Ransomware and the threat actors behind it did not slow down in 2025, nor did their motives change. Instead, they became more fragmented and harder to track than ever before.
Key takeaways
- Publicly reported ransomware attacks reached approximately 7,200 incidents in 2025, representing a 47% increase over 2024.
- Security researchers observed 124 distinct ransomware groups during the year, the highest number recorded to date.
- An estimated 93 new ransomware variants emerged in 2025, nearly doubling the number observed the previous year.
- Double extortion remained the dominant business model, although data-theft-only campaigns continued gaining traction.
- Identity-based attacks, including stolen VPN credentials, compromised remote access accounts, and access broker activity, surpassed software exploitation as the leading initial access vector.
- Linux and ESXi environments became primary targets due to their ability to disrupt entire virtualized infrastructures.
- Cyble observed continued growth in ransomware leak-site activity, affiliate recruitment, and infrastructure reuse across multiple ransomware ecosystems.
This year, however, the ransomware landscape is not so much a set of dominant brands as it is dozens of small, quick groups. The interesting thing about these ransomware groups is that they can launch attacks using shared tools, affiliate networks, and recycled infrastructure.
What the Ransomware Landscape Looked Like in 2025
In the early days, ransomware activity was dominated by a few big threat actors and ransomware groups, and that model ran for some 10-15 years. Major groups, some of them still active today, dominated the ransomware landscape. These groups include LockBit, Cl0p, BlackCat, and Conti.
Most of these groups had large affiliate ecosystems and were constantly making headlines.
In 2026, however, that model is changing.
Major law enforcement disruptions did not reduce ransomware activity in 2025; instead, the year demonstrated the resilience of the ransomware economy. As established groups faced more pressure, affiliates moved, codebases were reused, and new brands emerged at a pace never seen before.
Industry reporting throughout the last year highlighted some of the biggest defining trends in the ransomware market.
- The world saw 124 named ransomware groups, a record high.
- There were nearly 7,200 publicly disclosed ransomware incidents worldwide.
- This year witnessed 93 new ransomware variants.
- Despite a decline in payment rates, global ransomware payments were estimated at around $850 million.
- December 2025 turned out to be one of the most active months on record for victim disclosures on ransomware leak sites.
This led to a highly fragmented threat landscape, enabling smaller groups to operate at a speed and with an effectiveness that was once only attributed to the major ransomware syndicates.
Fragmentation Is the New Normal
One of the most significant trends witnessed by Cyble in 2025 was the convergence of the ransomware ecosystems.
Rather than building operations from scratch, emerging groups:
- Reused existing ransomware codebases
- Shared infrastructure and hosting providers
- Recruited affiliates from disrupted operations
- Adopted proven extortion models immediately
- Leveraged credential access purchased from underground markets
This allowed new groups to achieve operational maturity in weeks rather than years.
In many cases, the ransomware “brand” became less important than the ecosystem supporting it.
How Cyble Identified Emerging Ransomware Groups
This analysis is based on what Cyble continuously monitors:
- Ransomware data leak sites (DLS)
- Dark web forums and marketplaces
- Ransomware affiliate recruitment channels
- Open-source threat intelligence
- Malware telemetry
- Victim disclosure tracking
- Incident response reporting
To be included in this list, a group had to meet at least one of the following criteria:
- First observed operating in 2025
- Showed major operational growth during 2025
- Demonstrated significant impact on enterprise victims
- Introduced notable tactics, techniques, or procedures (TTPs)
- Exhibited evidence of becoming a significant threat heading into 2026
While some may be rebrands or splinter operations from existing ecosystems, their emergence provides a good look at how the ransomware economy is changing.
10 Emerging Ransomware Groups to Watch

Several patterns immediately emerge:
- Credential-based access dominates. Most groups rely on compromised credentials, VPN access, or purchased initial access rather than novel exploits.
- Double extortion has become standard. Nearly every emerging group combines data theft with encryption.
- Cross-platform ransomware is expanding. Linux and ESXi support are common among newer operations.
- Operational maturity arrives faster. New groups are adopting enterprise-grade extortion practices almost immediately after appearing.
- Victim volume is becoming decentralized. No single group dominates the ecosystem in the way LockBit or Conti once did.

The 10 Emerging Ransomware Groups of 2025-2026
While dozens of ransomware brands appeared throughout 2025, only a handful demonstrated the combination of victim volume, operational maturity, technical capability, and ecosystem influence necessary to shape the threat landscape heading into 2026.
The groups below represent more than isolated threats. Collectively, they illustrate how ransomware operations are evolving toward faster deployment cycles, credential-driven intrusions, infrastructure reuse, and sophisticated extortion models.
1. Devman
Devman emerged as one of the clearest examples of the modern ransomware playbook: minimal innovation, maximum operational efficiency.
Rather than introducing new malware families or novel techniques, Devman appears to leverage existing ransomware infrastructure and code lineage associated with the DragonForce ecosystem. This approach enables rapid scaling while reducing development overhead and operational risk.
Key Facts
- First observed in 2025
- 53 known victims
- Asia and Africa are primary regions
- Uses double extortion
Common TTPs
Initial Access
- Stolen credentials
- Purchased access from brokers
- Exposed remote access services
Execution
- Rapid ransomware deployment following access
Impact
- File encryption
- Data theft
- Leak-site publication
MITRE ATT&CK Techniques
| Tactic | Technique |
|---|---|
| Initial Access | T1078 – Valid Accounts |
| Discovery | T1083 – File and Directory Discovery |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
| Impact | T1486 – Data Encrypted for Impact |
Devman demonstrates how quickly threat actors can become operationally effective using established ransomware ecosystems. Defenders should focus on behavioral indicators and credential abuse rather than relying solely on ransomware family names.
2. DireWolf
DireWolf appeared publicly in May 2025 and rapidly established itself as a mature extortion operation.
Within weeks of emerging, the group maintained structured victim disclosures, dedicated negotiation channels, and evidence of coordinated double-extortion activity.
Its rapid operational maturity reflects a broader trend across the ransomware ecosystem: emerging groups inherit proven playbooks rather than developing capabilities from scratch.
Key Facts
- First observed in May 2025
- Linked to 49 known victims
- Impacted organizations across 11+ countries
- Primarily targets Southeast Asia
- Employs a double-extortion ransomware model
- Currently active
Common TTPs
Initial Access
- Social engineering
- Malicious websites
- Credential compromise
Execution
- Rapid deployment after privilege escalation
Impact
- Encryption
- Data theft
- Public victim exposure
MITRE ATT&CK Techniques
| Tactic | Technique |
|---|---|
| Initial Access | T1566 – Phishing |
| Credential Access | T1110 – Brute Force |
| Exfiltration | T1048 – Exfiltration Over Alternative Protocol |
| Impact | T1486 – Data Encrypted for Impact |
3. RALord / NOVA
RALord, later associated with NOVA, represents one of the clearest examples of ransomware rebranding observed during 2025.
The group’s evolution highlights how modern ransomware operations function as interchangeable brands rather than fixed organizations.
As law enforcement pressure grows, many operators are abandoning recognizable names and resurfacing new identities while retaining affiliates, tooling, and infrastructure.
Key Facts
- First observed in 2025
- Linked to 46 known victims
- Operates globally across multiple regions
- Functions under a Ransomware-as-a-Service (RaaS) model
- Notable for its rebranding activity
Common TTPs
Initial Access
- Affiliate-driven access
- Credential compromise
Execution
- Standardized ransomware deployment
Impact
- Encryption
- Leak-site publication
MITRE ATT&CK Techniques
| Tactic | Technique |
|---|---|
| Initial Access | T1078 – Valid Accounts |
| Discovery | T1018 – Remote System Discovery |
| Collection | T1005 – Data from Local System |
| Impact | T1486 – Data Encrypted for Impact |
4. Global Group
Global Group distinguishes itself through multi-platform capabilities.
Unlike many ransomware operations that focus primarily on Windows environments, Global has demonstrated support for Linux and ESXi systems, making it particularly dangerous for organizations dependent on virtualized infrastructure.
Key Facts
- First observed in June 2025
- Linked to 31 known victims
- Primarily targets enterprise infrastructure
- Impacts Windows, Linux, and ESXi environments
- Employs a double-extortion model
Common TTPs
Initial Access
- Opportunistic exploitation
- Credential abuse
Impact
- Hypervisor encryption
- Enterprise disruption
MITRE ATT&CK Techniques
| Tactic | Technique |
|---|---|
| Initial Access | T1190 – Exploit Public-Facing Application |
| Discovery | T1046 – Network Service Discovery |
| Lateral Movement | T1021 – Remote Services |
| Impact | T1486 – Data Encrypted for Impact |
5. J Group
The J Group is notable because it exemplifies a common phenomenon: ransomware brands that exist primarily as extortion identities rather than stable malware families.
Public reporting around the group remains fragmented, making attribution difficult.
Key Facts
- Visibility increased significantly in 2025
- Linked to 38 known victims
- Attribution remains low confidence
- Primarily engages in opportunistic targeting
Common TTPs
Initial Access
- Unknown
- Likely affiliate-sourced access
Impact
- Encryption
- Extortion
MITRE ATT&CK Techniques
| Tactic | Technique |
|---|---|
| Initial Access | T1078 – Valid Accounts |
| Discovery | T1083 – File and Directory Discovery |
| Impact | T1486 – Data Encrypted for Impact |
6. Warlock
Warlock became prominent after being linked to exploitation campaigns targeting vulnerable on-premises SharePoint environments.
The group’s activity highlights a persistent reality of ransomware defense: patch latency remains one of the most effective enablers of enterprise compromise.
Key Facts
- Major activity observed in July 2025
- Linked to 66 known victims
- Gains initial access through SharePoint exploitation
- Primarily targets internet-facing enterprise systems
Common TTPs
Initial Access
- Public-facing application exploitation
Persistence
- Web shells
Execution
- Post-exploitation ransomware deployment
MITRE ATT&CK Techniques
| Tactic | Technique |
|---|---|
| Initial Access | T1190 – Exploit Public-Facing Application |
| Persistence | T1505.003 – Web Shell |
| Credential Access | T1003 – OS Credential Dumping |
| Impact | T1486 – Data Encrypted for Impact |
7. BEAST
Although BEAST predates 2025, it achieved significant visibility during the year through continued affiliate recruitment and multi-platform expansion.
The group’s ability to target Windows, Linux, and ESXi environments reflects the sophistication of ransomware-as-a-service ecosystems.
Key Facts
- Increased activity observed in 2025
- Linked to 46 known victims
- Targets Windows, Linux, and ESXi environments
- Operates under a Ransomware-as-a-Service (RaaS) model
Common TTPs
Initial Access
- RDP compromise
- SMB exploitation
- Credential theft
MITRE ATT&CK Techniques
| Tactic | Technique |
|---|---|
| Initial Access | T1133 – External Remote Services |
| Credential Access | T1110 – Brute Force |
| Lateral Movement | T1021 – Remote Services |
| Impact | T1486 – Data Encrypted for Impact |
8. Sinobi
Sinobi emerged as a disciplined, high-control ransomware operation in 2025, strongly associated with credential-driven intrusions and enterprise targeting. Unlike noisy opportunistic groups, Sinobi shows signs of structured access planning—suggesting either experienced operators or recycled affiliate infrastructure from established ecosystems.
A defining trait is its emphasis on data theft before encryption, reinforcing the modern “steal-first, encrypt-second” model.
Key Facts
- First observed in mid-2025
- Linked to 138 known victims
- Primarily targets organizations in the United States
- Focuses on the manufacturing and services sectors
- Employs a double-extortion model
- Commonly gains initial access through VPN exploitation and credential compromise
Common TTPs
Initial Access
- Stolen VPN credentials
- Valid account abuse
- Access broker purchases
Execution
- Staged intrusion → lateral movement → encryption
Impact
- Data exfiltration
- System-wide encryption
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1078 – Valid Accounts |
| Credential Access | T1556 – Modify Authentication Process |
| Lateral Movement | T1021 – Remote Services |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
| Impact | T1486 – Data Encrypted for Impact |
9. NightSpire
NightSpire reflects one of the most important transitions in the ransomware ecosystem: the shift from pure encryption-based extortion to hybrid extortion-first models.
Early activity focused on data theft and pressure campaigns. Over time, encryption was introduced to increase negotiation leverage, a common evolution pattern across 2025 groups.
Key Facts
- First observed in early 2025
- Linked to 92 known victims
- Evolved from a data exfiltration model to double extortion
- Targets organizations across multiple sectors
- Uses email, onion sites, and Telegram for extortion and victim communication
Common TTPs
Initial Access
- Credential theft
- Phishing campaigns
Execution
- Staged exfiltration
- Delayed encryption deployment
Impact
- Data leakage threats
- System encryption
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1566 – Phishing |
| Discovery | T1083 – File and Directory Discovery |
| Collection | T1005 – Data from Local System |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
| Impact | T1486 – Data Encrypted for Impact |
10. The Gentlemen
The Gentlemen emerged as one of the most operationally mature ransomware groups of 2025, showing signs of professional-grade intrusion capability.
Their activity includes structured lateral movement, use of legitimate administrative tools, and careful victim selection across high-value sectors such as healthcare, manufacturing, and insurance.
This group is widely viewed as either:
- A rebrand of earlier threat actors, or
- A coalition of experienced affiliates consolidating under a new identity
Key Facts
- First observed in Q3 2025
- Linked to 63 known victims
- Impacted organizations across 17+ countries
- Primarily targets critical infrastructure and enterprise organizations
- Employs a high-pressure double-extortion model
Common TTPs
Initial Access
- Credential compromise
- VPN exploitation
- Social engineering
Execution
- Privilege escalation
- Tool-based lateral movement
Impact
- Data theft + encryption
- Operational disruption
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1078 – Valid Accounts |
| Privilege Escalation | T1068 – Exploitation for Privilege Escalation |
| Lateral Movement | T1021 – Remote Services |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
| Impact | T1486 – Data Encrypted for Impact |
Cross-Group Intelligence: What 2025 Actually Changed
Individual group analysis is useful. But defenders do not face “groups”—they face repeatable attack patterns reused across ecosystems.
Across all 10 groups, five structural shifts define ransomware evolution heading into 2026.
1. Credential Theft Has Overtaken Exploits
Across all observed groups, the dominant entry point is no longer vulnerability exploitation—it is identity compromise.
Most common initial access methods:
- VPN credential reuse
- Stolen passwords from data leaks
- Access broker marketplaces
- Session hijacking

Implication: Patch management alone is no longer sufficient.
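The identity-driven entry pattern described above (External Remote Services, Valid Accounts, Brute Force) is visible in ordinary VPN authentication logs if the right questions are asked of them. The following is an added example, not Cyble's tooling or anything from the original post: it parses a constructed VPN log (an assumed line format using RFC 5737 documentation addresses) and applies two detections that a SOC would typically run, a password-spray-then-success rule and an impossible-travel rule for reused credentials.

```python
"""Two identity-abuse detections over VPN authentication logs.
Added example for this page (not Cyble's code). The log line format,
user names and IPs are all constructed/assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO-8601 UTC timestamp, user, source IP, GeoIP country, result.
SAMPLE_VPN_LOG = """\
2025-11-03T01:58:11Z vpn user=jdoe src=198.51.100.23 geo=US result=SUCCESS
2025-11-03T02:10:02Z vpn user=asmith src=203.0.113.7 geo=SG result=FAIL
2025-11-03T02:10:09Z vpn user=asmith src=203.0.113.7 geo=SG result=FAIL
2025-11-03T02:10:15Z vpn user=asmith src=203.0.113.7 geo=SG result=FAIL
2025-11-03T02:10:21Z vpn user=asmith src=203.0.113.7 geo=SG result=FAIL
2025-11-03T02:10:27Z vpn user=asmith src=203.0.113.7 geo=SG result=FAIL
2025-11-03T02:10:40Z vpn user=asmith src=203.0.113.7 geo=SG result=SUCCESS
2025-11-03T02:31:55Z vpn user=jdoe src=203.0.113.99 geo=BR result=SUCCESS
2025-11-03T03:05:12Z vpn user=mlee src=198.51.100.40 geo=US result=SUCCESS
2025-11-03T09:15:00Z vpn user=mlee src=198.51.100.41 geo=US result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_vpn_log(text):
    """Parse log lines into dicts sorted by time; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """A success preceded by >= threshold failures for the same user inside the window
    (ATT&CK T1110 followed by T1078)."""
    alerts = []
    recent_fail = defaultdict(list)
    for ev in events:
        user = ev["user"]
        if ev["result"] == "FAIL":
            recent_fail[user].append(ev["ts"])
            continue
        cutoff = ev["ts"] - window
        fails = [t for t in recent_fail[user] if t >= cutoff]
        if len(fails) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "user": user,
                           "failures": len(fails), "src": ev["src"], "ts": ev["ts"]})
        recent_fail[user] = []  # one burst of failures yields at most one alert
    return alerts


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Two successful logins for one user from different countries inside the window:
    a classic indicator of a reused or purchased credential."""
    alerts = []
    last_success = {}
    for ev in events:
        if ev["result"] != "SUCCESS":
            continue
        prev = last_success.get(ev["user"])
        if prev is not None and prev["geo"] != ev["geo"] and ev["ts"] - prev["ts"] <= window:
            gap = ev["ts"] - prev["ts"]
            alerts.append({"rule": "impossible_travel", "user": ev["user"],
                           "from": prev["geo"], "to": ev["geo"],
                           "minutes": int(gap.total_seconds() // 60)})
        last_success[ev["user"]] = ev
    return alerts


def run_vpn_detections(text=SAMPLE_VPN_LOG):
    """Run both rules over a log text and return the combined alert list."""
    events = parse_vpn_log(text)
    return detect_bruteforce_then_success(events) + detect_impossible_travel(events)


if __name__ == "__main__":
    for alert in run_vpn_detections():
        print(alert)
```

On the constructed sample the rules fire twice: `asmith` succeeds after five failures in under a minute, and `jdoe` logs in from two countries 33 minutes apart. The thresholds and the one-hour travel window are assumptions to tune per environment; the point is that neither alert depends on knowing which ransomware brand is behind the credential.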
2. Encryption Is Becoming Optional, Not Mandatory
A growing number of operations now rely primarily on:
- Data theft
- Extortion pressure
- Public leak threats
Encryption is used only when negotiation leverage is weak.
Implication: Backup strategy alone does not reduce extortion risk.
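Because the leverage now comes from stolen data rather than encryption, the detection opportunity moves earlier in the intrusion, to the staging and transfer of data. The block below is an added example and not part of the original post or Cyble's tooling: it correlates constructed EDR-style file events and network flow records (assumed JSON-lines schema, documentation IP addresses) to flag large archive staging, large outbound transfers to unapproved destinations, and the combination of the two on one host within a short window.

```python
"""Detection of the steal-first extortion pattern: archive staging followed by a
large outbound transfer. Added example for this page (not Cyble's code); the
event schema, hosts, addresses and the approved-egress list are constructed."""
import json
from datetime import datetime, timedelta

# Constructed telemetry: "file" events from an endpoint sensor, "flow" records from a
# network sensor. Windows paths are JSON-escaped inside this raw string.
SAMPLE_EVENTS = r"""
{"ts":"2025-10-14T22:41:03Z","type":"file","host":"fs-01","proc":"7z.exe","path":"C:\\Temp\\hr.7z","bytes":734003200}
{"ts":"2025-10-14T22:55:30Z","type":"flow","host":"fs-01","dst":"203.0.113.50","dport":443,"bytes_out":760000000}
{"ts":"2025-10-14T23:10:00Z","type":"file","host":"ws-22","proc":"WinRAR.exe","path":"C:\\Users\\a\\photos.rar","bytes":52428800}
{"ts":"2025-10-14T23:12:00Z","type":"flow","host":"ws-22","dst":"198.51.100.10","dport":443,"bytes_out":55000000}
{"ts":"2025-10-15T01:00:00Z","type":"flow","host":"db-03","dst":"198.51.100.10","dport":443,"bytes_out":900000000}
"""

ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe", "tar", "tar.exe"}
ARCHIVE_MIN_BYTES = 250 * 1024 * 1024      # archives at least this large count as staging
FLOW_MIN_BYTES = 500 * 1024 * 1024         # outbound volume worth flagging per flow
APPROVED_EGRESS = {"198.51.100.10"}        # assumed: sanctioned backup/cloud endpoint
CORRELATION_WINDOW = timedelta(hours=2)    # staging -> transfer gap that links the two


def parse_events(text):
    """Parse JSON lines into dicts sorted by time; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_exfil_staging(events):
    """Return alerts in event order; a correlated staging+transfer pair on the same
    host is raised at critical severity on top of the individual alerts."""
    alerts = []
    staging_by_host = {}
    for ev in events:
        host = ev["host"]
        if ev["type"] == "file":
            if ev["proc"].lower() in ARCHIVERS and ev["bytes"] >= ARCHIVE_MIN_BYTES:
                staging_by_host[host] = ev
                alerts.append({"rule": "large_archive_staging", "severity": "medium",
                               "host": host, "path": ev["path"]})
        elif ev["type"] == "flow":
            if ev["bytes_out"] < FLOW_MIN_BYTES:
                continue
            if ev["dst"] in APPROVED_EGRESS:
                # Approved destinations still get an informational record so that
                # an attacker abusing a sanctioned cloud service is not invisible.
                alerts.append({"rule": "large_transfer_to_approved_destination",
                               "severity": "info", "host": host, "dst": ev["dst"]})
                continue
            alerts.append({"rule": "large_outbound_transfer", "severity": "high",
                           "host": host, "dst": ev["dst"], "bytes_out": ev["bytes_out"]})
            stage = staging_by_host.get(host)
            if stage is not None and timedelta(0) <= ev["ts"] - stage["ts"] <= CORRELATION_WINDOW:
                gap = ev["ts"] - stage["ts"]
                alerts.append({"rule": "staging_then_exfil", "severity": "critical",
                               "host": host, "dst": ev["dst"], "archive": stage["path"],
                               "minutes_between": int(gap.total_seconds() // 60)})
    return alerts


def run_exfil_detections(text=SAMPLE_EVENTS):
    """Parse the telemetry and run the staging/transfer detections."""
    return detect_exfil_staging(parse_events(text))


if __name__ == "__main__":
    for alert in run_exfil_detections():
        print(alert)
```

In the sample, `fs-01` stages a 700 MiB archive and pushes a comparable volume to an unapproved address 14 minutes later, which produces the critical correlated alert; `ws-22` creates a small personal archive and is ignored; `db-03` sends 900 MB to the approved backup endpoint and is logged at informational severity only. Size thresholds, the archiver list and the correlation window are assumptions and should be calibrated against a baseline of normal backup and replication traffic.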
3. Ransomware-as-a-Service Is Fragmenting
The RaaS model is no longer centralized.
Instead:
- Affiliates move between brands
- Infrastructure is reused across groups
- Branding changes faster than tooling
This is why tracking “groups” alone is becoming unreliable.
4. Hypervisor and Linux Targeting Is Now Standard
Across Global Group, Sinobi, BEAST, and others:
- ESXi environments are explicitly targeted
- Linux servers are treated as high-value entry points
- Virtualization layers are prioritized over endpoints
Impact: A single compromise can encrypt entire environments.
5. Asia and Emerging Markets Are Targeted
Multiple groups show rising focus on:
- Southeast Asia
- South Asia
- Latin America
- Manufacturing-heavy economies
This reflects:
- Faster digitization
- Lower security maturity variance
- High operational disruption value
Consolidated MITRE ATT&CK Pattern Map (All Groups)
Across all 10 ransomware groups, the most repeated techniques are:

Key insight: Despite different branding, operational behavior is highly standardized.
Transition to 2026 Outlook
What emerges from these 10 groups is not diversity—but convergence.
Different names. Same workflows. Same pressure model. Same entry points.
The next section will cover:
- Why ransomware is accelerating despite takedowns
- The rise of cartel-style ecosystems
- AI-assisted extortion and negotiation models
- What defenders must prioritize in 2026
If 2025 was defined by fragmentation, 2026 is shaping up to be defined by convergence under pressure.
Ransomware is no longer a collection of isolated groups. It is becoming a self-sustaining criminal ecosystem where access brokers, malware developers, affiliates, and laundering networks operate like interchangeable supply chains.
The result is faster attacks, shorter group lifespans, and more consistent victim impact—even when individual brands disappear.
What This Means for Defenders
Across all observed trends, one pattern dominates:
Ransomware is shifting from malware execution to identity-driven business disruption.
Defensive priorities for 2026 should focus on:
1. Identity Hardening
- Phishing-resistant MFA
- Session monitoring
- Credential leak detection
2. Lateral Movement Containment
- Network segmentation
- Privilege minimization
- Behavioral anomaly detection
3. Infrastructure Protection
- ESXi and hypervisor isolation
- Immutable backups
- Admin plane separation
4. Exfiltration Monitoring
- Outbound traffic anomaly detection
- Large-scale archive detection
- Cloud storage misuse monitoring
5. Crisis Readiness
- Leak-site monitoring
- Legal + PR coordination playbooks
- Tabletop simulations for multi-pressure extortion
Conclusion
The ransomware landscape heading into 2026 is shaped less by new malware and more by the evolving economics of cyber extortion. Today’s most successful threat actors are not necessarily the most technically advanced; they are the most operationally efficient, leveraging purchased access, reusing proven infrastructure, applying psychological pressure, and operating multiple ransomware brands to maximize scale and profitability.
As ransomware continues to evolve, the challenge is no longer just preventing malware infections; it is about protecting identities, limiting exposure, and reducing opportunities for attackers to gain initial access.
FAQ About Ransomware Groups
What is the 3/2/1 rule for ransomware?
Keep 3 copies of data, on 2 different media, with 1 offsite to prevent ransomware loss.
