
Ransomware in 2025 is no longer just a disruptive malware problem—it is a mature, profit-driven cybercrime ecosystem. Threat actors have evolved into well-organized enterprises, leveraging Ransomware-as-a-Service (RaaS) models, initial access brokers, and sophisticated extortion strategies. Double and triple extortion have become standard practice, combining data encryption, data theft, and public pressure through leak sites and regulatory exposure.
With increased targeting of critical infrastructure, healthcare, manufacturing, and cloud-first enterprises, ransomware operators now prioritize impact, speed, and psychological leverage over sheer volume. The convergence of supply-chain compromises, zero-day exploitation, and living-off-the-land techniques has made ransomware one of the most persistent and adaptive threats organizations face in 2025.
2025 Trends
The ransomware landscape in 2025 saw record attack volumes, with 4,701 confirmed incidents through September (a 34% YoY increase from 2024), yet fragmented into 85+ active groups, in contrast to LockBit’s 34% dominance in 2023. Victim disclosures stabilized at 520-540 monthly (1,592 in Q3 vs. 1,270 in Q3 2024, +25% YoY), but payments plummeted 35% to historic lows (25-30% rate) as recovery costs hit $5-6M per incident, often exceeding ransoms.
Key Growth Metrics
Attack frequency surged dramatically, with one incident every 19 seconds globally by Q3 and 80-130% YoY rises in some sectors.
- Q1 2025: 2,314 victims (+213% vs. Q1 2024’s 1,086).
- US incidents: +149% in first five weeks.
- Overall revenue correction: $813M in 2024 (down from $1.1B 2023), projected lower in 2025 despite volume spike.
| Metric | 2024 | 2025 (YTD) | YoY Change |
|---|---|---|---|
| Total Incidents | ~12,000 est. | 4,701 (Jan-Sep) | +34% |
| Active Groups | ~60 | 85 (Q3 peak) | +42% fragmentation |
| Victim Disclosures/Mo | ~400 | 520-540 | +30-35% |
| Ransom Payments | ~$813M | Down 35%+ | -35%+; 25% rate |
| Avg. Incident Cost | $5.13M | $5.5-6M | +7-17% |
| Attack Frequency | 1 every ~28 sec | 1 every 19 sec (Q3) | +47% faster |
Fragmentation Drivers
Law enforcement takedowns (RansomHub April, LockBit variants) splintered RaaS, spawning 14 new brands quarterly and 47 groups with <10 victims each—no group over 11% share.
- Affiliates went independent/lone wolf (15% market share, doubled YoY).
- Top 10 share fell from 71% Q1 to 56% Q3; opportunistic actors filled voids.
Evolving Tactics
- Double/triple extortion dominated (data leaks > encryption), with dwell times down to 12 days via BYOVD, AI targeting, and IABs.
- Critical sectors absorbed 50% of hits (manufacturing/healthcare up 34% YoY); median demands fell 20-34% to $1.3M as SMBs resisted.
- LockBit 5.0 re-emergence signals potential re-centralization amid volatility.
Top 25
| Rank | Group | Est. Victims/Attacks | Monthly Trend |
|---|---|---|---|
| 1 | Qilin | 298 / 200+ | 36/mo Q1 → 75/mo Q3 (108% rise) |
| 2 | Akira | 262 / 349 | Steady ramp-up; top 5 consistent Q1-Q3 |
| 3 | RansomHub | 235 / 736 | Peaked early 2025; ~200/mo pre-April shutdown |
| 4 | Cl0p/Clop | 234 | Stable data theft focus; quarterly waves |
| 5 | SafePay | 198 / 122+ | Rose post-RansomHub; top 5 Q3 |
| 6 | Play | 193 / 369 (’24 spillover) | 28/mo Q1 → 33/mo Q3 (18% rise) |
| 7 | Lynx | 161 / ~180 | ~40/mo since July; rapid postings |
| 8 | INC Ransom | 128 | 23/mo Q1 → 39/mo Q3 (70% rise) |
| 9 | Medusa | 100 | Steady late-year; deadline extensions |
| 10 | DragonForce | 56 Q3 | Tripled post-RansomHub (212% spike) |
| 11 | Warlock | 43 Q3 | Emerged June; ~14/mo rapid ramp |
| 12 | The Gentlemen | 38 Sept | ~38/mo single month; fast starter |
| 13 | ALPHV/BlackCat | High (18% share) | Declined post-takedown; sporadic Q3 |
| 14 | LockBit 3.0/5.0 | 15+ Sept | Re-emerged Sept; ~5→15+/mo |
| 15 | Rhysida | Notable | Steady mid-year; hospital focus |
| 16 | NoEscape | Emerging | Quarterly growth; cloud targets |
| 17 | Royal/BlackSuit | Selective | Low volume/high impact; stable |
| 18 | Fog | 2-11% share | +450% YoY growth; accelerating Q3 |
| 19 | Kill Security | 40+ India | Steady ~10/mo; RaaS promo ramp |
| 20 | Dire Wolf | Asia/Italy focus | New site; monthly increases |
| 21 | Silent Team | 2.8TB exfil | Sporadic high-profile |
| 22 | DATACARRY | Europe/Americas | Extortion-only; steady Q3 |
| 23 | Gunra | Global | Emerging; weekly postings late Q3 |
| 24 | “J” | 5 continents | Shadowy; consistent global |
| 25 | Everest | Notable breaches | Ops disruptions; quarterly |
Gainers and Losers
Qilin, DragonForce, INC Ransom, and Warlock showed the strongest growth in 2025, with Qilin surging 108% (36/mo Q1 to 75/mo Q3) via RansomHub affiliate recruitment, DragonForce tripling to 56 Q3 victims (+212% post-April), INC Ransom up 70% (23 to 39/mo), and Warlock emerging with 43 Q3 victims from zero in June.
