Ransomware in 2025: The New Criminal Playbook

Shak

We have observed significant shifts in 2025, and I have compiled key information and trends into an easily digestible summary, drawing from multiple sources.

The ransomware ecosystem in the first half of 2025 has become more fragmented yet more dangerous, with a record-setting 3,600+ publicly disclosed attacks. Law enforcement crackdowns on major groups like LockBit and ALPHV have created a “post-trust” environment, fuelling the rise of aggressive contenders like Cl0p, Akira, and Qilin. These groups are exploiting zero-day vulnerabilities, leveraging Ransomware-as-a-Service (RaaS) models, and increasingly adopting AI-driven tactics for social engineering, malware development, and even automated negotiations.

The shift toward multi-layered extortion, ranging from data theft and encryption to DDoS attacks and third-party harassment, reflects an industry focused on maximum psychological and financial pressure. As ransomware gangs evolve their playbooks, defenders face a more industrialised and dynamic threat landscape, demanding faster patching, advanced identity protection, and AI-powered detection.

What is a “post‑trust” environment? It is one in which the affiliates, partners, and customers of Ransomware‑as‑a‑Service (RaaS) platforms no longer trust the operators of those services.

A good example: after Operation Cronos disrupted LockBit and ALPHV/BlackCat, investigators exposed internal chats showing that these groups had cheated their affiliates. This shattered trust, causing skilled ransomware affiliates to migrate to newer platforms like Qilin or to go independent. The result was a fractured ecosystem no longer dominated by a few large players but instead populated by many smaller, competing groups.


| Group | Estimated Victims (H1 2025) | Targeted Sectors | Notable Tactics & Exploits |
| --- | --- | --- | --- |
| Akira | ~347 | Manufacturing, Transportation, Tech, Retail, Services, Education, Legal, Finance | Exploits VPNs (Cisco CVE-2023-20269, possible SonicWall zero-day), RDP abuse, double extortion, ESXi encryption |
| Cl0p | ~333 | Retail, Manufacturing, Technology, Telecom, Professional Services | Mass exploitation of Cleo MFT zero-days (CVE-2024-50623, CVE-2024-55956), data theft-focused multi-extortion |
| Qilin | ~318 | Government, Healthcare, Critical Infrastructure, Education | Exploits Fortinet flaws (CVE-2024-21762, CVE-2024-55591), Rust-based customisable encryptor, RaaS platform |
| RansomHub | ~222 | Industrials, Government, Healthcare, Manufacturing | RaaS with favourable affiliate terms, phishing & vulnerability exploitation, ceased April 2025 |
| Play | ~214 | Critical Infrastructure, Government, Healthcare, Education | Exploits FortiOS (CVE-2018-13379), ProxyNotShell, RMM tools; uses Mimikatz, Cobalt Strike; closed-group ops |
| SafePay | ~186 | Financial, Legal, Healthcare, Critical Services, MSPs, Public Sector | RDP/VPN intrusion, unique social engineering (spam flood + IT support vishing), PowerShell & FileZilla use |
| INC | ~132 | Government, Healthcare, Public Administration | RaaS, phishing & vulnerability exploitation, major data breaches (e.g., Pierce County Library System) |
| DragonForce | ~15+ | Retail, Manufacturing, Construction, Government, Transportation | RaaS, phishing/vishing, modified LockBit/Conti/Babuk encryptors, aggressive against rival gangs |
| Lynx | ~148 | Finance, Manufacturing, Aerospace, Telecom, Law Firms | RaaS, double extortion, LockBit code heritage, Windows/Linux targeting, advanced persistence |
| Medusa | ~104 | Government, Healthcare, Critical Infrastructure | Double extortion, negotiable ransom extensions, long-standing presence |

Major Ransomware Players – H1 2025

| Group | Quick Overview | Reference Links |
| --- | --- | --- |
| Akira | Active since 2023, Akira targets both Windows and Linux systems, often exploiting VPN devices (including a possible SonicWall zero‑day) and deploying cross‑platform ransomware in ESXi environments. Known for aggressive double‑extortion and a growing global footprint. | MITRE ATT&CK |
| Cl0p | A long‑standing ransomware group focusing on data theft‑driven extortion. They are infamous for exploiting zero‑day flaws in file transfer software like Cleo MFT, heavily impacting supply chains. | MITRE ATT&CK |
| Qilin | Operating as a RaaS platform, Qilin specializes in customizable Rust‑based ransomware and targets critical infrastructure. It has been linked to Chinese threat actor Moonstone Sleet, blurring lines between cybercrime and state activity. | MITRE ATT&CK |
| RansomHub | Briefly a dominant RaaS service in 2025, RansomHub lured affiliates with favorable revenue splits before collapsing in April. It targeted diverse industries, including healthcare and manufacturing. | MITRE ATT&CK |
| Play | Play (aka PlayCrypt) runs a closed operation rather than open RaaS, frequently exploiting Fortinet and Exchange vulnerabilities. It is known for re‑compiling binaries per attack and using multi‑extortion tactics. | MITRE ATT&CK |
| SafePay | Believed to be a LockBit spinoff, SafePay uses creative social engineering (spam floods + IT helpdesk impersonation) alongside RDP/VPN intrusions. It has rapidly emerged as a disciplined, closed‑group operator. | |
| INC | A RaaS operation with a focus on government and public‑sector targets, INC was responsible for one of H1 2025’s largest breaches. It has since evolved into its successor group, Lynx. | MITRE ATT&CK |
| DragonForce | Once a hacktivist collective, DragonForce now runs RaaS operations with a reputation for aggressiveness, including targeting rivals. It deploys modified versions of LockBit and Conti ransomware. | |
| Lynx | A rebrand of INC, Lynx is a LockBit‑derived group that conducts double‑extortion campaigns, targeting financial services and aerospace among others. Known for wiping shadow copies to block recovery. | |
| Medusa | A veteran ransomware group that maintains steady operations across government and critical infrastructure targets. It offers negotiable ransom extensions to prolong victim engagement. | MITRE ATT&CK |
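As an added defender-side example (not code from the article or from any of the sources it cites), the script below flags the shadow-copy wiping and related recovery-inhibition commands that the table above notes for groups such as Lynx, by scanning process-creation events. The log lines are constructed to resemble Windows Event ID 4688 records, and the field names and rule names are assumptions made for this illustration.

```python
import re

# Constructed sample of Windows process-creation events (Event ID 4688 style);
# these are illustrative lines, not data from the article or any real incident.
SAMPLE_EVENTS = [
    'EventID=4688 Host=FS01 User=CORP\\svc_backup NewProcessName=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"',
    'EventID=4688 Host=FS01 User=CORP\\jdoe NewProcessName=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    'EventID=4688 Host=FS01 User=CORP\\jdoe NewProcessName=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"',
    'EventID=4688 Host=WS22 User=CORP\\alice NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
    'EventID=4688 Host=FS01 User=CORP\\jdoe NewProcessName=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no"',
]

# Each pattern covers one well-known recovery-inhibition command (ATT&CK T1490).
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_disable_recovery": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_event(line: str) -> dict:
    """Turn a key=value event line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def detect_recovery_inhibition(lines):
    """Yield (host, user, rule, commandline) for every matching process-creation event."""
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4688":
            continue
        cmd = ev.get("CommandLine", "")
        for rule, pattern in RECOVERY_INHIBIT_PATTERNS.items():
            if pattern.search(cmd):
                yield (ev.get("Host", "?"), ev.get("User", "?"), rule, cmd)
                break

def summarize(lines):
    """Group hits per host so a burst of distinct techniques on one host stands out."""
    per_host = {}
    for host, user, rule, cmd in detect_recovery_inhibition(lines):
        per_host.setdefault(host, []).append((user, rule, cmd))
    return per_host

if __name__ == "__main__":
    for host, hits in summarize(SAMPLE_EVENTS).items():
        print(f"{host}: {len(hits)} recovery-inhibition command(s)")
        for user, rule, cmd in hits:
            print(f"  [{rule}] {user}: {cmd}")
```

Several distinct rules firing on one host within a short window is the signal worth alerting on; a single `vssadmin list shadows` from a backup account is normal administration and is deliberately not matched.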

Further Reading

  1. Forescout – 2025 H1 Threat Review: Surge in Zero‑Day Exploits, Nation‑Backed Hacktivism, and Healthcare Vulnerabilities
  2. KELA – Over 3,600 Ransomware Victims and 2.67 Million Infostealer Infections in H1 2025
  3. Comparitech – Ransomware Roundup: H1 2025 Stats on Attacks, Ransoms, and Active Gangs
  4. CrowdStrike – 2025 Global Threat Report
  5. Cyble – Global Threat Landscape Report – H1 2025
  6. Halcyon – Power Rankings: Ransomware
