Law Enforcement Disruption and Ransomware Group Realignment in 2025
Law enforcement agencies have intensified their efforts against major ransomware groups, leading to significant disruptions in the global ransomware ecosystem. In Q2 2025, prominent ransomware-as-a-service (RaaS) groups such as LockBit and RansomHub either ceased operations or stopped publishing victim data, resulting in a fractured landscape previously dominated by a few powerful actors. This shift was largely attributed to coordinated international law enforcement operations, which in May 2025 dismantled over 300 malicious servers, shut down more than 650 domains, and issued arrest warrants for at least 20 individuals connected to ransomware and initial access malware infrastructure.
The takedown of LockBit’s infrastructure in late 2024 under Operation Cronos set a precedent, demonstrating the vulnerability of even the most prolific ransomware groups when faced with unified global action. As a result, the ransomware ecosystem became more fragmented, with smaller, agile actors attempting to fill the void left by the dismantled groups. Concurrently, the profitability of ransomware attacks has declined due to evolving regulations, including bans on ransom payments, further pressuring threat actors.
Despite these setbacks, LockBit has attempted a resurgence, announcing a strategic alliance with other major ransomware groups, Qilin and DragonForce, in Q3 2025. This coalition aims to share techniques, resources, and infrastructure, potentially restoring LockBit’s reputation among affiliates and increasing the operational capabilities of all involved groups. The emergence of LockBit 5.0, capable of targeting Windows, Linux, and ESXi systems, marks a technological advancement in their toolkit, first advertised in September 2025. Qilin, now the most active ransomware group, claimed over 200 victims in Q3 2025, with a particular focus on North American organizations.
The alliance between LockBit, Qilin, and DragonForce is expected to trigger a surge in attacks, especially on critical infrastructure and sectors previously considered low risk. The ongoing evolution of the ransomware threat landscape underscores the dynamic interplay between law enforcement actions and the adaptability of cybercriminal groups. The future trajectory of ransomware will likely depend on the continued effectiveness of law enforcement operations and the ability of threat actors to reorganize and innovate. Organizations are advised to remain vigilant, as the threat landscape remains volatile and unpredictable. The collaboration among major ransomware groups signals a potential escalation in both the scale and sophistication of future attacks. The global cybersecurity community must continue to coordinate efforts to counter these evolving threats and mitigate their impact on critical sectors.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers report no evidence yet of joint cartel operations
By October 2025, reporting on the new alliance noted that there was still no observed evidence of joint attacks or a shared leak site operated by DragonForce, Qilin, and LockBit. The cartel had been announced, but its operational integration had not yet been publicly demonstrated.
LockBit authorizes affiliates to target critical infrastructure
As part of the new alliance announced in September 2025, LockBit changed its targeting rules and allowed affiliates to attack critical infrastructure sectors that had previously been treated as off-limits. This marked a notable escalation in ransomware risk to sensitive sectors.
DragonForce, Qilin, and LockBit announce a ransomware cartel
In early September 2025, the three ransomware-as-a-service groups announced an alliance to coordinate attacks and share resources in response to mounting law enforcement pressure. The move was framed as an effort to strengthen market position and help restore LockBit's standing after earlier disruptions.
Operation Cronos disrupts LockBit infrastructure and leads to arrests
In February 2024, law enforcement seized LockBit infrastructure and arrested members, significantly damaging the group's operations and reputation. The crackdown increased pressure across the ransomware ecosystem and set conditions for later criminal consolidation.


