Ransomware isn’t dying — it’s mutating.

If you feel like ransomware headlines are getting harder to keep up with, you’re not imagining it. The ecosystem has exploded into something almost unrecognizable — messy, chaotic, and crowded.

Check Point’s new Q3 2025 report puts numbers to what many of us in security have been feeling: ransomware is no longer a “few big gangs” problem — it’s now a swarm.

And in the middle of this chaos?
LockBit has quietly made a comeback.

Let’s break down what’s happening and why it matters for anyone running a business, managing security, or building systems today.


* 85 Ransomware Groups… at the Same Time

A few years ago, dealing with ransomware meant tracking a handful of dominant RaaS brands. Today?
Think of it like the streaming market — what used to be Netflix is now Netflix + 50 smaller apps you’ve never heard of, all competing for your attention.

Security researchers counted 85 active ransomware/extortion groups in Q3 alone — the most ever seen.
The quarter's figures include:

  • 1,592 new victims just this quarter
  • 14 brand-new ransomware gangs that seemingly appeared overnight
  • A long tail of tiny crews posting fewer than ten victims each

This is ransomware’s gig economy moment. Affiliates aren’t disappearing after takedowns — they’re going independent, spinning up new brands, and operating without rules or reputations to protect.

That unpredictability is a nightmare for defenders.
No patterns. No consistent TTPs. No reliable attribution. Just noise.


* Why Law Enforcement Wins Aren’t Slowing the Fire

We’ve watched major operations take down big names like RansomHub and 8Base. That should reduce attacks — but it hasn’t.

Why?
Because takedowns hit infrastructure, not people.

Affiliates — the individuals actually breaking into networks — don’t get caught. They just pack up their tools, join a new group, or start one themselves.
This is why ransomware feels immortal. It doesn’t die — it rearranges itself.

And with dozens of new, short-lived crews popping up, there’s zero incentive for professionalism.
No brand trust. No working decryptors.
Victims know this, which is why ransom payment rates have plummeted to 25–40%.

Ironically, that drop in payments is a big part of why LockBit’s return matters.


* LockBit 5.0: The Comeback Nobody Asked For

Just when the ransomware world was fragmenting into chaos, in walks an old brand with one thing the smaller crews lack:

-> Reputation.

LockBit 5.0 arrived in September with:

  • New Windows, Linux, and ESXi variants
  • Faster encryption
  • Better evasion
  • Individual negotiation portals

And affiliates noticed.
At least a dozen victims have already shown up.

If LockBit attracts enough disillusioned affiliates looking for “structure,” we could see the ransomware market swing back toward recentralization.
Good news for defenders?
Maybe — big brands are easier to track.

Bad news?
Big brands also run large-scale, coordinated campaigns that smaller groups could never pull off.


* Meanwhile, DragonForce Is Out Here Building a Brand

Ransomware crews used to operate in the shadows. Now they act like startups.
DragonForce is a perfect example — publicly announcing “alliances,” offering “data audit services,” and marketing themselves like a cybersecurity consultancy (just… evil).

It’s bizarre, but also telling:
The ransomware economy isn’t just about encryption speed anymore.
It’s about image, credibility, and affiliate attraction.


* Who’s Getting Hit Right Now?

Some interesting shifts this quarter:

  • The U.S. remains the biggest target — about half of all victims
  • South Korea enters the top ten for the first time, driven by Qilin
  • Germany and the U.K. continue to be hammered

Industries hit hardest:

  • Manufacturing
  • Business services
  • Healthcare (still 8%, though some groups avoid it to dodge political heat)

If your organization is in any of these categories, your risk profile isn’t theoretical — it’s active.


* What This All Means

Fragmentation has made ransomware noisier, riskier, and harder to predict.
LockBit’s return could make it more organized — and more dangerous — again.

Whether the market centralizes or stays decentralized, one thing is clear:
Ransomware isn’t going away. It’s evolving faster than our playbooks.

For defenders, the strategy has to shift:

  • Don’t just track group names — track affiliate behavior, code overlap, and economic incentives
  • Focus on compromise routes, not branding
  • Assume attackers will regroup within days of a takedown

This is no longer a fight against a few big villains.
It’s a fight against an entire criminal economy.
