Ransomware groups exploit law enforcement actions against rival criminal organizations, continuing their operations.
In the dynamic world of cybercrime, the ransomware-as-a-service (RaaS) ecosystem has shown an intriguing pattern of resilience and adaptability. As major RaaS groups fall under law enforcement scrutiny, new players swiftly rise to fill the power vacuum.
According to Check Point Software Technologies' latest report, this cycle resembles a "whack-a-mole" dynamic. For instance, after the dismantling of LockBit in May 2025, RansomHub quickly expanded to take its place, although RansomHub itself shut down in April 2025. This quick succession highlights the robustness and adaptability of cybercriminal networks.
Several key factors contribute to this phenomenon. Firstly, law enforcement pressure leads to takedowns, arrests, and shutdowns of major RaaS groups. Secondly, the fragmentation of affiliates results in smaller groups switching allegiances or operating independently. Thirdly, competition among established RaaS gangs, such as Qilin and DragonForce, intensifies as they vie for former RansomHub affiliates. Lastly, strategic shifts by ransomware operators to lower visibility and legal risks by dispersing operations further fuel this cycle.
The RaaS ecosystem has become more dispersed than ever. Established players are actively recruiting 'orphaned' affiliates, enabling new groups to quickly gain prominence. Some RaaS groups, like Safepay and Akira, exhibit distinct geographic preferences, focusing disproportionately on Germany and Italy, respectively.
Meanwhile, many smaller RaaS groups that used to affiliate with larger players are now operating independently or seeking new partnerships. For example, after RansomHub's shutdown, its affiliates sought a new partner, with many finding a home in Qilin.
The United States accounts for approximately half of all reported ransomware victims. The UK, Germany, and Canada each account for 5% of all reported victims. Interestingly, several major RaaS groups have stopped posting victims to popular leak sites, suggesting a shift in tactics.
Competition between prominent RaaS groups Qilin and DragonForce for affiliates of the now-defunct RansomHub has been observed. Following RansomHub's demise, Qilin advertised its attack toolkit's "enhanced features," including new DDoS capabilities and victim negotiation consultations.
The precise circumstances behind RansomHub's disappearance remain unclear. However, the impact of its shutdown on the ransomware ecosystem was immediate, with Qilin's activity nearly doubling in the second quarter of 2025.
This constant cycle of collapse and emergence reflects both operational pragmatism by attackers and the evolving nature of the ransomware ecosystem in 2025. As law enforcement and cybersecurity professionals continue to combat these threats, it's crucial to stay informed about these shifts in order to protect against them effectively.
The ransomware-as-a-service (RaaS) landscape continues to demonstrate resilience, as new players like Qilin rise in the wake of dismantled groups, such as RansomHub. The competition among established RaaS gangs like Qilin and DragonForce fuels this cycle, with the former aggressively recruiting orphaned affiliates.
The constant ebb and flow within the RaaS ecosystem, characterized by a 'whack-a-mole' dynamic, necessitates continuous improvements in cybersecurity and technology to counteract these ever-evolving threats.