Ransomware's Fragmentation Reaches A Breaking Point While Lockbit...

In Q3 2025, Check Point Research recorded a record 85 active ransomware and extortion groups, the highest ever observed. What was once a concentrated market dominated by a few ransomware-as-a-service (RaaS) giants has splintered into dozens of smaller, short-lived operations.

This proliferation of leak sites represents a fundamental structural shift. The same enforcement and market pressures that disrupted large RaaS groups have fueled a wave of opportunistic, decentralized actors, many run by former affiliates now operating independently.

Across more than 85 monitored leak sites, ransomware operators published:

Smaller actors are now posting fewer than ten victims each, reflecting a rise in independent operations outside traditional RaaS hierarchies. Many emerged from the collapse of RansomHub, 8Base, and BianLian. Fourteen new groups began publishing in Q3 alone, bringing the 2025 total to 45.

Fragmentation at this level erodes predictability, once the cyber security professional's advantage. When large RaaS brands dominated, security teams could track affiliate behaviors and infrastructure reuse. Now, dozens of ephemeral leak sites make attribution fleeting and reputation-based intelligence far less reliable.

Several high-profile takedowns this year targeting groups like RansomHub and 8Base have not meaningfully reduced ransomware volume. Affiliates displaced by these operations simply migrate or rebrand.

The problem is structural. Law-enforcement efforts typically dismantle infrastructure or seize domains, not the affiliates who execute attacks. When a platform falls, those operators scatter and regroup within days. The result is a broader, more resilient ecosystem that mirrors decentralized finance or open-source communities more than a traditional criminal hierarchy.

This diffusion also undermines the credibility of the ransomware market. Smaller, short-lived crews have no incentive to honor ransom agreements or provide decryption keys. Payment rates, estimated at just 25 to 40 percent, continue to decline as victims lose trust in attacker promises.

In September 2025, LockBit 5.0 marked the return of one of cybercrime's most enduring brands.

Its administrator, LockBitSupp, had teased a comeback for months following the 2024 takedown under Operation Cronos. The new version delivers:

Source: The Hacker News