The ransomware landscape in Q3 2025 has reached a critical inflection point. Despite multiple law enforcement takedowns earlier in the year, ransomware attacks remain at historically high levels. Check Point Research tracked 1,592 new victims across 85 active extortion groups, marking a 25% increase year-over-year.

While major brands like RansomHub and 8Base have vanished, new and smaller threat actors have rapidly filled the void, fragmenting the ransomware-as-a-service (RaaS) market more than ever before.

Record Fragmentation: 85 Active Extortion Groups

The number of active ransomware groups surged to a record high of 85, with 14 new groups emerging in Q3 alone. This represents the most decentralized ransomware ecosystem on record.

  • The top 10 groups now account for just 56% of all victims (down from 71% in Q1 2025).
  • 47 groups posted fewer than ten victims, signalling an influx of small, agile affiliates launching independent attacks.

This fragmentation means greater unpredictability for defenders. Small, transient groups lack reputation-driven incentives to deliver decryptors after payment, reducing victims’ chances of data recovery and further eroding trust in negotiation outcomes.

LockBit 5.0: The Return of a Ransomware Leader

Once thought dismantled, LockBit has re-emerged with LockBit 5.0, an upgraded version featuring multi-platform support (Windows, Linux, ESXi), stronger encryption, and enhanced evasion. LockBit’s return, led by its notorious administrator “LockBitSupp,” signals a possible re-centralization of affiliates seeking stable, reputable RaaS brands.

Notable Details

  • Over 15 confirmed victims have already been attributed to LockBit 5.0.
  • Affiliates are required to pay a $500 deposit to join, indicating a vetting effort.

LockBit 5.0 ransom note from an attack in mid- September

Qilin Leads 2025: Profit Over Ideology

Qilin has emerged as the most active ransomware group of 2025, averaging 75 victims per month in Q3, doubling its activity from early in the year.

Though the group claims ideological motives, Check Point Research finds its campaigns to be purely profit-driven, targeting a broad range of sectors and regions.

  • Responsible for 30 attacks in South Korea’s financial sector between August and September.
  • Offers affiliates up to 85% revenue share, making it one of the most attractive RaaS programs.
DragonForce: Marketing Meets Malware

Emerging actor DragonForce is redefining how ransomware groups compete, not through code but through branding. By announcing “coalitions” with LockBit and Qilin on underground forums and offering “data audit services” that help affiliates identify high-value files, DragonForce blurs the line between extortion and analytics.

  • 56 victims were listed in Q3 2025.
  • Focused on Germany and high-revenue companies.
  • Promotes itself with aggressive PR and recruitment on criminal forums.

This self-marketing trend illustrates how criminal RaaS operators now compete like startups, differentiating through features, brand visibility, and affiliate incentives.

Dragonforce advertises data audit services

Geographic and Industry Impact

Top Targeted Regions

  • United States: approximately 50% of global ransomware victims.
  • South Korea: entered the top 10 for the first time due to Qilin’s financial campaign.
  • Germany, United Kingdom, and Canada: remained major targets for groups such as INC Ransom, Safepay, and DragonForce.

Most Targeted Industries

  • Manufacturing and business services, each representing about 10% of attacks.
  • Healthcare, stable at 8%, though some major RaaS brands often avoid these targets to limit scrutiny.
The Bigger Picture: Law Enforcement Takedowns vs. Affiliate Adaptation

Despite numerous takedowns, overall ransomware volume remains stable at 520 to 540 victims per month.

Why it happens?

  • Law enforcement primarily targets infrastructure and core groups, and not affiliates.
  • Affiliates migrate quickly or form new groups after disruptions.
  • The result is short-term dips and brand disappearance, but long-term resilience in overall attack volume.
Outlook for Late 2025 and Beyond

The re-emergence of LockBit, combined with the fragmentation of smaller groups, points toward a hybrid future: decentralized but orbiting powerful legacy brands.

Check Point Research expects:

  • Continued affiliate-driven operations across smaller leak sites.
  • Rising monetization strategies such as “data audits” and multi-extortion models.
  • Persistent targeting of sectors with high ransom potential.
Outlook

Ransomware activity remains high and resilient. Even as major brands fade, new groups appear to fill the vacuum. The ransomware ecosystem is fragmented but adaptive, making affiliate-driven RaaS models more difficult to disrupt.

For organizations, prevention and early detection are essential. Monitoring affiliate migration, data-leak sites, and shared infrastructure can provide early warning of new campaigns.

Staying ahead of these evolving threats requires more than just endpoint protection. Check Point’s External Risk Management platform helps organizations gain full visibility into their external risks and ransomware exposure. It continuously maps attack surfaces, monitors the open, deep, and dark web, and identifies compromised assets before they become points of exploitation. By integrating this intelligence with Check Point’s prevention and detection technologies, security teams can anticipate threats earlier, coordinate faster, and strengthen resilience against the next wave of ransomware attacks.

To learn more about the Ransomware Landscape, download our Q3 Report.

You may also like