IT Brief UK - Technology news for CIOs & IT decision-makers
Thu, 29th Jan 2026

ReliaQuest has reported a sharp rise in ransomware groups' claimed victims in the final quarter of 2025, with data-leak site postings up 50% on the previous quarter despite a fall in the number of active groups.

The company tracked 77 active ransomware data-leak sites in Q4 2025, down from 84 in Q3. Over the same period, the number of organisations listed on leak sites rose markedly. ReliaQuest also recorded a 40% increase in claimed victims compared with Q4 2024.

The figures point to a market where fewer groups generated higher volumes, according to ReliaQuest. The report describes a period of "short-term consolidation" in which higher-output groups increased activity as weaker operators lost momentum. It also notes that the wider ecosystem tends to fragment over time, with frequent churn in group names and leak sites.

Leading groups

Qilin and Akira remained the two most active ransomware threats in the quarter, based on the number of organisations listed on leak sites. ReliaQuest also highlighted a late-quarter return by LockBit 5.0, which it said listed 110 organisations in December alone.

ReliaQuest described the trend among top-tier ransomware-as-a-service operations as a focus on speed and execution across different environments. It linked that shift to a shorter window for defenders between intrusion and impact.

"Top-tier ransomware-as-a-service (RaaS) programs are optimizing for speed and cross-environment execution, which is compressing time-to-impact for defenders," said ReliaQuest.

In its commentary on Qilin, ReliaQuest said the group remained the "clear frontrunner" in terms of organisations impacted during the quarter. The report attributed that position to work on automation and customisation, alongside other product features. It framed these elements as drivers of faster deployment and longer-running operations against well-defended targets.

Sinobi surge

A newer group, Sinobi, rose to third place in Q4 after a sharp increase in listings. ReliaQuest said Sinobi's attributed leak-site listings rose 306% in the quarter. The group first emerged in July 2025.

ReliaQuest assessed that Sinobi is likely a rebrand or offshoot of Lynx ransomware. It linked the increase to affiliate migration away from declining operations. The report said Sinobi had no known presence on cybercriminal forums for recruitment, which reduced visibility into how it might onboard affiliates and change its toolset.

The report described Sinobi as relying on stealth through "living-off-the-land" techniques. It said affiliates used tools already present in Windows environments rather than deploying malware, including PowerShell and legitimate remote administration software. ReliaQuest also pointed to repeatable patterns in intrusions, including creation of new administrator accounts and Rclone-based data exfiltration.

ReliaQuest said living-off-the-land activity can resemble routine administration. It said that can delay detection until data theft is underway, which raises the importance of fast containment once defenders identify an intrusion.
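The repeatable pattern described above (a new administrator account followed by Rclone activity) can be turned into a correlation rule. The following is an added example, not code from ReliaQuest or the report; the normalised record fields, the sample events and the 24-hour window are assumptions, while the event IDs are standard Windows Security log IDs.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the report), already parsed into dicts.
# 4720 = account created, 4732 = member added to a local group,
# 4688 = process creation. Field names are assumed, not a real log schema.
SAMPLE_EVENTS = [
    {"ts": "2026-01-12T02:10:00", "host": "FS01", "id": 4720, "target": "svc_backup2"},
    {"ts": "2026-01-12T02:11:30", "host": "FS01", "id": 4732, "target": "svc_backup2",
     "group_sid": "S-1-5-32-544"},
    {"ts": "2026-01-12T03:40:00", "host": "FS01", "id": 4688,
     "cmdline": r"C:\ProgramData\rclone.exe copy D:\Finance remote:bucket"},
    {"ts": "2026-01-12T09:00:00", "host": "WS07", "id": 4720, "target": "new.starter"},
    {"ts": "2026-01-12T09:05:00", "host": "WS07", "id": 4732, "target": "new.starter",
     "group_sid": "S-1-5-32-545"},
    {"ts": "2026-01-13T10:00:00", "host": "BK02", "id": 4688,
     "cmdline": r"C:\Tools\rclone.exe sync E:\Backups remote:offsite"},
]

ADMINS_SID = "S-1-5-32-544"   # built-in local Administrators group
WINDOW = timedelta(hours=24)  # assumed correlation window


def correlate(events, window=WINDOW):
    """Alert when a freshly created account is added to local Administrators
    and rclone then runs on the same host within `window`."""
    created = {}     # (host, account) -> creation time
    new_admins = {}  # host -> [(time added to Administrators, account)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host = ev["host"]
        if ev["id"] == 4720:
            created[(host, ev["target"])] = ts
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINS_SID:
            made = created.get((host, ev["target"]))
            if made is not None and ts - made <= window:
                new_admins.setdefault(host, []).append((ts, ev["target"]))
        elif ev["id"] == 4688 and "rclone" in ev.get("cmdline", "").lower():
            for added, account in new_admins.get(host, []):
                if ts - added <= window:
                    alerts.append({"host": host, "account": account,
                                   "cmdline": ev["cmdline"]})
    return alerts
```

Rclone on its own is left unalerted here because it is also a legitimate backup tool; the sequence on one host is what separates the pattern from routine administration. A renamed binary would evade the command-line match, so a production rule would also need to key on file hash or original file name.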

Clop returns

ReliaQuest also flagged a resurgence by Clop after minimal activity in Q3. The group rose from one listed organisation in Q3 to 116 in Q4, according to the report.

The report attributed the surge to mass exploitation of CVE-2025-61882, which it described as a vulnerability in Oracle E-Business Suite. It said exploitation involved an internet-reachable flaw and did not require user interaction or credentials. The activity targeted a platform that centralises sensitive corporate data, it added.

ReliaQuest characterised Clop as distinct for planned, vulnerability-led campaigns, rather than continuous operations. It said the group often focuses on widely deployed platforms and software supply chains, with a pattern of sharp spikes followed by dormancy.

Sector shifts

ReliaQuest said professional, scientific, and technical services, manufacturing, and health care remained among the most affected sectors. It also pointed to a 152% spike in retail trade postings in Q4 compared with Q3, which it linked to opportunistic targeting in the holiday period.

The report also noted an increase in postings affecting professional, scientific, and technical services. It said these organisations often sit in the supply chain for other sectors through privileged access, shared documents, and integrations.

ReliaQuest said vulnerabilities and remote access weaknesses can create downstream impact when service firms run or support customer environments. It also cited the effect of uneven security controls following mergers and acquisitions, where inherited infrastructure and inconsistent logging can create entry points.

Geographic pattern

On geography, the report said the US remained the most affected market, with leak-site listings rising 51% from Q3 to Q4. It described volatility outside the top markets, where short-lived campaigns can push smaller countries into the top ranks for a quarter before activity falls away.

The report said these swings often reflect opportunistic targeting and vulnerability waves rather than a durable geographic strategy. It also highlighted a rise in listings targeting organisations in the UAE, from seven to 41, and advised multinationals to keep security parity across regions.

"Regardless of which groups rise or fall quarter to quarter, the sustained increase in data-leak site posts emphasizes that ransomware remains a persistent, growing threat even as individual group names come and go," said ReliaQuest.