IT Brief Canada - Technology news for CIOs & IT decision-makers

Ransomware surge in Q3 2025 as new alliances target more sectors

Thu, 9th Oct 2025

The number of active data-leak sites related to ransomware and cyber extortion reached a record high in the third quarter of 2025, with significant shifts in the behaviour and alliances among major ransomware groups, according to new analysis by ReliaQuest.

Data-leak site surge

In Q3 2025, 81 unique data-leak sites were observed, the highest number recorded to date. The continued fragmentation of the ransomware landscape has resulted in increasingly unpredictable attack patterns. Smaller ransomware groups have stepped in to fill gaps left by the decline of larger players, broadening the scope of targeted regions and industries, including those not traditionally affected.

Although the overall number of organisations listed on data-leak sites held steady compared to the previous quarter, the analysis indicates that significant developments are reshaping the ransomware ecosystem. Notably, Thailand experienced an unprecedented 69% surge in data-leak listings, largely attributed to the newly emerged "Devman2" group. Thailand, with a projected digital economy valued at USD $140.3 billion in 2025, is one of several nations facing heightened risk from these expanding threats.

Shifting alliances and new threats

The report highlights several key developments among high-profile ransomware actors. The hacking group known as Scattered Spider has alluded to the ongoing development of its first Ransomware-as-a-Service (RaaS) platform, "ShinySp1d3r RaaS". This offering combines social engineering with disruptive encryption techniques, posing a dual risk of both data theft and encryption-based extortion to targeted organisations.

In a statement shared via Telegram, the group claimed ShinySp1d3r RaaS will be "the best RaaS to ever live." This marks a notable shift for English-speaking, West-based cybercriminal groups, which have traditionally relied on partnerships with Russian-speaking ransomware operators. The formal release of ShinySp1d3r RaaS would represent the first major English-led RaaS platform to date.

According to ReliaQuest, "Although several members of the group have been arrested, Scattered Spider will continue to operate and develop this service. The group is unstructured and made up of transient members, primarily teenagers who are drawn to cybercrime through online communities and forums."

LockBit evolution and critical infrastructure

LockBit, a longstanding ransomware operator, returned to prominence in September with the launch of its "LockBit 5.0" affiliate programme on the dark web. This new programme permits affiliates to target sectors previously off-limits, including critical infrastructure such as power plants. The announcement follows law enforcement actions against LockBit in early 2024, which resulted in several arrests and the seizure of group infrastructure.

"It is permissible to attack critical infrastructure such as nuclear power plants, thermal power plants, hydroelectric power plants, and other similar organizations. These authorizations remain in effect until an agreement is reached between the FBI and LockBit not to attack certain categories of targets. If you are reading this and these rules have not changed, then the FBI has not yet approached us for this agreement and they are quite comfortable with the authorizations to attack the above categories of organizations."

The expansion of permissible targets is seen as both a response to law enforcement pressure and a deliberate escalation. ReliaQuest notes that if LockBit manages to regain trust among affiliates, the group could re-emerge as a dominant ransomware threat.

Coalitions and business-like operations

LockBit has also formed a coalition with other prominent RaaS groups, DragonForce and Qilin, a partnership which analysts suggest is likely to result in more frequent and effective attacks. Such collaborations have proven transformative in the past, with similar alliances introducing double extortion tactics that combine system encryption with data theft to increase pressure on victims.

Qilin itself achieved a record high number of items listed on its data-leak site during Q3 2025, aided by business-oriented practices and aggressive recruitment, including banner advertisements on dark web forums. Other groups of concern include Akira, Inc Ransom, and Play, all of which continue to exploit unpatched vulnerabilities and basic security gaps in internet-connected software.

Qilin's approach exemplifies the increasing professionalisation of ransomware operations: "Qilin's success shows that ransomware groups succeed by running like businesses, with organized practices, recruiting, and efficient operations. For example, they partner with initial access brokers (IABs) to get VPN access, allowing faster and more coordinated attacks that can bypass EDR detection."

Sector and geographical targeting

Emerging ransomware groups such as Beast, The Gentlemen, and Cephalus are contributing to a 31% rise in attacks on healthcare organisations. The professional, scientific, and technical services sector also saw a 17% uptick, while manufacturing and construction sectors experienced declines of 5% and 19%, respectively. These shifts reflect the opportunistic nature of ransomware targeting, with attackers seeking both sensitive data and organisations with weaker cyber defences.

The expansion of attacks beyond the US and Europe into countries like Thailand, Egypt, and Colombia demonstrates ransomware actors' efforts to evade detection and enforcement. The US remains the most prominent target due to high payouts and the prevalence of cyber insurance that often covers ransomware payments. ReliaQuest observed: "Ransomware groups analyze stolen data, including insurance policies, to maximize extortion payments. Meanwhile, lenient enforcement in countries like Russia allows these groups to operate without consequences."

Emerging groups to watch

One group ReliaQuest singles out as one to watch is The Gentlemen, a RaaS group which emerged in September 2025 and has already listed 35 victims on its data-leak site. With a 90/10 profit split in favour of affiliates, it is expected to expand its operations in coming quarters.

Recommended defensive measures

The analysis concludes with advice for organisations to improve cyber resilience. ReliaQuest recommends restricting RDP and remote access, prioritising patching of public-facing applications, and implementing containment measures for file encryption. The report outlines the significance of basic security hygiene in defending against sophisticated and opportunistic ransomware attacks.

According to the report: "This report reveals that ransomware remains one of the most critical threats to organizations worldwide, and it outlines three crucial steps they should take now to strengthen their defenses against these attacks. Restrict RDP and Remote Access; File Containment Restrictions; Patch Public Applications."

The ransomware landscape in Q3 2025 is defined by record activity among both established and emerging groups, novel alliances, and an expanded global reach, putting a range of sectors and geographies at greater risk from cyber extortion and associated disruptions.
