Current Cyber Threats

Check Point: The State of Ransomware – Q3 2025

Summary:
Check Point Research released its Q3 ransomware report. It finds that overall attack volume has normalized, but the landscape as a whole is experiencing “fragmentation and decentralization”.

The researchers found that the number of active extortion groups hit a record high of 85 in Q3 2025. The top 10 groups accounted for only 56% of all published victims, down significantly from 71% in Q1 2025, which demonstrates a less centralized threat landscape. The growth in active groups is driven mostly by a large number of small and emerging operators (47 groups published fewer than ten victims), suggesting more affiliates are operating outside of established Ransomware-as-a-Service (RaaS) programs.
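The concentration figures above (top-10 share of published victims, count of groups with fewer than ten victims) are easy to reproduce against any leak-site tracking data. The following Python is an added example, not code from Check Point or from this briefing; it computes those two metrics over constructed per-group victim counts for two hypothetical quarters and also reports the Herfindahl-Hirschman index (HHI), a standard concentration measure the report does not use, as an extra summary. Group names and counts are invented.

```python
from collections import Counter
from typing import Dict, Iterable, Tuple

# Constructed sample data: one record per published victim, (quarter, group).
# These are invented group names and counts, not figures from the report.
SAMPLE_VICTIMS: Tuple[Tuple[str, str], ...] = tuple(
    [("Q1", "alpha")] * 50 + [("Q1", "beta")] * 30 + [("Q1", "gamma")] * 20
    + [("Q1", "delta")] * 8 + [("Q1", "epsilon")] * 2
    + [("Q3", "alpha")] * 30 + [("Q3", "beta")] * 25 + [("Q3", "gamma")] * 20
    + [("Q3", "delta")] * 12 + [("Q3", "epsilon")] * 9 + [("Q3", "zeta")] * 8
    + [("Q3", "eta")] * 7 + [("Q3", "theta")] * 5 + [("Q3", "iota")] * 4
)


def victims_by_group(records: Iterable[Tuple[str, str]], quarter: str) -> Dict[str, int]:
    """Aggregate victim-level records into per-group counts for one quarter."""
    return dict(Counter(group for q, group in records if q == quarter))


def concentration(counts: Dict[str, int], top_n: int = 10, small_threshold: int = 10) -> dict:
    """Return fragmentation metrics for a quarter's per-group victim counts.

    top_n_share: fraction of published victims attributed to the top_n groups
    small_groups: number of groups below small_threshold victims
    hhi: Herfindahl-Hirschman index on a 0..10000 scale (10000 = one group)
    """
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no victims in period")
    ranked = sorted(counts.values(), reverse=True)
    return {
        "active_groups": len(ranked),
        "total_victims": total,
        "top_n_share": sum(ranked[:top_n]) / total,
        "small_groups": sum(1 for c in ranked if c < small_threshold),
        "hhi": sum((c / total) ** 2 for c in ranked) * 10_000,
    }


def fragmentation_increased(before: dict, after: dict) -> bool:
    """True when the landscape decentralized: more groups, smaller top-N share, lower HHI."""
    return (
        after["active_groups"] > before["active_groups"]
        and after["top_n_share"] < before["top_n_share"]
        and after["hhi"] < before["hhi"]
    )


if __name__ == "__main__":
    q1 = concentration(victims_by_group(SAMPLE_VICTIMS, "Q1"), top_n=3)
    q3 = concentration(victims_by_group(SAMPLE_VICTIMS, "Q3"), top_n=3)
    for label, m in (("Q1", q1), ("Q3", q3)):
        print(f"{label}: groups={m['active_groups']} victims={m['total_victims']} "
              f"top3={m['top_n_share']:.1%} small={m['small_groups']} hhi={m['hhi']:.0f}")
    print("fragmentation increased:", fragmentation_increased(q1, q3))
```

With real tracking data, `top_n` would be 10 to match the report; the sample uses 3 because the constructed quarters have few groups. An HHI below about 1500 is conventionally read as an unconcentrated market, which is a useful single number to trend quarter over quarter alongside the top-N share.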

Check Point found that attack volume remained high in Q3 2025. The number of published victims stabilized at an average of 535 victims per month (approximately 1,592 victims in the quarter). This volume represented a 25% increase compared to Q3 2024.

Qilin became the most active group, averaging about 75 victims per month after recruiting former affiliates of the defunct RansomHub group. The reappearance of LockBit 5.0 in September 2025 is a significant development, potentially signaling an attempt to re-centralize affiliates under a major, established brand. The new version features enhanced evasion, faster encryption, and targets Windows, Linux, and ESXi systems. Other top groups included Akira, INC Ransom, and Play.

The most impacted sectors tracked by Check Point were Manufacturing and Business Services. The healthcare sector held steady at approximately 8% of total victims, despite some major groups selectively avoiding it.

Security Officer Comments:
We noticed a similar trend highlighted by Check Point, that the ransomware landscape is showing signs of decentralization. Instead of a few ransomware operators carrying out most of the attack volume, we are tracking a large variety of smaller ransomware operations.

Check Point tracked around 535 victims per month, while our average was similar at 493 (January to October). Check Point tracked 1,592 victims in Q3, which is close to our 1,417. We tracked a much higher percentage increase in Q3 2025 at 52%, but this may also be due to our continued improvements in tracking attacks.

Check Point noted their top four groups as Qilin, Akira, Inc Ransom, and Play, which mirrors our own findings. We also tracked Critical Manufacturing and Commercial Services as our top two targeted sectors in Q3 2025.

Suggested Corrections:
Ransomware attack volume continues to grow in 2025; we have seen the number of ransomware attacks per month nearly double this year. While several major players remain, we seem to be tracking new and distinct ransomware groups at regular intervals, highlighting a more fragmented ransomware landscape. Several factors likely explain this. First, continued law enforcement action against major groups has caused cybercriminal affiliates to search for new strains to work with. Affiliates are seeking out new platforms or creating their own, leading to a proliferation of smaller, independent groups.

Many affiliates may be choosing to operate independently. The core components of many popular ransomware variants (like Conti and Babuk) have been leaked or made publicly available. This allows technically skilled affiliates to set up their own operations easily, without needing to pay a cut to a RaaS developer. The use of automation and even generative AI in RaaS toolkits has made it easier to generate new malware and conduct successful, customized attacks quickly. This levels the playing field, making smaller, newer groups just as effective as the established ones.

Another possibility is that adversaries are moving away from a few massive, high-profile attacks toward a larger volume of smaller attacks, often targeting less-defended entities like small and medium-sized businesses (SMBs) embedded in supply chains. This lower-stakes, high-volume model is naturally better suited for a fragmented, competitive landscape.

Effective ransomware mitigation requires a multi-layered defense centered on three core principles: data protection, prevention of initial access, and limiting lateral movement.
  • First and foremost, protect your data by maintaining an air-gapped, immutable backup that adheres to the 3-2-1 rule, guaranteeing a secure recovery path.
  • Second, minimize the risk of a breach by enforcing Multi-Factor Authentication (MFA) on all accounts and maintaining a rigorous patch management program to close known vulnerabilities.
  • Third, to contain any successful intrusion, employ strict network segmentation to prevent an attacker from moving freely across your network to high-value assets, and utilize Endpoint Detection and Response (EDR) tools for automated detection and containment.
  • Finally, ensure all personnel are trained with security awareness training and that your organization maintains a tested Incident Response Plan to minimize downtime and business impact when an attack inevitably occurs.
Link(s):
https://research.checkpoint.com/2025/the-state-of-ransomware-q3-2025/