Ransomware in 2025: The New Criminal Playbook


We have observed significant shifts in 2025, and I have compiled key information and trends into an easily digestible summary, drawing from multiple sources.
The ransomware ecosystem in the first half of 2025 has become more fragmented yet more dangerous, with a record-setting 3,600+ publicly disclosed attacks. Law enforcement crackdowns on major groups like LockBit and ALPHV have created a “post-trust” environment, fuelling the rise of aggressive contenders like Cl0p, Akira, and Qilin. These groups are exploiting zero-day vulnerabilities, leveraging Ransomware-as-a-Service (RaaS) models, and increasingly adopting AI-driven tactics for social engineering, malware development, and even automated negotiations.
The shift toward multi-layered extortion, ranging from data theft and encryption to DDoS attacks and third-party harassment, reflects an industry focused on maximum psychological and financial pressure. As ransomware gangs evolve their playbooks, defenders face a more industrialised and dynamic threat landscape, demanding faster patching, advanced identity protection, and AI-powered detection.
What is a “post‑trust” environment? It is one in which the affiliates, partners, and customers of Ransomware‑as‑a‑Service (RaaS) operations no longer trust the operators of those services.
A good example: after Operation Cronos disrupted LockBit and ALPHV/BlackCat, investigators exposed internal chats showing that these groups had cheated their affiliates. This shattered trust, causing skilled ransomware affiliates to migrate to newer platforms like Qilin or to go independent. The result was a fractured ecosystem, no longer dominated by a few large players but instead populated by many smaller, competing groups.
Trending Ransomware Groups – H1 2025
| Group | Estimated Victims (H1 2025) | Targeted Sectors | Notable Tactics & Exploits |
| --- | --- | --- | --- |
| Akira | ~347 | Manufacturing, Transportation, Tech, Retail, Services, Education, Legal, Finance | Exploits VPNs (Cisco CVE-2023-20269, possible SonicWall zero-day), RDP abuse, double extortion, ESXi encryption |
| Cl0p | ~333 | Retail, Manufacturing, Technology, Telecom, Professional Services | Mass exploitation of Cleo MFT zero-days (CVE-2024-50623, CVE-2024-55956), data theft-focused multi-extortion |
| Qilin | ~318 | Government, Healthcare, Critical Infrastructure, Education | Exploits Fortinet flaws (CVE-2024-21762, CVE-2024-55591), Rust-based customisable encryptor, RaaS platform |
| RansomHub | ~222 | Industrials, Government, Healthcare, Manufacturing | RaaS with favourable affiliate terms, phishing & vulnerability exploitation, ceased April 2025 |
| Play | ~214 | Critical Infrastructure, Government, Healthcare, Education | Exploits FortiOS (CVE-2018-13379), ProxyNotShell, RMM tools; uses Mimikatz, Cobalt Strike; closed-group ops |
| SafePay | ~186 | Financial, Legal, Healthcare, Critical Services, MSPs, Public Sector | RDP/VPN intrusion, unique social engineering (spam flood + IT support vishing), PowerShell & FileZilla use |
| INC | ~132 | Government, Healthcare, Public Administration | RaaS, phishing & vulnerability exploitation, major data breaches (e.g., Pierce County Library System) |
| DragonForce | ~15+ | Retail, Manufacturing, Construction, Government, Transportation | RaaS, phishing/vishing, modified LockBit/Conti/Babuk encryptors, aggressive against rival gangs |
| Lynx | ~148 | Finance, Manufacturing, Aerospace, Telecom, Law Firms | RaaS, double extortion, LockBit code heritage, Windows/Linux targeting, advanced persistence |
| Medusa | ~104 | Government, Healthcare, Critical Infrastructure | Double extortion, negotiable ransom extensions, long-standing presence |
Major Ransomware Players – H1 2025
| Group | Quick Overview | Reference Links |
| --- | --- | --- |
| Akira | Active since 2023, Akira targets both Windows and Linux systems, often exploiting VPN devices (including a possible SonicWall zero‑day) and deploying cross‑platform ransomware in ESXi environments. Known for aggressive double‑extortion and a growing global footprint. | MITRE ATT&CK |
| Cl0p | A long‑standing ransomware group focusing on data theft‑driven extortion. They are infamous for exploiting zero‑day flaws in file transfer software like Cleo MFT, heavily impacting supply chains. | MITRE ATT&CK |
| Qilin | Operating as a RaaS platform, Qilin specializes in customizable Rust‑based ransomware and targets critical infrastructure. It has been linked to Chinese threat actor Moonstone Sleet, blurring lines between cybercrime and state activity. | MITRE ATT&CK |
| RansomHub | Briefly a dominant RaaS service in 2025, RansomHub lured affiliates with favorable revenue splits before collapsing in April. It targeted diverse industries, including healthcare and manufacturing. | MITRE ATT&CK |
| Play | Play (aka PlayCrypt) runs a closed operation rather than open RaaS, frequently exploiting Fortinet and Exchange vulnerabilities. It is known for re‑compiling binaries per attack and using multi‑extortion tactics. | MITRE ATT&CK |
| SafePay | Believed to be a LockBit spinoff, SafePay uses creative social engineering (spam floods + IT helpdesk impersonation) alongside RDP/VPN intrusions. It has rapidly emerged as a disciplined, closed‑group operator. | |
| INC | A RaaS operation with a focus on government and public‑sector targets, INC was responsible for one of H1 2025’s largest breaches. It has since evolved into its successor group, Lynx. | MITRE ATT&CK |
| DragonForce | Once a hacktivist collective, DragonForce now runs RaaS operations with a reputation for aggressiveness, including targeting rivals. It deploys modified versions of LockBit and Conti ransomware. | |
| Lynx | A rebrand of INC, Lynx is a LockBit‑derived group that conducts double‑extortion campaigns, targeting financial services and aerospace among others. Known for wiping shadow copies to block recovery. | |
| Medusa | A veteran ransomware group that maintains steady operations across government and critical infrastructure targets. It offers negotiable ransom extensions to prolong victim engagement. | MITRE ATT&CK |
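Several rows above describe the same pre-encryption step: wiping shadow copies and disabling recovery so the victim cannot restore without paying (Lynx is called out explicitly, and the PowerShell/command-line tooling attributed to Play and SafePay is the usual vehicle). Because those commands are a reliable, early signal in process-creation telemetry, a detection for them is the one practical control this table points at. The example below is added here and is not from the original post or any of the vendors it cites; it runs a small set of command-line rules over constructed Sysmon-style process-creation records, and the host names, user names, and parent paths in the sample data are hypothetical.

```python
"""Flag recovery-inhibition commands (MITRE ATT&CK T1490) in process-creation logs.

Added example for illustration; the events below are constructed sample data,
not records from any real incident, and the host/user names are hypothetical.
"""
import re
from collections import Counter

# Constructed Sysmon-style (Event ID 1) process-creation records.
SAMPLE_EVENTS = [
    {"host": "fileserver01", "user": "CORP\\backupsvc",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows",            # benign: listing, not deleting
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "fileserver01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet",
     "parent_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},  # dropped binary as parent
    {"host": "fileserver01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": "wmic shadowcopy delete",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "dc01", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "command_line": "bcdedit /set {default} recoveryenabled no",
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "ws22", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe notes.txt",
     "parent_image": "C:\\Windows\\explorer.exe"},
]

# (rule name, command-line pattern, base severity). Patterns are case-insensitive
# and tolerate the optional ".exe" suffix and variable whitespace.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "high"),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "high"),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no", re.I), "high"),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I), "medium"),
]

# A recovery-inhibition command launched from a user-writable directory is a stronger
# signal than the same command from an admin shell, so it is escalated to "critical".
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def evaluate_event(event):
    """Return the alerts raised by one process-creation record (empty list if none)."""
    alerts = []
    cmd = event.get("command_line", "")
    parent = event.get("parent_image", "").lower()
    for name, pattern, severity in RULES:
        if not pattern.search(cmd):
            continue
        if any(d in parent for d in SUSPICIOUS_PARENT_DIRS):
            severity = "critical"
        alerts.append({
            "rule": name,
            "severity": severity,
            "host": event.get("host"),
            "user": event.get("user"),
            "command_line": cmd,
            "parent_image": event.get("parent_image"),
        })
    return alerts


def detect(events):
    """Run every rule over a sequence of records and return all alerts in event order."""
    out = []
    for event in events:
        out.extend(evaluate_event(event))
    return out


def hosts_by_alert_count(alerts):
    """Count alerts per host; several hits on one host in a short window usually
    mean encryption is about to start and that host should be isolated first."""
    return Counter(a["host"] for a in alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']:>8}] {alert['host']} {alert['user']}: "
              f"{alert['rule']} <- {alert['command_line']} (parent: {alert['parent_image']})")
    print(hosts_by_alert_count(detect(SAMPLE_EVENTS)))
```

The "list shadows" event is deliberately included so the rule does not fire on routine backup-service activity; in production the same patterns map directly onto a Sigma rule or an EDR custom detection, and the parent-path escalation is the kind of context that separates a real pre-encryption event from an administrator's scheduled task.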
Further Reading
Forescout – 2025 H1 Threat Review: Surge in Zero‑Day Exploits, Nation‑Backed Hacktivism, and Healthcare Vulnerabilities
KELA – Over 3,600 Ransomware Victims and 2.67 Million Infostealer Infections in H1 2025
Comparitech – Ransomware Roundup: H1 2025 Stats on Attacks, Ransoms, and Active Gangs
CrowdStrike – 2025 Global Threat Report
Cyble – Global Threat Landscape Report – H1 2025
Halcyon – Power Rankings: Ransomware