Key Findings

During the third quarter of 2025, we monitored more than **85 active data leak sites** (DLS) that collectively listed **1,592 new victims**. Compared to the **1,607 victims reported in Q2** 2025, the publication rate remained stable, though it is still **notably higher** than the 1,270 victims recorded in Q3 2024 (a 25% increase YoY). Overall, there are **approximately 520 to 540 new victims per month**, indicating that ransomware activity has plateaued, albeit at historically high levels.

_Figure 1 – Total Number of Reported Ransomware Victims in DLS, per month._

Despite the termination of several prominent ransomware groups, the **overall number of active threat actors continues to grow**, with new ones appearing every month.

During Q3 2025, we observed a steady expansion of double-extortion activity, driven mostly by small and emerging operators. Of the 85 data leak sites tracked this quarter, **47 groups published fewer than ten victims**, suggesting a growing number of affiliates moving beyond established ransomware-as-a-service (RaaS) programs to conduct attacks independently.

This fragmentation follows the **closure or dormancy** of several major RaaS brands during the year, including RansomHub, 8Base, BianLian, Cactus, and others. In Q3 alone, 14 new groups began publishing victims, bringing the total number of **newly observed actors in 2025 to 45**. In Q1, the ten most active groups accounted for 71% of all DLS postings. In Q2, their share fell to 63%, and by Q3, to just 56%.

These findings illustrate the **limited long-term impact of law-enforcement operations** on the overall number of ransomware victims. Despite several high-profile takedowns during the past year—most of them directed at **large RaaS operations** such as **LockBit, 8Base, and Blacksuit**—the total volume of attacks did **not significantly decline**. Instead, the attacks continue a **gradual upward trend**, from an average of **approximately 420 victims per month in Q2–Q3 2024** to about **535 per month in the same period of 2025**.

This limited effect appears to stem from the **focus of enforcement efforts**: takedown operations primarily target **RaaS infrastructure and administrators**, which does not affect the **affiliate operators** who conduct the intrusions and drive the operational execution. When a major RaaS platform is disrupted, these affiliates typically **migrate to alternative programs or establish their own data-leak sites**, resulting in only short-term interruptions to overall activity levels.

The effects of **affiliate mobility** are evident both in the **proliferation of new leak sites** and in the **rising activity** of existing groups. **Qilin**, the most active actor in Q3 2025—and one of the most aggressive in recruiting former **RansomHub** affiliates—averaged around **75 victims per month**, up from **36 in Q1** prior to RansomHub’s closure in April. **INC Ransomware** increased its monthly total from **23 to 39** victims, and **Play** went from **28 to 33** during the same period.

This **ongoing fragmentation of the ecosystem** may further erode ransomware operators’ reliability. Victims traditionally rely on attackers’ reputation to supply decryption keys after payment. Large RaaS brands have a commercial incentive to maintain credibility and provide the keys, but smaller, short-lived groups do not, leading to reduced payment rates, which are currently estimated at **25–40% of total attacks**.

In this context, the re-centralization of affiliates around major, recognizable brands remains strategically significant. Large RaaS programs preserve their market advantage through **stability, reputation, and structured affiliate infrastructure**. The **re-emergence of LockBit**, discussed in the following section, may represent precisely such a re-consolidation of affiliates under a **stable and trusted brand identity**.

_Figure 2 – Ransomware Groups by Publicly Claimed Victims – Q3 2025._

Qilin, Akira, INC Ransom, Play, and Safepay maintained their positions among the most active groups in Q3. Warlock and The Gentlemen emerged more recently, both demonstrating rapid early activity: Warlock began posting victims in June 2025 and reached 43 total listings in Q3, while The Gentlemen claimed 38 victims during a single month of operation in September 2025.

Until its disruption during Operation Cronos in early 2024, LockBit dominated the RaaS ecosystem, accounting for 20–30% of all published victims. Following the takedown, several arrests were announced, and successor groups — first RansomHub, then Qilin — attempted to inherit its affiliate base. However, the group’s core administrator, known as LockBitSupp, was never apprehended and in underground forums continued to hint at an eventual comeback.

The release of LockBit 5.0 in September 2025 marks the group’s return to active operations, reigniting questions about whether the RaaS landscape may again consolidate around this long-standing brand.

_Figure 3 – LockBit’s share of all DLS-published victims._

LockBit had long promised a comeback. In May 2025, following the latest in a series of public setbacks, the group’s administrator, LockBitSupp, responded on the RAMP underground forum, declaring that they would _“always rise up after being hacked.”_

_Figure 4 – LockBit administrator vowing to return on the RAMP forum._

_Figure 5 – LockBit administrator announcing the group’s return on RAMP chat._

The XSS Russian-language cybercriminal forum previously banned LockBitSupp following a dispute with another user and reaffirmed that “explicit advertising of RaaS will remain prohibited.” RaaS programs depend on affiliate recruitment for their business model, and maintaining visibility on prominent criminal forums such as XSS or RAMP is essential to their work.

By early September, the XSS administrator reported that LockBitSupp requested to be reinstated and opened the decision to a community vote.

_Figure 6 – XSS forum administrator polling members on whether to reinstate LockBitSupp._

Despite this effort, the vote ultimately failed, and LockBit remains banned from XSS.

_Figure 7 – Voting results on LockBitSupp’s proposed return to XSS._

In early September 2025, LockBit announced on RAMP the official launch of LockBit 5.0, coinciding with the sixth anniversary of the operation. New affiliates were asked to provide a Bitcoin deposit of roughly US $500 for access to a new encryptor and an updated control panel.

_Figure 8 – LockBit 5.0 affiliate registration screen._

Since that announcement, we identified more than 15 distinct victims affected by LockBit 5.0, which replaced the earlier 4.0 builds that were still active until April 2025. LockBit continues to enforce strict operational security: all affiliate interfaces require individualized credentials, and no victims have been publicly listed on the group’s data-leak site.

_Figure 9 – LockBit 5.0 ransom note from an attack in mid-September 2025._

Updated ransom notes now explicitly identify themselves as “LockBit 5.0” and include a unique personal identifier that allows each victim to access a private negotiation portal. Victims are typically granted a 30-day grace period before the stolen data is published.

_Figure 10 – Screenshot of LockBit 5.0 negotiations with a victim, mid-September 2025._

Analysis of the initial campaign shows that approximately 65 percent of identified attacks targeted organizations in the United States, with the remainder affecting Mexico, Indonesia, and several European countries.

LockBit 5.0 represents an upgraded evolution of the previous 4.0 version, incorporating Windows, Linux, and ESXi variants. The new build introduces enhanced evasion and anti-analysis mechanisms, faster encryption routines, and the use of a randomized 16-character file extension to disrupt signature-based detection. Most confirmed infections were deployed on Windows systems, while roughly 20 percent targeted ESXi virtual infrastructure.
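Because a randomized extension defeats matching on a fixed suffix, a defender can match on its shape and on the rate of renames instead. The following is an added example, not code from the report: the event tuple layout, the alphanumeric character set, and the window and threshold values are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict, deque

# Assumption: the extension is 16 alphanumeric characters.
# The report states only the length, not the character set.
RANDOM_EXT = re.compile(r"\.([A-Za-z0-9]{16})$")

def suspicious_rename(old_path, new_path):
    """True if the rename gives the file a new 16-character final extension."""
    m = RANDOM_EXT.search(new_path)
    if not m:
        return False
    # Ignore files that already carried this extension before the rename.
    return not old_path.endswith("." + m.group(1))

def flag_hosts(events, window_s=60, threshold=5):
    """Return hosts with >= threshold suspicious renames within window_s seconds.

    events: iterable of (epoch_seconds, host, old_path, new_path).
    """
    recent = defaultdict(deque)  # host -> timestamps of suspicious renames
    flagged = set()
    for ts, host, old, new in sorted(events):
        if not suspicious_rename(old, new):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(host)
    return flagged

# Constructed sample events (hypothetical hosts and paths, not from the report).
_EXTS = ["a9Kd02LmQx7Zp1Bv", "Qw8eRt2yUi5oPa3s", "Zx1cVb6nMm4lKj9h",
         "Hg7fDs0aPo3iUy5t", "Re2wQa8sZd4xCf6v"]
SAMPLE = [
    (1000 + i, "fs01", f"/srv/share/doc{i}.xlsx", f"/srv/share/doc{i}.xlsx.{ext}")
    for i, ext in enumerate(_EXTS)
] + [
    (1002, "ws17", "/home/u/report.tmp", "/home/u/report.docx"),  # benign save
    (1003, "ws17", "/home/u/a.txt", "/home/u/a.txt.bak"),         # benign backup
]

if __name__ == "__main__":
    print(sorted(flag_hosts(SAMPLE)))
```
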

Historically, LockBit has been among the most active and disruptive RaaS programs. With its extensive experience and the lower entry barrier for new affiliates, the re-emergence of the group poses a renewed risk to organizations across many sectors. The actions observed in September likely represent only the leading edge of a larger campaign, and the October victim postings on LockBit’s data-leak site are expected to confirm its full operational return.

DragonForce distinguishes itself among emerging ransomware groups through its heavy emphasis on public relations and coalition branding, frequently issuing high-profile statements and partnership claims on criminal forums. In September 2025, it announced on RAMP a supposed “coalition” with Qilin and LockBit, presented as a unified affiliate initiative.

However, these declarations appear largely symbolic, with no verified evidence of shared infrastructure or joint operations. The announcements likely serve to attract affiliates and project influence within a fragmented RaaS market. This reflects DragonForce’s broader strategy to maintain visibility and credibility in an increasingly competitive underground ecosystem.

_Figure 11 – DragonForce announcing updates and coalition with LockBit and Qilin._

DragonForce has roughly tripled its monthly victim count since the shutdown of RansomHub and claimed 56 victims in Q3 2025. This is still fewer than Qilin and Akira but shows steady growth. DragonForce continues to actively recruit affiliates and promote new features in its RaaS program. It recently announced on RAMP a data-driven extortion service that offers affiliates tailored analysis of stolen data to maximize ransom leverage.

_Figure 12 – DragonForce’s “data audit” services._

Under this model, an affiliate that has accessed a large dataset (typically over 300 GB) from a company with annual revenues above US $15 million can submit it for analysis to maximize the extortion impact. In a recent showcased example, DragonForce reviewed stolen files from a gold mining company and highlighted the most valuable commercial and financial information, accompanied by a customized extortion letter.

_Figure 13 – DragonForce Audit example._

Qilin remains the most active ransomware group in 2025, increasing its monthly victim rate to an average of 75 victims in Q3, up from 36 in Q1.

Although the group presents itself as ideologically motivated, its operations appear entirely financially driven. In a June 2024 interview published on its WikiLeaksV2 blog, Qilin’s operators described themselves as “idealists who love our country.” This statement, however, contrasts sharply with the group’s broad and opportunistic targeting across sectors and geographies.

_Figure 14 – Qilin interview from June 2024 on their official blog._

In a separate interview on SuspectFile, a Qilin affiliate characterized the program as profit-focused and flexible, with affiliates responsible for intrusion and exfiltration while Qilin manages infrastructure, leak-site operations, and negotiations. Reported affiliate share ranges between 80% and 85%, which is among the highest in the market. This has attracted numerous operators previously active under RansomHub and BianLian.

Qilin’s open affiliate framework accommodates actors with diverse motivations and capabilities. In one recent case, the group’s data-leak site briefly listed Israel’s Shamir Medical Center among its victims.

_Figure 15 – Shamir Medical Center announcement on Qilin’s DLS._

According to Israeli researcher Erez Dassa, the responsible affiliate was likely an Iranian-linked threat actor. Dassa reported that following direct communication, Qilin’s administrators agreed that public association with terrorism or politically motivated activity could expose the group to additional pressure and subsequently removed the listing.

_Figure 16 – Erez Dassa’s Telegram post explaining the Shamir incident._

This incident illustrates the range of motivations operating within large RaaS ecosystems. While affiliates enjoy broad autonomy, Qilin demonstrates a degree of central oversight and reputational management, removing politically sensitive cases that may jeopardize its long-term operations. The group continues to balance open recruitment and strategic control, maintaining its position as a leading and resilient RaaS brand.