10 New Ransomware Groups of 2025 & What Their Rise Means for 2026

Ransomware didn’t fade in 2025 — it evolved, fragmented, and proliferated into a sprawling ecosystem of smaller but highly efficient threat actors. Despite coordinated law enforcement takedowns of major syndicates, cybercrime simply adapted.

  • ~6,500 ransomware incidents in 2025 — the second largest annual volume on record.
  • 57 new ransomware groups and 27 extortion-only groups.
  • 350+ novel ransomware strains, many based on existing toolkits like MedusaLocker, Chaos, and Makop.
  • A clear shift toward double extortion — stealing data before encryption — as the baseline model.

These trends indicate that 2026 will not bring a decline in ransomware but accelerating diversification, rebranding, and operational sophistication.


Key Patterns from the 2025 Ransomware Landscape

Before examining the individual groups, it’s critical to understand the broader shifts:

1. Double Extortion Is the New Standard

Unlike earlier years when encryption alone was the core tactic, in 2025 the majority of emerging groups adopted double extortion — first exfiltrating data and then encrypting systems to maximize pressure on victims. The result: stronger negotiation leverage and larger impacts from each incident.

2. RaaS Ecosystems Remain Resilient

Ransomware-as-a-Service (RaaS) models continued to thrive even after major actors were disrupted. Smaller groups borrowed, rebranded, or repackaged existing code and infrastructure to launch fresh operations quickly.

3. Identity Compromise Beats Vulnerabilities

Credential theft — especially from VPNs, remote access tools, and admin accounts — became the dominant initial access vector, surpassing traditional software vulnerability exploitation. This aligns with broader research showing credential abuse leading ransomware initial access.

4. Cross-Platform Encryption (Linux & ESXi)

Groups increasingly deployed payloads capable of encrypting not just Windows systems but Linux and VMware ESXi environments — maximizing damage by hitting virtualization infrastructures that host large swaths of enterprise data.


Top 10 Ransomware Groups of 2025

Below is an in-depth look at the most impactful new or newly elevated ransomware operations of the year, including their tactics, geographic reach, and distinguishing characteristics:


1. Devman

Overview:
Linked to the DragonForce RaaS ecosystem, Devman exemplifies the increasingly common “minimal branding, maximum reuse” trend. Rather than innovating malware, Devman relies on efficient reuse of established intrusion and encryption techniques, making it harder to track by name alone.

Activity & Targets:

  • ~53 confirmed victims.
  • Strong presence in Asia and Africa, with occasional activity in Europe and Latin America.

Technical Indicators:

  • Encrypted file extension: .DEVMAN
  • Unique ransom-note pattern helps with behavior-based detection.

2. DireWolf

Overview:
First seen in May 2025, DireWolf quickly demonstrated mature double extortion playbooks, complete with structured victim postings and disruption tools. It shows how new groups can scale rapidly by adopting proven RaaS mechanics.

Geography:

  • ~49 victims across 11+ countries, especially in Southeast Asia and parts of North America and Europe.

Indicators:

  • Malicious domains used in social engineering campaigns.
  • Several confirmed SHA-256 hashes for samples linked to the group.

3. RALord / NOVA

Overview:
Also known as NOVA, this group illustrates how rebranding has become a core operational tactic. Multiple overlapping identifiers suggest that RaaS-style operations now mutate their identities in response to pressure from defenders or competitors.

Features:

  • ~46 victims globally.
  • Ransomware uses the .RALord extension and README-style ransom notes.
  • Mix of multi-region infections including the US, Europe, and Asia.

4. GLOBAL GROUP

Overview:
Unusually for new entrants, this collective focused on cross-platform capability, including Linux and VMware ESXi — targeting environments where encryption causes widespread operational impact.

Reach & Tech:

  • ~31 victims globally.
  • Evidence of variable encrypted extensions linked with affiliate builds.

5. J (Group)

Overview:
Rather than representing a classic malware family, “J” appears more like a leak-site identity, illustrating how extortion operations can gain brand visibility without stable, consistent payload behavior.

Traits:

  • ~38 victims attributed.
  • Ransomware strain labeled .LoveYou in some samples — reflective of naming conventions rather than a cohesive group.

6. Warlock

Overview:
Linked to exploitation chains against unpatched SharePoint servers and other internet-facing systems, Warlock shows that classic vulnerability exploitation is not dead: it remains a key path to successful ransomware deployment wherever patching discipline is weak.

Highlights:

  • ~66 victims, often via web shells and exploitation tools.
  • Multiple exploited CVEs linked to follow-on ransomware deployment.

7. BEAST

Overview:
Although originating earlier (reported since 2022), BEAST emerged with high visibility in 2025 as a resilient RaaS offering targeted payloads across Windows, Linux, and ESXi. It underscores how legacy ecosystems adapt and persist.

Impact:

  • ~46 known victims spanning major regions.
  • Multi-platform capability.

8. Sinobi

Overview:
Likely related to the Lynx ecosystem, Sinobi boasts deliberate tradecraft, including credential-based access, staged extortion, and data theft before encryption — a sign of enterprise-aware operations.

Performance:

  • ~138 victims globally.
  • Strong footprint in the United States and allied countries.
  • Uses .SINOBI encrypted extension.
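Several of the groups above are identified by a fixed encrypted-file extension (.DEVMAN, .RALord, .LoveYou, .SINOBI) and by README-style ransom notes, which is the kind of behaviour a defender can check for on file shares without knowing the group's name. The following script is an added example written for this article, not tooling from the article or any vendor it cites: it walks a directory tree, counts files per known extension, flags directories where most files have been renamed in bulk, and lists ransom-note-like filenames. The extension list is taken from the article; the ransom-note filename prefixes other than README and the sample directory it builds are assumptions constructed for the example.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Encrypted-file extensions named in the article for Devman, RALord, "J" and Sinobi.
# Illustrative, not exhaustive; compared case-insensitively.
KNOWN_EXTENSIONS = {".devman", ".ralord", ".loveyou", ".sinobi"}

# Ransom-note filename pattern. The article only says RALord drops README-style notes;
# the other prefixes are assumptions chosen for this example, not observed indicators.
NOTE_PATTERN = re.compile(r"^(readme|read_me|how_to_decrypt|recover).*\.(txt|html)$",
                          re.IGNORECASE)


def scan_tree(root, min_files=5, min_ratio=0.5):
    """Walk `root` and summarise ransomware indicators.

    Returns a dict with:
      by_extension: count of files per known encrypted extension
      notes:        paths of files whose name looks like a ransom note
      hot_dirs:     directories with at least `min_files` files where at least
                    `min_ratio` of them carry a known extension (bulk-rename pattern)
      alerts:       extensions seen at least `min_files` times across the tree
    """
    by_ext = Counter()
    notes = []
    hot_dirs = []
    for dirpath, _, filenames in os.walk(root):
        suspicious = 0
        for name in filenames:
            ext = Path(name).suffix.lower()
            if ext in KNOWN_EXTENSIONS:
                by_ext[ext] += 1
                suspicious += 1
            if NOTE_PATTERN.match(name):
                notes.append(os.path.join(dirpath, name))
        # Ratio check only on directories with enough files to be meaningful.
        if len(filenames) >= min_files and suspicious / len(filenames) >= min_ratio:
            hot_dirs.append(dirpath)
    alerts = sorted(ext for ext, n in by_ext.items() if n >= min_files)
    return {"by_extension": dict(by_ext), "notes": notes,
            "hot_dirs": hot_dirs, "alerts": alerts}


def build_sample_tree(base):
    """Create a constructed sample share (test data, not real victim files)."""
    docs = Path(base) / "shares" / "finance"
    docs.mkdir(parents=True)
    for i in range(8):                                   # bulk-renamed spreadsheets
        (docs / f"report_{i}.xlsx.SINOBI").write_bytes(b"\x00" * 16)
    (docs / "budget.docx.DEVMAN").write_bytes(b"\x00" * 16)
    (docs / "README_RALord.txt").write_text("constructed ransom note body")
    (docs / "notes.txt").write_text("benign file")       # should not be flagged
    return str(base)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed tree the finance share is reported as a hot directory (9 of 11 files renamed), .SINOBI trips the per-extension alert, and only the README-style file is listed as a note. On a real share the thresholds would be tuned to the share's size, and the extension list extended from current threat intelligence rather than from this article alone.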

9. NightSpire

Overview:
Notable for its evolution from exfiltration-only extortion to full double extortion (data theft + encryption), NightSpire reflects a broader trend where actors first pressure victims with leaks, then escalate to encryption for stronger leverage if needed.

Scope:

  • ~92 victims spanning sectors like healthcare, manufacturing, government, and retail.
  • Leak-site presence from March 2025.

10. The Gentlemen

Overview:
One of the most mature groups to emerge in 2025, The Gentlemen demonstrates sophisticated tradecraft including use of legitimate admin tools, Group Policy manipulation, and multi-country campaigns. Their sophistication suggests either experienced operators or rebrands of older RaaS affiliates moving into new branding.

Operations:

  • ~63 victims across 17+ countries.
  • Sectors include manufacturing, healthcare, and insurance.

Ransomware Trends That Will Define 2026

The rise of these groups reveals five key trends that defenders must prepare for:

1. Rapid Rebranding Will Become Normal

Ransomware actors increasingly behave like consumer brands. When under pressure, they rebrand or reuse infrastructure — making static signature-based tracking less useful.

2. Multi-Stage Extortion Will Grow

Beyond double extortion (data theft + encryption), attackers are adding new coercion layers: DDoS threats, executive harassment, partner/vendor pressure, and regulatory exposure.

3. Identity Security Is Paramount

Credential breaches — rather than pure software exploitation — will continue as the leading access vector. Expect credential access brokers to expand these markets.

4. Hypervisors & Linux Targets Will Spike

By hitting big infrastructure components such as ESXi clusters and Linux servers, attackers can disrupt entire organizations with fewer resources.

5. Small Groups Will Cause Large Damage

The era of a few mega-syndicates dominating the field is fading. Instead we will see many agile, small crews launching high-impact, short-lived campaigns that are hard to attribute.


Final Thoughts: The Reality for 2026

Ransomware has transitioned from headline-grabbing mega-attacks toward a business-like ecosystem built on rapid adaptation, shared tooling, and strategic extortion playbooks. The groups that shaped 2025 are not historical footnotes — they are the early pioneers of a faster, more fragmented, and more insidious ransomware landscape for 2026.

For defenders, success will depend less on which group is attacking and more on understanding how they operate: prioritizing credential hygiene, threat behavior analysis, leak-site monitoring, patch discipline, and zero-trust identity controls.