The Ransomware-as-a-Service Ecosystem in Late 2025: From LockBit's Disruption to the Rise of Qilin, Akira, and DragonForce

The ransomware landscape has undergone a dramatic transformation throughout 2025, with law enforcement disruptions creating both chaos and opportunity within the cybercriminal ecosystem. While Operation Cronos dismantled LockBit's infrastructure in early 2024, the void left by the once-dominant group has spawned a more fragmented, competitive, and paradoxically more dangerous threat environment. As we approach the end of 2025, ransomware attacks have reached unprecedented levels, with sophisticated Ransomware-as-a-Service (RaaS) platforms democratizing cybercrime and enabling affiliates worldwide to launch devastating attacks with minimal technical expertise.

The Evolution of Ransomware-as-a-Service

Ransomware-as-a-Service has fundamentally transformed cybercrime from an activity requiring elite technical skills into an accessible, plug-and-play business model. RaaS operators function like legitimate software vendors, developing and maintaining ransomware infrastructure while recruiting affiliates to execute attacks. The model typically operates on a profit-sharing basis, with developers taking anywhere from 20% to 40% of ransom payments while affiliates keep the remainder.

The industrialization of ransomware has produced staggering results. In January 2025 alone, the United States experienced a 149% year-over-year increase in ransomware incidents, with nearly 1,200 distinct cases reported in just five weeks. By Q3 2025, researchers tracked 1,592 new victims across 85 active ransomware groups, marking a 25% increase compared to the previous year. The proliferation of groups represents the most decentralized ransomware ecosystem on record, with 14 new operations emerging in Q3 alone.

What makes the current threat landscape particularly concerning is that the top ten ransomware groups now account for just 56% of all victims, down from 71% in Q1 2025. This fragmentation indicates that successful takedowns of major operators no longer significantly impact overall attack volumes—affiliates simply migrate to new platforms or establish independent operations.

LockBit's Fall from Grace

For years, LockBit stood as the most prolific RaaS operation, claiming over 3,500 victims since its 2019 debut. The group's infrastructure, affiliate network, and brand recognition made it the gold standard for ransomware operations. However, Operation Cronos in February 2024 marked the beginning of LockBit's decline.

The coordinated law enforcement action, led by international agencies including the FBI, UK's National Crime Agency, and Europol, resulted in the seizure of LockBit's infrastructure and the subsequent sanctioning of its founder, Russian national Dmitry Yuryevich Khoroshev. Law enforcement gained control of LockBit's data leak sites, using them to reveal information about the group's operations, and discovered that despite promises to the contrary, LockBit did not delete victims' data after receiving ransom payments.

While LockBit attempted to rebuild and continue operations, the damage proved insurmountable. By late 2025, the group no longer ranks among the top fifteen most active ransomware operations, a stunning fall for what was once the industry's undisputed leader.

The disruption of LockBit sent shockwaves through the ransomware ecosystem, displacing thousands of affiliates who had relied on the platform's robust infrastructure and professional operations. These displaced actors quickly sought new homes, accelerating the rise of competing RaaS platforms that were eager to capture market share.

Qilin: The Reigning Champion of 2025

Qilin (also known as Agenda) has emerged as the most active and dangerous ransomware operation in 2025, filling the vacuum left by LockBit's collapse. The group has demonstrated remarkable growth, averaging 75 victims per month in Q3 2025—double its activity from earlier in the year. In both June and July 2025, Qilin led the ransomware landscape with 86 and 73 victims respectively, accounting for approximately 17% of all reported attacks during those months.

Technical Sophistication

Qilin's success stems from its sophisticated technical implementation and business model. The group's ransomware, written in Rust, provides exceptional cross-platform capabilities targeting Windows, Linux, and ESXi environments. Rust's memory-safe properties and efficient performance make the malware particularly difficult to detect and reverse-engineer, while its cross-platform nature allows affiliates to target diverse infrastructure.

The group employs a sophisticated double-extortion model, encrypting victim data while simultaneously exfiltrating sensitive information. Qilin's dedicated leak site, hosted on Tor, features customized company identifiers and account details for victims who refuse to pay. Throughout 2025, the group has continuously enhanced its platform, adding spam campaign capabilities, DDoS attack functions, automated network propagation, automated ransom negotiation panels, and even "in-house journalists" to assist affiliates with crafting pressure campaigns.

Strategic Targeting and Financial Impact

Since its 2022 emergence, Qilin has been linked to 926 attacks across 226 countries, with 168 confirmed incidents resulting in the breach of over 2.3 million records and the theft of 116 terabytes of data. The group's confirmed attacks alone have exfiltrated 47 terabytes of information, demonstrating the massive scale of their data theft operations.

Qilin's targeting reflects a calculated approach focused on high-value sectors. Manufacturing accounts for approximately 23% of the group's victims, followed by professional and scientific services at 18% and wholesale trade at 10%. The financial sector has proven particularly lucrative, with Qilin conducting a sustained campaign against South Korean financial institutions in August and September 2025, compromising 30 organizations in just two months.

One of Qilin's most significant attacks targeted Synnovis Laboratories, an NHS partner in the United Kingdom, resulting in the disruption of services at multiple hospitals and forcing the cancellation of over 10,000 appointments and procedures. More recently, on November 5, 2025, Qilin claimed responsibility for breaching Habib Bank AG Zurich, allegedly stealing 2.5 terabytes of sensitive customer and corporate data, including financial records, system source code, and personal identification documents.

Affiliate Program Excellence

Qilin's rapid ascension can be largely attributed to its attractive affiliate program. The group offers up to 85% revenue share to affiliates—one of the most generous splits in the RaaS ecosystem. This aggressive commission structure became particularly effective following RansomHub's sudden disappearance in April 2025, when displaced affiliates flocked to Qilin's platform. The influx of experienced operators contributed to a 280% jump in attack claims between late April and October 2025.

The group's initial access methodologies vary across affiliates but commonly include phishing campaigns, exploitation of public-facing vulnerabilities, and abuse of external remote services such as RDP. In 2025, Qilin affiliates have been observed exploiting critical vulnerabilities including CVE-2024-21762 and CVE-2024-55591 in FortiGate appliances, and CVE-2025-31324 in SAP NetWeaver Visual Composer—the latter exploited as a zero-day before public disclosure.

Akira: Speed and Aggression

Akira ransomware has established itself as one of the fastest-moving and most aggressive threat groups in the current landscape. Since emerging in March 2023, Akira has impacted over 250 organizations globally and claimed approximately $244.17 million in ransomware proceeds as of late September 2025. The group's rapid evolution and sophisticated tactics have made it a primary concern for critical infrastructure defenders.

Lightning-Fast Attack Chains

What distinguishes Akira from competitors is the remarkable speed of its attack chains. In documented incidents, the group has exfiltrated victim data in as little as two hours from initial access—a timeline that leaves security teams with virtually no opportunity to detect and respond. This velocity is achieved through Akira's focus on compromising virtual infrastructure early in the attack lifecycle, allowing them to gain control of VM storage and hypervisor platforms that can disrupt multiple critical systems simultaneously.

Initially focused on VMware ESXi and Microsoft Hyper-V environments, Akira has continuously expanded its capabilities. In a June 2025 attack, the group demonstrated a significant evolution by encrypting Nutanix AHV virtual machine disk files for the first time, exploiting SonicWall vulnerability CVE-2024-40766 to expand beyond its traditional target platforms.

SonicWall VPN Campaign

One of Akira's most successful campaigns throughout 2025 has involved the systematic targeting of SonicWall SSL VPN devices. Beginning in July 2025, security researchers observed a dramatic increase in Akira activity targeting organizations with SonicWall appliances, potentially exploiting CVE-2024-40766. Arctic Wolf Labs documented that even patched SonicWall devices showed signs of compromise, suggesting the group may have access to additional, undisclosed vulnerabilities or sophisticated bypass techniques.

The campaign's success led to CISA and international partners issuing updated guidance on November 13, 2025, warning that Akira presents an "imminent threat" to critical infrastructure. In the 90 days leading up to mid-November 2025, 149 victims were linked to Akira attacks, with Sophos X-Ops providing incident response support for numerous cases.

Advanced TTPs and Tooling

Akira's technical sophistication extends across the entire attack lifecycle. The group leverages multiple sophisticated tools including:

  • POORTRY malware: Deployed to modify Bring Your Own Vulnerable Driver (BYOVD) configurations, create administrator accounts, steal credentials, and bypass VMDK protections
  • SystemBC and STONETOP: Remote access trojans for command and control and payload delivery
  • Cobalt Strike: For lateral movement and network reconnaissance
  • Remote management tools: AnyDesk and LogMeIn to maintain persistence while mimicking legitimate administrator activity

The group's defense evasion techniques are equally sophisticated, including modifying firewall settings, terminating antivirus processes, uninstalling EDR systems, and exploiting vulnerabilities in Veeam Backup and Replication to compromise recovery infrastructure.
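As an added defender-side example (not code from the original article, and not any vendor's detection content), the following Python script turns the tooling and defense-evasion behaviours listed above into simple detection rules, runs them over a few constructed process-creation log lines, and correlates hits per host inside a two-hour window, the timeline the article gives for Akira's fastest exfiltration. The log line format, the host and user names, the `SECURITY_PROCESSES` set and the `{PLACEHOLDER-EDR-PRODUCT-CODE}` value are assumptions made for this example; `MsMpEng.exe` is the Windows Defender engine process.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events, not real telemetry. The line format
# (timestamp, host, user, quoted image path, quoted command line) is an
# assumption made for this example.
SAMPLE_LOG = """\
2025-11-14T02:13:05Z host=FS01 user=CORP\\svc_backup image="C:\\Windows\\System32\\netsh.exe" cmd="netsh advfirewall set allprofiles state off"
2025-11-14T02:14:41Z host=FS01 user=CORP\\svc_backup image="C:\\Windows\\System32\\taskkill.exe" cmd="taskkill /F /IM MsMpEng.exe"
2025-11-14T02:20:12Z host=FS01 user=CORP\\svc_backup image="C:\\Users\\Public\\AnyDesk.exe" cmd="AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"
2025-11-14T03:02:55Z host=FS01 user=CORP\\svc_backup image="C:\\Windows\\System32\\msiexec.exe" cmd="msiexec /x {PLACEHOLDER-EDR-PRODUCT-CODE} /qn"
2025-11-14T09:30:00Z host=WS22 user=CORP\\jdoe image="C:\\Windows\\System32\\netsh.exe" cmd="netsh advfirewall show allprofiles"
2025-11-14T10:05:17Z host=WS22 user=CORP\\jdoe image="C:\\Users\\jdoe\\Downloads\\AnyDesk.exe" cmd="AnyDesk.exe"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image="(?P<image>[^"]*)" cmd="(?P<cmd>[^"]*)"$'
)

# Security tooling process names an intruder might terminate. MsMpEng.exe is
# the Windows Defender engine; "edr-agent.exe" is a placeholder for the
# process name of whatever EDR sensor you run.
SECURITY_PROCESSES = {"msmpeng.exe", "edr-agent.exe"}

# Remote-management tools named in the text, matched on the image basename prefix.
RMM_PREFIXES = ("anydesk", "logmein")

# A host showing two or more distinct categories inside this window is rated
# high, mirroring the two-hour access-to-exfiltration timeline described above.
CORRELATION_WINDOW = timedelta(hours=2)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def classify(event):
    """Return the TTP categories a single event matches (empty list if nothing fires)."""
    cmd = event["cmd"]
    basename = event["image"].rsplit("\\", 1)[-1].lower()
    hits = []
    # Firewall profile being switched off via netsh (a "show" command does not match).
    if re.search(r"netsh\s+advfirewall\s+set\s+\S+\s+state\s+off", cmd, re.I):
        hits.append("firewall_modification")
    # taskkill aimed at a known security process.
    if "taskkill" in cmd.lower():
        target = re.search(r"/im\s+(\S+)", cmd, re.I)
        if target and target.group(1).lower() in SECURITY_PROCESSES:
            hits.append("av_process_termination")
    # Silent MSI uninstall: candidate EDR removal; scope to your product code in practice.
    if re.search(r"msiexec\s+/x\b", cmd, re.I) and "/qn" in cmd.lower():
        hits.append("silent_uninstall")
    # Remote-management tool launched from disk.
    if basename.startswith(RMM_PREFIXES):
        hits.append("remote_management_tool")
    return hits


def triage(log_text):
    """Group flagged events per host and rate each host high/low by category breadth in the window."""
    per_host = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for cat in classify(ev):
            per_host.setdefault(ev["host"], []).append((ev["ts"], cat, ev["cmd"]))

    report = {}
    for host, flagged in per_host.items():
        flagged.sort()
        severity = "low"
        for i, (start, _, _) in enumerate(flagged):
            in_window = {c for t, c, _ in flagged[i:] if t - start <= CORRELATION_WINDOW}
            if len(in_window) >= 2:
                severity = "high"
                break
        report[host] = {
            "severity": severity,
            "categories": sorted({c for _, c, _ in flagged}),
            "events": [(t.isoformat(), c, cmd) for t, c, cmd in flagged],
        }
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG).items():
        print(f"{host}: {info['severity']} {info['categories']}")
```

Run as-is, it rates FS01 high (four categories inside fifty minutes) and WS22 low (a lone AnyDesk launch, with the benign `netsh ... show` ignored). In production the same logic would consume Sysmon process-creation or EDR process events rather than the constructed lines, and the `msiexec /x` rule should be narrowed to the product code of your own EDR to keep routine software removal out of the queue.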

Akira_v2 Variant

In late 2025, Akira introduced an updated ransomware variant, Akira_v2, featuring faster encryption capabilities and enhanced evasion techniques. The new version represents a continuous evolution of the group's technical capabilities, incorporating lessons learned from thousands of previous attacks. Security researchers note that Akira threat actors are associated with multiple overlapping groups including Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, and may have connections to the defunct Conti ransomware operation.

DragonForce: The Ransomware Cartel

DragonForce represents one of the most intriguing developments in the 2025 ransomware landscape—a hybrid operation that blurs the lines between hacktivism and financial cybercrime while pioneering new business models for affiliate recruitment and operations.

Origins and Evolution

DragonForce first emerged in December 2023 with the launch of its "DragonLeaks" dark web portal. Some researchers trace its lineage to DragonForce Malaysia, a long-standing hacktivist collective, though this connection remains unconfirmed and the hacktivist group denies involvement in ransomware activities. Regardless of its origins, by 2025 DragonForce has evolved into a sophisticated RaaS operation with a unique organizational structure.

What sets DragonForce apart is its "cartel" model, announced in March 2025. Rather than operating as a traditional hierarchical RaaS platform, DragonForce positioned itself as a decentralized coalition, actively recruiting not just individual affiliates but entire ransomware groups to join its ecosystem. This approach represents a fundamental shift in ransomware organization, replacing centralized control with collaborative networks.

White-Label Ransomware Platform

DragonForce's technical platform offers affiliates unprecedented customization capabilities. The white-label model allows affiliates to:

  • Create unique ransomware brands using DragonForce's infrastructure
  • Compile custom binaries with personalized configurations
  • Design custom ransom notes and file extensions
  • Access pre-built negotiation tools and encrypted storage
  • Utilize templated leak sites branded as "RansomBay"

The commission structure is highly competitive, with DragonForce taking only a 20% revenue share—significantly lower than most RaaS platforms. This aggressive pricing, combined with the platform's flexibility, proved particularly attractive following RansomHub's collapse in April 2025, when DragonForce successfully recruited numerous displaced affiliates.

Data Audit Services: A New Monetization Model

In August 2025, DragonForce introduced an innovation that may reshape ransomware economics: data audit services. This offering provides affiliates with detailed analysis of stolen data to maximize extortion leverage. When affiliates submit datasets over 300GB from companies with annual revenues exceeding $15 million, DragonForce's team analyzes the data and identifies the most valuable commercial and financial information, accompanied by customized extortion letters designed to maximize pressure.

In one showcased example, DragonForce reviewed stolen files from a gold mining company, highlighting critical design data, intellectual property, and business intelligence that could be used to devastating effect in extortion negotiations. This "extortion-as-analytics" approach represents a concerning evolution, applying data science principles to criminal operations.

UK Retail Campaign

DragonForce gained significant notoriety in April and May 2025 through a coordinated campaign targeting major UK retailers. The attacks against Marks & Spencer, Harrods, and Co-op triggered multi-day outages of e-commerce platforms, loyalty programs, and internal operations.

The M&S breach was particularly severe, forcing the company to pause all online clothing and home orders for approximately one week, with even in-store contactless payment systems affected. The Cyber Monitoring Centre classified these attacks as a "single combined cyber event" with total losses between £270-440 million ($363-592 million). In July 2025, the UK's National Crime Agency arrested four individuals, including a 17-year-old, in connection with these devastating attacks.

The Co-op incident, though potentially contained before full deployment, revealed the threat actors' advanced social engineering capabilities. The retailer's decisive action to "yank their own plug" when they discovered the attack in progress prevented ransomware encryption, though the attack still cost at least £206 million in lost revenues.

Security experts linked these attacks to affiliates using Scattered Spider techniques—sophisticated social engineering combined with DragonForce's ransomware payload. The attacks represented one of the most devastating waves to hit the UK retail sector.

Aggressive Competition

DragonForce has distinguished itself through openly hostile behavior toward competing ransomware operations. Within 24 hours of announcing its cartel model in March 2025, the group defaced the leak sites of rival operations BlackLock and Mamona. When RansomHub's infrastructure went offline on April 1, 2025, DragonForce immediately published announcements suggesting RansomHub should join their platform—a move interpreted as both mockery and aggressive recruitment.

Despite these controversies, DragonForce has demonstrated steady growth, roughly tripling its monthly victim count since RansomHub's shutdown and claiming 56 victims in Q3 2025. While this remains below Qilin and Akira's activity levels, the group's innovative approach and successful affiliate recruitment suggest it will remain a significant player in the evolving ransomware ecosystem.

Other Active RaaS Groups in Late 2025

The fragmentation of the ransomware landscape has created opportunities for numerous other groups to establish themselves as significant threats: