Ransomware Surge and Ecosystem Fragmentation in 2025
Ransomware attacks in 2025 have escalated both in volume and sophistication, with a 34%-50% increase in incidents compared to the previous year and over 4,700 confirmed attacks globally between January and September. The ransomware ecosystem has become highly fragmented following law enforcement actions against major groups like LockBit and ALPHV/BlackCat, resulting in the emergence of 45 new groups and a record 85 active extortion operations. Attackers have adopted advanced tactics such as double and triple extortion, AI-driven phishing, and exploitation of cloud and operational technology, with critical infrastructure sectors—manufacturing, healthcare, energy, transportation, and finance—bearing the brunt of these attacks. Despite the surge in attacks, ransom payment rates have dropped to historic lows, forcing threat actors to adapt their business models and extortion strategies.
The operational landscape has also been shaped by shifting alliances and rebranding efforts among ransomware groups. Notably, the alleged alliance between Qilin, DragonForce, and LockBit has not led to a consolidation of power but rather continued the trend of ecosystem fragmentation. Analysis of data leak site activity post-alliance announcement shows no significant operational recovery for LockBit, despite renewed branding and the release of a new malware version. These developments underscore the resilience and adaptability of ransomware actors, as well as the ongoing challenges faced by defenders in tracking and mitigating the impact of increasingly decentralized and sophisticated ransomware operations.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
LockBit resurfaces with 207 claimed victims in 2026
A new analysis reported that LockBit had claimed 207 victims in 2026, indicating a public comeback after the group's apparent halt in new postings after June 2025. The development suggests renewed resilience or reactivation despite earlier signs of decline and prior disruption pressure.
TRM reports 93 new ransomware variants and flat payments in 2025
TRM Labs reported that ransomware activity expanded in 2025 even as ransom payments stagnated, with leak-site victim postings up 44%, ransom payments holding near $850 million, and total ransomware-linked inflows around $1.3 billion. The firm said ecosystem fragmentation accelerated with 93 new ransomware variants in 2025, a 94% increase from 2024, while revenue remained concentrated among established groups.
Check Point reports ransomware consolidation in Q1 2026
Check Point Research reported that ransomware activity stayed historically high in Q1 2026 with 2,122 victims posted across more than 70 leak sites, but the ecosystem shifted away from 2025 fragmentation toward consolidation. The top 10 groups accounted for 71.1% of publicly claimed victims, led by Qilin, while The Gentlemen emerged as a major actor and LockBit 5.0 showed a strong re-emergence.
Ransomware ecosystem fragments into more groups in 2025
By 2025, the ransomware landscape had become highly fragmented, with 85 active groups and 45 new entrants. This shift followed law enforcement disruption of major operations such as LockBit and ALPHV/BlackCat and coincided with growing use of data-only extortion and other adapted tactics.
KELA says half of 2025 ransomware attacks hit critical sectors
KELA reported that 2,332 ransomware incidents targeted critical infrastructure sectors between January and September 2025, a 34% increase year over year and roughly half of all recorded attacks. Manufacturing, healthcare, energy, transportation, and financial services were highlighted as top targets, with manufacturing attacks rising 61% to 838 incidents.
Global ransomware incidents surge through January-September 2025
Between January and September 2025, 4,701 confirmed ransomware incidents were recorded globally, representing a 34% to 50% increase over 2024. The period also saw ransom payment rates fall to roughly 23% to 25%, pushing threat actors toward new extortion models.
Qilin activity rises following the alliance announcement
After the September 15 alliance announcement, Qilin experienced a notable spike in activity, likely driven by increased visibility and migration of operators. DragonForce and Qilin otherwise appeared to continue growing autonomously rather than as part of a tightly integrated coalition.
Qilin, DragonForce, and LockBit announce an alliance
On September 15, 2025, an alliance between the ransomware groups Qilin, DragonForce, and LockBit was announced. Subsequent analysis suggests the move was largely symbolic, especially for LockBit, rather than evidence of deep operational integration.
Comparitech reports 65% rise in government ransomware attacks in H1 2025
Comparitech reported 208 ransomware attacks against government agencies worldwide in the first half of 2025, up 65% from the first half of 2024 and 25% from the second half of 2024. The analysis identified the United States as the most affected country and highlighted Qilin, INC, RansomHub, Funksec, Medusa, and SafePay among the groups targeting public-sector entities.
LockBit ceases posting new claims after June 2025
The Yarix analysis states that LockBit showed no operational recovery or new victim claims after June 2025. This marked a visible decline in the group's public activity amid broader pressure on major ransomware operations.
Sources
8 references tracked.
The State of Ransomware - Q1 2026 - Check Point Research (research.checkpoint.com)
Ransomware’s back office: What the ransom note won’t say (welivesecurity.com)
LockBit Won't Die: 207 Victims in 2026 and What Ransomware Resilience Actually Looks Like (johnzblack.com)
New Disruption Opportunities in the Evolving Ransomware Ecosystem | TRM Blog (trmlabs.com)
Ransomware Attack 2025 Recap – From Critical Data Extortion to Operational Disruption (cybersecuritynews.com)
In depth analysis of the alleged Qilin, DragonForce and LockBit alliance (labs.yarix.com)
Half of 2025 ransomware attacks hit critical sectors as manufacturing, healthcare, and energy top global targets - Industrial Cyber (industrialcyber.co)
Comparitech reports 65% surge in ransomware attacks on government agencies in 2025 - Industrial Cyber (industrialcyber.co)


