The third quarter of 2025 saw a major shift in the cyber threat landscape with the formation of a powerful new ransomware alliance. The notorious groups LockBit, Qilin, and DragonForce have joined forces in a strategic partnership designed to enhance their attack capabilities by sharing tools and infrastructure. This collaboration is particularly significant as it may help restore LockBit’s reputation after its recent takedown, potentially triggering a surge in attacks on critical infrastructure and expanding the threat to sectors that were previously considered low risk. This kind of partnership isn’t new; it echoes the 2020 alliance between Maze and LockBit, which helped popularize the devastating tactic of double extortion.
This quarter, Qilin hit a record number of victims, fueled by organized, business-like operations and a strong dark web presence for recruiting new members. The group’s success lies in its partnerships with initial access brokers (IABs), which provide it with fast, stealthy VPN access to victim networks. While the Qilin alliance is the most recent development, other major threats remain active, including Akira, Inc Ransom, and Play, all of which continue to exploit unpatched software to rapidly breach networks and deploy their attacks. Meanwhile, experts have recently spotted LockBit 5.0, a new version of the group’s ransomware that can target Windows, Linux, and ESXi systems, first advertised on September 3, 2025, to mark the gang’s sixth anniversary.
Despite the rise of these large, collaborative groups, the ransomware ecosystem is becoming increasingly fragmented. The number of active data-leak sites hit a record 81 in Q3 2025, driven by a surge of smaller ransomware groups that emerged as major players like LockBit and RansomHub declined. This fragmentation suggests that while new groups may not have the same firepower as the top players, they can collectively be just as destructive. These newer groups are likely to target small and medium-sized businesses (SMBs) that have weaker cyber defenses, even if the potential profits are lower.
This trend is particularly evident in the health care sector, which experienced a 31% surge in attacks during the quarter. This sharp increase was fueled by newly emerged groups like “Beast,” “The Gentlemen,” and “Cephalus,” which surpassed the attack volume of more established names like Qilin and Inc Ransom. This significant rise followed a brief period of relief in the second quarter of 2025 when health care listings dropped due to the absence of the previously dominant group RansomHub. This shows that the collective impact of smaller groups can be just as damaging as that of their more prominent counterparts.
Ransomware groups continued their opportunistic focus in the third quarter, primarily targeting professional, scientific, and technical services (PSTS), manufacturing, and construction. While PSTS attacks increased by 17%, attacks on the manufacturing and construction sectors declined by 5% and 19%, respectively. These shifts demonstrate that ransomware actors are constantly changing their focus, searching for the most vulnerable and profitable targets at any given time. That makes it crucial for all industries to maintain robust and up-to-date cybersecurity defenses.