How Ransomware Gangs Are Evolving and What It Means for Defenders
Ransomware now operates at a scale which rivals major industries — only its business is crime. What was once the work of isolated hackers has grown into a vast criminal ecosystem, involving supporting actors such as affiliates, data brokers, dark-web forum managers, illicit crypto exchanges and other money-laundering facilitators. Inside the gangs themselves, the work is divided with precision, from malware development and social engineering to attack coordination, victim targeting and cashing out illicit profits.
According to statistics from LUMINAR, during the first half of 2025, 89 ransomware gangs carried out 4,040 attacks, a year-over-year increase of about 40% (compared to 2,873 attacks over the same period in 2024). In the first half of 2025, 35 new ransomware gangs emerged. This underscores both how frequent and wide-reaching ransomware attacks have become and how volatile the ransomware ecosystem is, with groups rapidly appearing, disappearing, and rebranding under new identities.
While most ransomware gangs are focused on making money, some have additional motives, such as ideological or geopolitical goals. For example, nation-states may use ransomware for espionage or disruption as part of a larger geopolitical agenda. Others use state-backed APT groups to generate much-needed revenue. North Korea, for instance, is alleged to use APT groups to launch ransomware attacks that steal hard currency, helping prop up the regime amid a collapsing economy.
The Ransomware as a Service (RaaS) Industry
One of the key market drivers in ransomware gang growth has been the “Ransomware-as-a-Service” (RaaS) cybercrime “business model.” RaaS has made ransomware an easy-to-obtain, easy-to-use attack method. It has completely transformed the market, which has grown from a small, select group of highly technical criminal ransomware gangs to an “anyone-can-be-a-ransomware-criminal” environment, exponentially multiplying potential attacks on organizations large and small. RaaS schemes consist of three key players:
- The operator, who usually writes the code and packages it for easy use, while managing the technical backend infrastructure
- The affiliate, who carries out the attacks and uses the ransomware to infect victims, using techniques including the use of access brokers, malvertising and social engineering
- The victim(s)
To find and recruit affiliates, operators trawl dark web forums and messaging platforms such as Telegram. Affiliates pay a one-time fee, pay a monthly subscription, or split the ransom proceeds with the operator.
Both the operator and the affiliates profit from the RaaS model, and it can be a very lucrative enterprise. For example, in a February 2025 attack, Medusa announced that it had targeted HCRG Care Group, a UK private health and social services provider, demanding $2 million.
RaaS is not the only way ransomware gangs can make money. In certain cases, some attempt to profit from double or triple dipping (also known as recycling operations), in which they approach a previously targeted organization and demand a ransom for data that has already been stolen by other gangs and is already for sale on the dark web. The targeted organization may not have sufficient threat intelligence capabilities in place to assess the situation properly, especially when under time pressure, and may therefore pay the ransom.
How Rivalries and Crackdowns Are Reshaping the Ransomware Gangs Landscape
As with any growing market, the more ransomware gangs that join the business, the stiffer the competition gets for the rest. To maintain their edge, gangs in certain cases are targeting and attacking one another. For instance, some gangs have engaged in reputational attacks and smear campaigns, such as spreading rumors about rival gangs on dark web forums, to try to eliminate competition. Others have leaked personal data and doxxed members of other gangs. Moreover, some groups, like DragonForce, have taken over competitors, absorbing their operations and expanding their market share.
Law enforcement is also devoting more resources toward catching ransomware groups. In May 2025, Europol’s Operation ENDGAME focused on dismantling the infrastructure behind popular malware strains used to launch ransomware attacks. The following malware strains were neutralized during the operation: Bumblebee, Latrodectus, Qakbot, HijackLoader, DanaBot, Trickbot and WarmCookie. In addition, law enforcement authorities issued arrest warrants for more than 20 people and took down 650 domains and more than 300 servers around the globe.
Enforcement activities by authorities are actively reshaping the ransomware ecosystem. For example, “Operation Cronos,” a global law enforcement takedown campaign, targeted LockBit and inadvertently fueled the emergence of new ransomware gangs, prompting further fragmentation and diversification of the ransomware gang ecosystem.
Using Exit Scams to Leave the Business – and Come Back
Within the RaaS ecosystem, ransomware profits are shared in splits such as 80/20, 60/40, 50/50, or another agreed-upon ratio. Funds are collected in a variety of ways: in some schemes the ransom lands in an operator-controlled or shared wallet, from which the operator takes its cut and transfers the rest to the affiliate. Other groups use semi-automated or escrow systems to handle payouts. In an exit scam, the operator keeps the affiliate’s share and shuts down, often to resurface later under a new name.
A recent example came after the high-profile Change Healthcare attack in early 2024. The ALPHV/BlackCat gang allegedly withheld the ransom payment from its affiliate, then quickly shut down operations, only for many of its members to resurface weeks later under the new name “RansomHub,” continuing similar attacks with fresh branding.
Preventing Ransomware Attacks
Effective ransomware prevention starts with implementing and maintaining robust security best practices across the organization. As social engineering is one of the most common methods cyber criminals use to gain access to an organization’s systems, companies need to foster a security-first culture. Critical steps include training employees regularly to ensure they are aware of phishing and other email- and messaging-based threats, enforcing strong password policies, and making sure employees don’t keep “password” files on their hard drives.
On the technical side, organizations need to back up critical data, prioritize patch management, and develop incident response plans.
In addition, it may be time to implement advanced cyber security tools, especially those that leverage AI-powered threat intelligence, delivered by platforms such as Cognyte’s LUMINAR. Key ransomware protection practices that can help organizations reduce the risk and impact of ransomware to their operations include:
LUMINAR and Ransomware Gang Protection
Frequent upheaval in the ransomware landscape—marked by sudden collapses of major gangs and the rise of smaller successors—greatly complicates threat monitoring and defense.
External threat intelligence makes it easier to prevent ransomware attacks before they occur. LUMINAR brings potential ransomware threats to light in real time. An AI-powered external threat intelligence solution, it delivers comprehensive visibility into the threat landscape within a single unified solution for security and risk management leaders, encompassing cyber threat intelligence (CTI), external attack surface management and digital risk protection (DRP).
LUMINAR offers unique value by combining a comprehensive range of sources—from independent research to ransomware data leak sites to commercial feeds—along with historical data analyses powered by GenAI. This approach enables identifying the highest priority threats, making mitigation more effective.
LUMINAR’s AI-powered threat intelligence ensures that companies are quickly made aware of indicators of compromise, as well as of leaks of organizational records or trade in access credentials related to the organization. Continuous monitoring, real-time threat visibility, robust patch management, and risk-level assessment deliver actionable insights to prevent attacks before they happen while keeping systems up to date and secure.
These critical insights make it much easier to create effective incident response plans, transforming reactive activities into proactive intelligence-driven strategies so if an attack does get through, it can be stopped much more quickly.
LUMINAR works within five minutes of onboarding, providing immediate value. In addition, LUMINAR quickly and easily integrates into an organization’s existing security workflows and solutions, from SOC (security operations center) and SOAR (security orchestration, automation and response) to SIEM (security information and event management) and beyond, to support an effective and agile cyber security posture.
Conclusion
Picture ransomware gangs as weeds. Every time one is pulled, many more take its place. With comprehensive threat intelligence from LUMINAR, you may not be able to eliminate weeds entirely, but you can detect them before they are in full bloom in your organization’s garden.
Learn more about how LUMINAR’s external threat intelligence can protect your organization.