In May 2025, the cyber threat landscape became noticeably more turbulent. According to data published by Acronis, we saw one of the most intense months in terms of cybercriminal activity in recent times. The numbers are clear: not only has the number of detected threats and blocked suspicious sites increased, but there have also been more successful attacks, including ransomware and data breaches.
While spikes in incidents are nothing new to the industry, the speed and scale of the increases may be cause for concern.
Increase of several tens of percent in one month
Acronis, which specialises in data protection and cyber security, reports that its systems blocked more than 10.8 million unsafe URLs in May – 22% more than in April. At the same time, the number of malware attacks detected increased by a staggering 36% to over 800,000 cases.
Such activity points to an increase in the effectiveness of phishing campaigns and the growing activity of botnets that distribute malware on a massive scale. Importantly, these increases are global, but specific outbreaks of threats are occurring in specific regions.
At the centre of the digital storm
The global average malware detection rate was 6.7%. High cyber threat activity was reported in Germany, Vietnam, India, Peru, Brazil, Spain and the United Arab Emirates.
This geographical distribution indicates that cybercriminals are increasingly targeting not only the technical ability to penetrate a given market, but also its vulnerability to inadequate security and low organisational maturity in the area of cyber security.
Lumma, Remcos, AsyncRAT – classics with new tricks
Three types of malware were particularly prevalent in May: Lumma, Remcos and AsyncRAT. These are well-known tools in the cybercriminals’ arsenal – used to remotely take over a system, steal data and further spread infections. Importantly, they are difficult for traditional AV systems to detect, making them attractive to large-scale criminals.
This is another indication that classic antivirus software without the support of solutions based on behavioural analysis or artificial intelligence cannot effectively defend an organisation.
Ransomware – a consistently profitable attack model
Although malware dominated the statistics, ransomware remains the most costly and disruptive threat. Three active groups – SafePay, Silent RansomGroup and Quilin – were collectively responsible for nearly 200 known attacks in May. Their modus operandi is system encryption and ransomware extortion, often supported by additional blackmail based on data disclosure.
From the companies’ point of view, any such attack is not only an operational problem, but also a reputational risk, financial penalties (in the case of RODO breaches) and the need for costly infrastructure restoration.
Data breaches: not just a side effect
The increase in attacks was also followed by data breaches. More than 580 of these were recorded in May – 80 more than the month before. This is a clear sign that cyber attacks are increasingly ending not only in an attempt to encrypt data or take over a system, but also in the actual leaking of information – both personal and business.
The increase in incidents of this type is increasing regulatory pressure on companies, and boards are increasingly having to consider cyber security as an integral part of risk management and corporate governance.
Pressure on prevention is growing
The conclusions of the Acronis report are not new, but today they ring louder than usual: prevention is the only real way to limit losses. Regularly changing passwords, encrypting sensitive data, implementing AI-based tools, keeping systems up-to-date and protecting email communications are now the bare minimum.
In the context of an ever-evolving threat landscape, companies need to invest not only in tools, but also in IT team competencies, user education and a systemic approach to incident management.
May’s statistics are not just a set of numbers – they are a wake-up call for the entire market. Protecting against cyber threats is no longer a task for IT specialists alone. Digital risk management is entering the boardrooms, compliance and finance departments.
For technology providers, integrators and IT sales channel companies, this means a growing demand for comprehensive, scalable security solutions – not only technical, but also organisational and educational.
