Key Takeaways:
- 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date.
- 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure.
- 14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns.
- LockBit’s reappearance with version 5.0 signals potential re-centralization after months of fragmentation.
In Q3 2025, Check Point Research recorded a record 85 active ransomware and extortion groups, the highest ever observed. What was once a concentrated market dominated by a few ransomware-as-a-service (RaaS) giants has splintered into dozens of smaller, short-lived operations.
This proliferation of leak sites represents a fundamental structural shift. The same enforcement and market pressures that disrupted large RaaS groups have fueled a wave of opportunistic, decentralized actors, many run by former affiliates now operating independently.
Read the full Q3 2025 Ransomware Report
A Record 85 Active Groups
Across more than 85 monitored leak sites, ransomware operators published:
- 1,592 new victims in Q3 2025.
- An average of 535 disclosures per month.
- A major power shift: the top ten groups accounted for just 56% of victims, down from 71% earlier this year.
Smaller actors are now posting fewer than ten victims each, reflecting a rise in independent operations outside traditional RaaS hierarchies. Many emerged from the collapse of RansomHub, 8Base, and BianLian. Fourteen new groups began publishing in Q3 alone, bringing the 2025 total to 45.
Fragmentation at this level erodes predictability, once the cyber security professional’s advantage. When large RaaS brands dominated, security teams could track affiliate behaviors and infrastructure reuse. Now, dozens of ephemeral leak sites make attribution fleeting and reputation-based intelligence far less reliable.
 |
| Share of total victims by top 10 ransomware groups, Q1–Q3 2025 |
Read the full Q3 2025 Ransomware Report.
Law Enforcement’s Limited Impact
Several high-profile takedowns this year targeting groups like RansomHub and 8Base have not meaningfully reduced ransomware volume. Affiliates displaced by these operations simply migrate or rebrand.
The problem is structural. Law-enforcement efforts typically dismantle infrastructure or seize domains, not the affiliates who execute attacks. When a platform falls, those operators scatter and regroup within days. The result is a broader, more resilient ecosystem that mirrors decentralized finance or open-source communities more than a traditional criminal hierarchy.
This diffusion also undermines the credibility of the ransomware market. Smaller, short-lived crews have no incentive to honor ransom agreements or provide decryption keys. Payment rates, estimated at just 25 to 40 percent, continue to decline as victims lose trust in attacker promises.
LockBit’s Return and Re-centralization
In September 2025, LockBit 5.0 marked the return of one of cybercrime’s most enduring brands.
Its administrator, LockBitSupp, had teased a comeback for months following the 2024 takedown under Operation Cronos. The new version delivers:
- Updated Windows, Linux, and ESXi variants.
- Faster encryption and improved evasion.
- Unique negotiation portals per victim.
At least a dozen victims were hit in the first month. The campaign demonstrates renewed affiliate confidence and technical maturity.
For attackers, joining a recognizable brand like LockBit brings something smaller crews cannot offer: reputation. Victims are more likely to pay when they believe they will actually receive decryption keys, trust that large RaaS programs carefully maintain.
If LockBit succeeds in attracting affiliates seeking structure and credibility, it could recentralize a significant portion of the ransomware economy. Centralization has a dual effect. It makes tracking easier but increases the potential scale of coordinated attacks.
 |
| LockBit 5.0 ransom note from an attack |
DragonForce and the Performance of Power
DragonForce illustrates another survival strategy: visibility through branding. In September, the group publicly claimed coalitions with both LockBit and Qilin on underground forums. No shared infrastructure has been verified, and the alliances appear more symbolic than operational.
Still, these moves highlight ransomware’s evolution toward corporate-style marketing. DragonForce promotes itself with:
- Affiliate partnership announcements.
- Data-audit services to analyze stolen data and improve extortion leverage.
- Public relations aimed at projecting strength and reliability.
The group’s messaging reflects a competitive marketplace where image and credibility are as valuable as encryption speed.
 |
| DragonForce audit example |
Geographic and Industry Trends
Global targeting in Q3 2025 largely mirrored previous quarters but with distinct regional and sector shifts.
- The United States accounted for about half of all reported victims, continuing to be the prime target for financially motivated actors.
- South Korea entered the global top ten for the first time, almost entirely due to Qilin’s focused campaign against financial firms.
- Europe remained highly active, with Germany and the United Kingdom seeing sustained pressure from Safepay and INC Ransom.
Read the full Q3 2025 Ransomware Report
On the industrial side:
- Manufacturing and business services each represented about 10 percent of recorded cases.
- Healthcare held steady at 8 percent, though some groups such as Play avoid the sector to reduce scrutiny.
These shifts show how ransomware is guided by business logic more than ideology. Actors pursue sectors and regions with high-value data and low tolerance for downtime.
The Road Ahead
Q3 2025 confirms ransomware’s structural resilience. Enforcement and market pressure no longer suppress overall volume; they simply reshape the landscape. Each takedown disperses actors who quickly resurface under new names or join emerging collectives.
LockBit’s return adds another layer of complexity, raising the question of whether ransomware is entering a new consolidation cycle. If LockBit re-establishes dominance, it may restore some predictability but also re-enable large-scale, coordinated campaigns that smaller crews cannot execute.
For cyber security professionals, the takeaway is clear. Tracking brands is no longer enough. Analysts must monitor affiliate mobility, infrastructure overlap, and economic incentives — the underlying forces that sustain ransomware even as its faces fragment.
Read the full Q3 2025 Ransomware Report →