Ransomware Ecosystem Update: Leading Groups, RaaS Expansion, and Termite’s ClickFix Adoption
Reporting highlights a broader shift in the ransomware ecosystem toward platform-like operations and ransomware-as-a-service (RaaS) models that lower the barrier to entry and accelerate the creation of new crews. Huntress telemetry for 2025 is cited as placing Akira as a leading ransomware group, with operators increasingly targeting the hypervisor layer to bypass traditional endpoint controls; separate commentary describes rapid victim growth for Qilin (claimed to exceed 1,000 victims in 2025) and notes LockBit regaining operational capability after prior disruption. The same reporting also points to “Extortion-as-a-Service” offerings (including a federation described as SLSH—Scattered Spider/Lapsus$/ShinyHunters) that enable affiliates to rent tooling rather than develop it, contributing to a surge in newly formed groups.
A separate technical write-up details Termite ransomware as a Babuk-derived operation first observed in late 2024 that has matured into a multi-stage intrusion and double-extortion threat, claiming dozens of victims across multiple sectors and regions by March 2026. The report emphasizes Termite’s operationalization of ClickFix (browser-based social engineering) to bypass traditional phishing defenses, and provides a distinctive forensic marker: encrypted files reportedly have the Babuk-inherited trailing string "choung dong looks like hot dog", positioned as a practical indicator during triage. Another overview article catalogs major active ransomware groups and tactics, including Lynx (described as sharing substantial code with INC, using double extortion, appending .lynx, and deleting shadow copies) and Medusa, while reiterating law-enforcement attribution and indictments tied to LockBit leadership and deployment activity.
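The trailing string attributed to Termite and the .lynx extension attributed to Lynx are both cheap to check for during triage. The following added example (not code from any of the cited sources) scans a directory tree for either marker, reading only the last bytes of each file so it can run across a large share; the sample tree it builds, including file names such as ledger.xlsx.enc, is constructed for the demonstration.

```python
"""Added triage helper: flag files carrying the encryption markers attributed to
Termite and Lynx in reporting. Example code, not tooling from any cited source."""
import os
import tempfile
from pathlib import Path

# Babuk-inherited trailer that Termite reportedly appends to encrypted files.
TERMITE_TRAILER = b"choung dong looks like hot dog"
# Extension that Lynx reportedly appends to encrypted files.
LYNX_EXTENSION = ".lynx"


def has_trailer(path, trailer=TERMITE_TRAILER):
    """Return True if the file ends with `trailer`; reads only the tail bytes,
    so it is cheap enough to run across a large file share."""
    size = os.path.getsize(path)
    if size < len(trailer):          # shorter than the marker: cannot match
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(trailer))
        return fh.read(len(trailer)) == trailer


def classify_file(path):
    """Return the list of indicator names matched by one file (empty if none)."""
    p = Path(path)
    hits = []
    if p.suffix.lower() == LYNX_EXTENSION:
        hits.append("lynx-extension")
    if p.is_file() and has_trailer(p):
        hits.append("termite-babuk-trailer")
    return hits


def scan_tree(root):
    """Walk `root` and return {absolute path: [indicators]} for files with any hit."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits = classify_file(full)
            if hits:
                findings[full] = hits
    return findings


def demo():
    """Build a constructed sample tree in a temp directory, scan it, and return
    the findings keyed by file name only. File names and contents are made up."""
    root = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    (root / "report.docx").write_bytes(b"PK\x03\x04 ordinary office document bytes")
    (root / "ledger.xlsx.enc").write_bytes(b"\x00" * 64 + TERMITE_TRAILER)
    (root / "notes.txt.lynx").write_bytes(b"opaque ciphertext")
    (root / "tiny").write_bytes(b"hi")   # shorter than the trailer; must not crash
    return {os.path.basename(k): v for k, v in scan_tree(root).items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

Run it against a mounted copy of a suspect share rather than the live host; a hit on the trailer is a strong indicator because the string is a fixed artifact of the encryptor, whereas the extension check alone can be fooled by renamed files.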

How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Leak site tied to Scattered Lapsus$ Hunters is seized
Authorities seized a leak site associated with the Scattered Lapsus$ Hunters consolidated threat group. The seizure is highlighted as a public disruption of that extortion ecosystem.
LockBit leadership faces US indictment and sanctions
US authorities publicly indicted and sanctioned alleged LockBit leadership. The action is cited as a notable law-enforcement response against one of the most prominent ransomware operations.
Termite claims more than 35 victims by March 2026
By March 2026, Termite had claimed over 35 victims across healthcare, government, logistics, chemicals, and financial services in North America, Europe, and Australia. Reporting also linked the operation to the Velvet Tempest affiliate ecosystem and incidents including Blue Yonder.
Documented Termite intrusion chain observed in February 2026
A February 2026 intrusion attributed to Termite used ClickFix, LOLBIN abuse including finger.exe and tar.exe, geolocation checks, CastleRAT command-and-control, fileless PowerShell staging, and on-host .NET compilation with csc.exe before Active Directory reconnaissance. The case provided detailed technical insight into the group's tradecraft.
Termite adopts large-scale ClickFix social engineering
Termite later moved to large-scale use of ClickFix, a browser-based social-engineering technique that tricks users into launching malicious PowerShell commands. This became a prominent newer initial-access method for the group.
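The ClickFix-launched PowerShell described here and the LOLBIN chain in the February 2026 entry (finger.exe, tar.exe, on-host compilation with csc.exe) can be turned into a host-level correlation rather than four isolated alerts. The following is an added example, not a rule from any of the cited sources: it maps constructed process-creation events to stage names and only raises an alert when two or more distinct stages occur on one host within a window. The event field names, the assumption that ClickFix-launched PowerShell has explorer.exe as its parent, and the thresholds are assumptions; the geolocation check and CastleRAT command-and-control from the report are not modeled.

```python
"""Added detection sketch: correlate process-creation telemetry against the
Termite stages named in reporting (ClickFix-launched PowerShell, finger.exe and
tar.exe LOLBIN use, on-host csc.exe compilation). Example code, not a rule from
any cited source; field names, parent-process assumptions and thresholds are mine."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Fields mirror a typical
# process-creation event: host, timestamp, parent image, image, command line.
SAMPLE_EVENTS = [
    # ws01: the full chain within a few minutes
    {"host": "ws01", "ts": "2026-02-10T09:00:05", "parent": "explorer.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -w hidden -enc <base64-placeholder>"},
    {"host": "ws01", "ts": "2026-02-10T09:00:09", "parent": "powershell.exe",
     "image": "finger.exe", "cmd": "finger.exe <placeholder-args>"},
    {"host": "ws01", "ts": "2026-02-10T09:00:20", "parent": "powershell.exe",
     "image": "tar.exe", "cmd": "tar.exe -xf stage.tar"},
    {"host": "ws01", "ts": "2026-02-10T09:03:41", "parent": "powershell.exe",
     "image": "csc.exe", "cmd": "csc.exe /noconfig /target:library tmp.cs"},
    # build01: developer tooling compiles C# all day; parent is not PowerShell
    {"host": "build01", "ts": "2026-02-10T09:01:00", "parent": "msbuild.exe",
     "image": "csc.exe", "cmd": "csc.exe /target:library app.cs"},
    # ws02: a lone tar.exe from an interactive shell, no other stage
    {"host": "ws02", "ts": "2026-02-10T09:02:00", "parent": "cmd.exe",
     "image": "tar.exe", "cmd": "tar.exe -cf backup.tar docs"},
]

HIDDEN_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


def stage_of(ev):
    """Map one event to a Termite stage name, or None if it matches nothing."""
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmd"].lower()
    # Assumption: a user pasting a ClickFix command into the Run dialog yields a
    # PowerShell whose parent is explorer.exe rather than a script host or scheduler.
    if image == "powershell.exe" and parent == "explorer.exe" and any(f in cmd for f in HIDDEN_FLAGS):
        return "clickfix-powershell"
    if image == "finger.exe":                               # rare in enterprise telemetry
        return "lolbin-finger"
    if image == "tar.exe" and parent in {"powershell.exe", "cmd.exe"}:
        return "lolbin-tar"
    if image == "csc.exe" and parent == "powershell.exe":   # Add-Type-style on-host compile
        return "onhost-dotnet-compile"
    return None


def correlate(events, window=timedelta(minutes=30), min_stages=2):
    """Return {host: sorted stage names} for hosts where at least `min_stages`
    distinct stages occur within `window`. A single hit stays below the
    threshold, so benign tar.exe or csc.exe use does not page anyone on its own."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in by_host.items():
        for i, (t0, _stage) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

The single-stage matches are still worth keeping as low-severity telemetry: finger.exe in particular almost never appears in normal enterprise process logs, so even one hit deserves a look, while csc.exe and tar.exe need the parent-process context before they mean anything.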
SLSH federation offers extortion-as-a-service model
A federation of Scattered Spider, Lapsus$, and ShinyHunters, referred to as SLSH, was reported to be offering an extortion-as-a-service model. The model allegedly lowered the skill threshold for less experienced threat actors.
73 new ransomware groups emerge within six months
Reporting said 73 new ransomware groups appeared within a six-month period as criminals increasingly rented tools instead of building them. The trend was presented as evidence of lower barriers to entry in the ransomware market.
LockBit 5.0 regains operational capability after shutdown
Reporting stated that LockBit 5.0 had restored its ability to operate after an earlier shutdown. The development indicated the group's resilience despite prior disruption efforts.
Akira increasingly targets hypervisors to evade endpoint defenses
Huntress said Akira increasingly attacked the hypervisor layer to bypass traditional endpoint security controls. This represented a tactical shift toward infrastructure-level impact and evasion.
Akira becomes leading ransomware group in Huntress 2025 data
Huntress reported from its 2025 data that Akira was the leading ransomware group. The company said Akira's tactics were evolving quickly, including efforts to neutralize existing security tools.
Qilin scales to over 1,000 victims in 2025
Black Duck Software reported that Qilin recorded more than 1,000 victims in 2025, roughly seven times the prior year's total. Separate reporting also described Qilin as rapidly increasing victim postings during 2025.
Termite shifts from Cleo exploitation to credential theft
Termite's access methods evolved from exploiting Cleo MFT flaws to stealing credentials with RedLine Stealer. This reflected a change in how the group established footholds in victim environments.
Termite exploits Cleo MFT vulnerabilities for initial access
After emerging, Termite used exploitation of Cleo managed file transfer remote-code-execution flaws CVE-2024-50623 and CVE-2024-55956 to gain initial access. This marked an early access vector in the group's intrusion activity.
Termite ransomware first observed
The Termite ransomware operation was first observed in the wild in November 2024. Reporting describes it as derived from the leaked Babuk source code and operating as a double-extortion threat.
RansomHub emerges as a fast-growing rebrand
RansomHub is described as a rapidly growing ransomware operation that emerged in 2024 and recruited affiliates from disrupted groups. The group became part of the reshaped affiliate-driven ransomware ecosystem.
Sources
Tarnung als Taktik: Warum Ransomware-Angriffe raffinierter werden | CSO Online (csoonline.com)
Rogues gallery: 15 worst ransomware groups active today | CSO Online (csoonline.com)
Termite Ransomware - Threat Intelligence and Technical Dissection - TheCyberThrone (thecyberthrone.in)