Ransomware's Fragmentation Reaches a Breaking Point While LockBit Returns

Ransomware’s Fragmentation Reaches a Breaking Point While LockBit Returns

In Q3 2025, Check Point Research recorded 85 active ransomware groups, the highest ever observed, alongside LockBit 5.0’s return, signaling a shift in cybercrime dynamics. 1,590 victims were disclosed across 85 leak sites, reflecting sustained activity despite law enforcement pressure.

Why This Matters

The ransomware landscape has transitioned from centralized RaaS models to a fragmented ecosystem of short-lived, independent operations. This decentralization erodes the predictability that security teams relied on, as smaller actors avoid infrastructure reuse and reputation-based intelligence becomes unreliable. Enforcement actions against major groups like RansomHub only displace affiliates, who regroup under new brands, sustaining attack volume. Payment rates have dropped to 25–40% as victims lose trust in unverified decryption promises.

Key Insights

• “85 active ransomware groups in Q3 2025, Check Point Research”
• “Decentralized operations over RaaS hierarchies, as seen in the collapse of RansomHub and 8Base”
• “LockBit 5.0’s return with updated Windows/Linux/ESXi variants and unique negotiation portals”

Practical Applications

• Use Case: “Healthcare sector targeted at 8% with Play group avoiding it to reduce scrutiny”
• Pitfall: “Assuming payment guarantees from small, unverified groups leads to lower recovery rates and increased financial risk”

References:

• https://thehackernews.com/2025/11/ransomwares-fragmentation-reaches.html