The State of Ransomware – Q3 2025

Ransomware activity in Q3 2025 remained high and fragmented, with a record 85 active extortion groups and an average of about 535 victims per month, driven largely by small affiliates and a few dominant operators. LockBit resurfaced with LockBit 5.0 while Qilin became the most active group, and targeted campaigns shifted regional and sector concentrations such as Qilin’s focus on South Korea’s financial sector. #LockBit #Qilin

Key points

  • 85 active data leak sites were observed in Q3 2025, a record high, with the top 10 groups responsible for only 56% of published victims.
  • Ransomware victim publications stabilized at ~535 victims per month in Q3 2025, a 25% increase year-over-year from Q3 2024.
  • Fragmentation increased as many affiliates moved away from major RaaS programs; 47 groups published fewer than ten victims and 14 new groups appeared in Q3.
  • LockBit reappeared with the release of LockBit 5.0 in September 2025, introducing new encryptors, multi-platform support, and enhanced evasion features.
  • Qilin was the most active actor (≈75 victims/month) and recruited many former RansomHub affiliates, including a focused campaign against South Korea’s financial sector.
  • DragonForce used marketing and coalition claims to attract affiliates and promoted services like data-driven extortion analysis.
  • Manufacturing and business services remained the most affected sectors; healthcare persisted at ~8% of victims despite selective avoidance by some groups.

MITRE Techniques

  • [T1490] Data Encrypted for Impact – Used by LockBit 5.0 and other groups to encrypt victim files and demand ransom; article notes “updated ransom notes now explicitly identify themselves as ‘LockBit 5.0’ and include a unique personal identifier” describing negotiation portals and 30-day grace periods.
  • [T1486] Data Encrypted for Impact (duplicate common mapping) – Ransomware groups deployed encryptors across Windows, Linux, and ESXi; article states “the new build introduces enhanced evasion and anti-analysis mechanisms, faster encryption routines, and the use of a randomized 16-character file extension.”
  • [T1530] Data from Information Repositories – Affiliates handle intrusion and exfiltration while Qilin manages leak-site operations; the article states: “affiliates responsible for intrusion and exfiltration while Qilin manages infrastructure, leak-site operations, and negotiations.”
  • [T1078] Valid Accounts – Affiliates migrated between RaaS programs and used established access methods after takedowns; article describes affiliates “migrate to alternative programs or establish their own data-leak sites,” indicating reuse of access techniques.
  • [T1190] Exploit Public-Facing Application – Focused campaign against South Korea linked to “a compromised cloud server operated by an IT contractor serving multiple mid-sized private equity funds,” indicating exploitation of a public-facing cloud service.
  • [T1620] Archive Collected Data (Data Staging) – DragonForce’s “data-driven extortion service that offers affiliates tailored analysis of stolen data” implies staging and analysis of large exfiltrated datasets for targeted extortion.

Indicators of Compromise

  • [Victim Counts] Reporting context – 1,592 new victims listed in Q3 2025; ~535 victims per month on average.
  • [Ransom Note / Build Identifiers] LockBit 5.0 context – “LockBit 5.0” ransom note naming and use of a randomized 16-character file extension; example: LockBit 5.0 ransom note from mid-September 2025.
  • [Data Leak Sites / Group Names] Threat actor context – group names and DLS examples: Qilin, LockBit, DragonForce, INC Ransom, Play (and others such as Warlock, The Gentlemen).
  • [Targeted Organizations] Victim examples – Shamir Medical Center listed briefly on Qilin’s DLS; 30 South Korean victims (28 between Aug–Sep 2025) mostly in financial services.
  • [Platform Targets] Affected systems context – Windows systems (majority), ESXi (≈20%), and Linux variants observed in LockBit 5.0 deployments.
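The report describes LockBit 5.0 appending a randomized 16-character file extension to encrypted files. The following is an added detection example, not Check Point’s code and not derived from any LockBit sample: it scans file-rename events, flags renames whose new extension is exactly 16 alphanumeric characters with high Shannon entropy (so a 16-character but repetitive extension is ignored), and reports hosts with a burst of such renames. The event tuple format, the threshold values and the sample events are all constructed assumptions; adapt the parser to your EDR or Sysmon export.

```python
"""Toy detector for mass renames to randomized 16-character extensions.

Added example; not Check Point's code. The (timestamp, host, old_path,
new_path) log shape, the thresholds and the sample events are assumptions.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample file-rename events (hypothetical log shape).
SAMPLE_EVENTS = [
    ("2025-09-15T10:00:01Z", "ws01", r"C:\Docs\report.docx", r"C:\Docs\report.docx.q7Zx2mN9pL4kR8wT"),
    ("2025-09-15T10:00:01Z", "ws01", r"C:\Docs\budget.xlsx", r"C:\Docs\budget.xlsx.Hb3Vn8Ks2Qw9Pz5Y"),
    ("2025-09-15T10:00:02Z", "ws01", r"C:\Docs\plan.pptx", r"C:\Docs\plan.pptx.m4Tg7Rj2Xc9Lp6Wd"),
    ("2025-09-15T10:00:02Z", "ws01", r"C:\Docs\notes.txt", r"C:\Docs\notes.txt.Zq8Fy3Nb5Kt1Hv7S"),
    ("2025-09-15T10:00:03Z", "ws01", r"C:\Docs\photo.jpg", r"C:\Docs\photo.jpg.c2Wm9Pk4Jd7Ln3Rx"),
    ("2025-09-15T10:00:03Z", "ws01", r"C:\Docs\db.sqlite", r"C:\Docs\db.sqlite.t6Bv1Yq8Gs3Mh5Dz"),
    # Benign rename, and a 16-char but low-entropy extension: neither should count.
    ("2025-09-15T10:05:00Z", "ws02", r"C:\Docs\notes.txt", r"C:\Docs\notes.md"),
    ("2025-09-15T10:05:01Z", "ws02", r"C:\Docs\tmp.bin", r"C:\Docs\tmp.aaaaaaaaaaaaaaaa"),
    # A single hit on ws03 stays below the burst threshold.
    ("2025-09-15T10:07:00Z", "ws03", r"C:\Docs\a.pdf", r"C:\Docs\a.pdf.k9Lw2Fx7Pn4Qr8Tb"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; 16 distinct characters give exactly 4.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def random_extension(path: str, length: int = 16, min_entropy: float = 3.0):
    """Return the final extension if it looks randomized, else None.

    Works on both Windows and POSIX separators, and regardless of whether the
    ransomware appended the extension or replaced the original one.
    """
    basename = re.split(r"[\\/]", path)[-1]
    if "." not in basename:
        return None
    ext = basename.rsplit(".", 1)[1]
    if len(ext) != length or not ext.isalnum():
        return None
    # Entropy gate: drops repetitive strings that a naive length check would flag.
    if shannon_entropy(ext) < min_entropy:
        return None
    return ext


def flag_hosts(events, min_hits: int = 5) -> dict:
    """Count randomized-extension renames per host; return hosts at or over min_hits."""
    hits = defaultdict(int)
    for _ts, host, _old_path, new_path in events:
        if random_extension(new_path) is not None:
            hits[host] += 1
    return {host: n for host, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for host, n in flag_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT host={host} randomized-extension renames={n}")
```

The entropy gate and the per-host burst threshold are the two knobs worth tuning: a single odd extension is noise, but many within seconds on one host is the encryption phase, which is when isolating the host still limits damage. A production rule would add a time window and pivot on the originating process rather than counting per host alone.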

Read more: https://research.checkpoint.com/2025/the-state-of-ransomware-q3-2025/