Key Takeaways:
- 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date.
- 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure.
- 14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns.
- LockBit’s reappearance with version 5.0 signals potential re-centralization after months of fragmentation.
In Q3 2025, Check Point Research recorded a record 85 active ransomware and extortion groups, the highest ever observed. What was once a concentrated market dominated by a few ransomware-as-a-service (RaaS) giants has splintered into dozens of smaller, short-lived operations.
This proliferation of leak sites represents a fundamental structural shift. The same enforcement and market pressures that disrupted large RaaS groups have fueled a wave of opportunistic, decentralized actors, many run by former affiliates now operating independently.
Read the full Q3 2025 Ransomware Report
A Record 85 Active Groups
Across more than 85 monitored leak sites, ransomware operators published:
- 1,592 new victims in Q3 2025.
- An average of 535 disclosures per month.
- A major power shift: the top ten groups accounted for just 56% of victims, down from 71% earlier this year.
Smaller actors are now posting fewer than ten victims each, reflecting a rise in independent operations outside traditional RaaS hierarchies. Many emerged from the collapse of RansomHub, 8Base, and BianLian. Fourteen new groups began publishing in Q3 alone, bringing the 2025 total to 45.
Fragmentation at this level erodes predictability, once the cyber security professional’s advantage. When large RaaS brands dominated, security teams could track affiliate behaviors and infrastructure reuse. Now, dozens of ephemeral leak sites make attribution fleeting and reputation-based intelligence far less reliable.
 |
| Share of total victims by top 10 ransomware groups, Q1–Q3 2025 |
Read the full Q3 2025 Ransomware Report.
Law Enforcement’s Limited Impact
Several high-profile takedowns this year targeting groups like RansomHub and 8Base have not meaningfully reduced ransomware volume. Affiliates displaced by these operations simply migrate or rebrand.
The problem is structural. Law-enforcement efforts typically dismantle infrastructure or seize domains, not the affiliates who execute attacks. When a platform falls, those operators scatter and regroup within days. The result is a broader, more resilient ecosystem that mirrors decentralized finance or open-source communities more than a traditional criminal hierarchy.
This diffusion also undermines the credibility of the ransomware market. Smaller, short-lived crews have no incentive to honor ransom agreements or provide decryption keys. Payment rates, estimated at just 25 to 40 percent, continue to decline as victims lose trust in attacker promises.
LockBit’s Return and Re-centralization
In…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
