10 most infamous ransomware groups to watch in 2026


The top 15 most infamous ransomware groups (2025)

Summary: From LockBit 5 to the Gentlemen, ransomware gangs are using sophisticated tactics. Learn what they are and discover new protection strategies to help protect your organization in 2026.

Ransomware has become a multi-billion-dollar criminal industry. Since threat actors added AI to their toolboxes, they’ve begun using sophisticated extortion techniques, creating undetectable malware, and running convincing phishing campaigns.

While the number of reported ransomware cases fell over the last three years, dark‑web data shows a 25% rise in this criminal activity year over year. This increase indicates mutation rather than decline.

In 2026, we can expect more AI-driven automation in attacks, cross-cybergroup collaboration, and faster crypto‑based payouts. For businesses, resilience matters more than reaction. In this article, we profile the most active ransomware groups and outline measures to protect your organization.

How ransomware groups are evolving

As the IBM X-Force 2025 Threat Intelligence Index states, ransomware remains at the top of the malware food chain, making up 28% of cases in 2024. Yet, incident‑response teams have been getting fewer calls for three years straight. On paper, that looks like progress. In reality, as we noted in the intro, ransomware activity is growing on the dark web.

According to our research, ransomware incidents exposed on the dark web increased by 31% between July and September 2025, compared to the same period in 2024. We attribute much of this growth to Ransomware-as-a-Service (RaaS), a model that mimics Software-as-a-Service (SaaS). RaaS rents malicious software and infrastructure to affiliates. It’s cheap, scalable, and makes launching an attack almost as easy as logging into a website.

Cyber gangs are also getting better at what they do—and it shows. Most can now build ransomware that works on Windows, Linux, ESXi, and FreeBSD, and some use the bring-your-own-vulnerable-driver (BYOVD) technique to bypass security.

Names like Akira, LockBit, Qilin, DragonForce, Medusa, INC, Lynx, and Play have dominated the past year. Yet, fewer big blow-ups in the headlines don’t mean the ransomware threat is fading; instead, it means it is becoming stealthier, faster, and harder to track.

Ransomware tactics to watch in 2026

The ransomware playbook is expanding fast, and the techniques threat actors are using now will shape the threat well into 2026.

  • Multiple extortion campaigns: This is the most dangerous trend in ransomware, involving the encryption, theft, and leakage of data, as well as threats to disrupt services or damage reputations.
  • RaaS: A criminal “franchise model” where threat actors rent out ready‑made ransomware kits and infrastructure. It scales attacks and lowers the skill needed to launch one.
  • AI-assisted scams: Machine‑generated phishing emails, cloned websites, and convincing fake profiles make social engineering harder to spot—even for experienced users.
  • Infostealer malware surge via phishing: Phishing has become a shadow delivery system. In 2024, infostealers sent through emails spiked 84%, while stolen‑credential listings on the dark web rose by 12% year‑on‑year.
  • Bring‑your‑own‑vulnerable‑driver (BYOVD) exploits: This tactic loads a legitimate but flawed driver to shut down endpoint detection and response (EDR) tools and bypass defenses entirely.
  • Cross-platform payloads: What once targeted only Windows now also targets Linux, ESXi virtual machines, and even FreeBSD, giving attackers more ways into critical systems.
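The BYOVD bullet above describes the technique from the attacker's side; from the defender's side, the observable is a kernel driver that should not be loaded at all. As an added example (not code from the original article or from NordStellar), the Python script below triages a constructed driver inventory for the usual BYOVD indicators: an image hash on a vulnerable-driver blocklist, a driver loaded from outside the normal drivers directory, and a signer the organization does not trust for kernel code. Every driver name, path, hash, signer and account in it is a constructed placeholder, not a real indicator.

```python
"""Triage a Windows kernel-driver inventory for BYOVD indicators.

Added example (not from the original article). The inventory, hashes,
blocklist entries, signer names and accounts below are constructed
placeholders; the logic mirrors the checks a defender would run against a
real inventory exported from endpoint telemetry.
"""
import re
from dataclasses import dataclass, field

# Constructed blocklist: SHA-256 digests of driver images known to be
# abusable. A real deployment loads this from a maintained vulnerable-driver
# blocklist; these digests are placeholders, not real IoCs.
BLOCKED_SHA256 = {
    "0" * 63 + "1": "vulndrv.sys (constructed placeholder entry)",
    "0" * 63 + "2": "oldagent.sys (constructed placeholder entry)",
}

# Directory a kernel driver is normally loaded from on Windows. In real use,
# extend this to other legitimate locations (e.g. the DriverStore).
TRUSTED_DIR_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\System32\\drivers\\[^\\]+$", re.IGNORECASE
)

# Signers the organization does not accept for kernel code (constructed).
DISTRUSTED_SIGNERS = {"unsigned", "hypothetical revoked publisher"}


@dataclass
class LoadedDriver:
    name: str        # image file name, e.g. "ntfs.sys"
    path: str        # full on-disk path the image was loaded from
    signer: str      # subject of the Authenticode signer, or "unsigned"
    sha256: str      # SHA-256 of the image file (lower-case hex)
    loaded_by: str   # account that registered the driver service


@dataclass
class Finding:
    driver: LoadedDriver
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A blocklist hit, or two independent indicators, is high severity.
        if any("blocklist" in r for r in self.reasons) or len(self.reasons) >= 2:
            return "high"
        return "medium"


def assess_driver(d: LoadedDriver) -> list:
    """Return the BYOVD indicators for one driver (empty list = clean)."""
    reasons = []
    if d.sha256.lower() in BLOCKED_SHA256:
        reasons.append(
            f"hash on vulnerable-driver blocklist: {BLOCKED_SHA256[d.sha256.lower()]}"
        )
    if not TRUSTED_DIR_RE.match(d.path):
        # Abused drivers are typically dropped in a user-writable location
        # (temp folders, public profiles) rather than System32\drivers.
        reasons.append(f"loaded from non-standard path: {d.path}")
    if d.signer.lower() in DISTRUSTED_SIGNERS:
        reasons.append(f"signer not trusted for kernel code: {d.signer}")
    return reasons


def triage(inventory) -> list:
    """Return one Finding per driver that shows at least one indicator."""
    findings = []
    for d in inventory:
        reasons = assess_driver(d)
        if reasons:
            findings.append(Finding(d, reasons))
    return findings


# Constructed inventory standing in for an export from endpoint telemetry.
SAMPLE_INVENTORY = [
    LoadedDriver("ntfs.sys", r"C:\Windows\System32\drivers\ntfs.sys",
                 "Microsoft Windows", "a" * 64, "SYSTEM"),
    LoadedDriver("vulndrv.sys", r"C:\Users\Public\vulndrv.sys",
                 "Hypothetical Hardware Vendor", "0" * 63 + "1", "CONTOSO\\jdoe"),
    LoadedDriver("helper.sys", r"C:\Windows\Temp\helper.sys",
                 "unsigned", "b" * 64, "CONTOSO\\svc-backup"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.driver.name} loaded by {f.driver.loaded_by}")
        for r in f.reasons:
            print("   -", r)
```

Run stand-alone, the script reports the two constructed drivers that were loaded from user-writable paths and leaves ntfs.sys alone. The point for a defender is that a BYOVD attack leaves several cheap-to-check traces at once (where the driver lives, who signed it, who registered it), so the triage does not have to depend on the blocklist being up to date.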

10 top ransomware groups to know about in 2026

The key tactics we talked about appear in the playbooks of many ransomware gangs.

Our list below shows 10 of the most active ransomware groups you might see in the headlines. Their models and tactics continue to shape the ransomware threat scene, influencing how emerging groups learn, recruit, and attack.

#1 LockBit5

LockBit5 is the latest version of the ransomware developed by LockBit, one of the most aggressive ransomware gangs worldwide. It runs on a highly successful RaaS model, renting out its malware to affiliates and taking a cut of each ransom paid.

Taken down by law enforcement in 2024, LockBit resurfaced in September 2025. The group has stated its intent to target critical infrastructure, including nuclear power plants, thermal power plants, hydroelectric plants, and other similar facilities.

#2 Qilin

In Q3 2025, RaaS group Qilin listed more victims than ever in a single quarter, fuelled by aggressive recruiting, including banner ads on dark web forums and streamlined, business‑style operations.

The Qilin threat actors collaborate with initial access brokers (IABs) to buy stolen VPN credentials, allowing them to gain rapid access and bypass endpoint detection tools. More affiliates mean more attacks, and Qilin’s efficient setup keeps them coordinated and hard to block. In 2026, Qilin won’t just be writing ransomware; it’ll be scaling like a start‑up.

#3 Akira

The Akira ransomware group has a retro vibe. Inspired by the 1988 cyberpunk anime movie of the same name, whose main character is an unstoppable force, the gang projects a similar image. Even their leak site carries the theme, styled in a retro green‑screen look.

The group emerged in 2023 and quickly became one of the most formidable threat actors. By 2025, Akira had hit over 250 organizations and gained an estimated $42 million in ransom payments.

#4 Play

The Play ransomware group, first seen in 2022, is known for targeting government agencies, police networks, and critical infrastructure in Latin America and Europe. Its name comes from the “.play” extension it adds to encrypted files.

The Play threat actors use custom encryption, double‑extortion tactics, and exploit VPN or RDP flaws to gain unauthorized access. In 2025, Play remained highly active and dangerous, especially for public-sector and critical-service organizations.

Although Play may not be the largest RaaS group, its focus on the public sector and tailored attacks make it a persistent global threat.

#5 Medusa

Medusa, a fast-growing RaaS gang, works with affiliates but also conducts ransom talks itself. The group typically targets organizations from the healthcare sector (including children’s hospitals), education, manufacturing, technology, and government sectors.

In 2025, Medusa’s activity ramped up, impacting more than 40 organizations and demanding ransoms of up to $15 million. Known for its use of public pressure via social media and its own leak site, as well as its ties to “Frozen Spider,” an organized cybercrime group, Medusa’s aggressive tactics and expanding network make it one of the fastest-growing threats.

#6 INC

INC is a Ransomware‑as‑a‑Service group that surfaced in late summer 2023 and has quickly gone global. Its affiliates have attacked manufacturing firms, healthcare providers, financial services, law firms, and even government ministries—showing they’ll target nearly any sector.

Victims range from Yamaha’s Philippines subsidiary to the Pennsylvania Attorney General’s Office, where an August 2024 attack disrupted email, phones, and internal systems, halting criminal and civil cases. Like other RaaS gangs, INC rents out its malware and infrastructure, splitting ransom profits with affiliates.

#7 Lynx

The Lynx RaaS group first appeared in mid‑2024. It is widely believed to be a rebrand or spin‑off of INC ransomware, sharing large portions of its source code. It offers affiliates encryption tools, a leak site, and operational support, with an 80/20 profit split in their favor.

Victims of Lynx include organizations from the manufacturing, business services, technology, and transportation sectors, mostly in the US, UK, Canada, Australia, and Germany. Common entry points include stolen credentials bought on dark‑web markets and phishing attacks.

Lynx stands out for its flexible use of encryption. It can switch among four encryption modes, letting affiliates tune each attack for speed or for maximum damage.

#8 BlackCat/ALPHV

BlackCat, also known as ALPHV, is one of the most advanced ransomware groups operating today. It uses double extortion—stealing data before encrypting it—to maximize pressure on victims.

What makes BlackCat stand out is its codebase: it’s the first major ransomware written in the Rust programming language, prized for speed and memory safety. With builds for both Windows and Linux, BlackCat can hit a wide range of targets, adding to its reputation as one of the most formidable crews in the ransomware world.

#9 Clop

Clop exploits supply‑chain flaws at scale—most famously the MOVEit zero‑day breach (2023–2024) that hit hundreds of organizations worldwide. Active since 2019, it runs as RaaS and often relies on data theft without encryption.

In 2025, Clop remains one of the top 5 ransomware variants globally, targeting networks in finance, healthcare, manufacturing, and government sectors, often via unpatched file-transfer tools.

#10 RansomHub

RansomHub emerged in February 2024, following the disappearance of ALPHV/BlackCat, and quickly became a dominant RaaS group by recruiting former members from Conti, REvil, and Scattered Spider. It now uses double extortion—encrypting and stealing data, then threatening to leak it—to target large enterprises.

By late 2024, RansomHub had claimed over 600 victims globally, including 74 in September alone, as well as high‑profile names like Clevo and American Standard. The group markets itself as “helpful consultants” post‑payment, masking its aggressive, financially driven campaigns.

A note on the legacy groups

While new ransomware names dominate headlines, it’s worth remembering the groups that built this criminal industry. Conti, DarkSide/BlackMatter, and Hive pioneered many of the tactics still in use today.

Although now defunct or rebranded, their playbooks and source code remain available. Conti’s techniques can be seen in groups like Black Basta, and leaked code from Babuk has been repurposed by other actors. These legacies ensure that even in their absence, their influence—and destructive capability—continues to shape the ransomware scene.

Emerging ransomware gangs

The ransomware scene never stands still. As law‑enforcement takedowns disrupt major players, new gangs rush in to fill the gap—often armed with recycled code, fresh branding, and more aggressive tactics.

These emerging ransomware threat actors aren’t just imitators. They adapt proven playbooks, experiment with novel attack methods, and compete fiercely for affiliates in the RaaS marketplace.

DragonForce

DragonForce is a RaaS group that surged in 2025, breaking victim records through aggressive recruiting, even advertising on dark‑web forums. It offers affiliates up to 80% of ransom proceeds plus ransomware builders for Windows, Linux, ESXi, and NAS.

The group reuses LockBit and Conti code, swaps payloads to evade defenses, and uses Bring‑Your‑Own‑Vulnerable‑Driver (BYOVD) to disable security tools. In mid‑2025, it rebranded as a “ransomware cartel,” allowing affiliates to run their own brands while using its toolkit, making attacks even harder to trace.

BlackLock

BlackLock, also known as Mamona, is a relatively new RaaS group that surfaced in 2024 and quickly linked itself to the DragonForce ransomware cartel. This alliance gives BlackLock access to shared infrastructure, ransomware builders, and an established affiliate network—a big advantage for a newcomer.

BlackLock focuses on manufacturing and other critical industries, often going after companies with high operational dependency to maximize ransom pressure.

Its growing role in the DragonForce ecosystem means BlackLock benefits from coordinated attacks and pooled resources, helping it punch above its weight in the crowded RaaS marketplace. Analysts expect its visibility to increase in 2026 as more affiliates adopt its malware.

The Gentlemen

This is a new ransomware organization that emerged in autumn 2025 and quickly made its mark, hitting over 30 organizations in 17 countries. They use customized tools and advanced evasion techniques, paired with a structured and highly organized attack style that reflects a high level of technical maturity.

True to their name—a nod to the Guy Ritchie film—they present a polished brand identity, complete with a professional logo and motto on their darknet leak site. Thailand and the United States have been hit hardest so far, followed by India, Mexico, and Colombia.

How to protect your organization from ransomware attacks

Ransomware gangs don’t discriminate. They attack businesses of all sizes, including large corporations, start-ups, schools, hospitals, and even small family-owned businesses. If you’ve got sensitive data, you’re a target. The best time to prepare was yesterday; the second‑best is right now.

Train your team

Your employees are your human firewall. Most ransomware starts with a simple mistake: clicking a fake email link, opening the wrong attachment, or trusting an odd‑looking website. Criminals bank on that moment of inattention.

Conduct regular training sessions on identifying suspicious emails, attachments, and links. Also, run simulated phishing campaigns to allow your team to practice detecting scams. An alert team can stop most attacks before they even start.

Protect your data with backups and network segmentation

Regularly back up your critical data and store those backups securely offline, away from your network, so that they survive an attack. If attackers do gain access to your network, you can then restore your systems from backup instead of paying a ransom. Organizations that skipped this step have suffered some of the biggest data breaches of recent years.

Segment your network so ransomware can’t spread everywhere at once. Separate sensitive data and systems from the rest of your network to slow lateral movement during an attack.
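A backup only protects you if it does not already contain encrypted files and has not been altered since it was taken. The Python script below is an added example, not code from the original article or from NordStellar: it builds a constructed directory tree, keeps files that look ransomware-encrypted (the ".play" extension from the Play section, or ciphertext-like byte entropy) out of the backup manifest, and then verifies the backup copy against that manifest the way a restore drill would. The entropy threshold, sample files and directory layout are assumptions.

```python
"""Pre-backup sanity check and post-backup integrity verification.

Added example (not from the original article). It builds a constructed
directory tree in a temporary folder, refuses to put files that look
ransomware-encrypted into the backup manifest, and later verifies the
backup copy against that manifest. The ".play" extension comes from the
article; the entropy threshold and sample files are assumptions.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions ransomware appends to encrypted files. Only ".play" is named in
# the article; a real deployment would load a maintained list.
RANSOM_EXTENSIONS = {".play"}
# Shannon entropy (bits per byte) above which a file looks encrypted.
# Compressed formats (zip, jpeg, pdf streams) also score high, so in
# practice allowlist those extensions or review flagged files manually.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 65536


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for empty input, 8 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True if the file carries a ransomware marker or reads like ciphertext."""
    if path.suffix.lower() in RANSOM_EXTENSIONS:
        return True
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path):
    """Return (manifest, suspicious): manifest maps relative path -> sha256
    for files judged clean; suspicious lists files kept out of the backup."""
    manifest, suspicious = {}, []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if looks_encrypted(p):
            suspicious.append(rel)
        else:
            manifest[rel] = sha256_file(p)
    return manifest, suspicious


def verify_backup(root: Path, manifest: dict) -> list:
    """Return the problems found when checking a backup copy against its
    manifest. Run this after every backup and as part of restore drills."""
    problems = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    return problems


def demo() -> dict:
    """Run the whole cycle on constructed data and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "docs").mkdir(parents=True)
        # Ordinary document: low entropy, normal extension.
        (src / "docs" / "report.txt").write_bytes(b"quarterly report " * 200)
        # Constructed stand-ins for ransomware output: one carries the ".play"
        # marker, the other is unmarked but has ciphertext-like entropy.
        (src / "docs" / "invoice.pdf.play").write_bytes(os.urandom(4096))
        (src / "archive.bin").write_bytes(os.urandom(4096))

        manifest, suspicious = build_manifest(src)

        # Simulate the offline backup copy, then an unexpected change to it.
        backup = Path(tmp) / "backup"
        for rel in manifest:
            dst = backup / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_bytes((src / rel).read_bytes())
        clean_check = verify_backup(backup, manifest)
        (backup / "docs" / "report.txt").write_bytes(b"tampered")
        tampered_check = verify_backup(backup, manifest)

    return {
        "manifest_files": sorted(manifest),
        "suspicious": sorted(suspicious),
        "clean_check": clean_check,
        "tampered_check": tampered_check,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The manifest itself should be stored with the offline copy, and verification should run from that copy, not from the live network: a backup you have never restored from is a backup you cannot rely on during an incident.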

Strengthen endpoint security

Ransomware attacks often begin on endpoints, such as laptops, desktops, or servers. To block these attacks early on, use advanced endpoint protection tools that detect and stop ransomware the moment an employee downloads a malicious file or clicks a phishing link.

Stay ahead with threat intelligence feeds

Keep ransomware actors at bay by tracking real-time threat intelligence feeds. These tools alert you to new ransomware variants, active attacks, and exploitable vulnerabilities. Platforms like NordStellar provide timely alerts, allowing you to plug security gaps before they become entry points.

Prepare an incident response plan

Your incident response plan should make it crystal clear: who does what, when, and how during a ransomware attack. It is your step-by-step strategy that outlines how to detect, contain, and respond to an attack.

Drill it often so everyone—from your IT team to your top execs—can act without hesitation. Speed is your biggest weapon when attacks unfold.

Use advanced cybersecurity solutions

As ransomware tactics mutate and automate, a reactive approach is no longer enough. Businesses need proactive resilience. NordStellar’s threat exposure management platform is designed to help companies detect and respond to cyber threats early, breaking the cyber kill chain before an attack escalates.

Our platform provides a multi-layered defense. Attack surface management identifies external vulnerabilities that cybercriminals exploit. Dark web monitoring scans ransomware blogs for mentions of your company or partners, providing insights into what threat actors are planning and helping you prevent attacks. This is complemented by data breach monitoring, which detects credentials exposed by infostealer malware—a common precursor to a ransomware attack.

Stay ahead of ransomware threats. Contact us today to protect your data.

FAQ

How does ransomware spread?

Ransomware spreads through phishing emails, infected software downloads, unpatched vulnerabilities, and malicious websites.

How do ransomware groups choose their targets?

Ransomware gangs typically target organizations with valuable data and weak cybersecurity defenses. They are highly likely to target businesses that have paid ransoms in the past, because they may assume these organizations are more likely to pay again.

Can ransomware come back after removal?

Yes, ransomware can return after removal if the underlying cause of the malware infection isn't resolved.
