Emerging and Evolving Ransomware Threats: A 2024–2025 Overview
Recent years have seen a surge in sophisticated ransomware operations, with several groups refining tactics, expanding targets, and adapting to law enforcement disruptions. Below is a breakdown of the most active and evolving threats across 2024 and 2025.
LockBit: A Persistent Threat with Ties to Russia
Once the most prolific ransomware-as-a-service (RaaS) operation, LockBit targeted thousands of victims worldwide, including government agencies, critical infrastructure, and private enterprises. After the February 2024 Operation Cronos takedown of its infrastructure, U.S. and U.K. authorities in May 2024 named Russian national Dmitry Yuryevich Khoroshev as the group's administrator and indicted him; several LockBit affiliates had been charged in earlier indictments. Despite the crackdown, LockBit's tooling and tactics remain influential, and former affiliates have migrated to newer RaaS platforms.
Lynx: A Rebranded RaaS with Aggressive Tactics
Emerging as a potential successor to the INC ransomware (its code overlaps with INC by roughly 48%), Lynx operates a RaaS model and employs double extortion: it steals data before encrypting files with the .lynx extension, and it deletes shadow copies and other local backups so that victims cannot recover without paying. Between July and November 2024, the group targeted U.S. and U.K. sectors including energy, oil and gas, retail, and financial services. Despite its claims of "ethical" victim selection, its rapid expansion suggests a calculated focus on high-value industries.
Medusa: A Global RaaS Operation with Russian Links
First observed in 2021 and operating as a RaaS with double extortion, Medusa gains access by exploiting vulnerabilities in public-facing systems, by phishing, and by buying access from initial access brokers. Its victims span healthcare, education, manufacturing, and retail across the U.S., Europe, and India. Its core developers are believed to be Russian-speaking, but attribution remains unconfirmed.
Play: A Low-Profile but High-Impact Threat
First detected in June 2022, Play ransomware intensified operations following the disruption of other major groups. Unlike typical RaaS operations, Play does not advertise on dark web forums and claims to be a "closed group" for secrecy; evidence nevertheless suggests it works with affiliates. Targets include healthcare, telecommunications, finance, and government services. In October 2024, researchers at Palo Alto Networks' Unit 42 linked a Play ransomware deployment to the North Korean state-sponsored group Andariel (tracked as APT45/Jumpy Pisces), highlighting a crossover between state-sponsored activity and financially motivated cybercrime.
Qilin (Agenda): A Russia-Based RaaS with Growing Reach
Operating since May 2022, Qilin targets Windows, Linux, and VMware ESXi hosts with payloads written in Go and Rust. The group avoids victims in CIS countries but aggressively recruits affiliates, which drove a five-fold increase in victim postings in the second half of 2025. Its rise is attributed to partnerships with initial access brokers, who supply stolen VPN credentials that affiliates use for initial access.
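The Lynx, Medusa and Qilin sections above describe the same chain from the defender's side: an affiliate logs in with a stolen VPN credential, kills local recovery (shadow copies, backup catalogs), then renames files to the ransomware extension. The following Python is an added example written for this page, not tooling from any of the groups or vendors named. It correlates those three stages over a few constructed JSON-lines telemetry events; the event schema, the threshold values, the trusted-country baseline and the sample events are all assumptions made for illustration, and the only extension taken from the page is .lynx.

```python
"""Correlate VPN and endpoint telemetry for the ransomware chain the overview
describes: stolen VPN credential -> shadow copy / backup deletion -> mass
rename to a ransomware extension.  Added example; the schema, thresholds and
sample events are constructed assumptions, not data from any real incident."""
import json
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines telemetry (assumed schema, not a real product's format).
SAMPLE_LOG = """
{"ts": "2025-03-02T01:12:04Z", "host": "vpn-gw", "user": "jdoe", "kind": "vpn_login", "src_country": "RO", "mfa": false}
{"ts": "2025-03-02T01:15:30Z", "host": "vpn-gw", "user": "asmith", "kind": "vpn_login", "src_country": "US", "mfa": true}
{"ts": "2025-03-02T01:40:11Z", "host": "fs01", "user": "jdoe", "kind": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2025-03-02T01:40:12Z", "host": "fs01", "user": "jdoe", "kind": "process", "cmd": "wbadmin delete catalog -quiet"}
{"ts": "2025-03-02T01:41:00Z", "host": "fs01", "user": "jdoe", "kind": "rename", "path": "D:/share/q1.xlsx.lynx"}
{"ts": "2025-03-02T01:41:01Z", "host": "fs01", "user": "jdoe", "kind": "rename", "path": "D:/share/q2.xlsx.lynx"}
{"ts": "2025-03-02T01:41:02Z", "host": "fs01", "user": "jdoe", "kind": "rename", "path": "D:/share/board.docx.lynx"}
{"ts": "2025-03-02T09:00:00Z", "host": "ws07", "user": "asmith", "kind": "rename", "path": "C:/Users/asmith/draft.docx.bak"}
"""

# Command lines that destroy local recovery points on Windows.
BACKUP_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
KNOWN_RANSOM_EXTS = {".lynx"}      # from the overview; extend from your own intel
TRUSTED_COUNTRIES = {"US", "GB"}   # assumed baseline for this example
RENAME_THRESHOLD = 5               # assumed: renames to one new extension per host per window
RENAME_WINDOW = timedelta(seconds=60)
CHAIN_WINDOW = timedelta(hours=2)  # assumed: max gap from VPN login / tampering to encryption


def parse(jsonl):
    """Parse JSON lines into dicts with datetime timestamps, oldest first."""
    events = []
    for line in jsonl.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def suspicious_vpn_logins(events):
    """Stolen-credential indicator: a VPN login without MFA or from outside the baseline."""
    return [e for e in events if e["kind"] == "vpn_login"
            and (not e.get("mfa") or e.get("src_country") not in TRUSTED_COUNTRIES)]


def backup_tampering(events):
    """Process events whose command line matches a backup-destruction pattern."""
    return [e for e in events if e["kind"] == "process"
            and any(p.search(e.get("cmd", "")) for p in BACKUP_TAMPER)]


def mass_renames(events):
    """Per host, the first moment renames look like encryption: any rename to a
    known ransomware extension, or RENAME_THRESHOLD renames to one extension
    inside RENAME_WINDOW.  Returns {host: (extension, timestamp)}."""
    first_hit = {}
    buckets = defaultdict(list)  # (host, ext) -> timestamps in the sliding window
    for e in events:
        if e["kind"] != "rename":
            continue
        ext = os.path.splitext(e["path"])[1].lower()
        bucket = buckets[(e["host"], ext)]
        bucket.append(e["ts"])
        while e["ts"] - bucket[0] > RENAME_WINDOW:
            bucket.pop(0)
        if ext in KNOWN_RANSOM_EXTS or len(bucket) >= RENAME_THRESHOLD:
            first_hit.setdefault(e["host"], (ext, e["ts"]))
    return first_hit


def correlate(jsonl):
    """One alert per host showing encryption, escalated by each earlier stage
    of the chain seen within CHAIN_WINDOW before the renames began."""
    events = parse(jsonl)
    vpn, tamper = suspicious_vpn_logins(events), backup_tampering(events)
    alerts = []
    for host, (ext, ts) in mass_renames(events).items():
        stages = ["mass_rename:" + ext]
        users = {e["user"] for e in events if e["host"] == host and e["kind"] == "rename"}
        if any(t["host"] == host and ts - CHAIN_WINDOW <= t["ts"] <= ts for t in tamper):
            stages.append("backup_tampering")
        if any(v["user"] in users and ts - CHAIN_WINDOW <= v["ts"] <= ts for v in vpn):
            stages.append("suspicious_vpn_login")
        severity = {1: "medium", 2: "high", 3: "critical"}[len(stages)]
        alerts.append({"host": host, "users": sorted(users),
                       "stages": stages, "severity": severity})
    return alerts


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_LOG), indent=2))
```

On the sample data this yields a single critical alert for fs01 (all three stages, user jdoe) and nothing for ws07, whose lone .bak rename neither matches a known extension nor reaches the threshold. In a real deployment the command lines come from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled, and the VPN baseline should be per-user rather than a global country list; the point of the correlation is that the backup-destruction commands fire minutes before encryption, which is the last moment an automated response can still isolate the host.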
RansomHub: A Rising RaaS with Affiliate-Friendly Terms
Emerging in February 2024, RansomHub (a rebrand of Cyclops/Knight) quickly became a dominant threat by recruiting affiliates from disrupted groups such as LockBit and ALPHV/BlackCat. Its terms are unusually affiliate-friendly: affiliates keep 90% of each ransom (the operators take a 10% cut) and collect payment directly from the victim before paying the operators, which removed the exit-scam risk that drove affiliates away from ALPHV. With more than 210 victims across healthcare, finance, government, and critical infrastructure in North America and Europe, RansomHub's rapid growth underscores the resilience of the RaaS ecosystem.
Scattered Lapsus$ Hunters: A Cybercrime Supergroup
Formed in August 2025, this alliance merges Scattered Spider, LAPSUS$, and ShinyHunters, combining expertise in social engineering, help desk compromise, and ransomware deployment. The group ran an extortion campaign against Salesforce customers in August and October 2025, exposing data from Toyota, FedEx, and Disney. Although its leak site was seized in October 2025, the collective's loose structure and technical sophistication suggest it remains a persistent threat.
Key Trends
- RaaS Dominance: Most groups operate under affiliate models, lowering the barrier for entry.
- Double Extortion: Nearly all groups now steal data before encryption to increase leverage.
- Geopolitical Ties: Many operations are linked to Russia or North Korea, though direct state sponsorship remains debated.
- Rebranding & Adaptation: Disrupted groups often reemerge under new names (e.g., Lynx, RansomHub).
- Critical Infrastructure Targeting: Energy, healthcare, and government sectors remain prime targets.
As ransomware groups refine their tactics and expand their reach, the threat landscape continues to evolve, with law enforcement actions only temporarily slowing their operations.
Toyota Motor Corporation cybersecurity rating report: https://www.rankiteo.com/company/toyota
The Walt Disney Company cybersecurity rating report: https://www.rankiteo.com/company/the-walt-disney-company
FedEx cybersecurity rating report: https://www.rankiteo.com/company/fedex
{
  "id": "TOYTHEFED1773051888",
  "linkid": "toyota, the-walt-disney-company, fedex",
  "type": "Ransomware",
  "date": "8/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {"industry": "Public Sector", "location": ["Global", "U.S.", "U.K.", "Europe", "India"], "name": "Government agencies", "type": "Government"},
    {"industry": ["Energy", "Oil and gas", "Telecommunications"], "location": ["U.S.", "U.K.", "Global"], "name": "Critical infrastructure", "type": "Infrastructure"},
    {"industry": ["Retail", "Financial services", "Healthcare", "Manufacturing", "Education", "Finance"], "location": ["U.S.", "Europe", "India", "North America"], "name": "Private enterprises", "type": "Corporate"},
    {"industry": "Automotive", "name": "Toyota", "type": "Corporate"},
    {"industry": "Logistics", "name": "FedEx", "type": "Corporate"},
    {"industry": "Entertainment", "name": "Disney", "type": "Corporate"}
  ],
  "attack_vector": [
    "Exploiting vulnerabilities in public-facing systems",
    "Phishing",
    "Initial access brokers",
    "Social engineering",
    "Help desk compromise"
  ],
  "data_breach": {
    "data_encryption": "Yes",
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Personally identifiable information", "Corporate data"]
  },
  "description": "Recent years have seen a surge in sophisticated ransomware operations, with several groups refining tactics, expanding targets, and adapting to law enforcement disruptions. The overview covers active and evolving ransomware threats across 2024 and 2025, including LockBit, Lynx, Medusa, Play, Qilin, RansomHub, and Scattered Lapsus$ Hunters.",
  "impact": {
    "data_compromised": "Yes",
    "systems_affected": ["Windows", "Linux", "VMware ESXi servers"]
  },
  "initial_access_broker": {
    "entry_point": ["Stolen VPN credentials", "Phishing", "Public-facing system vulnerabilities"]
  },
  "lessons_learned": "Ransomware groups are increasingly operating under affiliate models, employing double extortion tactics, and targeting critical infrastructure. Geopolitical ties and rebranding strategies complicate attribution and disruption efforts.",
  "motivation": ["Financial gain", "Data extortion", "Cybercrime"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Patch management and vulnerability scanning",
      "Employee training on phishing and social engineering",
      "Enhanced monitoring and threat detection",
      "Network segmentation and access controls",
      "Regular backup testing and offline storage"
    ],
    "root_causes": [
      "Exploitation of unpatched vulnerabilities",
      "Phishing and social engineering attacks",
      "Use of initial access brokers",
      "Lack of network segmentation",
      "Insufficient backup and recovery measures"
    ]
  },
  "ransomware": {
    "data_encryption": "Yes",
    "data_exfiltration": "Yes",
    "ransomware_strain": ["Lynx", "LockBit", "Medusa", "Play", "Qilin", "RansomHub"]
  },
  "recommendations": [
    "Enhance monitoring of public-facing systems for vulnerabilities",
    "Implement robust backup and recovery measures",
    "Strengthen phishing and social engineering defenses",
    "Collaborate with law enforcement and cybersecurity firms for threat intelligence",
    "Adopt network segmentation and adaptive security measures"
  ],
  "references": [{"source": "Palo Alto Networks' Unit 42"}],
  "threat_actor": ["LockBit", "Lynx", "Medusa", "Play", "Qilin (Agenda)", "RansomHub", "Scattered Lapsus$ Hunters"],
  "title": "Emerging and Evolving Ransomware Threats: A 2024–2025 Overview",
  "type": "Ransomware"
}