
Key points:
- We observed 85 active ransomware and extortion groups in Q3 2025, reflecting the most decentralized ransomware ecosystem ever.
- 1,590 victims were exposed across 85 leak sites, indicating high levels of continued activity despite law enforcement pressure.
- This quarter saw the launch of 14 new ransomware brands, showing how quickly affiliates can rebuild after takedowns.
- The re-emergence of LockBit with version 5.0 signals a possible re-centralization after months of fragmentation.
In Q3 2025, Check Point Research recorded 85 active ransomware and extortion groups, the highest number on record. What was once a concentrated market dominated by a few large ransomware-as-a-service (RaaS) programs has now splintered into dozens of small, short-lived operations.
This increase in leak sites represents a fundamental structural change. The same enforcement and market pressures that disrupted large RaaS groups are fueling a wave of opportunistic, decentralized entities, many of which are run by former affiliates who now operate independently.
Read the full Q3 2025 Ransomware Report
A record 85 active groups
Across over 85 monitored leak sites, ransomware operators published:
- 1,592 new victims in the third quarter of 2025.
- An average of 535 disclosures per month.
- A significant power shift: the top 10 groups account for just 56% of victims, down from 71% earlier this year.
Small-scale threat actors now post fewer than 10 victims each, reflecting an increase in independent activity outside of traditional RaaS hierarchies. Much of this activity stems from the collapse of RansomHub, 8Base, and BianLian. In the third quarter alone, 14 new groups started publishing, bringing the total for 2025 to 45.
This level of fragmentation erodes the predictability that security professionals used to rely on. When the big RaaS brands were dominant, security teams could track affiliate behavior and infrastructure reuse. Now, with dozens of short-lived leak sites, attribution is fleeting and reputation-based intelligence is much less reliable.
Percentage of total victims by top 10 ransomware groups (Q1-Q3 2025)
Limited influence of law enforcement
Although there have been some high-profile takedowns this year targeting groups like RansomHub and 8Base, the volume of ransomware has not decreased significantly. Affiliates displaced by these operations simply migrate or rebrand.
The problem is structural. Law enforcement typically dismantles infrastructure and seizes domains rather than reaching the affiliates who carry out the attacks. When a platform collapses, its operators scatter and regroup within a few days. The result is a broader and more resilient ecosystem that resembles decentralized finance and open source communities more than traditional criminal hierarchies.
This proliferation also undermines the credibility of the ransomware market. Small, short-lived crews have no incentive to honor ransom agreements or provide decryption keys. Payment rates, estimated at just 25-40%, continue to decline as victims lose faith in the attackers’ promises.
LockBit's return and re-centralization
In September 2025, LockBit 5.0 marked the return of one of cybercrime’s most enduring brands.
Its administrator, LockBitSupp, had been hinting at a comeback for months after the group's takedown in 2024 during Operation Cronos. The new version provides:
- Updated Windows, Linux, and ESXi variants.
- Faster encryption and better evasion.
- A unique negotiation portal for each victim.
At least 12 victims were hit within the first month. The campaign shows renewed affiliate confidence and technical maturity.
For attackers, joining a well-known brand like LockBit brings something a small team can’t provide: reputation. Victims are more likely to pay if they believe they will actually receive a decryption key, and large RaaS programs carefully maintain that trust.
If LockBit is successful in attracting affiliates looking for structure and reliability, it could recentralize a significant portion of the ransomware economy. Centralization cuts both ways: it makes tracking easier, but increases the potential scale of a coordinated attack.
Ransom note from LockBit 5.0 attack
DragonForce and the performance of power
DragonForce demonstrates another survival strategy: visibility through branding. In September, the group publicly claimed affiliation with both LockBit and Qilin on underground forums. Shared infrastructure has not been verified, and the partnership appears to be more symbolic than operational.
Still, these moves highlight the evolution of ransomware toward corporate-style marketing. DragonForce advertises:
- Affiliate partnership announcements.
- A data auditing service that analyzes stolen data to increase extortion leverage.
- Public relations activities aimed at conveying strength and reliability.
The group’s messaging reflects a competitive market where image and credibility are as important as encryption speed.
DragonForce audit example
Geographic and industry trends
Global targeting for Q3 2025 largely mirrors previous quarters, but with clear changes in regions and sectors.
The United States accounts for about half of all reported victims and continues to be a prime target for financially motivated attackers. South Korea’s entry into the world’s top 10 for the first time is almost entirely due to Qilin’s intensive campaign against financial companies. Europe remains active, with Germany and the UK seeing continued pressure from Safepay and INC Ransom.

By industry:
- Manufacturing and business services each accounted for about 10% of recorded cases.
- Healthcare stabilized at 8%, although some groups, such as Play, are avoiding this sector to reduce scrutiny.
These changes demonstrate how ransomware is guided by business logic rather than ideology. Attackers pursue sectors and regions with high-value data and low tolerance for downtime.
The road ahead
Q3 2025 confirms the structural resilience of ransomware. Enforcement and market pressures no longer suppress overall volume. They simply reshape the landscape. After each takedown, actors disperse, and they quickly resurface under new names or join emerging collectives.
LockBit’s resurgence adds further complexity and raises questions about whether ransomware is entering a new consolidation cycle. If LockBit regains its dominance, some predictability may be restored, but large-scale, coordinated campaigns that small crews cannot carry out could once again become possible.
For cybersecurity professionals, the takeaway is clear. Tracking brands is no longer enough. Analysts need to monitor affiliate mobility, infrastructure overlap, and economic incentives, the underlying forces that sustain ransomware even as its surface fragments.
