Ransomware Fragmentation Surges with 85 Groups, LockBit Resurgence Signals Potential Re-Centralization

Ransomware’s Fragmentation Peaks Amid LockBit’s Resurgence

In the third quarter of 2025, the ransomware landscape experienced unprecedented fragmentation, with 85 active ransomware and extortion groups identified—the highest number recorded to date. This surge reflects a significant shift from a previously centralized market dominated by a few major ransomware-as-a-service (RaaS) operations to a more decentralized and volatile ecosystem.

During this period, these groups disclosed 1,592 victims across 85 leak sites, maintaining a high level of activity despite intensified law enforcement efforts. Notably, 14 new ransomware brands emerged in the quarter alone, underscoring the rapid adaptability of affiliates who quickly reconstitute after takedowns.

The Rise of Decentralized Ransomware Operations

The proliferation of leak sites signifies a fundamental structural transformation within the ransomware domain. The disruption of large RaaS groups by enforcement actions and market pressures has given rise to numerous opportunistic, decentralized actors. Many of these are former affiliates who have chosen to operate independently, leading to a more fragmented and unpredictable threat environment.

Data from over 85 monitored leak sites revealed:

– 1,592 new victims reported in Q3 2025.

– An average of 535 disclosures per month.

– A significant power shift, with the top ten groups accounting for just 56% of victims, down from 71% earlier in the year.

Smaller actors, many posting fewer than ten victims each, reflect a rise in independent operations outside traditional RaaS hierarchies. This trend has been fueled by the collapse of groups like RansomHub, 8Base, and BianLian. In Q3 alone, 14 new groups began publishing, bringing the total for 2025 to 45.

This level of fragmentation erodes predictability, which was once an advantage for cybersecurity professionals. When large RaaS brands dominated, security teams could track affiliate behaviors and infrastructure reuse. Now, the emergence of numerous ephemeral leak sites makes attribution fleeting and diminishes the reliability of reputation-based intelligence.

Law Enforcement’s Limited Impact

Despite several high-profile takedowns targeting groups like RansomHub and 8Base, the overall volume of ransomware attacks has not significantly decreased. Displaced affiliates often migrate or rebrand, continuing their operations under new guises.

The core issue is structural. Law enforcement efforts typically focus on dismantling infrastructure or seizing domains rather than apprehending the affiliates who execute the attacks. Consequently, when a platform is taken down, these operators quickly scatter and regroup, resulting in a broader, more resilient ecosystem. This model mirrors aspects of decentralized finance or open-source communities more than traditional criminal hierarchies.

This diffusion also undermines the credibility of the ransomware market. Smaller, short-lived crews have little incentive to honor ransom agreements or provide decryption keys. As a result, payment rates have declined, with estimates suggesting that only 25 to 40 percent of victims choose to pay, reflecting a growing distrust in attackers’ promises.

LockBit’s Return and Potential Re-centralization

In September 2025, LockBit 5.0 marked the return of one of cybercrime’s most enduring brands. Its administrator, LockBitSupp, had been hinting at a comeback for months following the 2024 takedown under Operation Cronos. The new version introduces:

– Updated variants for Windows, Linux, and ESXi systems.

– Enhanced encryption speed and improved evasion techniques.

– Unique negotiation portals tailored for each victim.

Within the first month, at least a dozen victims were targeted, demonstrating renewed affiliate confidence and technical sophistication.

For attackers, aligning with a recognizable brand like LockBit offers advantages that smaller crews cannot provide, such as reputation and reliability. Victims are more likely to pay ransoms to established groups, believing in their ability to deliver decryption keys and honor agreements. This resurgence suggests a potential re-centralization within the ransomware ecosystem, as affiliates may gravitate back toward more organized and reputable operations.

Emerging Ransomware Groups and Tactics

The fragmentation has also led to the emergence of new ransomware groups employing diverse tactics. For instance, the Ymir ransomware family has been noted for its stealthy attacks, exploiting memory management functions to execute malicious code directly in memory, thereby enhancing its evasion capabilities. Ymir uses the ChaCha20 algorithm for encryption and allows attackers to specify directories for targeted encryption, providing greater control over their operations.

Another notable group, Fog ransomware, emerged in early 2024, primarily targeting U.S. educational networks by exploiting stolen VPN credentials. Fog employs a double-extortion strategy, threatening to publish stolen data on TOR-based leak sites if victims refuse to pay. The group has demonstrated alarming speed, with the shortest observed time from initial access to encryption being just two hours.

The Financial Impact of Ransomware

Despite the increase in the number of ransomware groups and attacks, the total amount extorted has declined. In 2024, ransomware attacks netted cybercrime groups a total of $813.5 million, down from $1.25 billion in 2023. This decrease is attributed to several factors, including enhanced organizational preparedness, skepticism towards cybercriminals’ assurances, and legal constraints in regions where ransom payments are prohibited.

The average ransom payment in Q4 2024 was $553,959, up from $479,237 in Q3. However, the median ransom payment dropped from $200,000 to $110,890 quarter-over-quarter, indicating a shift towards targeting smaller entities with more modest ransom demands.

Conclusion

The ransomware landscape in 2025 is characterized by unprecedented fragmentation, with a multitude of small, independent groups operating alongside the resurgence of established entities like LockBit. This evolution presents significant challenges for cybersecurity professionals, as the unpredictability and diversity of threats complicate defense strategies. While law enforcement efforts have disrupted major groups, the rapid adaptability of affiliates and the emergence of new tactics underscore the need for continuous vigilance and adaptive security measures.