India ranks among top 10 nations hit by ransomware in Q3 2025

The ransomware landscape in Q3 2025 has reached a significant turning point. Despite several law enforcement operations earlier in the year, attack volumes remain historically high. Check Point Research identified 1,592 new victims across 85 active extortion groups, marking a 25% increase compared with the same period last year. India ranked ninth globally, accounting for around 2% of all ransomware attacks. Although well-known groups such as RansomHub and 8Base have disappeared, the gaps they left have been filled rapidly by smaller threat actors, resulting in an increasingly fragmented ransomware-as-a-service (RaaS) ecosystem.

Record fragmentation: 85 active extortion groups 

The number of active ransomware groups rose to a record 85 in Q3, including 14 newly formed operations. This represents the most decentralised ransomware environment on record. The dominance of major groups has declined, with the top ten responsible for only 56% of victims, compared with 71% in Q1 2025.

Almost half of all groups recorded fewer than ten victims, indicating an influx of small, agile affiliates operating independently. This growing fragmentation introduces considerable uncertainty for defenders, as these small and short-lived groups have little incentive to maintain a reputation for providing decryptors after payment. As a result, victims face reduced prospects of data recovery and diminished confidence in the outcomes of negotiations.

LockBit, once considered dismantled, has re-emerged with LockBit 5.0, an upgraded variant featuring multi-platform support, stronger encryption and improved evasion techniques. The return of its administrator, “LockBitSupp,” appears to be drawing affiliates back to more established RaaS brands. More than 15 confirmed victims have already been linked to the updated malware, and the group now requires a USD 500 deposit for affiliates wishing to join, suggesting an attempt at basic vetting.

Qilin has become the most active ransomware group of 2025. It averaged 75 victims per month in Q3, doubling its previous output. Although it promotes itself as ideologically motivated, analysis from Check Point Research shows that its operations are primarily profit-driven and span a wide range of sectors and regions. The group was responsible for 30 attacks on South Korea’s financial sector between August and September and offers affiliates up to 85% of revenue, making it one of the most financially attractive RaaS schemes.

Alongside these developments, DragonForce has emerged as an actor that places significant emphasis on branding. Rather than focusing solely on its malware, the group uses underground forums to announce “coalitions” with LockBit and Qilin and promotes “data audit services” designed to help affiliates identify high-value files. It listed 56 victims in Q3 2025, focusing particularly on Germany and high-revenue companies. This trend reflects a wider shift in which RaaS operators increasingly behave like start-ups, using reputation, feature sets and perceived benefits to attract affiliates.

Geographic and industry impact 

Geographically, the United States continued to account for roughly half of all ransomware victims worldwide. South Korea entered the top ten for the first time due to Qilin’s concentrated campaign against its financial sector. Germany, the United Kingdom and Canada also remained major targets, with groups such as INC Ransom, Safepay and DragonForce focusing heavily on these regions. Manufacturing and business services were the most affected industries, each comprising roughly 10% of attacks. Healthcare remained steady at around 8%, although some prominent RaaS groups still avoid targeting the sector to reduce scrutiny.

Despite multiple law enforcement takedowns, ransomware activity has remained stable at between 520 and 540 victims per month. These operations primarily disrupt infrastructure and leadership rather than the affiliates who carry out most attacks. Affiliates adapt quickly by joining other groups or establishing new ones, leading to temporary reductions in activity but little long-term impact on overall attack volumes.

Looking ahead to late 2025 and beyond, the resurgence of LockBit alongside increasing fragmentation suggests a hybrid future. The landscape is likely to remain decentralised but influenced by a small number of established RaaS brands. Check Point Research expects continued affiliate-led operations on smaller leak sites, expanded monetisation methods such as data-audit services and multi-extortion models, and persistent targeting of sectors with high financial potential.

Ransomware remains one of the most adaptable and financially motivated cyber threats. The balance between fragmentation and renewed centralisation is likely to shape its evolution in the coming years. In this environment, organisations must continue to strengthen endpoint and network security, maintain offline immutable backups, educate employees on phishing and credential theft, and closely monitor developments in RaaS infrastructure and affiliate activity.