Dive Brief:
- Several major ransomware-as-a-service groups have stopped posting victims to popular leak sites, suggesting that the ecosystem is more dispersed than it used to be, according to a new report from Check Point Software Technologies.
- At the same time, many smaller groups that used to affiliate with larger players "are operating independently or seeking new partnerships," Check Point said in its Thursday report.
- "Established players are actively competing to recruit these 'orphaned' affiliates," according to the report, which cited competition between prominent groups Qilin and DragonForce for affiliates of the now-defunct RansomHub.
Dive Insight:
Check Point's report paints a picture of new ransomware groups rising to prominence almost as soon as their predecessors collapse under the weight of law-enforcement investigations, arrests and infrastructure takedowns, underscoring the whack-a-mole nature of the cybercrime ecosystem.
By the time global law enforcement operations dealt a death blow to LockBit in May 2025, for example, the ransomware-as-a-service operator RansomHub had already expanded to supplant LockBit, which had been declining for roughly a year. But in April 2025, even before LockBit's final demise, RansomHub itself shut down. "The precise circumstances behind its disappearance remain unclear," Check Point researchers wrote, "but the impact on the ransomware ecosystem was immediate."
RansomHub affiliates, which had been posting an average of 75 new victims every month in the six-month period leading up to the group's shutdown, needed a new partner. Many of them appear to have found that partner in Qilin, whose activity nearly doubled in the second quarter of 2025, from an average of 35 victims per month to almost 70, according to Check Point.
Qilin has demonstrated longevity, operating since 2022, and its activities after the demise of RansomHub help illustrate why: It knows when to capitalize on its competitors' misfortunes. After RansomHub went offline, Qilin began advertising its attack toolkit's "enhanced features," Check Point said, including "new integrated DDoS capabilities and [victim] negotiation consultations."
DragonForce, another major ransomware-as-a-service group, likewise tried to capitalize on RansomHub's demise, claiming that the group had migrated to DragonForce's platform. Check Point's data shows a "noticeable increase" in DragonForce victim reporting in April and June, but the company said it was unclear if this represented a sustained trend or a momentary blip.
Despite the changing threat-actor landscape, some aspects of the ransomware ecosystem remain the same, according to Check Point's report. The United States accounts for roughly half of all reported victims, with the United Kingdom, Germany and Canada each accounting for 5%. But some groups "exhibit distinct geographic preferences," Check Point noted, including Safepay, which focused disproportionately on Germany, and Akira, which focused on Italy.