Q3 2025 Ransomware Surge and the Rise of Qilin and Devman Groups
Ransomware attacks surged globally in the third quarter of 2025, with a 36% year-over-year increase in publicly disclosed incidents, according to BlackFog’s analysis. The number of attacks reached 270 in Q3 2025, compared to 198 in the same period of 2024, marking a 335% increase since Q3 2020. The escalation affected organizations in 93 countries, spanning critical sectors such as airlines, automotive manufacturers, and government entities. The Qilin ransomware group was the most active threat actor during the period, responsible for 20 incidents, including high-profile attacks such as the one on the Asahi Group. Attacks in the quarter were attributed to 54 ransomware groups, 18 of them newly emerged, highlighting the fragmentation and volatility of the ransomware ecosystem. Among the newcomers, the Devman group had an outsized impact, conducting 19 attacks across Asia, Africa, Europe, and Latin America, and was linked to a $91 million ransom demand.

Law enforcement actions in 2024 and 2025, particularly against major operators like LockBit, contributed to the proliferation of new ransomware schemes: 37 new groups appeared in the first half of 2025, and additional groups surfaced in July and August. Despite these disruptions, overall attack volume remained high, with the number of victims posted to leak sites in July and August 2025 exceeding the same months in 2024. Attacks were more evenly distributed across groups than in previous years, indicating a shift in the operational landscape. The threat was not limited to large organizations; small businesses also suffered significant impacts, often lacking the resources to recover, as illustrated by personal accounts of business owners losing substantial revenue and savings. The persistence of legacy vulnerabilities and the absence of multi-factor authentication continued to facilitate successful attacks.
Ransomware operators increasingly leveraged data exfiltration and extortion tactics, with a substantial portion of attacks involving the theft and public release of sensitive data. The emergence of new Ransomware-as-a-Service (RaaS) platforms, such as Devman’s, further democratized access to ransomware tools, enabling affiliates to launch attacks with greater ease. The continued evolution of ransomware tactics, the rise of new groups, and the resilience of established actors underscore the ongoing challenge for organizations in defending against these threats. The global ransomware battlefield in Q3 2025 was marked by increased attack frequency, greater diversity of threat actors, and escalating financial and operational impacts on victims.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Fortinet and Ivanti issue new security patch advisories
Fortinet and Ivanti released patch advisories highlighted in security reporting on major enterprise and edge-device risks. The advisories were part of a broader October 2025 patch cycle focused on actively targeted infrastructure technologies.
CISA adds two Windows zero-days and IGEL Secure Boot bypass to KEV
CISA added two Windows zero-day vulnerabilities being exploited in the wild, along with an IGEL OS Secure Boot bypass, to its must-patch catalog. The move signaled active exploitation and increased urgency for defenders to remediate affected systems.
Microsoft revokes 200+ certificates tied to Oyster malware delivery
Microsoft revoked more than 200 certificates associated with Vanilla Tempest, also known as VICE SPIDER, after they were used to distribute Oyster malware through fake Microsoft Teams installers. The action was part of a response to ongoing abuse of signed binaries and installer trust.
Trend Micro reveals Operation Zero Disco targeting Cisco switches
Trend Micro reported on Operation Zero Disco, in which attackers exploited Cisco SNMP vulnerability CVE-2025-20352 to implant rootkits on Cisco switches. The activity enabled stealthy persistence, control, and lateral movement in affected environments.
Google attributes EtherHiding campaign to North Korean actor UNC5342
Google threat intelligence linked the EtherHiding activity, which stored malware payloads on Ethereum and BNB Smart Chain, to North Korean threat actor UNC5342. The campaign reportedly used fake recruiter lures to deliver JADESNOW followed by INVISIBLEFERRET.
F5 discloses August breach affecting source code and customer data
F5 disclosed that it had suffered a breach in August 2025, with the announcement delayed until it received permission from the U.S. Department of Justice. Reporting said attackers stole BIG-IP source code, customer data, and information on unreleased vulnerabilities.
BlackFog reports Q3 2025 ransomware attacks rose 36% year over year
BlackFog published its Q3 2025 ransomware findings, stating that ransomware attacks increased 36% compared with the same quarter a year earlier. The report marked a broader assessment of ransomware activity and trends during the quarter.
Devman launches a new ransomware-as-a-service platform
In late September 2025, the ransomware operator known as Devman shifted from working as an affiliate for groups including Qilin, DragonForce, and Conti to launching his own RaaS operation. He consolidated prior leak-site activity into new infrastructure and began recruiting affiliates under strict entry requirements.
Sources
6 references tracked.
Threat Intelligence Executive Report – Volume 2025, Number 5 (news.sophos.com)
Vulnerable U | #138 (vulnu.com)
BlackFog Report Reveals 36% Increase in Q3 Ransomware Attacks YoY (blackfog.com)
2025 Q3 Ransomware Report (blackfog.com)
DEW #133 - Redefining Security Visibility, TTP-First Hunting & F5 breach (detectionengineering.net)
Devman's RaaS Launch: The Affiliate Who Aims to Become the Boss (analyst1.com)