LockBit Strikes Back: Ransomware Fragmentation Reaches Critical Mass

Key Insights:

  • Q3 2025 saw a surge in ransomware activity, with 85 active ransomware and extortion groups identified, a sign of an increasingly decentralized ecosystem.
  • 1,590 victims were reported across 85 leak sites, indicating sustained activity despite law-enforcement efforts.
  • 14 new ransomware brands emerged in the quarter, showcasing the agility of affiliates in reorganizing post-takedowns.
  • LockBit’s comeback with version 5.0 hints at potential re-centralization after a period of fragmentation.

The third quarter of 2025 witnessed a significant increase in ransomware incidents, with a record 85 active ransomware and extortion groups detected. The landscape, once dominated by a few large ransomware-as-a-service (RaaS) entities, has now shifted to numerous smaller, transient operations.

This proliferation of leak sites signifies a fundamental change in the ransomware ecosystem. The law-enforcement and market pressures that disrupted major RaaS groups have led to the rise of decentralized actors, many of them former affiliates now operating independently.

Access the complete Q3 2025 Ransomware Report

Record Number of Active Groups

Across more than 85 monitored leak sites, ransomware operators disclosed:

  • 1,592 new victims in Q3 2025.
  • An average of 535 disclosures per month.
  • A significant shift in power: the top ten groups accounted for only 56% of victims, down from 71% earlier in the year.

Smaller groups now reveal fewer than ten victims each, indicating a rise in independent operations outside traditional RaaS structures. Many of these entities emerged following the collapse of RansomHub, 8Base, and BianLian. The quarter alone saw the introduction of 14 new groups, bringing the total for 2025 to 45.

This level of fragmentation diminishes predictability, which was once an advantage for cybersecurity professionals. With the dominance of large RaaS brands fading, security teams struggle to track affiliate activities and infrastructure reuse. The multitude of ephemeral leak sites makes attribution fleeting and intelligence based on reputation less reliable.

Figure: Share of total victims by top 10 ransomware groups, Q1–Q3 2025

Impact of Law Enforcement Actions

Despite several high-profile crackdowns targeting groups like RansomHub and 8Base, ransomware activities have not significantly decreased. Affiliates displaced by these operations quickly transition to new identities or affiliations.

The issue lies in the structure of these takedowns. Law enforcement actions typically target infrastructure or domains rather than the actual perpetrators of attacks. When a platform is disrupted, the operators disperse and regroup within days. This results in a more resilient and widespread ecosystem that resembles decentralized finance or open-source communities rather than a traditional criminal hierarchy.

This diffusion also undermines the reliability of the ransomware market. Smaller, short-lived groups have little incentive to uphold ransom agreements or provide decryption keys. Payment rates, estimated at only 25 to 40 percent, continue to decline as victims lose faith in the promises of attackers.

LockBit’s Resurgence and Re-centralization

In September 2025, the reappearance of LockBit 5.0 marked the comeback of a prominent cybercrime brand.

The administrator, LockBitSupp, had hinted at a return for months following the 2024 dismantling under Operation Cronos. The latest version introduces:

  • Enhanced Windows, Linux, and ESXi variants.
  • Quicker encryption and improved evasion techniques.
  • Individual negotiation portals for each victim.

Within the first month, at least a dozen victims fell prey to the campaign. This initiative showcases renewed confidence among affiliates and an enhanced level of technical sophistication.

By aligning with a recognizable brand like LockBit, attackers gain something that smaller groups cannot offer: credibility. Victims are more inclined to pay when they believe they will receive decryption keys, a trust that major RaaS programs meticulously maintain.

If LockBit succeeds in attracting affiliates seeking structure and credibility, it could potentially re-centralize a significant portion of the ransomware economy. Centralization has a dual impact—it simplifies tracking but also escalates the potential for coordinated attacks on a large scale.

Figure: LockBit 5.0 ransom note from an attack

DragonForce and Strategic Branding

DragonForce exemplifies another survival tactic: brand visibility. In September, the group publicly announced alliances with both LockBit and Qilin on underground forums. No shared infrastructure has been confirmed, so these partnerships seem more symbolic than operational.

These developments underscore ransomware’s evolution towards corporate-style marketing. DragonForce promotes itself through:

  • Affiliate partnership declarations.
  • Data audit services for analyzing stolen data and enhancing extortion leverage.
  • Public relations efforts to project strength and reliability.

The group’s messaging reflects a competitive environment where image and credibility hold as much value as encryption speed.

Figure: DragonForce audit example

Geographic and Industry Trends

In Q3 2025, global targeting patterns largely mirrored previous quarters but with notable regional and sectoral variations.

  • The United States represented approximately half of all reported victims, maintaining its status as a prime target for financially motivated threat actors.
  • South Korea entered the global top ten for the first time, primarily due to Qilin’s focused campaign against financial institutions.
  • Europe remained active, with Germany and the United Kingdom facing ongoing pressure from Safepay and INC Ransom.

By industry sector:

  • Manufacturing and business services each accounted for around 10% of recorded incidents.
  • Healthcare remained at 8%, with certain groups like Play avoiding the sector to minimize scrutiny.

These trends underscore how ransomware operations are influenced by business considerations rather than ideological motives. Threat actors target sectors and regions with valuable data and limited tolerance for operational disruptions.

Looking Ahead

Q3 2025 highlights the structural resilience of ransomware. Enforcement actions and market pressures no longer suppress overall activity but rather reshape the landscape. Each takedown disperses threat actors who quickly resurface under new guises or affiliations.

The resurgence of LockBit introduces a new layer of complexity, prompting speculation about a potential consolidation phase in the ransomware landscape. If LockBit regains dominance, it could restore some predictability while enabling large-scale, coordinated campaigns beyond the reach of smaller groups.

For cybersecurity professionals, the key takeaway is clear. Monitoring brands alone is insufficient. Analysts must track affiliate movements, infrastructure intersections, and economic incentives—the underlying factors that sustain ransomware despite its fragmentation.

This content is a contributed piece from one of our esteemed partners.