Ransomware Threat Landscape and Ecosystem Evolution in 2025
Ransomware in 2025 has evolved into a highly organized and profit-driven cybercrime ecosystem, with threat actors leveraging Ransomware-as-a-Service (RaaS), initial access brokers, and advanced extortion strategies. Attack volumes have reached record highs, with over 4,700 confirmed incidents through September and a notable increase in targeting of critical infrastructure, healthcare, and manufacturing sectors. The landscape is now fragmented among more than 85 active groups, and while victim disclosures have increased, ransom payments have dropped significantly as organizations improve their resilience and recovery capabilities. Attackers are increasingly using supply-chain compromises, zero-day exploits, and living-off-the-land techniques, making ransomware a persistent and adaptive threat.
The underground infrastructure supporting ransomware operations has also matured, with dark web forums like RAMP serving as central hubs for collaboration, recruitment, and intelligence sharing among major ransomware groups such as LockBit, DragonForce, and Medusa. These forums speed up the spread of new ransomware variants and operational tactics, which is part of what keeps the ecosystem agile. Meanwhile, individual families keep refining their tradecraft: HardBit 4.0, for example, brute-forces exposed RDP and SMB services for initial access, uses the legacy Neshta file infector as a dropper, disables Windows Defender, and persists through registry changes and hidden files, underscoring how adaptable modern ransomware campaigns have become.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Emsisoft reports ransomware victim claims surpassed 8,000 in 2025
An Emsisoft report published in January 2026 found that the number of claimed ransomware victims worldwide exceeded 8,000 in 2025, more than 50% above the 2023 figure. Despite takedowns such as BlackSuit, the report found that smaller, unstable groups and social-engineering-driven intrusions kept overall ransomware activity growing.
Top-10 ransomware review confirms 2025 decentralization trend
A January 2026 review of the top ransomware groups of 2025 concluded that traditional RaaS brands had lost influence as affiliates rotated between groups and shared infrastructure more freely. The report said attackers were using quieter, longer-dwell operations that enabled more precise data theft and extortion.
Briefing documents rise of exfiltration-only ransomware extortion
At the start of 2026, researchers reported a growing shift from encryption-based ransomware to pure data exfiltration and extortion. Attackers were said to abuse legitimate cloud services and administrative tools to steal data quietly, often leaving little forensic evidence and increasing regulatory and reputational pressure on victims.
Researchers warn ransomware entry points expanded beyond the perimeter
A briefing published at the end of 2025 described attackers increasingly gaining access through cloud misconfigurations, supply-chain weaknesses, social engineering on platforms like Microsoft Teams, and abuse of legitimate IT tools. It also highlighted evasion methods such as encrypting after rebooting into Safe Mode (where many endpoint agents do not run), suppressing security telemetry, and BYOVD (bring your own vulnerable driver) attacks that load a signed but exploitable driver to disable defenses from the kernel.
Analysis finds 2025 ransomware shifted to fewer, higher-value targets
A late-2025 industry briefing reported that ransomware operators were increasingly pursuing fewer but more lucrative victims, using business-like RaaS models, data theft, supply-chain pressure, and layered extortion. The shift was associated with lower payment rates but larger overall payouts and greater impact per incident.
RAMP forum identified as a key hub for ransomware collaboration
Researchers highlighted RAMP (Russian Anonymous Marketplace) as a major dark web forum used by ransomware operators, affiliates, and brokers for recruitment, trading, and coordination. The forum was noted as an early source of signals on campaigns involving groups such as DragonForce, Qilin, Medusa, Eldorado, GLOBAL Group, and LockBit.
HardBit 4.0 ransomware emerges with new evasion and access tactics
By late 2025, HardBit released version 4.0, adding a multi-stage deployment chain, use of the Neshta file-infecting virus as a dropper, Windows Defender disabling, and passphrase-gated execution to hinder analysis. The group continued to rely on brute-force access to exposed RDP and SMB services, followed by credential harvesting, lateral movement, and persistence via registry changes and hidden files.
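The access and evasion chain described for HardBit 4.0 above, and the Safe Mode and telemetry-suppression tricks in the end-of-2025 briefing, are all visible in ordinary Windows telemetry if you look for the sequence rather than individual events. The following Python is an added example, not code from the page or from any of the cited researchers. It runs four detections over a handful of constructed log records modelled on Windows Security events 4625/4624 and Sysmon events 1 and 13: a burst of failed network or RDP logons from one source followed by a success, a Defender policy value set to 1, a Run-key value pointing into a user-writable directory, and a bcdedit command that touches the safeboot setting. The IPs, hostnames, paths, threshold and window are assumptions chosen for illustration; the registry paths are generic Defender and autostart locations, not HardBit-specific indicators.

```python
"""Correlating brute-force access with defense evasion and persistence.

Added example (not from the page or any vendor). SAMPLE_EVENTS is constructed
by hand; field names loosely follow Windows Security (4625 failed logon, 4624
successful logon) and Sysmon (1 process create, 13 registry value set) events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry. 203.0.113.0/24 is an RFC 5737 documentation range;
# users, hosts and paths are made up.
SAMPLE_EVENTS = [
    # 12 failed RDP (logon type 10) logons from one source inside 12 seconds
    *[{"ts": f"2025-11-03T02:10:{i:02d}", "id": 4625, "src": "203.0.113.7",
       "user": "administrator", "logon_type": 10} for i in range(12)],
    # ...followed by a successful RDP logon from the same source
    {"ts": "2025-11-03T02:11:30", "id": 4624, "src": "203.0.113.7",
     "user": "administrator", "logon_type": 10},
    # Defender disabled through policy registry value (Sysmon 13)
    {"ts": "2025-11-03T02:15:02", "id": 13,
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)", "image": r"C:\Windows\System32\reg.exe"},
    # Run-key persistence pointing at a user-writable path (Sysmon 13)
    {"ts": "2025-11-03T02:15:40", "id": 13,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"C:\Users\Public\svchost.exe", "image": r"C:\Users\Public\svchost.exe"},
    # Boot configuration changed to Safe Mode (Sysmon 1)
    {"ts": "2025-11-03T02:16:10", "id": 1,
     "cmdline": "bcdedit.exe /set {default} safeboot network",
     "image": r"C:\Windows\System32\bcdedit.exe"},
    # Benign noise: one mistyped password at the console (logon type 2)
    {"ts": "2025-11-03T02:20:00", "id": 4625, "src": "10.0.0.5",
     "user": "jdoe", "logon_type": 2},
]

BRUTE_THRESHOLD = 10            # assumption: failures per source in the window
BRUTE_WINDOW = timedelta(minutes=5)
NETWORK_LOGON_TYPES = {3, 10}   # 3 = network (SMB), 10 = RemoteInteractive (RDP)

DEFENDER_TAMPER = (             # generic Defender policy values, not HardBit IOCs
    r"\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
)
RUN_KEY = r"\Microsoft\Windows\CurrentVersion\Run"
USER_WRITABLE = (r"c:\users\public", r"\appdata", r"c:\programdata", r"\temp")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_bruteforce(events):
    """(src, user, failures) for each network/RDP success preceded by
    >= BRUTE_THRESHOLD failed logons from the same source within BRUTE_WINDOW."""
    failures = defaultdict(list)
    for e in events:
        if e.get("id") == 4625 and e.get("logon_type") in NETWORK_LOGON_TYPES:
            failures[e["src"]].append(_ts(e))
    hits = []
    for e in sorted(events, key=_ts):
        if e.get("id") != 4624 or e.get("logon_type") not in NETWORK_LOGON_TYPES:
            continue
        t = _ts(e)
        recent = [f for f in failures.get(e["src"], []) if t - BRUTE_WINDOW <= f <= t]
        if len(recent) >= BRUTE_THRESHOLD:
            hits.append((e["src"], e["user"], len(recent)))
    return hits


def detect_defender_tamper(events):
    """Registry targets where a Defender 'Disable*' policy value was set to 1."""
    return [e["target"] for e in events if e.get("id") == 13
            and any(k.lower() in e["target"].lower() for k in DEFENDER_TAMPER)
            and e.get("details", "").endswith("(0x00000001)")]


def detect_run_key_persistence(events):
    """Run-key values whose payload lives in a user-writable directory."""
    return [(e["target"], e["details"]) for e in events if e.get("id") == 13
            and RUN_KEY.lower() in e["target"].lower()
            and any(root in e.get("details", "").lower() for root in USER_WRITABLE)]


def detect_safeboot_tamper(events):
    """bcdedit invocations that change the safeboot setting."""
    return [e["cmdline"] for e in events if e.get("id") == 1
            and "bcdedit" in e.get("image", "").lower()
            and "safeboot" in e.get("cmdline", "").lower()]


def run_detections(events):
    return {
        "bruteforce_then_success": detect_bruteforce(events),
        "defender_tamper": detect_defender_tamper(events),
        "run_key_persistence": detect_run_key_persistence(events),
        "safeboot_tamper": detect_safeboot_tamper(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

The value of the brute-force rule is the correlation: a burst of 4625s alone is noise on any internet-exposed RDP host, but a burst immediately followed by a 4624 from the same source is the moment an exposed service became an initial access vector. The other three rules fire on single events and are worth alerting on individually, but seeing all four from one host inside a few minutes is the pattern the HardBit write-up describes, and is the kind of sequence a SIEM correlation rule should stitch together.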
Dominant ransomware groups disrupted, fragmenting the ecosystem
Following disruptions of major ransomware groups in 2024, the 2025 ecosystem became more fragmented and decentralized. Affiliates increasingly operated independently, reused tools across brands, and made attribution and disruption harder for defenders.
Sources
Ransomware attacks kept climbing in 2025 as gangs refused to stay dead (go.theregister.com)
Ransomware Trends, Statistics and Facts in 2026 | Informa TechTarget (techtarget.com)
Top 10 Ransomware Groups of 2025 (socradar.io)
Ransomware Without Encryption: Why Pure Exfiltration Attacks Are Surging—and Why They’re So Hard to Catch (morphisec.com)
The Evolving Economics of Ransomware: Fewer Payments, Bigger Payouts (morphisec.com)
Inside Ransomware Threat Landscape 2025 Analysis (thecyberthrone.in)
HardBit 4.0 Ransomware Actors Attack Open RDP and SMB Services to Persist Access (cybersecuritynews.com)
Dark Web Forum: RAMP (socradar.io)