Full Report
**Disclaimer:** This trend report on the deep web and dark web of May 2025 is sectioned into Ransomware, Data Breach, DarkWeb, CyberAttack, and Threat Actor. Please note that some parts of the content cannot be verified for accuracy.

Key Issue 1) Ransomware 1. Overview In […]
Analysis Summary
# Industry News: Ransomware Landscape Reshuffled Post-RansomHub Exit, SafePay Dominates
## Summary
The May 2025 ransomware ecosystem experienced a significant leadership vacuum following the confirmed cessation of activities by RansomHub, the dominant group of 2024. SafePay emerged as the new most active group, primarily through direct operations, while DragonForce significantly expanded its influence by absorbing former RansomHub affiliates. Concurrently, sophisticated attack methods, including exploitation of a Windows CLFS zero-day (CVE-2025-29824) and new EDR bypasses, signal an escalating threat level.
## Key Details
- **Date:** May 2025 reporting period
- **Companies Involved:** SafePay, RansomHub (ceased), DragonForce, Qilin, Play, Microsoft (via CVE disclosure)
- **Category:** Threat Intelligence / Market Shift
## The Story
The ransomware market fractured in May 2025. RansomHub officially disbanded, leading to a power vacuum that SafePay swiftly filled, disclosing 58 victims directly without utilizing the Ransomware-as-a-Service (RaaS) model. DragonForce was another major beneficiary, absorbing affiliates and launching high-impact attacks, particularly against the UK retail sector, citing data breaches of major firms like C***. The Play group demonstrated technical sophistication by leveraging the Windows CLFS zero-day vulnerability (CVE-2025-29824). Overall, 384 victims were posted to dedicated leak sites (DLS), affirming the continued trend toward data exfiltration over simple encryption. New groups like DATACARRY, Dire Wolf, and J Group also initiated operations, indicating market fragmentation and lower barriers to entry.
## Business Impact
### For the Companies Involved
- **SafePay:** Gains immediate visibility and operational credibility as the top actor; likely to attract skilled threat actors looking for direct, high-yield opportunities outside the RaaS structure.
- **DragonForce:** Significantly increases its operational capacity and market share by absorbing RansomHub’s ecosystem, positioning itself as a major player challenging the RaaS norm.
- **RansomHub (Exiting):** Indicates potential internal disputes or successful disruption, forcing affiliates to seek new homes and potentially leading to temporary market instability.
### For Competitors
- **RaaS Providers:** May face initial disruption as affiliates migrate, but the emergence of successful direct operators like SafePay might offer new models for centralized control, potentially pulling affiliates away from traditional RaaS structures.
- **Emerging Groups (DATACARRY, DevMan):** Benefit from the reduced presence of established leaders, creating space to scale operations and establish market niches.
### For Customers
- **General Organizations:** Face a more varied and unpredictable threat landscape. The shift toward data exfiltration means the impact is less about immediate operational shutdown (encryption) and more about long-term reputational and regulatory damage from data exposure.
- **Targeted Sectors (Retail, Healthcare, Education):** These industries face intensified, focused attacks, requiring immediate reassessment of defensive posture against groups like DragonForce and SafePay.
### For the Market
- The trend confirms the maturation of the ransomware ecosystem, which is constantly restructuring following law enforcement pressure or internal disputes. The environment remains dynamic, with key leaders quickly replacing those who exit. The successful exploitation of a zero-day underscores the high-value nature of vulnerability intelligence in the cybercrime economy.
## Technical Implications
The successful exploitation of the Windows CLFS zero-day (CVE-2025-29824) by Play highlights ongoing supply chain risks in core operating system components. Furthermore, the adoption of "Bring Your Own Installer" (BYOI) as an EDR bypass technique suggests attackers are adapting to improve persistence and evade modern endpoint defenses without relying on known malicious payloads.
## Strategic Analysis
- **Market Positioning:** The market is clearly segmenting between highly organized, RaaS-based operations (though RansomHub's exit challenges this model), and highly focused, direct-action groups (SafePay). DragonForce appears to be merging capabilities from both spheres.
- **Competitive Advantage:** Groups demonstrating technical agility, such as Play utilizing zero-days, gain a temporary but significant advantage in achieving initial access and evading detection.
- **Challenges:** The fluidity—with RansomHub dissolving and new groups forming quickly—creates uncertainty. For established groups, managing affiliate disputes (as seen with RansomHub) remains a critical internal governance challenge that impacts long-term sustainability.
## Industry Reactions
- Analyst commentary points to the "great reshuffle" of May, suggesting that while disruption occurs, the underlying profit motive ensures the threat accelerates, not slows down.
- The unverified claim against the German automotive giant by Stormous serves as a cautionary note about threat actor propaganda and the need for rigorous internal validation of breach reports.
## Future Outlook
- Expect SafePay and DragonForce to contest leadership throughout Q3 2025, potentially raising the average ransom demanded due to their increased operational reach.
- Focus will shift to how quickly vendors patch the Windows CLFS zero-day, and whether similar novel EDR bypasses become standardized TTPs across other major ransomware factions.
## For Security Professionals
Practitioners must urgently review their patching cycles, especially concerning VPN/RDP access, given SafePay’s known entry vectors. Furthermore, reliance on traditional EDR signatures is insufficient; security teams must prioritize behavioral analysis and robust data exfiltration monitoring capabilities to counter evolving evasion techniques like BYOI.