In the third quarter of 2025, Check Point Research documented a record 85 active ransomware and extortion groups, marking the highest number ever observed. What was previously a concentrated market dominated by a few large ransomware-as-a-service (RaaS) operations has fragmented into dozens of smaller, often short-lived groups. This proliferation of leak sites represents a fundamental structural shift. The same law enforcement and market pressures that disrupted major RaaS groups have spurred a wave of opportunistic, decentralized actors, many of whom are former affiliates now operating independently.
Across the more than 85 monitored leak sites, ransomware operators disclosed 1,592 new victims in Q3 2025, averaging 535 disclosures per month. This data indicates a significant power shift: the top ten groups accounted for only 56% of victims, a notable decrease from 71% earlier in the year. Smaller actors are now frequently posting fewer than ten victims each, reflecting the rise of independent operations outside of traditional RaaS hierarchies. Many of these groups emerged following the disruption of major operations like RansomHub, 8Base, and BianLian. Furthermore, 14 new groups began publishing in Q3 alone, bringing the total number of new brands launched in 2025 to 45.
This level of fragmentation erodes the predictability that cybersecurity professionals once relied on. When large RaaS brands were dominant, security teams could effectively track affiliate behaviors and infrastructure reuse. Now, dozens of ephemeral leak sites make attribution challenging and render reputation-based intelligence far less reliable. Adding to the complexity is the limited long-term impact of law enforcement actions.
Several high-profile takedowns this year targeting groups such as RansomHub and 8Base have failed to meaningfully reduce the overall volume of ransomware activity. Affiliates displaced by these operations simply migrate or quickly rebrand. The core issue is structural: law-enforcement efforts typically dismantle infrastructure or seize domains, but they do not capture the affiliates who execute the attacks. When a platform is taken down, those operators scatter and quickly regroup, resulting in a broader, more resilient ecosystem that more closely resembles decentralized finance or open-source communities than a traditional criminal hierarchy.
This diffusion also serves to undermine the credibility of the ransomware market itself. Smaller, short-lived crews have little incentive to uphold ransom agreements or provide functional decryption keys. Consequently, payment rates, currently estimated to be only between 25 and 40 percent, continue to decline as victims lose trust in the attackers’ promises.