Dive Brief:
- Several major ransomware-as-a-service groups have stopped posting victims to popular leak sites, suggesting that the ecosystem is more dispersed than it used to be, according to a new report from Check Point Software Technologies.
- At the same time, many smaller groups that used to affiliate with larger players “are operating independently or seeking new partnerships,” Check Point said in its Thursday report.
- “Established players are actively competing to recruit these ‘orphaned’ affiliates,” according to the report, which cited competition between prominent groups Qilin and DragonForce for affiliates of the now-defunct RansomHub.
Dive Insight:
Check Point’s report paints a picture of new ransomware groups rising to prominence almost as soon as their predecessors collapse under the weight of law-enforcement investigations, arrests and infrastructure takedowns — underscoring the whack-a-mole nature of the cybercrime ecosystem.
By the time global law enforcement operations dealt a death blow to LockBit in May 2025, for example, the ransomware-as-a-service operator RansomHub had already expanded to supplant LockBit, which had been declining for roughly a year. But in April 2025, even before LockBit’s final demise, RansomHub itself shut down. “The precise circumstances behind its disappearance remain unclear,” Check Point researchers wrote, “but the impact on the ransomware ecosystem was immediate.”
RansomHub affiliates, which had been posting an average of 75 new victims every month in the six-month period leading up to the group’s shutdown, needed a new partner. Many of them appear to have found that partner in Qilin, whose activity nearly doubled in the second quarter of 2025, from an average of 35 victims per month to almost 70, according to Check Point.
Qilin has demonstrated longevity, operating since 2022, and its activities after the demise of RansomHub help illustrate why: It knows when to capitalize on its competitors’ misfortunes. After RansomHub went offline, Qilin began advertising its attack toolkit’s “enhanced features,” Check Point said, including “new integrated DDoS capabilities and [victim] negotiation consultations.”
DragonForce, another major ransomware-as-a-service group, likewise tried to capitalize on RansomHub’s demise, claiming that the group had migrated to DragonForce’s platform. Check Point’s data shows a “noticeable increase” in DragonForce victim reporting in April and June, but the company said it was unclear if this represented a sustained trend or a momentary blip.
Despite the changing threat-actor landscape, some aspects of the ransomware ecosystem remain the same, according to Check Point’s report. The United States accounts for roughly half of all reported victims, with the United Kingdom, Germany and Canada each accounting for 5%. But some groups “exhibit distinct geographic preferences,” Check Point noted, including Safepay, which focused disproportionately on Germany, and Akira, which focused on Italy.