Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Ransomware-as-a-service ecosystem splinters into 85-group market in Q3 2025

Threat Actor Meta
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

Q3 2025 marked a major ransomware ecosystem shift as 85 active groups and 14 new brands pushed the market toward fragmentation. The change raises risk because former affiliates and short-lived crews make attribution, tracking, and negotiation less reliable. It also shows that takedowns have not reduced overall volume; they have redistributed operators across more leak sites. A possible countertrend is the return of LockBit 5.0, which could recentralize part of the market if affiliates rally around a trusted brand.

Related Happenings

TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns

Threat Actor Meta
First: 31.03.2026 15:15 Last: 31.03.2026 15:15 Sources 1

About this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...

Open Happening

The Gentlemen RaaS split exposed by hastalamuerte

Threat Actor Meta
First: 19.03.2026 18:00 Last: 19.03.2026 18:00 Sources 1

About this happening: **hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...

Open Happening

2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates

Target Trend
First: 17.03.2026 23:41 Last: 17.03.2026 23:41 Sources 1

About this happening: **Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...

Open Happening

Phobos long-running ransomware-as-a-service operation and broad distribution

Threat Actor Meta
First: 17.02.2026 13:31 Last: 17.02.2026 13:31 Sources 1

About this happening: **Phobos** remains a **long-running ransomware-as-a-service** operation linked to the **Crysis** family, with a broad affiliate ecosystem that has driven repeated intrusions world...

Latest development: 05.03.2026 10:34

Evgenii Ptitsyn pleaded guilty to wire fraud conspiracy for administering Phobos ransomware, a long-running RaaS operation linked to the Crysis ransomware family. The U.S. Department of Justice says Phobos collected more than $39 million in ransom payments from over 1,000 public and private entities worldwide, and Ptitsyn was extradited from South Korea in November 2024 before the plea.

Open Happening

DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella

Threat Actor Meta
First: 05.02.2026 00:14 Last: 05.02.2026 00:14 Sources 1

About this happening: **DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...

Open Happening

Timeline

  1. 14.11.2025 12:37 2 articles · 6mo ago

    Ransomware-as-a-service ecosystem splinters into 85-group market in Q3 2025

    Initial Disclosure

    By **Q3 2025**, enforcement pressure had fractured the ransomware market into smaller crews, while former affiliates kept launching new brands and leak sites.

    Show sources
    Open in new tab