Check Point’s quarterly Ransomware Report reveals dramatic changes in the global ransomware landscape. In Q2 2025, once-dominant ransomware-as-a-service (RaaS) groups, including LockBit and RansomHub, either ceased operations or stopped publishing victim data altogether. Their abrupt disappearance fractured an ecosystem that had long been controlled by a few powerful players. In their place emerged a fragmented and volatile array of smaller, agile actors eager to fill the void.
The shift was not by chance. Law enforcement has been under increased pressure to investigate and apprehend the operators of the most notorious ransomware groups, and its efforts have started to pay dividends.
In May alone, coordinated international law enforcement operations dismantled more than 300 malicious servers, shut down over 650 domains, and issued arrest warrants for at least 20 suspects tied to ransomware and initial access malware infrastructure. These actions struck at the operational core of ransomware campaigns, disrupting the very foundation on which most major RaaS groups rely. LockBit’s infrastructure takedown in late 2024, executed under Operation Cronos, set the tone for this year’s crackdown, proving that even the most prolific actors are vulnerable when the global cybersecurity community works in concert.
Beyond law enforcement, a shifting financial calculus has added pressure. Ransomware exploits are simply not as lucrative as they’ve been in the past. Governments around the world have implemented – or are exploring – regulations that ban ransom payments. In addition, many organizations have invested in backup and recovery strategies that allow them to refuse payment altogether. Decreasing trust in ransomware decryption promises has further eroded the effectiveness of these attacks.
As a result, global payment rates have dropped to an estimated 25–27 percent, a historic low that is forcing cyber criminals to evaluate whether the risk is still worth the reward. Based on the trends we’re seeing in early 2025, it seems the defenders may finally be winning the war against RaaS groups.
The global ransomware stage is evolving considerably due to these punitive and financial pressures. In early 2025 we’ve seen a wave of high-profile exits, strategic retreats, and rebranding efforts. Some groups have vanished entirely, while others have pivoted toward data theft or silent extortion tactics.
RansomHub, for instance, was among the most active groups in early 2024 but, by Q2 2025, had effectively disappeared. LockBit followed a similar trajectory, halting victim disclosures and losing its status as the most active RaaS platform. The combined disappearance of these giants contributed to a noticeable decline in publicly posted ransomware victims – from 2,289 in Q1 to 1,607 in Q2 – though this figure remains higher than the 1,270 recorded during the same period in 2024.
While we’ve seen a marked reduction in high-profile names and published victims, these trends do not indicate that the ransomware threat is in full retreat. It has simply become more unpredictable and decentralized. A new generation of smaller, often short-lived ransomware groups is rising to fill the void.
Groups like Qilin, Akira, and DragonForce have surged in activity, with Qilin overtaking Cl0p as the most prolific actor in Q2. DragonForce alone saw a 119 percent increase in attacks quarter over quarter, contributing to the dramatic reshaping of the ecosystem. At least 70 distinct ransomware groups were active in Q2, an increase of more than 50 percent year over year.
This fragmentation has made ransomware harder to track, especially as affiliates switch allegiances, go independent, or operate without traditional branding. Many groups are now choosing low-profile, targeted campaigns that focus on data extortion rather than full-scale encryption. The days of easily attributed, brand-name ransomware attacks are fading, replaced by stealthier, more agile threats that move quickly and exploit vulnerabilities with increasing automation. In some cases, lateral movement within victim environments now occurs in under 48 minutes.
For security teams and defenders, these developments present both challenges and opportunities. The reliance on static indicators of compromise or reputation-based tracking is no longer sufficient. Defenders can no longer assume that knowing a handful of major groups will provide meaningful protection.
Instead, organizations must shift to behavior-based detection models that focus on how an attacker operates, not just who they are.
Equally important is the need for speed and adaptability in incident response. As threat actors become more decentralized, their tactics evolve faster, and defenses must evolve just as quickly to keep up. The focus must move from reactive measures to proactive security strategies that anticipate threat behavior and adapt in real time. This includes robust data integrity controls, continuous network monitoring, and comprehensive visibility across on-premises, cloud, and hybrid environments.
The law enforcement crackdowns that have blunted some of the top ransomware groups may have unintentionally created fertile ground for affiliate spin-offs, impersonators, and opportunistic actors looking to stake their claim. Some previously dismantled groups, including AlphV/BlackCat and LockBit, have already begun to reappear in modified or rebranded forms, hinting at a possible resurgence once scrutiny subsides.
Ultimately, this represents a wholesale reconfiguration of the threat landscape. The ecosystem is still active (and arguably more dynamic than ever), but it’s no longer defined by the few headline-grabbing names that once dominated it. Ransomware has entered a new era: decentralized, agile, and harder to detect.
We know that the one constant in cyber defense is change. Traditional assumptions about ransomware are becoming less applicable, especially with the growth of AI threats. Threat models must be updated continuously. Detection must be behavior-driven and intelligence-led. And defenses must be layered, integrated, and capable of adjusting to fast-moving adversaries.
Prevention-first strategies, real-time analytics, and cross-industry collaboration are now essential to keeping organizations safe.
As the power structure behind ransomware shifts, security leaders must evolve their approach in tandem. Law enforcement is doing its part. Now it’s time for the cybersecurity community to rise to the challenge, build resilient infrastructures, and outpace a threat that refuses to stand still.