024) to 37% (2025) in the Breaches Survey. 
    That’s a decrease in the share of firms saying they were hit, but it doesn’t mean attackers got bored and took up knitting. It can also reflect detection/reporting variance and the fact that a lot of phishing never gets recognised as “an incident”.
Ransomware intensity: broadly increasing over the last couple of years, with short-term dips

On the ransomware side, most reporting points to an expanding ecosystem (more groups, more claimed victims), even though any given month can spike or dip.

  • Record high victim-posting counts in 2025 (a strong signal of increased activity overall). 
  • NCC Group’s monthly tracking shows fluctuations (some months down), but also highlights periods of sustained growth and changing tactics, rather than a clean decline. 
  • NCSC assessment: ransomware remains high and is diversifying, which is consistent with “pressure hasn’t reduced the threat enough”. 

Net:

  • Commodity attacks (phishing) remain the most common entry point. 
  • Ransomware/extortion activity looks structurally elevated compared with a few years ago, even if month-to-month charts wobble. 

What you can publish as a clean conclusion

The most accurate “who” + “how successful” + “trend” summary
  • Who attacks English businesses most (by volume): phishing-led commodity cybercrime (many actors, not one gang). 
  • Who causes the most serious business disruption: ransomware-as-a-service ecosystems. 
  • Most prominent named ransomware brand in recent tracking: Qilin, cited as leading by share/volume in late 2025 reporting. 
  • Intensity trend: phishing remains dominant; ransomware activity has been structurally high and widely reported as growing in ecosystem size and victim counts, despite takedowns. 

We have created Professional High Quality Downloadable PDF’s at great prices specifically for Small and Medium UK Businesses our main website. Which include various helpful Cyber related documents and real world scenarios your business might experience, showing what to do and how to protect your business. Find them here.

Share

More Posts