The ransomware landscape is chaotic: attacks are rising, criminals are fighting among themselves, and law enforcement is getting tougher. Despite the increased activity, ransom payments have fallen, yet the risk to companies is not going down. We looked at the latest figures, attacker tactics, and what the trends mean for defenders.
How attackers are improving
Gangs are investing in tools designed to disable endpoint protection. They develop so-called EDR "killers", typically built around a legitimately signed but vulnerable driver that the attackers bring with them (the "bring your own vulnerable driver" technique); once loaded, the driver gives them kernel-level access that they use to terminate or blind detection and response agents. They also like to abuse remote monitoring and management (RMM) tools, either installing their own or riding on those already running in the victim's network, to gain visibility and move further. Two practical counters follow: block known-vulnerable drivers (Windows ships a vulnerable driver blocklist that can be enforced) and keep an inventory of which RMM tools are sanctioned on which hosts, so that any other one showing up is an alert rather than noise.
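As an added illustration (example code written for this page, not from the original article or any vendor), the following Python pass runs two of the checks the paragraph implies over constructed endpoint telemetry: it flags driver loads that match a vulnerable-driver blocklist or are unsigned (the BYOVD pattern behind EDR killers), and RMM executables running on hosts where they are not in the approved inventory. The event fields are loosely modelled on Sysmon DriverLoad and ProcessCreate events; the hashes, host names, tool names and inventory are all constructed for the demo.

```python
"""Detection pass for BYOVD driver loads and unapproved RMM tools.

Example code added for illustration; event layout loosely modelled on Sysmon
DriverLoad / ProcessCreate fields. All hashes, hosts and tool names are
constructed.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed blocklist: SHA256 -> driver file name. Assumption: in production
# this is fed from a maintained source (e.g. the Microsoft vulnerable driver
# blocklist), not hand-typed.
VULNERABLE_DRIVER_SHA256 = {
    "0" * 64: "vuln_legacy_av.sys",
    "1" * 64: "vuln_hw_monitor.sys",
}

# Constructed set of RMM executables the organisation knows about.
RMM_BINARIES = {"rmm_agent.exe", "remote_support.exe", "quick_assist_tool.exe"}

# Constructed inventory: which RMM tools are sanctioned on which hosts.
APPROVED_RMM = {
    "ws-finance-01": {"rmm_agent.exe"},
    "srv-file-02": {"rmm_agent.exe"},
}


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def check_driver_load(event: dict) -> list[Alert]:
    """Flag a driver load that matches the blocklist or is unsigned.

    A legitimately signed driver can still be vulnerable, so the hash match
    and the signature check are separate rules.
    """
    alerts = []
    image = event["image"].lower()
    sha = event.get("sha256", "").lower()
    if sha in VULNERABLE_DRIVER_SHA256:
        alerts.append(Alert(event["host"], "byovd_known_vulnerable_driver",
                            f"{image} matches blocklisted {VULNERABLE_DRIVER_SHA256[sha]}"))
    if not event.get("signed", False):
        alerts.append(Alert(event["host"], "unsigned_driver_load", image))
    return alerts


def check_process_create(event: dict) -> list[Alert]:
    """Flag an RMM binary starting on a host where it is not sanctioned."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    if name not in RMM_BINARIES:
        return []
    if name in APPROVED_RMM.get(event["host"], set()):
        return []
    return [Alert(event["host"], "unapproved_rmm_tool",
                  f"{name} started by {event.get('user', '?')}")]


def scan(events: Iterable[dict]) -> list[Alert]:
    """Dispatch each event to the matching rule and collect alerts in order."""
    handlers = {"DriverLoad": check_driver_load,
                "ProcessCreate": check_process_create}
    alerts: list[Alert] = []
    for ev in events:
        handler = handlers.get(ev["type"])
        if handler:
            alerts.extend(handler(ev))
    return alerts


# Constructed sample telemetry: one benign driver, one blocklisted driver,
# one approved RMM start, one unapproved RMM start, one unsigned driver.
SAMPLE_EVENTS = [
    {"type": "DriverLoad", "host": "ws-finance-01",
     "image": r"C:\Windows\System32\drivers\ndis.sys", "sha256": "a" * 64, "signed": True},
    {"type": "DriverLoad", "host": "ws-finance-01",
     "image": r"C:\Users\Public\vuln_legacy_av.sys", "sha256": "0" * 64, "signed": True},
    {"type": "ProcessCreate", "host": "ws-finance-01",
     "image": r"C:\Program Files\rmm_agent.exe", "user": "SYSTEM"},
    {"type": "ProcessCreate", "host": "ws-finance-01",
     "image": r"C:\Users\jdoe\Downloads\remote_support.exe", "user": "jdoe"},
    {"type": "DriverLoad", "host": "srv-file-02",
     "image": r"C:\Temp\loader.sys", "sha256": "b" * 64, "signed": False},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

On the sample data the pass yields three alerts: the blocklisted driver on ws-finance-01, the unapproved remote_support.exe started by jdoe, and the unsigned loader.sys on srv-file-02. The benign signed driver and the inventoried rmm_agent.exe produce nothing, which is the point of keeping an explicit per-host RMM inventory rather than alerting on every RMM binary.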
A shift toward attacks without encryption is also visible: attackers "only" steal data and threaten to publish it. For victims this means reputational damage and potential regulatory fines; for attackers, less work and faster pressure to pay. The shift doesn't reduce the damage; it rather raises the stakes for preventing leaks. The basics are to limit access to sensitive data, monitor for anomalous access and unusual outbound transfers, and have incident response procedures ready.
Crackdowns, rivalry, and new underworld stars
Police struck at major players like LockBit and BlackCat, and their dark web sites were plastered with takedown notices. The gangs themselves downplayed the impact, but they lost the trust of the "affiliate" partners who deploy their ransomware under a revenue-sharing arrangement. LockBit's activity has fallen from its peak, BlackCat gave up entirely, and its leak-site postings dropped all the way to zero. Takedowns don't mean the end of the threat, but they show that coordinated action pays off.
Meanwhile, RansomHub shot up, attracting partners with more favorable terms: affiliates collect the ransom themselves and pay 10% to the service, whereas LockBit typically took 20%. This was a response to earlier "exit" scams, in which operators kept the entire ransom and so undermined affiliates' trust. Dragon Force also joined the fray, attacking rival sites, publishing data, and kicking off open disputes; after its intervention RansomHub didn't recover, and it appears a single person may have been running it. The takeaway for defenders is clear: even though gangs fight each other and police takedowns work (sometimes even yielding decryption keys), ransomware isn't going anywhere. So patch systems promptly, keep reliable, tested backups out of attackers' reach, train users, and deploy robust endpoint protection and EDR, which clearly gets in attackers' way, as their investment in EDR killers shows.