**Key Takeaways:**
* 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date.
* 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure.
* 14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns.
* LockBit’s reappearance with
# Analysis Summary
# Threat Actor: Decentralized Ransomware Ecosystem / LockBit (Version 5.0)
## Attribution & Identity
The primary focus is on the **decentralized ransomware ecosystem** observed in Q3 2025, comprising 85 active ransomware and extortion groups. This fragmentation is largely attributed to former affiliates of larger groups (like RansomHub, 8Base, and BianLian) reconstituting independently after law enforcement actions.
A notable actor returning within this context is **LockBit**, specifically reappearing as **LockBit 5.0**, administered by its known administrator, **LockBitSupp**.
## Activity Summary
Q3 2025 saw extraordinary activity marked by extreme decentralization:
* **85 active ransomware and extortion groups** were observed, the highest number recorded.
* **1,590 victims** were disclosed across 85 leak sites.
* **14 new ransomware brands** launched during the quarter, indicating rapid affiliate reconstitution following takedowns.
* The top ten groups accounted for only 56% of victims, down from 71% earlier in the year, emphasizing the rise of smaller, independent operations.
* **LockBit** reappeared in September 2025 with version 5.0, potentially signaling a move toward re-centralization.
## Tactics, Techniques & Procedures
The TTPs described here are structural behaviors and market dynamics of the ecosystem as a whole, not a technique checklist for a single actor:
* **Affiliate Reconstitution/Migration:** Affiliates rapidly migrate or rebrand after large RaaS platforms are dismantled (e.g., following RansomHub/8Base takedowns).
* **Leak Site Proliferation:** Actors create ephemeral leak sites to publish victims following compromise.
* **Reputation Erosion:** Smaller, short-lived crews have little incentive to honor ransom deals or provide decryption keys, leading to decreased victim trust and lower payment rates (roughly 25% to 40%).
* **LockBit 5.0 Novelty:** LockBit’s return implies the adoption of new operational innovation (details pending further deep-dive reports).
## Targeting
The reporting focuses on broad trends rather than specific sector/geographic targeting for the decentralized groups overall, but LockBit's return suggests continuity in targeting large entities.
* **Sectors:** Not specifically mentioned, but the high volume of 1,590 disclosed victims implies widespread targeting.
* **Geography:** Not specified.
* **Victims:** 1,592 new victims recorded across leak sites in Q3 2025. Specific organizational victims were not named in the provided context snippet.
## Tools & Infrastructure
* **Malware families used:** Not explicitly detailed, though LockBit 5.0 is the focus of infrastructure discussion.
* **Infrastructure (C2, domains, IPs):** Law enforcement efforts have primarily dismantled infrastructure and seized domains, leading to the scattering of operators rather than stopping the affiliates themselves.
## Implications
The current ransomware ecosystem is highly decentralized, making defense more challenging. Fragmentation degrades intelligence reliability, as reputation-based tracking is difficult across dozens of short-lived leak sites. The continued success of affiliate reconstitution undermines law enforcement effectiveness against structural threats. LockBit’s return suggests the potential for market re-centralization, which could lead to higher efficiency and renewed focus from major groups.
## Mitigations
* **Focus on Resilience over Attribution:** Given the high rate of new and ephemeral groups, security teams must focus less on tracking brand reputation and more on internal resilience and rapid containment, as any small actor could be highly effective.
* **Assume Non-Payment Incentive:** Due to the low integrity of smaller groups, security posture should assume that decryption keys may never be provided, even after payment.
* **Track Affiliates:** Since infrastructure takedowns are proving ineffective at stopping the operators, intelligence efforts should shift towards tracking the migration patterns of known affiliates following major takedowns.
* **Monitor LockBit Re-emergence:** Organizations should be prepared for potential shifts in TTPs associated with the relaunch of a major brand like LockBit 5.0.