Ransomware organizations exploit the shutdowns of rival groups, fueling their own illicit activities.
Ransomware-as-a-Service Ecosystem in Flux Following Major Shutdowns
The ransomware landscape has undergone significant changes in the wake of major players, such as RansomHub, being taken down by global law enforcement actions. According to a recent report by Check Point Software Technologies, the ecosystem is currently in a state of fragmentation and evolution.
RansomHub, which expanded to supplant LockBit (which had been declining for approximately a year), ceased operations in April 2025. The immediate impact was evident, with many smaller groups either operating independently or seeking new partnerships. One such group that has capitalised on this opportunity is Qilin, which nearly doubled its activity in the second quarter of 2025, averaging almost 70 victims per month.
Qilin, along with DragonForce, is one of the prominent ransomware groups vying for the affiliates of the now-defunct RansomHub. After RansomHub went offline, Qilin began advertising its attack toolkit's "enhanced features," including "new integrated DDoS capabilities and [victim] negotiation consultations."
DragonForce, another major player in the ransomware-as-a-service (RaaS) scene, also attempted to capitalise on RansomHub's demise, claiming that the group had migrated to DragonForce's platform. However, Check Point's data shows a "noticeable increase" in DragonForce victim reporting in April and June, but the company said it was unclear if this represented a sustained trend or a momentary blip.
The report from Check Point paints a picture of new ransomware groups rising to prominence as their predecessors collapse under law-enforcement investigations and infrastructure takedowns. One such newcomer is GLOBAL GROUP, which launched in June 2025 as a rebrand and evolution of BlackLock/Mamona/Eldorado. The group introduced innovations such as AI-driven negotiation, Go-based payloads, mobile-optimised affiliate panels, and expanded ransomware capabilities across multiple platforms.
The report also highlights the persistence of established ransomware groups, such as Qilin and DragonForce, in the evolving ransomware landscape. Despite several major ransomware groups stopping posting victims to popular leak sites, these groups continue to adapt and innovate, incorporating AI tools for automating phishing kit generation, victim behaviour tracking, and negotiation processes.
The ransomware ecosystem remains active, with the United States accounting for roughly half of all reported ransomware victims, followed by the United Kingdom, Germany, and Canada each accounting for 5%. The report suggests that the ecosystem is more dispersed than it used to be, with less concentration on a few dominant groups. Established ransomware groups are actively competing to recruit these 'orphaned' affiliates, further fuelling the ongoing evolution of the ransomware landscape.
Read also:
- Labour's Online Safety Bill transforms into a high-stakes political dilemma
- Tool for Intune Server Administration
- Enhancing Control Over Tech Dependencies in the Internet Is BSI's Ambition
- Financial institutions under the OCC's supervision assess the impact of a data breach, with certain banks restricting the exchange of information.
