Ransomware organizations take advantage of police raids on rival groups, profiting from their downfall
In the ever-changing landscape of cyber threats, the ransomware-as-a-service (RaaS) ecosystem has undergone significant disruption and fragmentation, as revealed in the Check Point Software Technologies Q2 2025 report.
The report highlights that global law enforcement efforts have taken a toll on major RaaS groups, with operators like RansomHub, Babuk-Bjorka, Lockbit, and others ceasing to publish new victims. This shift signals a diminished dominance of a few major players in the ransomware market.
As a result, the overall number of victims listed on ransomware Data Leak Sites has dropped by 6% compared to the previous year’s monthly average, reflecting fewer exposed victims or lower ransom payments.
However, ransomware attacks remain prevalent and are rising globally. RaaS groups like Qilin have emerged as dominant players, not only conducting attacks but also offering enhanced extortion services such as regulatory complaints and flooding corporate communication channels to increase pressure on victims.
There is a notable shift in extortion tactics away from direct data encryption toward data exfiltration and public exposure as the primary leverage for ransom demands, reflecting changes in both attacker tactics and victim responses.
One such example is the rise of Qilin, which has been operational since 2022 and has capitalized on its competitors' misfortunes. Qilin's activity nearly doubled in the second quarter of 2025, with an average of 70 victims per month.
The cybercrime ecosystem has a whack-a-mole nature, according to Check Point's report. As one group is dismantled, others rise to take its place, leading to a more dispersed and complex RaaS landscape.
Corporate stakeholders are increasingly interested in understanding the risk calculus of their technology stacks, as ransomware attacks continue to pose a significant threat to businesses worldwide. The question on many minds is: Are we a target?
In the wake of RansomHub's shutdown in April 2025, many of its affiliates appear to have found a new partner in Qilin. Competition between prominent ransomware groups Qilin and DragonForce has been observed for these affiliates, as both groups seek to recruit new members in the fragmented RaaS ecosystem.
Some ransomware groups exhibit distinct geographic preferences, such as Safepay, which focused disproportionately on Germany, and Akira, which focused on Italy. Meanwhile, DragonForce, another major ransomware-as-a-service group, claimed that RansomHub had migrated to DragonForce's platform.
In conclusion, the ransomware ecosystem is currently more fragmented and sophisticated, with law enforcement disruptions causing shifts in operators and tactics, yet attacks and extortion remain highly active and evolving in scale and method. Corporate stakeholders must remain vigilant and proactive in protecting their systems against these ever-changing threats.
Key points:
- Major RaaS groups disrupted by global law enforcement, causing fragmentation.
- 6% decline in listed ransomware victims on leak sites, signaling fewer exposed victims or lower ransom payments.
- Rise in ransomware attacks worldwide, with sectors like Business Services and Healthcare heavily targeted.
- Qilin ransomware group leads with advanced extortion techniques beyond encryption.
- Shift from encryption to data theft and public exposure as extortion methods.
- Competition between prominent ransomware groups Qilin and DragonForce for affiliates of the now-defunct RansomHub.
- Distinct geographic preferences exhibited by some ransomware groups, such as Safepay and Akira.
- DragonForce's claim that RansomHub had migrated to DragonForce's platform.
- The shift in the ransomware market, following global law enforcement efforts against major RaaS groups, has led to a more complex and dispersed ransomware landscape, with newer players like Qilin emerging as dominant forces.
- corporations must be aware of these evolving ransomware threats and the shifting tactics used by groups such as Qilin, where data exfiltration and public exposure have become primary methods for extortion demands, rather than direct data encryption.
