nohacky briefings: ransomware-landscape-2025
category: threat | published: March 2026 | read time: 14 min

The Ransomware Landscape in 2025: More Victims, Less Leverage, Deeper Fragmentation

In 2025, ransomware produced more victims than any prior year on record while simultaneously generating less ransom revenue per attack than at any point in recent history. The two trends are not contradictory — they reflect a fundamental structural shift in how the ransomware economy functions and who it targets. What follows is a full-year analysis of what changed, what collapsed, and what defenders now face.

Key figures:
  45%    Year-over-year increase in ransomware attacks in 2025
  7,515  Victims claimed on dark web leak sites in 2025 (GuidePoint)
  124    Active ransomware groups in 2025 — a record high
  23%    Ransom payment rate in Q3 2025 — a historic low
  57.6%  Extortion cases involving data theft without encryption
  1,066  Qilin attacks in 2025 — the year's most active group

The headline numbers from 2025 tell a story of paradox. More victims than ever before — roughly 7,500 claimed on dark web leak sites across the year, representing a 45% increase over 2024. A record 124 active ransomware groups. Q4 2025 alone produced 2,287 unique victims, the highest single-quarter total ever tracked by GuidePoint Security's research team. Yet ransom payment rates hit historic lows, average demands fell sharply, and organizations recovered from attacks faster and with less reliance on paying for decryption keys than at any prior point in the ecosystem's history. Understanding how these two dynamics coexist requires looking at the structural changes that drove both.

2025 Ecosystem Upheaval: The Dominoes That Fell

The 2025 ransomware ecosystem was shaped more by the collapse of established players than by the emergence of new ones. Two dominant RaaS operations that had defined the prior period — LockBit and RansomHub — both effectively ceased functioning as leading operations during the year, and the vacuum they left produced the fragmented, competitive, affiliate-scrambling landscape that characterized 2025 from Q2 onward.

LockBit's Final Decline

LockBit entered 2025 severely damaged by Operation Cronos in February 2024, but not dead. LockBitSupp had reconstituted a leak site, and the group continued posting claims — though Trend Micro's April 2024 analysis had already shown that approximately two-thirds of post-disruption victim claims were recycled older cases. The May 2024 public identification of Dmitry Khoroshev as LockBitSupp, combined with the ongoing prosecution of developers and affiliates, steadily eroded both the group's reputation and its ability to recruit quality affiliates. By the end of 2024 LockBit accounted for only 5% of leak site activity, down from 20–30% at its peak. The release of LockBit 5.0 in September 2025 marked an attempted return, with the group claiming 106 new victims in December 2025 alone — but the ground-level affiliate network it had built over five years was fractured and largely migrated elsewhere.

RansomHub's Disappearance

RansomHub had risen to prominence precisely by capitalizing on LockBit's decline. Emerging in February 2024, it quickly attracted affiliates displaced from LockBit and BlackCat/ALPHV — including sophisticated operators from Scattered Spider and Evil Corp — with competitive revenue splits and multi-platform encryption capability covering Windows, Linux, FreeBSD, and ESXi. By early 2025 it was the most prolific RaaS brand in the ecosystem by victim count, averaging 75 new victims per month in the six months leading up to its shutdown.

On April 1, 2025, RansomHub's infrastructure went dark without public explanation. The shutdown left hundreds of affiliates without a platform and immediately created competitive pressure across the ecosystem. DragonForce claimed on the RAMP underground forum that RansomHub had moved to its infrastructure under a new "DragonForce Ransomware Cartel" arrangement. Whether this represented an acquisition, a hostile takeover, or an unrelated coincidence remained unclear, but the effect was immediate: Qilin's monthly victim claims nearly doubled in the weeks following RansomHub's disappearance, and DragonForce tripled its monthly output.

Additional major operations that ceased or went dormant in 2025 include 8Base, BianLian, Cactus, Babuk-Bjorka, FunkSec, Hunters International, and Blacksuit. The combined effect of these departures was not a reduction in total attack volume — attacks increased — but a profound redistribution of activity across dozens of smaller groups and new entrants. In Q1 2025, the ten most active groups accounted for 71% of all dark web leak site postings. By Q3, that figure had dropped to 56%, reflecting the accelerating fragmentation of the ecosystem as affiliates dispersed and new groups proliferated.

Who Dominated 2025

Qilin: The Year's Runaway Leader

Qilin — a Russia-linked RaaS operation first observed in 2022 and assessed to be a rebrand of the earlier Agenda ransomware group — ended 2025 as the year's most prolific ransomware brand by a significant margin. It claimed 1,066 attacks over the year, a 408% increase over its 2024 victim count of 179. In June 2025, it carried out 81 attacks in a single month. By year-end its total had surpassed LockBit's peak annual output.

The scale of Qilin's growth directly correlates with the RansomHub shutdown. When RansomHub went dark in April 2025, a Qilin administrator known as "Haise" became unusually active on underground forums advertising a new ransomware version released the same day, actively recruiting displaced affiliates. The timing was not coincidental. Qilin offered 80% of ransom payments under $3 million and 85% for larger amounts — among the most competitive splits in the market. It backed up the recruitment pitch with genuine capability improvements: new integrated DDoS capabilities, victim negotiation consultation services, and data audit tools designed to help affiliates identify the highest-value material in exfiltrated datasets before making extortion demands.

Qilin disproportionately targeted the healthcare sector throughout 2025, claiming healthcare victims at higher rates than any other group. Its attack on UK pathology laboratory Synnovis caused over $40 million in losses and disrupted NHS blood testing services for weeks — one of the highest-impact individual attacks of the year. In Q3 2025, an unusual spike of attacks on South Korean organizations — 30 victims in two months, 28 of them attributed to Qilin — was linked to an Iranian-affiliated affiliate operating through Qilin's open affiliate framework.

Akira: Consistent, Focused, Healthcare-Adjacent

Akira followed Qilin in total 2025 activity with 947 claimed cases, a 125% year-over-year increase. Unlike Qilin's more opportunistic spread, Akira maintained a focused mid-market targeting profile — organizations with revenues in the range where they have real data to protect but not the enterprise security maturity to repel sophisticated attacks. Akira remained the most prevalent ransomware strain by active incident investigations throughout Q3 2025, responsible for approximately 34% of observed attack samples in that period according to Check Point Research. Its payment rate stayed slightly above the market average, reflecting the group's discipline in targeting organizations that both need and can afford to pay for decryption.

Cl0p: Explosive Spikes, Not Constant Volume

Cl0p's pattern in 2025 was dramatically different from Qilin and Akira's steady cadence. The group's leaked-case count jumped 525% year-over-year to 594, but the distribution was highly concentrated in Q1 2025 — reflecting the tail of the Cleo MFT exploitation campaign that Cl0p had initiated in December 2024. Cl0p's model remains zero-day-to-mass-exploitation rather than sustained affiliate operations: identify and weaponize a critical vulnerability in widely-deployed enterprise software, execute rapid mass exploitation before patching, and then spend weeks and months processing extortion demands across hundreds of simultaneous victims. The Oracle E-Business Suite campaign (CVE-2025-61882, exploited from August 2025) and a November 2025 campaign through CVE-2025-14611 followed the same pattern, producing another wave of victims into Q4.

DragonForce: The Cartel Model

DragonForce emerged in 2025 as both a major ransomware group and the architect of a structural innovation in the RaaS business model. Rather than operating as a traditional RaaS where a central operator maintains infrastructure and affiliates execute attacks under that brand, DragonForce pioneered a "cartel model" that allows affiliates to operate semi-independently: running their own campaigns, choosing their own targets, customizing extortion tactics, and even operating under their own brand names while using DragonForce's underlying infrastructure and tooling. DragonForce provided white-label ransomware builders, leak site infrastructure, and encryption mechanisms, while the affiliate retained operational independence. Attacks could carry the DragonForce name for notoriety, or the affiliate's own brand for operational flexibility.

DragonForce tripled its monthly victim count following RansomHub's shutdown and ended Q3 2025 claiming 56 victims for the quarter — smaller than Qilin and Akira but demonstrating sustained growth. The group also launched a "data audit" service: for affiliates who had extracted large datasets (typically over 300 GB from companies with revenues above $15 million), DragonForce analysts would review the stolen files, identify the highest-value commercial and financial material, and produce a customized extortion letter. The service reduced the analytical burden on affiliates while maximizing the extortion leverage from each compromise.

Emerging Groups

2025 saw 73 new ransomware groups identified — the highest new entrant count on record. Many represented short-lived operations, rebrands of disrupted groups, or affiliates who established independent brands after the collapse of platforms they had previously relied on. Several new entrants were notable for their sophistication at launch, suggesting experienced operators behind them: Warlock (emerging mid-2025, exploiting a Microsoft SharePoint zero-day, linked by tooling analysis to Chinese espionage infrastructure), Sinobi (emerging mid-2025, reaching 149 victims by year-end with a growth rate indicative of an established rather than nascent group), and AiLock (deliberately marketing itself as AI-assisted).

The Economics Crisis: Why Payment Rates Collapsed

The ransomware business model entered an existential crisis in 2025 that the increasing victim count obscures. Ransom payment rates — the percentage of attack victims who actually pay the demanded ransom — fell to historic lows throughout the year. In Q3 2025, only 23% of victims paid. For data theft-only attacks without encryption, the rate dropped to 19%. By the end of 2025, roughly four out of every five targeted organizations were resolving incidents without paying.

Three converging dynamics drove this collapse. First, improved backup maturity: organizations that had invested in clean, isolated, tested backup infrastructure could restore operations without needing decryption keys, removing the primary leverage point of encryption-based ransomware. Sophos data showed that 47% of attacks were stopped before encryption in 2025, up from 22% in 2023 — a more than doubling of pre-encryption interception. Among attacks that did result in encryption, 97% of affected organizations recovered their data by some method. Second, declining trust in attacker promises: Operation Cronos's revelation that LockBit had retained victim data after receiving payment destroyed the credibility of data deletion guarantees across the ecosystem. Victims who understood that paying might not prevent their data from being published anyway had correspondingly less reason to pay. The smaller, newer groups proliferating in 2025's fragmented ecosystem had even less reputational capital to maintain — and no commercial incentive to provide working decryptors or delete exfiltrated data after payment. Third, policy pressure and organizational discipline: government guidance encouraging payment refusal, cyber insurance policies with improved containment support, and improved organizational incident response maturity all contributed to victims' increasing willingness to decline demands.

The decline in payment rates has a paradoxical effect on the groups still operating: it forces those seeking consistent revenue toward higher-value targets — large enterprises and critical infrastructure operators — while simultaneously driving volume-oriented groups toward higher attack frequency against mid-market targets. Average ransom demands fell sharply (median enterprise demand dropped from $2.75 million in 2024 to $1.2 million in 2025 per Sophos), but the concentration of high-value payments in a small number of transactions remains significant. The $75 million payment made by a single victim in 2024 illustrates how one successful "big game" attack can compensate for dozens of failures.

The Structural Pivot: From Encryption to Data Theft

The most consequential tactical shift documented in 2025 was the accelerating move away from encryption as the primary extortion mechanism toward data theft and exposure as the principal lever. Resilience's annual cyber risk report, drawing on 827 claims, found that 57.6% of extortion cases in 2025 involved data theft without encryption — with the trend accelerating as the year progressed, from 49% in the first half to 65% in the second. Sophos reported that encryption occurred in only 50% of ransomware attacks in 2025, the lowest level in six years and a steep drop from 70% in 2024. Google Threat Intelligence Group (GTIG) observed confirmed or suspected data theft in approximately 77% of ransomware intrusions — up from 57% the prior year.

The logic of this shift is straightforward. Encryption carries operational costs and detection risk: it requires deploying a payload, generates significant I/O activity that behavioral detection tools can identify, and demands ongoing infrastructure to support decryption key management and negotiation. Data theft, conducted silently before any noisy encryption payload is deployed, is faster, harder to detect in real time, and produces extortion leverage that persists regardless of the victim's recovery capability. If an organization can restore from backup and decline to pay for decryption, the attacker's only remaining leverage is the threat to publish the stolen data. Moving to data-theft-first — or data-theft-only — preserves that leverage while eliminating the technical complexity and detection exposure of the encryption phase.

Qilin exemplified this approach with its new data audit service, and Cl0p's entire strategic framework has been built around data exfiltration without encryption since the MOVEit campaign in 2023. However, Coveware's Q4 2025 analysis introduced a complication: payment rates for data-only extortion (19%) fell below payment rates for encryption-plus-data-theft attacks. This suggests that victims are becoming better at evaluating whether data-only extortion threats are credible and consequential enough to warrant payment, reducing the leverage that exfiltration-only attacks provide. Coveware projected that this dynamic may drive some groups back toward encryption in 2026 — adding encryption to existing data theft rather than replacing it — in order to restore the leverage that backup recovery had reduced.

AI Moves from Experimentation to Operations

Generative AI moved from experimental use to operational integration within ransomware operations during 2025. The applications were less about autonomous attack execution and more about improving the efficiency and quality of specific attack phases where human labor had been the bottleneck or quality constraint.

Social engineering benefited the most directly. AI-generated phishing content outperformed traditional methods in documented testing — one Harvard study cited by Resilience found AI-generated phishing achieving a 54% success rate, a 4.5x improvement over conventional approaches. For ransomware operators whose initial access depends on credential theft through phishing, this represented a significant capability multiplier. Language barrier removal was another documented application: groups that had historically been limited to Russian-language victims or required significant translation infrastructure could now generate highly convincing spear-phishing content in English, French, Korean, or any other target language without specialist staff.

Code development and evasion improvement were also documented. Security researchers found groups using AI tools to refine ransomware code — modifying encryption implementations, altering obfuscation patterns, and adapting payloads to bypass specific security product signatures. The Global Group (also called El Dorado or Blacklock) explicitly advertised AI-powered negotiation support as a feature of its RaaS offering, automating parts of the victim communication process. The Anubis group's model of generating "investigative articles" analyzing stolen victim data — essentially AI-assisted data analysis to maximize extortion leverage — represents another direct application.

The entry barrier reduction dimension of AI should not be underestimated. Searchlight Cyber's year-end report specifically cited AI as lowering barriers to entry for non-specialist groups, enabling actors without deep technical expertise to produce professional-quality phishing campaigns, analyze exfiltrated datasets for maximum leverage, and handle negotiations with a credibility that previously required skilled human operators. This contributed directly to the 73 new groups entering the ecosystem in 2025.

How Attackers Got In: Access Vector Evolution

The most notable shift in initial access tactics during 2025 was the rise of social engineering of helpdesk and IT support functions — a technique pioneered by Scattered Spider that was widely adopted across the broader ransomware ecosystem. Groups began impersonating employees to call corporate service desks, persuading technicians to reset passwords, approve new MFA devices, or grant remote access under the pretext of troubleshooting. As organizations hardened patch management and phishing defenses, attackers pivoted toward exploiting the human processes that sit around those technical controls.

Insider recruitment and bribery emerged as a documented trend, most prominently reported in connection with the Medusa ransomware group but assessed by Coveware as a growing tactic across the ecosystem. Attackers directly contacted employees — in some documented cases via LinkedIn or social media — offering cryptocurrency payments for credentials or remote access. The targeting was selective: organizations too mature to compromise through conventional initial access vectors became viable targets through their employees' financial motivations.

Vulnerability exploitation remained consistent as an initial access method, with emphasis on zero-day and n-day vulnerabilities in internet-facing applications — VPN appliances, RDP services, edge devices, and file transfer software. The ConnectWise authentication bypass (CVE-2024-1709), Ivanti vulnerabilities, and Cl0p's continuing serial exploitation of MFT platform zero-days all featured across 2025 incident investigations. Living-off-the-land techniques for lateral movement and credential access — using built-in administrative tools like WMI, RDP, SSH, PsExec, and legitimate remote monitoring tools — remained the consistent post-access pattern throughout the year.

Sectors and Geography: Who Bore the Burden

Manufacturing remained the single most targeted sector in 2025, accounting for approximately 14–29% of all claimed victims depending on the data source. The range reflects different methodologies for categorizing victims, but the consistency of manufacturing at the top of every dataset is itself significant. Manufacturing organizations combine large volumes of operationally valuable data, often-constrained IT security maturity relative to financial or technology sector peers, and supply chain dependencies that amplify the extortion pressure from operational disruption. Manufacturing attacks rose approximately 61% year-over-year.

Healthcare was the second or third most targeted sector across full-year data, with over 500 victims claimed and Qilin specifically emerging as the sector's most active threat. Healthcare organizations face the same pressure dynamic as manufacturing — operational disruption has immediate and visible consequences for patient care — but with the additional dimension that patient data is highly regulated and personally sensitive, making exposure threats particularly credible and consequential. GuidePoint noted that Qilin conducted more healthcare attacks than any other group, including the Synnovis attack that disrupted NHS pathology services across London hospitals for weeks.

Technology, professional services, and retail rounded out the top-five targeted industries. The US remained the dominant geographic target by a substantial margin, accounting for 45–66% of all claimed victims depending on the dataset and period — a concentration that reflects both the scale of US enterprise and the concentration of high-value, high-propensity-to-pay targets in North American markets.

What Law Enforcement Achieved — and What It Did Not

The 2025 data forces an honest assessment of what law enforcement disruptions accomplish and what they cannot. Operation Cronos (LockBit, February 2024), the Hive takedown, the Qakbot disruption, and multiple affiliate arrests and extraditions undeniably damaged specific criminal enterprises and produced real victim relief — decryption keys distributed, ransom demands averted, prosecutions progressed. But the aggregate victim count increased by 45% in 2025. The disruption of major groups did not reduce total ransomware activity; it redistributed it.

The redistribution effect has a specific structural logic. Successful law enforcement operations target the largest, most visible operations — the ones with the highest victim counts and the most documented history. Affiliates from disrupted operations are experienced, technically capable, and highly motivated to continue generating income. They migrate to successor platforms rapidly and bring their access, tooling, and targeting knowledge with them. The average number of victims per active group has remained relatively stable across the 2023–2025 period even as the number of groups grew — suggesting that affiliate capability is the binding constraint, not infrastructure, and that disrupting the infrastructure without capturing the affiliates simply redistributes that capability rather than eliminating it.

This does not make law enforcement action futile. It does suggest that arrest, extradition, and prosecution of operators and affiliates — particularly those physically accessible in cooperative jurisdictions — produces more durable disruption than infrastructure seizure alone. The Panev extradition and the Khoroshev indictment represent the harder, slower work that offers the most persistent impact. The fact that Khoroshev remains at large and free in Russia illustrates the fundamental limit of the enforcement model: as long as major operators maintain residence in non-extraditing jurisdictions, law enforcement can impose costs but cannot achieve permanent resolution.

What the 2025 Data Demands from Defenders

The 2025 landscape produces a specific set of implications for organizational defense that differ in important ways from the advice that would have been appropriate in 2022 or 2023.

  1. Backup strategy must be designed against data theft extortion, not just encryption recovery. The shift to 57.6% data-theft-only attacks means that clean, isolated backups — essential as they are for recovering encrypted systems — do not address the primary extortion lever in a majority of 2025-style attacks. The question of what data an attacker could exfiltrate, how sensitive it is, and what regulatory and reputational consequences its publication would trigger is now the central risk calculation in a ransomware incident. Data minimization, access control on sensitive repositories, and DLP monitoring are the defensive controls that address this threat — not backup frequency.
  2. Human attack surfaces require the same investment as technical ones. Helpdesk social engineering is now ecosystem-wide, having spread from Scattered Spider across numerous groups. IT service desk processes that allow credential resets or MFA enrollment based on caller-provided identity assertions without additional verification represent a documented, actively exploited initial access path. Every organization's IT support process should require out-of-band verification for any action that grants credential access or enrolls a new authentication device.
  3. Lateral movement detection is the most reliable pre-encryption indicator available. The consistent use of LOLBin-based lateral movement — RDP, PsExec, WMI, legitimate remote management tools — produces detectable patterns in network and endpoint telemetry before any data exfiltration or encryption event. Organizations with effective lateral movement detection — monitoring for RDP enumeration, PsExec execution from non-standard hosts, mass credential use — have the most actionable early warning available in the modern attack chain.
  4. Small and mid-market organizations are not safer in a fragmented ecosystem. The proliferation of 73 new groups in 2025, many targeting the mid-market with volume-oriented operations, means that the apparent reduced risk from LockBit's decline is offset by broader targeting across a larger number of less discriminating operators. The fragmented ecosystem is not a safer ecosystem for smaller organizations — it is one where the threat is more diffuse and harder to track.
  5. Incident response must explicitly address data exposure risk. Even organizations that successfully resist encryption and restore from backup face the data exposure dimension of modern ransomware incidents. Incident response plans that address only technical recovery — system restoration, malware removal — without a parallel track for assessing what data was accessed, what regulatory notifications are required, and how to manage public exposure of exfiltrated data are incomplete for the threat environment that 2025 established as the baseline.
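The three lateral-movement signals named in item 3 (RDP fan-out from one source, PsExec service installs from hosts that are not administrative jump hosts, and mass credential use against one target) can be expressed as simple windowed rules over normalized authentication telemetry. The block below is an added example written for this briefing, not code from the briefing's sources or any vendor; the event schema, hostnames, IP addresses, thresholds, the jump-host allowlist and the way the PsExec source address is obtained are all assumptions, and the telemetry is constructed.

```python
"""Lateral-movement detection over constructed, normalized auth telemetry.

Added example (not from the briefing). Events mimic Windows Security/System
log fields after normalization: 4624 logon (with logon type), 4625 failed
logon, and 7045 service install. All names, addresses and thresholds are
assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
RDP_FANOUT_HOSTS = 4        # distinct RDP targets from one source within WINDOW
SPRAY_ACCOUNTS = 8          # distinct accounts failing from one source within WINDOW
JUMP_HOSTS = {"10.0.1.10"}  # hypothetical admin jump host allowed to push PsExec


def _t(s):
    return datetime.fromisoformat(s)


def logon(ts, host, src_ip, user, logon_type=3, success=True):
    """Normalized 4624/4625 record; logon_type 10 is RemoteInteractive (RDP)."""
    return {"ts": _t(ts), "event": "logon", "host": host, "src_ip": src_ip,
            "user": user, "logon_type": logon_type, "success": success}


def service_install(ts, host, src_ip, service_name):
    """Normalized 7045 record. 7045 itself carries no source address; src_ip is
    assumed to have been joined from the 4624 network logon that preceded it."""
    return {"ts": _t(ts), "event": "service_install", "host": host,
            "src_ip": src_ip, "service_name": service_name}


# Constructed sample telemetry (not real logs).
EVENTS = [
    # Benign: an admin works from the jump host and pushes PsExec from it.
    logon("2025-06-10T08:30:00", "APP-03", "10.0.1.10", "admin.ops", logon_type=10),
    service_install("2025-06-10T08:31:00", "APP-03", "10.0.1.10", "PSEXESVC"),
    # Suspicious: one workstation fails logons for nine accounts at the DC in nine minutes.
    *[logon(f"2025-06-10T08:5{i}:00", "DC-01", "10.0.5.17", f"user{i:02d}", success=False)
      for i in range(9)],
    # Suspicious: the same workstation then RDPs into five servers in six minutes.
    logon("2025-06-10T09:00:00", "FS-01", "10.0.5.17", "svc_backup", logon_type=10),
    logon("2025-06-10T09:01:30", "FS-02", "10.0.5.17", "svc_backup", logon_type=10),
    logon("2025-06-10T09:03:00", "SQL-01", "10.0.5.17", "svc_backup", logon_type=10),
    logon("2025-06-10T09:04:10", "DC-01", "10.0.5.17", "svc_backup", logon_type=10),
    logon("2025-06-10T09:06:00", "HV-01", "10.0.5.17", "svc_backup", logon_type=10),
    # Suspicious: PsExec service installed on a file server from that workstation.
    service_install("2025-06-10T09:02:00", "FS-02", "10.0.5.17", "PSEXESVC"),
    # Noise: two failed logons from another host, well below the spray threshold.
    logon("2025-06-10T09:10:00", "DC-01", "10.0.8.3", "jdoe", success=False),
    logon("2025-06-10T09:10:05", "DC-01", "10.0.8.3", "jdoe2", success=False),
]


def _first_window_hitting(evts, key, threshold):
    """Return (start_ts, values) for the first WINDOW-long span of time-sorted
    evts whose distinct `key` values reach threshold, else None."""
    for i, start in enumerate(evts):
        seen = set()
        for e in evts[i:]:
            if e["ts"] - start["ts"] > WINDOW:
                break
            seen.add(e[key])
        if len(seen) >= threshold:
            return start["ts"], seen
    return None


def _group_by_source(events, predicate):
    by_src = defaultdict(list)
    for e in events:
        if predicate(e):
            by_src[e["src_ip"]].append(e)
    for evts in by_src.values():
        evts.sort(key=lambda e: e["ts"])
    return by_src


def detect_rdp_fanout(events):
    """One source opening RDP sessions to many distinct hosts inside WINDOW."""
    alerts = []
    groups = _group_by_source(events, lambda e: e["event"] == "logon"
                              and e["success"] and e["logon_type"] == 10)
    for src, evts in groups.items():
        hit = _first_window_hitting(evts, "host", RDP_FANOUT_HOSTS)
        if hit:
            alerts.append({"rule": "rdp_fanout", "src_ip": src,
                           "hosts": sorted(hit[1]), "start": hit[0]})
    return alerts


def detect_psexec_from_unexpected_host(events):
    """PSEXESVC installed on any host from a source outside the jump-host allowlist."""
    return [{"rule": "psexec_unexpected_source", "src_ip": e["src_ip"],
             "host": e["host"], "start": e["ts"]}
            for e in events
            if e["event"] == "service_install"
            and e["service_name"].upper() == "PSEXESVC"
            and e["src_ip"] not in JUMP_HOSTS]


def detect_credential_spray(events):
    """One source failing authentication for many distinct accounts inside WINDOW."""
    alerts = []
    groups = _group_by_source(events, lambda e: e["event"] == "logon" and not e["success"])
    for src, evts in groups.items():
        hit = _first_window_hitting(evts, "user", SPRAY_ACCOUNTS)
        if hit:
            alerts.append({"rule": "credential_spray", "src_ip": src,
                           "accounts": sorted(hit[1]), "start": hit[0]})
    return alerts


def run_detections(events):
    alerts = (detect_rdp_fanout(events) + detect_psexec_from_unexpected_host(events)
              + detect_credential_spray(events))
    return sorted(alerts, key=lambda a: a["start"])


if __name__ == "__main__":
    for a in run_detections(EVENTS):
        print(a["start"].isoformat(), a["rule"],
              {k: v for k, v in a.items() if k not in ("rule", "start")})
```

Run as a script, the constructed telemetry yields three alerts, all pointing at the same workstation: a credential spray starting 08:50, RDP fan-out to five servers starting 09:00, and a PsExec install on FS-02 at 09:02. The benign jump-host activity and the two stray failures produce nothing. In production the thresholds and allowlist would be tuned per environment, and the service-install rule would need the 4624/7045 join the comment describes, since the 7045 record alone does not name the source.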

Looking Into 2026

The trajectory from 2025 into 2026 suggests several high-confidence continuations and a few emerging uncertainties. Volume will continue to rise — Q1 2026 data from Bitsight already shows continued increases, with Qilin, Akira, and the newly active Sinobi leading activity. The manufacturing sector will remain the primary target. The US will continue to bear disproportionate attack volume. AI's role in ransomware operations will expand from its current foothold in phishing and negotiation into broader tactical integration.

The key uncertainty is how the economics crisis resolves. Coveware's projection that declining payment rates for data-only extortion may push groups back toward encryption-plus-exfiltration represents one possible resolution — encryption returns as an additional pressure layer rather than disappearing. An alternative resolution is continued consolidation around groups with strong brand reputations who can credibly commit to providing decryptors and deleting data after payment, recreating the trust dynamic that made LockBit and RansomHub effective at collecting payment in their prime. LockBit 5.0's December 2025 return and Qilin's sustained dominance both point toward this second path — a modest re-centralization around trusted brands in a still-fragmented ecosystem.

What will not resolve in 2026 is the fundamental dynamic: ransomware is profitable enough to attract continuous new entrants, the affiliate pool is experienced and mobile, and the jurisdictional constraints on law enforcement mean that operator-level arrests will remain rare. The 2025 data presents defenders with a clear challenge — not that the threat is new, but that its economics and tactics have shifted in ways that make prior defensive assumptions insufficient.

Key Takeaways

  1. 2025 set records for victim volume while setting records for low payment rates simultaneously. These trends are not contradictory — they reflect a ransomware economy under financial pressure that is compensating for lower per-attack revenue with higher attack frequency and broader targeting.
  2. The ecosystem fragmented dramatically following the collapse of LockBit and the April 2025 disappearance of RansomHub. 124 active groups, 73 new entrants, and a declining share of activity concentrated in the top ten groups all reflect a marketplace in which no dominant operator exists. Qilin emerged as the year's leader by volume, but the concentration that LockBit commanded at its peak does not yet exist under any successor.
  3. Data theft has overtaken encryption as the primary extortion mechanism. 57.6% of extortion cases in 2025 involved data theft without encryption. This renders backup-focused resilience strategies incomplete — data exposure is now the primary threat dimension in the majority of attacks, and organizations that have not assessed their data exposure risk are not adequately prepared for the current threat.
  4. Generative AI is now operationally integrated in ransomware attack chains, primarily in social engineering quality and scale, code adaptation for evasion, negotiation support, and data analysis for maximizing extortion leverage. The 73 new groups that entered the ecosystem in 2025 benefited from AI's barrier-reduction effect.
  5. Law enforcement disruption redistributes rather than eliminates. The 45% increase in attacks despite multiple major disruptions confirms that affiliate capability is the binding constraint — experienced operators migrate to new platforms rapidly. Prosecution and extradition of operators and affiliates offers more durable impact than infrastructure seizure alone.