Ransomware threats reached a tipping point in Q3 2025 as data-leak sites surged to a record 81 active platforms, driven by major developments across the ecosystem.
English-speaking hacking collective Scattered Spider teased its first ransomware-as-a-service (RaaS) offering, “ShinySp1d3r RaaS,” while long-standing operator LockBit returned with “LockBit 5.0,” explicitly authorizing affiliates to target critical infrastructure.
A powerful alliance between LockBit, DragonForce, and Qilin has further escalated global risk, and emerging groups expanded attacks into new regions such as Thailand, which saw a 69 percent surge in listings.
This quarter’s seismic shifts underscore the growing unpredictability and reach of ransomware and signal the need for urgent action from every CISO.
In late August 2025, Scattered Spider—previously known for sophisticated phishing and social-engineering campaigns—hinted at releasing its first RaaS platform, ShinySp1d3r RaaS, via an image of a ransom note shared on Telegram.
The group claimed that ShinySp1d3r would combine its social-engineering prowess with disruptive encryption, promising “the best RaaS to ever live.” If formally launched, this service would mark a watershed moment as the first major English-led RaaS, challenging the dominance of Russian-speaking providers like DragonForce, ALPHV, and RansomHub, which typically demand deposits to ensure operational security and rarely collaborate with English-speaking affiliates.
ShinySp1d3r’s development follows Scattered Spider’s recent collaborations: in Q2 2025, the group deployed DragonForce ransomware against retail, insurance, and aviation targets, and in Q3 joined breach-and-leak collective ShinyHunters to exfiltrate Salesforce data.
Although several members have been arrested, Scattered Spider’s loosely structured network of transient, often teenage, operators suggests the group will persist in refining its RaaS offering.
Critical Infrastructure Focus
On September 3, 2025, LockBit announced its resurgence on the RAMP dark-web forum, launching LockBit 5.0 to coincide with the sixth anniversary of its affiliate program.

The new version explicitly permits affiliates to attack critical infrastructure—including nuclear, thermal, and hydroelectric power plants—unless a formal agreement with the FBI dictates otherwise.
This marks a stark departure from the industry’s long-standing taboo against such targets following high-profile disruptions like the May 2021 Colonial Pipeline attack.
LockBit 5.0’s broadened targeting options suggest a strategic push to regain dominance and perhaps retaliate against law enforcement actions that led to infrastructure seizures and member arrests in early 2024.
By restoring affiliates’ trust and expanding permissible targets, LockBit aims to reestablish itself as a top ransomware threat, leveraging both financial incentives and a narrative of vengeance to attract operators.
Alliances, New Groups, and Global Expansion
The return of LockBit was swiftly followed by a coalition with DragonForce and Qilin, forming a ransomware cartel poised to share tools, infrastructure, and tactics.
Similar partnerships have proven transformative in the past—such as in 2020, when LockBit joined forces with the Maze ransomware group.
This alliance could accelerate the adoption of double-extortion schemes—encrypting systems while exfiltrating data—and amplify attacks on previously safe sectors.
Meanwhile, active data-leak sites climbed from 72 in Q2 to 81 in Q3 2025, reflecting smaller groups filling gaps left by declines in dominant players.


Emerging actors like Beast, The Gentlemen, and Cephalus fueled a 31 percent increase in health care sector listings, while professional, scientific, and technical services saw a 17 percent rise.
Thailand experienced a 69 percent jump in listings, driven by newly formed Devman2, which listed 22 organizations after averaging fewer than 10 per quarter.


Thailand saw a record 69% increase in data-leak site appearances from Q2 to Q3 2025, driven by the emergence of “Devman2.” Successor to “Devman,” this group, appearing for the first time this quarter, has already listed over 25% of Thailand’s organizations.
These trends highlight ransomware’s evolving landscape: English-speaking RaaS entrants, emboldened legacy operators targeting critical infrastructure, strategic alliances, and opportunistic newcomers expanding globally.
Organizations must brace for continued escalation in Q4 and beyond, implementing robust controls across social engineering defenses, network segmentation, and rapid incident response to counter this multifaceted threat.
As ransomware’s reach extends into every industry and region, the era of complacency is over. Defenders must adapt to a more aggressive and unpredictable foe or face mounting risk of disruptive attacks and extortion.