Fragmentation and Evolution of Ransomware Operations in 2025
The ransomware landscape in 2025 experienced a significant transformation, marked by the emergence of numerous short-lived ransomware groups that rapidly executed extortion campaigns before rebranding or dissolving. Rather than relying on technical innovation, these groups focused on optimizing access through identity compromise, cloud misconfiguration, and exploiting governance gaps. Notable new families such as RansomHub, Arkana, CrazyHunter, and NightSpire appeared, often sharing infrastructure and access brokers. The proliferation of these groups led to a 20% increase in publicly listed victims compared to the previous year, with attackers increasingly leveraging weekends and holidays to maximize impact while defenders were less vigilant. Payment rates for ransomware dropped to historic lows, prompting some groups to target larger enterprises for higher payouts, while others, like Akira, focused on mid-market organizations with smaller demands.
Ransomware tactics continued to evolve, with attackers adapting their procedures and expanding their use of advanced techniques, including AI-driven capabilities and targeting SaaS platforms. The operational focus shifted from malware sophistication to exploiting weaknesses in identity and cloud security. Security teams observed that attackers frequently made mistakes and adjusted their tactics in real time, as evidenced by endpoint telemetry and event logs. The overall trend in 2025 was a chaotic, fragmented threat environment where the barriers to entry for new ransomware groups were minimal, and the success of extortion operations depended more on access and agility than on technical prowess.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Threat reports highlight defensive coverage gaps against attacker behavior
By the end of 2025, multiple threat intelligence reports concluded that defenders were falling behind attacker behavior, especially at the procedure level. The reports emphasized the need to map controls to adversary behaviors, strengthen identity security, and improve cloud permission and governance management.
Zero-day exploitation spreads beyond state actors in 2025
The 2025 threat reporting found that zero-day exploitation became more common among criminal and hybrid threat groups, not just state-sponsored actors. This compressed defender response times and increased pressure on organizations to detect behavior rather than specific tools.
Attackers expand extortion and evasion tactics during 2025
Threat actors broadened their playbooks in 2025 by using living-off-the-land techniques, stronger detection evasion, weekend and holiday timing, and multi-extortion methods including DDoS and third-party harassment. AI and automation also accelerated social engineering and other attack operations.
Ransomware operators shift toward identity, cloud, and governance weaknesses
Across 2025, many ransomware and extortion groups increasingly relied on valid credential abuse, excessive cloud permissions, SaaS compromise, and governance gaps for initial access. Data theft and extortion often replaced traditional encryption, with lightweight or reused malware supporting the campaigns.
New short-lived ransomware groups proliferate throughout 2025
During 2025, dozens of short-lived ransomware families emerged, ran extortion campaigns, and then disappeared or rebranded. Most prioritized operational efficiency and branding over developing novel malware.
Major ransomware syndicates LockBit and AlphV fall, fragmenting the ecosystem
The decline of major ransomware syndicates such as LockBit and AlphV led to a surge of newer, less coordinated groups. This fragmentation reshaped the ransomware landscape and contributed to rapid group turnover during 2025.
Sources
3 references tracked.
New Ransomware Emerged in 2025 – Threat Intel Report (thecyberthrone.in, open source)
Security coverage is falling behind the way attackers behave (helpnetsecurity.com, open source)
Ransomware’s new playbook is chaos (helpnetsecurity.com, open source)