Key takeaways:
- 85 active ransomware and extortion groups were seen in the third quarter of 2025, the most decentralized ransomware ecosystem to date.
- 1,590 victims were disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure.
- 14 new ransomware brands launched this quarter, proving how quickly affiliates reorganize after takedowns.
- LockBit reappeared with version 5.0, suggesting possible re-centralization after months of fragmentation.
In Q3 2025, Check Point Research recorded 85 active ransomware and extortion groups, the highest number seen so far. What was once a concentrated market dominated by a few ransomware-as-a-service (RaaS) giants has fragmented into dozens of smaller, short-lived operations.
This proliferation of leak sites represents a fundamental structural shift. The same enforcement and market pressures that have disrupted large RaaS groups have fueled a wave of opportunistic, decentralized actors, many of which are run by former affiliates now operating independently.
Read the full Q3 2025 ransomware report
A record 85 active groups
Across more than 85 monitored leak sites, ransomware operators published:
- 1,592 new victims in Q3 2025.
- An average of 535 disclosures per month.
- A major power shift: only 56% of victims were attributed to the top ten groups, down from 71% earlier this year.
Smaller actors are now posting fewer than ten victims a day, reflecting an increase in independent operations outside the traditional RaaS hierarchy. Many emerged from the collapse of RansomHub, 8Base and BianLian. Fourteen new groups began publishing in Q3 alone, bringing the total for 2025 to 45.
Fragmentation at this level destroys predictability, which was once an advantage for cybersecurity professionals. When large RaaS brands were dominant, security teams could track affiliate behavior and infrastructure reuse. Now, dozens of ephemeral leak sites make attribution fleeting and reputation-based intelligence much less reliable.
| Share of total victims by top 10 ransomware groups, Q1-Q3 2025 |
Limited impact of law enforcement
Several high-profile takedowns this year, targeting groups like RansomHub and 8Base, have not led to a meaningful reduction in the amount of ransomware. Displaced affiliates from these operations simply migrate or rebrand.
The problem is structural. Law-enforcement efforts typically destroy infrastructure or seize domains, but do not reach the affiliates carrying out the attacks. When a platform collapses, those operators disperse and regroup within days. The result is a broader, more flexible ecosystem that resembles decentralized finance or open source communities more than traditional criminal hierarchies.
This proliferation also undermines the credibility of the ransomware market. Small, short-lived groups have no incentive to honor ransom agreements or provide decryption keys. Payment rates, estimated at only 25 to 40 percent, continue to decline as victims lose faith in attackers’ promises.
LockBit’s return and re-centralization
In September 2025, LockBit 5.0 marked the return of one of the most enduring brands in cybercrime.
Its administrator, LockBitSupp, had tried to make a comeback for months after the 2024 takedown under Operation Cronos. The new version offers:
- Updated Windows, Linux and ESXi variants.
- Faster encryption and better evasion.
- Unique conversation portal per victim.
At least a dozen victims were affected in the first month. This campaign demonstrates renewed affiliate confidence and technical maturity.
For attackers, joining a recognizable brand like LockBit offers something smaller parties can’t: prestige. Victims are more likely to pay when they are confident that they will actually receive the decryption key, a trust that large RaaS programs carefully maintain.
If LockBit succeeds in attracting partners who want structure and reliability, it could re-centralize a significant part of the ransomware economy. Centralization has a double effect: it makes tracking easier but increases the potential scale of coordinated attacks.
| LockBit 5.0 ransom note from an attack |
DragonForce and the display of power
DragonForce reflects another survival strategy: visibility through branding. In September, the group publicly claimed an alliance with both LockBit and Qilin on underground forums. No shared infrastructure has been verified, and the alliances appear to be more symbolic than operational.
Still, these steps highlight ransomware’s evolution toward corporate-style marketing. DragonForce promotes itself with:
- Affiliate partnership announcements.
- Data-audit services to analyze stolen data and improve extortion leverage.
- Public relations aimed at demonstrating strength and credibility.
The group’s message reflects a competitive marketplace where image and credibility are as valuable as encryption speed.
| DragonForce audit example |
Geographic and Industry Trends
Global targeting in Q3 2025 largely mirrors previous quarters but with distinct regional and sector variations.
- United States: accounted for nearly half of all reported victims and remains a prime target of economically motivated actors.
- South Korea: entered the global top ten for the first time, almost entirely due to Qilin’s concentrated campaign against financial firms.
- Europe: Germany and the United Kingdom remained highly active, with continued pressure from Safepay and INC Ransom.
On the industry side:
- Manufacturing and business services each represented about 10 percent of recorded cases.
- Healthcare remained stable at 8 percent, although some groups, such as Play, avoid this sector to reduce scrutiny.
These changes show how ransomware is guided more by commercial logic than ideology. Actors pursue sectors and regions with high-value data and low tolerance for downtime.
The way forward
Q3 2025 confirms the structural resilience of ransomware. Enforcement and market pressure no longer suppress aggregate volume; they simply reshape the landscape. Each takedown scatters actors who quickly resurface under new names or join emerging groups.
LockBit’s return adds another layer of complexity, raising questions about whether ransomware is entering a new consolidation cycle. If LockBit re-establishes dominance, it could restore some predictability, but also re-enable large-scale, coordinated campaigns that smaller parties cannot execute.
For cybersecurity professionals, the path is clear. Keeping track of brands is no longer enough. Analysts should monitor affiliate mobility, infrastructure overlap, and economic incentives: the underlying forces that make ransomware persist even when its face is fragmented.