Between July 2024 and June 2025, no less than 41 new ransomware groups have emerged. For the first time, the global landscape has seen over 60 gangs active simultaneously.
What’s driving this surge? Law enforcement takedowns of major ransomware groups. While many of these have been successful, they had paradoxical effects:
- Fragmentation: Dispersed affiliates from shuttered operations quickly spin up their own ventures, reusing leaked ransomware code, renting out commoditized malware, and lowering the barriers to entry for new players.
- Distrust: The underworld increasingly resembles a “Mexican standoff.” Exit scams are on the rise, affiliates are double-dealing stolen data across multiple leak sites, and rival groups are attacking each other. This creates chaos, but also volatility.
- Diffusion: The balance of power is shifting. In 2022, the top 10 ransomware groups accounted for 69% of all attacks. Today, they account for only 50%, showing that the market is far more distributed and difficult to disrupt through traditional takedown strategies.
The outcome is a criminal economy that is simultaneously more chaotic, less trustworthy, yet more resilient. The “mega-gangs” that once dominated headlines are no longer the only threat and hundreds of smaller, opportunistic groups now operate in parallel, forcing defenders to fight on multiple fronts at once.
For organizations, this means:
- The attack surface has widened, with more varied techniques and less predictable targeting.
- Supply-chain attacks and data extortion are no longer concentrated in a handful of groups but spread across a swarm of smaller actors.
- Traditional defense strategies must evolve from focusing on “the big names” to building resilience against a distributed, commoditized threat landscape.
At ZENDATA, we continuously track these dynamics. The challenge is no longer just “stopping ransomware.” It is about anticipating the ripple effects of a constantly mutating underground economy and ensuring that defensive strategies evolve as fast as the adversaries do.
Full article on The Record
