Ransomware groups seize opportunities following the police dismantling of rival organizations
The cybersecurity landscape has witnessed significant changes in the ransomware-as-a-service (RaaS) sector, as depicted in the Check Point Software Technologies report from July 2025.
The report reveals a dynamic and competitive RaaS ecosystem, with established groups like Qilin, Inc. Ransom, and Akira expanding their reach and becoming among the most active and dangerous cybercriminals. For instance, Qilin accounted for 12% of published attacks in July 2025 and has intensified affiliate recruitment following the shutdown of RansomHub.
The rise and fall cycle within the RaaS ecosystem is driven by law enforcement actions. New ransomware groups quickly rise to prominence as their predecessors are taken down. A notable example is the temporary rise of RansomHub, which supplanted LockBit after its demise in May 2025 but unexpectedly shut down in April 2025.
The competition for affiliates among ransomware groups has increased, with many smaller groups operating independently or seeking new partnerships. Prominent groups such as Qilin and DragonForce actively compete to recruit "orphaned" affiliates from defunct organizations like RansomHub.
Technical sophistication and specialization are also key trends in the RaaS ecosystem. Groups employ advanced techniques including AI-enhanced tools, multi-platform payloads, selective encryption, and protective mechanisms against reverse engineering. For example, Akira uses a Rust-based variant optimized for VMware ESXi environments to evade detection and improve effectiveness.
Ransomware attacks are rising globally, with significant targeting of business services, healthcare, manufacturing, education, and government sectors. Different ransomware groups show varying victim profiles, with some avoiding education and healthcare, while others, like Inc. Ransom, deliberately target these sectors.
The report also suggests that the ransomware ecosystem is more dispersed than it used to be. Some ransomware groups exhibit distinct geographic preferences, such as Safepay focusing disproportionately on Germany and Akira focusing on Italy. The United States accounts for roughly half of all reported ransomware victims, while the United Kingdom, Germany, and Canada each account for 5% of all reported victims.
In summary, Check Point’s July 2025 report shows a ransomware ecosystem that is resilient despite law enforcement interventions, increasingly sophisticated technically, and highly competitive, with a mix of rising new groups and evolving established threat actors vying for dominance and affiliate recruitment.
The rising competition within the Ransomware-as-a-Service (RaaS) ecosystem, outlined in Check Point Software Technologies' report from July 2025, is driven by the dynamic nature of technology and cybersecurity, as evidenced by the expansion of groups like Qilin, Inc. Ransom, and Akira, who leverage advanced tools to become among the most active and dangerous cybercriminals.
Strategic affiliate recruitment is a crucial part of a ransomware group's growth within this competitive landscape, as demonstrated by Qilin's increased recruitment efforts following the shutdown of RansomHub, showcasing the persistent evolution of ransomware within the realm of cybersecurity.