Decliners included RansomHub (offline April after 736 victims), SafePay (-62.5% mid-year), Play (-31.8% early growth stall), and legacy giants like LockBit/ALPHV (down to <5% share from 20-34% peaks) amid takedowns and fragmentation.
Top Gainers
| Rank | Group | Growth Metric | Key Driver |
|---|---|---|---|
| 1 | Qilin | +108% (36/mo Q1 → 75/mo Q3) | RansomHub affiliates (80-85% cut); rep management |
| 2 | DragonForce | +212% spike to 56 Q3 victims | PR/coalitions; data audit; LockBit code reuse |
| 3 | INC Ransom | +70% (23/mo Q1 → 39/mo Q3) | Canada/healthcare focus; steady ramp |
| 4 | Warlock | 43 Q3 victims (new June) | Rapid emergence; agile operations |
| 5 | Play | +18% (28/mo Q1 → 33/mo Q3) | Wave disclosures; US-heavy |
Top Losers
| Rank | Group | Decline Metric | Key Driver |
|---|---|---|---|
| 1 | RansomHub | Offline post-736 victims | April shutdown; affiliates scattered |
| 2 | BlackSuit | Dismantled; 450+ US victims | DHS/Operation Checkmate takedown |
| 3 | SafePay | -62.5% mid-year | Post-RansomHub competition |
| 4 | ALPHV/BlackCat | <5% share (was 18%) | Exit scam/takedown; sporadic |
| 5 | LockBit (pre-5.0) | 20-30%→<11% | Operation Cronos takedown |
Ceased Operations
RansomHub, BlackSuit (Royal successor), SatanLock, and BianLian/8Base ceased major operations in 2025, driven by law enforcement takedowns, abrupt shutdowns, or internal collapses amid ecosystem fragmentation. RansomHub dominated early 2025 with 736 victims before vanishing in April, scattering affiliates to Qilin and DragonForce; BlackSuit infrastructure was dismantled in August after 450+ US victims and $370M+ payments. SatanLock, a rapid riser with 67 claims since early 2025, shuttered in July with a cryptic Telegram farewell.
| Group | Shutdown Date | Victims/Impact | Cause |
|---|---|---|---|
| RansomHub | April 2025 | 736 total; 75/mo peak | Abrupt offline; affiliates migrated to Qilin/DragonForce |
| BlackSuit (Royal successor) | August 2025 | 450+ US victims; $370M+ payments | DHS/Operation Checkmate; servers seized globally |
| SatanLock | July 2025 | 67 claims; rapid riser | Self-announced closure; cryptic Telegram farewell |
| BianLian/8Base | Q2 2025 | Multiple sectors | Enforcement pressure; stopped publishing victims |
| Babuk-Bjorka | Q2 2025 | Declining activity | Fragmentation; disappeared from landscape |
| FunkSec | Q2 2025 | Low-profile ops | Stopped victim posts; no revival |
| Cactus | Q2 2025 | Niche operations | Ceased publishing; market saturation |
| Hunters Intl. | Q2 2025 | Emerging but dormant | No new victims; enforcement pressure |
Closing Notes
The ransomware landscape in 2025 reinforces a hard truth: prevention alone is no longer sufficient. Organizations must assume breach and focus equally on resilience, detection, and recovery. Security leaders need to prioritize attack surface reduction, identity hardening, immutable backups, and continuous threat intelligence monitoring. Governance and executive-level engagement are critical, as ransomware is now a business risk, regulatory risk, and operational risk, not just a technical one. In this evolving threat environment, success is defined not by avoiding every attack—but by how quickly and effectively an organization can contain, recover, and continue operations without rewarding adversaries.


