Ransomware-as-a-service ecosystem splinters into 85-group market in Q3 2025
Threat Actor Meta
Summary
Hide ▲
Show ▼
Q3 2025 marked a major ransomware ecosystem shift as 85 active groups and 14 new brands pushed the market toward fragmentation. The change raises risk because former affiliates and short-lived crews make attribution, tracking, and negotiation less reliable. It also shows that takedowns have not reduced overall volume; they have redistributed operators across more leak sites. A possible countertrend is the return of LockBit 5.0, which could recentralize part of the market if affiliates rally around a trusted brand.
Related Happenings
Qilin consolidates into dominant RaaS position as ransomware market reconcentrates
Threat Actor Meta
H score39
First: 03.07.2026 16:00
Last: 03.07.2026 16:00
Sources 1
About this happening:
**Qilin** is consolidating into a dominant **RaaS** position as the ransomware ecosystem shifts back from fragmentation to concentration, increasing affiliate scale and victim vol...
Qilin consolidates into dominant RaaS position as ransomware market reconcentrates
Threat Actor MetaAbout this happening: **Qilin** is consolidating into a dominant **RaaS** position as the ransomware ecosystem shifts back from fragmentation to concentration, increasing affiliate scale and victim vol...
INC ransomware group’s RaaS expansion and victim growth in 2026
Threat Actor Meta
H score45
First: 18.06.2026 17:12
Last: 18.06.2026 17:12
Sources 1
About this happening:
**INC** has grown from a **RaaS** startup into one of **2026**’s most prolific ransomware groups, with **830+ victims since August 2023**. The expansion followed affiliate migrati...
INC ransomware group’s RaaS expansion and victim growth in 2026
Threat Actor MetaAbout this happening: **INC** has grown from a **RaaS** startup into one of **2026**’s most prolific ransomware groups, with **830+ victims since August 2023**. The expansion followed affiliate migrati...
DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure
Threat Actor Meta
H score26
First: 18.06.2026 16:30
Last: 18.06.2026 16:30
Sources 1
About this happening:
**Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...
DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure
Threat Actor MetaAbout this happening: **Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor Meta
H score24
First: 11.06.2026 19:50
Last: 11.06.2026 19:50
Sources 1
About this happening:
**Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor MetaAbout this happening: **Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
H score11
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor MetaAbout this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
Timeline
-
14.11.2025 12:37 2 articles · 7mo ago
Ransomware-as-a-service ecosystem splinters into 85-group market in Q3 2025
Initial DisclosureBy **Q3 2025**, enforcement pressure had fractured the ransomware market into smaller crews, while former affiliates kept launching new brands and leak sites.
Show sources
- Ransomware's Fragmentation Reaches a Breaking Point While LockBit Returns — thehackernews.com — 14.11.2025 12:37
- Ransomware's Fragmentation Reaches a Breaking Point While LockBit Returns — thehackernews.com — 14.11.2025 12:37