Ransomware attacks on the rise as new groups emerge, Flashpoint warns

Despite stronger cybersecurity defenses, ransomware continues to surge, driven by the emergence of new ransomware-as-a-service (RaaS) groups and the evolution of attack tactics. This is according to new research from threat intelligence firm Flashpoint.

Flashpoint’s midyear analysis reveals ransomware attacks have increased 179% compared to the same period in 2024, underscoring the persistent financial and operational risks that ransomware poses to organizations worldwide. Much of this growth is driven by RaaS operators and affiliates, who provide malware and infrastructure to cybercriminals in exchange for profit-sharing agreements.

Emerging ransomware trends in 2025

Flashpoint’s report highlights several shifts shaping the ransomware landscape this year:

1. Extortion over encryption

This shift has been happening for a long time now, with new and old groups adopting “pure extortion” tactics over encryption. Groups like World Leaks, formerly known as Hunter’s International, now rely solely on data theft and blackmail. Established groups such as RansomHub and newcomers like Weyhro have also employed this method.

2. Family Ties and Rebranding

Ransomware groups frequently rebrand or reuse leaked source code from defunct operations. For instance, SafePay has clear code overlaps with the notorious LockBit, while other groups like Devman and DragonForce show connections to past ransomware families. Flashpoint analysts note that this recycling of tactics and tools makes attribution increasingly difficult.

3. AI-Driven cybercrime

The use of artificial intelligence is now entering the ransomware playbook. The group Funksec openly uses large language models (LLMs) to generate phishing templates and even developed “WormGPT,” a malicious chatbot designed for social engineering. Analysts expect more groups to adopt AI-driven tooling throughout 2025.

4. Recycling old brands

In January 2025, the notorious but shuttered Babuk resurfaced as “Babuk v2.” Upon closer inspection, Flashpoint determined the group was recycling victim data from other operations rather than conducting fresh attacks, illustrating how old names are leveraged to generate fear and credibility.

5. Persistent access vectors

While AI enables more convincing phishing campaigns, attackers continue to exploit unpatched vulnerabilities, infostealers, and remote monitoring and management (RMM) software. Once inside, threat actors increasingly rely on Living off the Land (LOTL) techniques to escalate privileges and move laterally across networks.

Big names missing

Not all ransomware operations are thriving in 2025. Flashpoint notes that more than 29 groups are no longer active this year. Still, history suggests many may eventually resurface under new branding.

LockBit

Once the most prolific RaaS operation with over 3,500 victims since 2019, LockBit is no longer among the top 15 active groups. The decline follows Operation Cronos, a coordinated global law enforcement action in February 2024, as well as sanctions against its alleged founder, Russian national Dmitry Yuryevich Khoroshev. LockBit held momentum through late 2024, but a May 2025 affiliate breach crippled its infrastructure. No new victims have been posted since May 9.

BlackCat

The BlackCat (ALPHV/Noberus) collective, another notorious gang, was dismantled by law enforcement in December 2023, briefly relaunched, then officially shut down in March 2024. Many of its affiliates have since migrated to RansomHub, reinforcing the cyclical nature of ransomware operations. Analysts also suggest BlackCat itself was a rebranding of the earlier DarkSide/BlackMatter gangs, highlighting the constant evolution of cybercrime syndicates.

A shifting but persistent threat

Flashpoint warns that while some groups fall, new ones quickly rise to take their place. The ransomware economy continues to evolve, leveraging rebranding, AI, and new extortion models to sustain attacks.

“Organizations must remain vigilant against ransomware threats,” Flashpoint analysts caution, “as the shifting tactics and rapid emergence of new groups mean the landscape in 2025 is more volatile than ever.”