Introduction

The Year the Ransomware War Changed

Between April 2024 and March 2025, ransomware evolved—not in sophistication, but in strategy.

It was a year defined by collapse, chaos, and recalibration. The fall of two of the most dominant ransomware syndicates, LockBit and AlphV, triggered a power vacuum across the cybercriminal landscape. These weren’t just threat groups—they were institutions. Their downfall did not end the war. It reshaped the battlefield.

In their place, dozens of new actors emerged, many of them lacking the infrastructure, discipline, or credibility of their predecessors. The result: a rise in volume, a drop in coordination, and a growing unpredictability in how, where, and why attacks unfold.

The Numbers Behind the Noise

In the twelve months observed:

Publicly disclosed ransomware victims climbed to 6,046, up from 4,893 the year prior—a 24% increase year over year.

That figure has more than doubled since 2023, when it stood at 2,708.

The number of ransomware groups making public disclosures rose from 61 in 2023 to 96 in 2025.

52 entirely new groups emerged in the last year, compounding the 51 new entrants that appeared in the preceding year.

The ransomware ecosystem didn’t shrink. It splintered.

While some interpret recent declines in ransom payments as a sign that ransomware is losing relevance, the sheer volume of victims and the instability of new actors suggest otherwise. The threat didn’t retreat—it scattered.

LockBit: From Reign to Ruin

LockBit’s story was once a blueprint for ransomware success: polished infrastructure, professional negotiations, and dominant market share. But 2024 marked a turning point.

Operation Cronos, a multi-agency law enforcement effort, dealt a crushing blow to the group’s reputation and operations. Affiliates fled. Market share collapsed. And for the first time, LockBit administrators were publicly identified and targeted with international bounties. What was once the most feared brand in ransomware now became a cautionary tale for aspiring operators.

LockBit didn’t just fall. It fractured the economy that revolved around it.

The Rise of the Rest

With LockBit and AlphV gone, no single group emerged to take the crown. Instead, smaller actors flooded the space, many with hastily assembled infrastructures, erratic victim targeting, and limited capacity for negotiation or follow-through. This era marked the start of a new ransomware phase—less strategic, more opportunistic.

Groups like RansomHub, Play, and Akira filled parts of the void. But the broader trend was clear: affiliates dispersed, brand loyalty dissolved, and Ransomware-as-a-Service became Ransomware-as-a-Chaos.

About Our Ransomware Report

This report is the product of a year-long investigation conducted by the Black Kite Research & Intelligence Team (BRITE). It draws from real-time monitoring of over 150 ransomware groups, deep intelligence gathered from dark web channels, and the technical telemetry of more than 6,000 victims.

Among these groups, 96 were observed to have published at least one victim during the past 12 months.

For each confirmed victim, BRITE performed:

  • Industry and country attribution using the NAICS standard
  • Pre- and post-incident analysis using the Black Kite platform Monitoring of ransomware blog disclosures, affiliate communications, and extortion tactics across forums, Telegram channels, and leak sites

A dedicated Methodology section at the end of this report provides more detail.

Explore the stark realities revealed by the latest ransomware attack data.

PREVIOUS
NEXT