
10 New Ransomware Groups of 2025 and the Threat Trends Shaping 2026

Ransomware operators did not slow down in 2025, nor did their motives change. Instead, they became more fragmented and harder to track than ever before.

Key takeaways

  • Publicly reported ransomware attacks reached approximately 7,200 incidents in 2025, representing a 47% increase over 2024.
  • Security researchers observed 124 distinct ransomware groups during the year, the highest number recorded to date.
  • An estimated 93 new ransomware variants emerged in 2025, nearly doubling the number observed the previous year.
  • Double extortion remained the dominant business model, although data-theft-only campaigns continued gaining traction.
  • Identity-based attacks, including stolen VPN credentials, compromised remote access accounts, and access broker activity, surpassed software exploitation as the leading initial access vector.
  • Linux and ESXi environments became primary targets because a single hypervisor compromise can disrupt an entire virtualized infrastructure.
  • Cyble observed continued growth in ransomware leak-site activity, affiliate recruitment, and infrastructure reuse across multiple ransomware ecosystems.

In 2025, however, the ransomware landscape was less a set of dominant brands than dozens of small, fast-moving groups. What makes these groups notable is that they can launch attacks using shared tools, affiliate networks, and recycled infrastructure.

What the Ransomware Landscape Looked Like in 2025

For roughly the first 10-15 years of the ransomware era, activity was dominated by a handful of large threat actors and ransomware groups, some of them still active today: LockBit, Cl0p, BlackCat, and Conti.

Most of these groups ran large affiliate ecosystems and were constantly making headlines.

By 2025, however, that model had changed.

Major law enforcement disruptions did not reduce ransomware activity during the year; instead, the year demonstrated the resilience of the ransomware economy. As established groups came under pressure, affiliates moved, codebases were reused, and new brands emerged faster than ever before.


Industry reporting throughout the last year highlighted some of the biggest defining trends in the ransomware market.

  • The world saw 124 named ransomware groups, a record high.
  • There were nearly 7,200 publicly disclosed ransomware incidents worldwide.
  • This year witnessed 93 new ransomware variants.
  • Despite a decline in payment rates, global ransomware payments were estimated at around $850 million.
  • December 2025 turned out to be one of the most active months on record for victim disclosures on ransomware leak sites.

This led to a highly fragmented threat landscape, enabling smaller groups to operate at a speed and with an effectiveness that was once only attributed to the major ransomware syndicates.

Fragmentation Is the New Normal

One of the most significant trends Cyble observed in 2025 was the convergence of ransomware ecosystems: more brands, but built from the same shared parts.

Rather than building operations from scratch, emerging groups:

  • Reused existing ransomware codebases
  • Shared infrastructure and hosting providers
  • Recruited affiliates from disrupted operations
  • Adopted proven extortion models immediately
  • Leveraged credential access purchased from underground markets

This allowed new groups to achieve operational maturity in weeks rather than years.

In many cases, the ransomware “brand” became less important than the ecosystem supporting it.

How Cyble Identified Emerging Ransomware Groups

This analysis is based on what Cyble continuously monitors:

  • Ransomware data leak sites (DLS)
  • Dark web forums and marketplaces
  • Ransomware affiliate recruitment channels
  • Open-source threat intelligence
  • Malware telemetry
  • Victim disclosure tracking
  • Incident response reporting

To be included in this list, a group had to meet at least one of the following criteria:

  • First observed operating in 2025
  • Realized major operational growth during 2025
  • Illustrated significant impact on enterprise victims
  • Brought in notable tactics, techniques, or procedures (TTPs)
  • Exhibited evidence of becoming a significant threat heading into 2026

While some may be rebrands or splinter operations from existing ecosystems, their emergence provides a good look at how the ransomware economy is changing.

10 Emerging Ransomware Groups to Watch

Several patterns immediately emerge:

  1. Credential-based access dominates. Most groups rely on compromised credentials, VPN access, or purchased initial access rather than novel exploits.
  2. Double extortion has become standard. Nearly every emerging group combines data theft with encryption.
  3. Cross-platform ransomware is expanding. Linux and ESXi support are common among newer operations.
  4. Operational maturity arrives faster. New groups are adopting enterprise-grade extortion practices almost immediately after appearing.
  5. Victim volume is becoming decentralized. No single group dominates the ecosystem in the way LockBit or Conti once did.

(Figure: Victim counts of the top emerging ransomware groups.)

The 10 Emerging Ransomware Groups of 2025-2026

While dozens of ransomware brands appeared throughout 2025, only a handful demonstrated the combination of victim volume, operational maturity, technical capability, and ecosystem influence necessary to shape the threat landscape heading into 2026.

The groups below represent more than isolated threats. Collectively, they illustrate how ransomware operations are evolving toward faster deployment cycles, credential-driven intrusions, infrastructure reuse, and sophisticated extortion models.

1. Devman

Devman emerged as one of the clearest examples of the modern ransomware playbook: minimal innovation, maximum operational efficiency.

Rather than introducing new malware families or novel techniques, Devman appears to leverage existing ransomware infrastructure and code lineage associated with the DragonForce ecosystem. This approach enables rapid scaling while reducing development overhead and operational risk.

Key Facts

  • First observed in 2025
  • 53 known victims
  • Asia and Africa are primary regions
  • Uses Double Extortion

Common TTPs

Initial Access

  • Stolen credentials
  • Purchased access from brokers
  • Exposed remote access services

Execution

  • Rapid ransomware deployment following access

Impact

  • File encryption
  • Data theft
  • Leak-site publication

MITRE ATT&CK Techniques

Tactic | Technique
Initial Access | T1078 – Valid Accounts
Discovery | T1083 – File and Directory Discovery
Exfiltration | T1041 – Exfiltration Over C2 Channel
Impact | T1486 – Data Encrypted for Impact

Devman demonstrates how quickly threat actors can become operationally effective using established ransomware ecosystems. Defenders should focus on behavioral indicators and credential abuse rather than relying solely on ransomware family names.

2. DireWolf

DireWolf appeared publicly in May 2025 and rapidly established itself as a mature extortion operation.

Within weeks of emerging, the group maintained structured victim disclosures, dedicated negotiation channels, and evidence of coordinated double-extortion activity.

Its rapid operational maturity reflects a broader trend across the ransomware ecosystem: emerging groups inherit proven playbooks rather than developing capabilities from scratch.

Key Facts

  • First observed in May 2025
  • Linked to 49 known victims
  • Impacted organizations across 11+ countries
  • Primarily targets Southeast Asia
  • Employs a double-extortion ransomware model
  • Currently active

Common TTPs

Initial Access

  • Social engineering
  • Malicious websites
  • Credential compromise

Execution

  • Rapid deployment after privilege escalation

Impact

  • Encryption
  • Data theft
  • Public victim exposure

MITRE ATT&CK Techniques

Tactic | Technique
Initial Access | T1566 – Phishing
Credential Access | T1110 – Brute Force
Exfiltration | T1048 – Exfiltration Over Alternative Protocol
Impact | T1486 – Data Encrypted for Impact

3. RALord / NOVA

RALord, later associated with NOVA, represents one of the clearest examples of ransomware rebranding observed during 2025.

The group’s evolution highlights how modern ransomware operations function as interchangeable brands rather than fixed organizations.

As law enforcement pressure grows, many operators abandon recognizable names and resurface under new identities while retaining affiliates, tooling, and infrastructure.

Key Facts

  • First observed in 2025
  • Linked to 46 known victims
  • Operates globally across multiple regions
  • Functions under a Ransomware-as-a-Service (RaaS) model
  • Notable for its rebranding activity

Common TTPs

Initial Access

  • Affiliate-driven access
  • Credential compromise

Execution

  • Standardized ransomware deployment

Impact

  • Encryption
  • Leak-site publication

MITRE ATT&CK Techniques

Tactic | Technique
Initial Access | T1078 – Valid Accounts
Discovery | T1018 – Remote System Discovery
Collection | T1005 – Data from Local System
Impact | T1486 – Data Encrypted for Impact

4. Global Group

Global Group distinguishes itself through multi-platform capabilities.

Unlike many ransomware operations that focus primarily on Windows environments, Global has demonstrated support for Linux and ESXi systems, making it particularly dangerous for organizations dependent on virtualized infrastructure.

Key Facts

  • First observed in June 2025
  • Linked to 31 known victims
  • Primarily targets enterprise infrastructure
  • Impacts Windows, Linux, and ESXi environments
  • Employs a double-extortion model

Common TTPs

Initial Access

  • Opportunistic exploitation
  • Credential abuse

Impact

  • Hypervisor encryption
  • Enterprise disruption

MITRE ATT&CK Techniques

Tactic | Technique
Initial Access | T1190 – Exploit Public-Facing Application
Discovery | T1046 – Network Service Discovery
Lateral Movement | T1021 – Remote Services
Impact | T1486 – Data Encrypted for Impact

5. J Group

J Group is notable because it illustrates a common phenomenon: ransomware brands that exist primarily as extortion identities rather than as stable malware families.

Public reporting around the group remains fragmented, making attribution difficult.

Key Facts

  • Visibility increased significantly in 2025
  • Linked to 38 known victims
  • Attribution remains low confidence
  • Primarily engages in opportunistic targeting

Common TTPs

Initial Access

  • Unknown
  • Likely affiliate-sourced access

Impact

  • Encryption
  • Extortion

MITRE ATT&CK Techniques

Tactic | Technique
Initial Access | T1078 – Valid Accounts
Discovery | T1083 – File and Directory Discovery
Impact | T1486 – Data Encrypted for Impact

6. Warlock

Warlock became prominent after being linked to exploitation campaigns targeting vulnerable on-premises SharePoint environments.

The group’s activity highlights a persistent reality of ransomware defense: patch latency remains one of the most effective enablers of enterprise compromise.

Key Facts

  • Major activity observed in July 2025
  • Linked to 66 known victims
  • Gains initial access through SharePoint exploitation
  • Primarily targets internet-facing enterprise systems

Common TTPs

Initial Access

  • Public-facing application exploitation

Persistence

  • Web shells

Execution

  • Post-exploitation ransomware deployment

MITRE ATT&CK Techniques

Tactic | Technique
Initial Access | T1190 – Exploit Public-Facing Application
Persistence | T1505.003 – Web Shell
Credential Access | T1003 – OS Credential Dumping
Impact | T1486 – Data Encrypted for Impact

7. BEAST

Although BEAST predates 2025, it achieved significant visibility during the year through continued affiliate recruitment and multi-platform expansion.

The group’s ability to target Windows, Linux, and ESXi environments reflects the sophistication of ransomware-as-a-service ecosystems.

Key Facts

  • Increased activity observed in 2025
  • Linked to 46 known victims
  • Targets Windows, Linux, and ESXi environments
  • Operates under a Ransomware-as-a-Service (RaaS) model

Common TTPs

Initial Access

  • RDP compromise
  • SMB exploitation
  • Credential theft

MITRE ATT&CK Techniques

Tactic | Technique
Initial Access | T1133 – External Remote Services
Credential Access | T1110 – Brute Force
Lateral Movement | T1021 – Remote Services
Impact | T1486 – Data Encrypted for Impact

8. Sinobi

Sinobi emerged as a disciplined, high-control ransomware operation in 2025, strongly associated with credential-driven intrusions and enterprise targeting. Unlike noisy opportunistic groups, Sinobi shows signs of structured access planning—suggesting either experienced operators or recycled affiliate infrastructure from established ecosystems.

A defining trait is its emphasis on data theft before encryption, reinforcing the modern “steal-first, encrypt-second” model.

Key Facts

  • First observed in mid-2025
  • Linked to 138 known victims
  • Primarily targets organizations in the United States
  • Focuses on the manufacturing and services sectors
  • Employs a double-extortion model
  • Commonly gains initial access through VPN exploitation and credential compromise

Common TTPs

Initial Access

  • Stolen VPN credentials
  • Valid account abuse
  • Access broker purchases

Execution

  • Staged intrusion → lateral movement → encryption

Impact

  • Data exfiltration
  • System-wide encryption

MITRE ATT&CK Mapping

Tactic | Technique
Initial Access | T1078 – Valid Accounts
Credential Access | T1556 – Modify Authentication Process
Lateral Movement | T1021 – Remote Services
Exfiltration | T1041 – Exfiltration Over C2 Channel
Impact | T1486 – Data Encrypted for Impact

9. NightSpire

NightSpire reflects one of the most important transitions in the ransomware ecosystem: the shift from pure encryption-based extortion to hybrid extortion-first models.

Early activity focused on data theft and pressure campaigns. Over time, encryption was introduced to increase negotiation leverage, a common evolution pattern across 2025 groups.

Key Facts

  • First observed in early 2025
  • Linked to 92 known victims
  • Evolved from a data exfiltration model to double extortion
  • Targets organizations across multiple sectors
  • Uses email, onion sites, and Telegram for extortion and victim communication

Common TTPs

Initial Access

  • Credential theft
  • Phishing campaigns

Execution

  • Staged exfiltration
  • Delayed encryption deployment

Impact

  • Data leakage threats
  • System encryption

MITRE ATT&CK Mapping

Tactic | Technique
Initial Access | T1566 – Phishing
Discovery | T1083 – File and Directory Discovery
Collection | T1005 – Data from Local System
Exfiltration | T1041 – Exfiltration Over C2 Channel
Impact | T1486 – Data Encrypted for Impact

10. The Gentlemen

The Gentlemen emerged as one of the most operationally mature ransomware groups of 2025, showing signs of professional-grade intrusion capability.

Their activity includes structured lateral movement, use of legitimate administrative tools, and careful victim selection across high-value sectors such as healthcare, manufacturing, and insurance.

This group is widely viewed as either:

  • A rebrand of earlier threat actors, or
  • A coalition of experienced affiliates consolidating under a new identity

Key Facts

  • First observed in Q3 2025
  • Linked to 63 known victims
  • Impacted organizations across 17+ countries
  • Primarily targets critical infrastructure and enterprise organizations
  • Employs a high-pressure double-extortion model

Common TTPs

Initial Access

  • Credential compromise
  • VPN exploitation
  • Social engineering

Execution

  • Privilege escalation
  • Tool-based lateral movement

Impact

  • Data theft + encryption
  • Operational disruption

MITRE ATT&CK Mapping

Tactic | Technique
Initial Access | T1078 – Valid Accounts
Privilege Escalation | T1068 – Exploitation for Privilege Escalation
Lateral Movement | T1021 – Remote Services
Exfiltration | T1041 – Exfiltration Over C2 Channel
Impact | T1486 – Data Encrypted for Impact

Cross-Group Intelligence: What 2025 Actually Changed

Individual group analysis is useful. But defenders do not face “groups”—they face repeatable attack patterns reused across ecosystems.

Across all 10 groups, five structural shifts define ransomware evolution heading into 2026.

1. Credential Theft Has Overtaken Exploits

Across all observed groups, the dominant entry point is no longer vulnerability exploitation—it is identity compromise.

Most common initial access methods:

  • VPN credential reuse
  • Stolen passwords from data leaks
  • Access broker marketplaces
  • Session hijacking

Implication: Patch management alone is no longer sufficient.
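When identity compromise is the entry point, the signal is not a malware hash but an authentication that is legitimate in form and wrong in context. As an added example (not from the original article and not Cyble's tooling), the following Python script runs over a constructed VPN authentication log and flags the three patterns listed above in practice: a success from a country absent from the user's baseline, two successes from different countries within a short window, and a success that follows a burst of failures from the same source (a purchased or sprayed credential finally working). The record layout, the baseline and the thresholds are assumptions for illustration, not a vendor's log schema.

```python
"""Flag credential-abuse patterns in VPN authentication events.

Added example: runs offline over constructed sample events. Field names
(ts, user, src_ip, country, result), the baseline and all thresholds are
assumptions, not a specific vendor's log format or detection logic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample VPN auth log: (ISO timestamp, user, source IP, geo country, result).
SAMPLE_EVENTS = [
    ("2025-06-02T08:01:10", "jdoe", "203.0.113.5", "US", "success"),
    ("2025-06-02T08:40:00", "jdoe", "203.0.113.5", "US", "success"),
    ("2025-06-02T09:12:00", "jdoe", "198.51.100.7", "RO", "success"),
    ("2025-06-02T21:50:00", "svc_backup", "192.0.2.9", "US", "failure"),
    ("2025-06-02T21:50:05", "svc_backup", "192.0.2.9", "US", "failure"),
    ("2025-06-02T21:50:10", "svc_backup", "192.0.2.9", "US", "failure"),
    ("2025-06-02T21:50:15", "svc_backup", "192.0.2.9", "US", "failure"),
    ("2025-06-02T21:50:20", "svc_backup", "192.0.2.9", "US", "failure"),
    ("2025-06-02T21:50:25", "svc_backup", "192.0.2.9", "US", "success"),
    ("2025-06-03T10:00:00", "asmith", "203.0.113.44", "US", "success"),
]

# Known-good countries per user, as if seeded from 30 days of prior logins (constructed).
BASELINE = {"jdoe": {"US"}, "svc_backup": {"US"}, "asmith": {"US"}}


def parse_events(rows):
    """Convert raw tuples into dicts with real datetimes, sorted by time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "user": user, "src_ip": ip,
         "country": country, "result": result}
        for ts, user, ip, country, result in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_abuse(events, baseline, fail_threshold=5,
                            fail_window=timedelta(minutes=10),
                            travel_window=timedelta(hours=2)):
    """Return alerts as (rule, user, src_ip, ts) tuples.

    new_country         success from a country absent from the user's baseline
    impossible_travel   two successes for one user from different countries
                        within travel_window (no geodistance model; assumption)
    brute_force_success >= fail_threshold failures from one source IP within
                        fail_window, followed by a success from that IP
    """
    alerts = []
    seen = {u: set(c) for u, c in baseline.items()}   # copy; do not mutate caller's baseline
    last_success = {}                                  # user -> (ts, country)
    recent_failures = defaultdict(deque)               # src_ip -> failure timestamps

    for e in events:
        ip, user, ts = e["src_ip"], e["user"], e["ts"]
        q = recent_failures[ip]
        while q and ts - q[0] > fail_window:           # drop failures outside the window
            q.popleft()

        if e["result"] == "failure":
            q.append(ts)
            continue

        # Success path: a success right after a failure burst is the strongest signal.
        if len(q) >= fail_threshold:
            alerts.append(("brute_force_success", user, ip, ts))
            q.clear()

        if e["country"] not in seen.setdefault(user, set()):
            alerts.append(("new_country", user, ip, ts))
            seen[user].add(e["country"])

        prev = last_success.get(user)
        if prev and prev[1] != e["country"] and ts - prev[0] <= travel_window:
            alerts.append(("impossible_travel", user, ip, ts))
        last_success[user] = (ts, e["country"])

    return alerts


if __name__ == "__main__":
    for rule, user, ip, ts in detect_credential_abuse(parse_events(SAMPLE_EVENTS), BASELINE):
        print(f"{ts.isoformat()} {rule:<20} user={user} src={ip}")
```

On the sample data this raises three alerts: jdoe's Romanian login trips both new_country and impossible_travel, and svc_backup's success after five failures in 25 seconds trips brute_force_success. Note that each rule needs a different state (a per-user baseline, a per-user last success, a per-source failure queue); none of them needs any knowledge of which ransomware brand is behind the access.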

2. Encryption Is Becoming Optional, Not Mandatory

A growing number of operations now rely primarily on:

  • Data theft
  • Extortion pressure
  • Public leak threats

Encryption is used only when negotiation leverage is weak.

Implication: Backup strategy alone does not reduce extortion risk.

3. Ransomware-as-a-Service Is Fragmenting

The RaaS model is no longer centralized.

Instead:

  • Affiliates move between brands
  • Infrastructure is reused across groups
  • Branding changes faster than tooling

This is why tracking “groups” alone is becoming unreliable.

4. Hypervisor and Linux Targeting Is Now Standard

Across Global Group, Sinobi, BEAST, and others:

  • ESXi environments are explicitly targeted
  • Linux servers are treated as high-value entry points
  • Virtualization layers are prioritized over endpoints

Impact: A single compromise can encrypt entire environments.
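Because the hypervisor is where the damage multiplies, the ESXi shell history is worth monitoring directly. The script below is an added example, not Cyble's tooling and not attributed to any group on this page: it parses constructed lines laid out like ESXi's /var/log/shell.log and flags two behaviours that public reporting on ESXi ransomware in general describes, a burst of guest power-off/kill commands (guests must be stopped before their disk files can be encrypted) and tampering with host defenses such as the firewall or syslog forwarding. The log layout, the command list and the thresholds are assumptions.

```python
"""Hunt for ESXi ransomware staging in shell command history.

Added example over constructed lines. The line layout imitates ESXi's
shell.log but is an assumption; the command patterns reflect generic ESXi
ransomware tradecraft from public reporting, not a specific group on this page.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, process, user, command.
SAMPLE_SHELL_LOG = """\
2025-07-14T02:10:01Z shell[10231]: [root]: vim-cmd vmsvc/getallvms
2025-07-14T02:10:09Z shell[10231]: [root]: esxcli network firewall set --enabled false
2025-07-14T02:10:15Z shell[10231]: [root]: esxcli system syslog config set --loghost=
2025-07-14T02:10:30Z shell[10231]: [root]: vim-cmd vmsvc/power.off 12
2025-07-14T02:10:31Z shell[10231]: [root]: vim-cmd vmsvc/power.off 13
2025-07-14T02:10:32Z shell[10231]: [root]: esxcli vm process kill --type=force --world-id=2101
2025-07-14T02:10:33Z shell[10231]: [root]: vim-cmd vmsvc/power.off 15
2025-07-14T09:00:00Z shell[11005]: [vadmin]: esxcli storage filesystem list
2025-07-14T09:05:00Z shell[11005]: [vadmin]: vim-cmd vmsvc/power.off 7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)

# Commands that stop guests; a burst of these is the step before datastore encryption.
SHUTDOWN_RE = re.compile(r"vim-cmd\s+vmsvc/power\.off|esxcli\s+vm\s+process\s+kill")

# Defensive-control tampering (assumed list for this example).
EVASION_PATTERNS = {
    "firewall_disabled": re.compile(r"esxcli\s+network\s+firewall\s+set\s+--enabled\s+false"),
    "syslog_reconfigured": re.compile(r"esxcli\s+system\s+syslog\s+config\s+set"),
    "execinstalledonly_off": re.compile(r"execInstalledOnly\s+-i\s+0"),
}


def parse_shell_log(text):
    """Parse shell.log-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "pid": m["pid"], "user": m["user"], "cmd": m["cmd"],
        })
    return events


def detect_esxi_staging(events, burst_threshold=3, burst_window=timedelta(seconds=120)):
    """Return (rule, user, ts, detail) alerts for evasion commands and shutdown bursts."""
    alerts = []
    shutdowns = defaultdict(deque)   # (user, shell pid) -> timestamps of shutdown commands
    burst_reported = set()           # report one burst per shell session
    for e in events:
        key = (e["user"], e["pid"])
        for name, pat in EVASION_PATTERNS.items():
            if pat.search(e["cmd"]):
                alerts.append((name, e["user"], e["ts"], e["cmd"]))
        if SHUTDOWN_RE.search(e["cmd"]):
            q = shutdowns[key]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > burst_window:
                q.popleft()
            if len(q) >= burst_threshold and key not in burst_reported:
                alerts.append(("vm_shutdown_burst", e["user"], e["ts"],
                               f"{len(q)} guest shutdown/kill commands within {burst_window.seconds}s"))
                burst_reported.add(key)
    return alerts


if __name__ == "__main__":
    for rule, user, ts, detail in detect_esxi_staging(parse_shell_log(SAMPLE_SHELL_LOG)):
        print(f"{ts.isoformat()} {rule:<22} user={user} {detail}")
```

The single power-off by vadmin at 09:05 is deliberately left unflagged: an administrator stopping one guest is normal, three or more guests stopped within two minutes from the same shell session right after the firewall was disabled is not. In production the same logic belongs on a log collector, since the host's own syslog is exactly what the second pattern shows being reconfigured.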

5. Asia and Emerging Markets Are Targeted

Multiple groups show rising focus on:

  • Southeast Asia
  • South Asia
  • Latin America
  • Manufacturing-heavy economies

This reflects:

  • Faster digitization
  • Wide variance in security maturity
  • High operational disruption value

Consolidated MITRE ATT&CK Pattern Map (All Groups)

Across all 10 ransomware groups, the most repeated techniques are:

(Figure: Consolidated MITRE ATT&CK pattern map across all 10 groups.)

Key insight: Despite different branding, operational behavior is highly standardized.

Transition to 2026 Outlook

What emerges from these 10 groups is not diversity—but convergence.

Different names. Same workflows. Same pressure model. Same entry points.

The next section will cover:

  • Why ransomware is accelerating despite takedowns
  • The rise of cartel-style ecosystems
  • AI-assisted extortion and negotiation models
  • What defenders must prioritize in 2026

If 2025 was defined by fragmentation, 2026 is shaping up to be defined by convergence under pressure.

Ransomware is no longer a collection of isolated groups. It is becoming a self-sustaining criminal ecosystem where access brokers, malware developers, affiliates, and laundering networks operate like interchangeable supply chains.

The result is faster attacks, shorter group lifespans, and more consistent victim impact—even when individual brands disappear.

What This Means for Defenders

Across all observed trends, one pattern dominates:

Ransomware is shifting from malware execution to identity-driven business disruption.

Defensive priorities for 2026 should focus on:

1. Identity Hardening

  • Phishing-resistant MFA
  • Session monitoring
  • Credential leak detection

2. Lateral Movement Containment

  • Network segmentation
  • Privilege minimization
  • Behavioral anomaly detection

3. Infrastructure Protection

  • ESXi and hypervisor isolation
  • Immutable backups
  • Admin plane separation

4. Exfiltration Monitoring

  • Outbound traffic anomaly detection
  • Large-scale archive detection
  • Cloud storage misuse monitoring
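The steal-first model described across the groups above means the exfiltration step is the last point at which an intrusion can be caught before the leak-site post. As an added example (not from the original article), the Python below implements the three monitoring items just listed over constructed data: a per-host baseline of daily outbound bytes with a 3-sigma threshold, a check for a bulk transfer to a destination no host in the organisation has contacted before (the cloud-storage misuse case), and a check for large archives being created on an endpoint. The record schemas, hostnames, domains and thresholds are assumptions, not a specific product's logic.

```python
"""Flag bulk exfiltration in egress summaries and archive staging on endpoints.

Added example over constructed data; the record schemas, thresholds and the
3-sigma baseline are assumptions, not a specific product's detection logic.
"""
import statistics
from collections import defaultdict

# Constructed seven-day egress history: (date, source host, destination domain, bytes out).
HISTORY = [
    (f"2025-09-0{d}", host, dst, mb * 1_000_000)
    for d in range(1, 8)
    for host, dst, mb in (
        ("fs01", "updates.example.com", 30 + d),
        ("fs01", "mail.example.com", 10),
        ("ws22", "mail.example.com", 15 + d % 3),
    )
]

# Constructed egress records for the day under review.
TODAY = [
    ("2025-09-08", "fs01", "updates.example.com", 35_000_000),
    ("2025-09-08", "fs01", "files.bulk-share.test", 42_000_000_000),
    ("2025-09-08", "ws22", "mail.example.com", 16_000_000),
]

# Constructed endpoint file-creation events: (timestamp, host, path, size in bytes).
FILE_EVENTS = [
    ("2025-09-08T01:12:00", "fs01", r"C:\ProgramData\1.7z", 6_500_000_000),
    ("2025-09-08T01:14:00", "fs01", r"C:\ProgramData\2.7z", 5_900_000_000),
    ("2025-09-08T09:30:00", "ws22", r"C:\Users\a\report.zip", 12_000_000),
]

ARCHIVE_EXT = (".7z", ".rar", ".zip", ".tar.gz")


def daily_totals(rows):
    """Sum outbound bytes per (host, date)."""
    totals = defaultdict(int)
    for date, host, _dst, nbytes in rows:
        totals[(host, date)] += nbytes
    return totals


def baseline_per_host(history):
    """Per-host mean and sample stdev of daily outbound bytes."""
    per_host = defaultdict(list)
    for (host, _date), total in daily_totals(history).items():
        per_host[host].append(total)
    return {h: (statistics.mean(v), statistics.stdev(v) if len(v) > 1 else 0.0)
            for h, v in per_host.items()}


def detect_exfiltration(today, history, sigma=3.0, min_bytes=1_000_000_000):
    """Return (rule, host, bytes, detail) alerts for volume anomalies and new bulk destinations."""
    alerts = []
    base = baseline_per_host(history)
    for (host, _date), total in daily_totals(today).items():
        mean, sd = base.get(host, (0.0, 0.0))      # unknown host: any bulk transfer is anomalous
        if total >= min_bytes and total > mean + sigma * sd:
            alerts.append(("volume_anomaly", host, total, round(mean)))

    # Bulk transfer to a destination no host in the organisation has talked to before.
    known_dsts = {dst for _, _, dst, _ in history}
    per_dst = defaultdict(int)
    for _, host, dst, nbytes in today:
        per_dst[(host, dst)] += nbytes
    for (host, dst), nbytes in per_dst.items():
        if dst not in known_dsts and nbytes >= min_bytes:
            alerts.append(("new_destination_bulk", host, nbytes, dst))
    return alerts


def detect_archive_staging(file_events, min_total=5_000_000_000):
    """Flag hosts that create at least min_total bytes of archive files (staging before upload)."""
    per_host = defaultdict(int)
    for _ts, host, path, size in file_events:
        if path.lower().endswith(ARCHIVE_EXT):
            per_host[host] += size
    return [("large_archive_staging", host, total, "archive bytes created")
            for host, total in per_host.items() if total >= min_total]


if __name__ == "__main__":
    for rule, host, nbytes, detail in (detect_exfiltration(TODAY, HISTORY)
                                       + detect_archive_staging(FILE_EVENTS)):
        print(f"{rule:<22} host={host} bytes={nbytes:,} {detail}")
```

fs01 trips all three checks (42 GB in a day against a baseline of about 44 MB, all of it to a never-seen domain, preceded by 12 GB of archives under ProgramData), while ws22's routine mail traffic and a 12 MB report.zip stay quiet. The minimum-byte floors matter: without them, a host whose baseline is near zero would alert on its first few megabytes, and the 3-sigma rule alone would drown the SOC in noise.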

5. Crisis Readiness

  • Leak-site monitoring
  • Legal + PR coordination playbooks
  • Tabletop simulations for multi-pressure extortion

Conclusion

The ransomware landscape heading into 2026 is shaped less by new malware and more by the evolving economics of cyber extortion. Today’s most successful threat actors are not necessarily the most technically advanced; they are the most operationally efficient, leveraging purchased access, reusing proven infrastructure, applying psychological pressure, and operating multiple ransomware brands to maximize scale and profitability.

As ransomware continues to evolve, the challenge is no longer just preventing malware infections; it is about protecting identities, limiting exposure, and reducing opportunities for attackers to gain initial access.

FAQ About Ransomware Groups

1. What is the 3/2/1 rule for ransomware?

Keep three copies of your data, on two different media, with one copy offsite (and, given the immutable-backup guidance above, ideally offline or immutable) so that an encryption event cannot destroy every copy.
