The State of Ransomware – Q3 2025
During the third quarter of 2025, we monitored more than 85 active data leak sites (DLS) that collectively listed 1,592 new victims. Compared to the 1,607 victims reported in Q2 2025, the publication rate remained stable though it is still notably higher than the 1,270 victims recorded in Q3 2024 (a 25% increase YoY). Overall, there are approximately 520 to 540 new victims per month, indicating that ransomware activity has plateaued albeit at historically high levels.
These findings illustrate the limited long-term impact of law-enforcement operations on the overall number of ransomware victims. Despite several high-profile takedowns during the past year—most of them directed at large RaaS operations such as LockBit, 8Base, and Blacksuit—the total volume of attacks did not significantly decline. Instead, the attacks continue a gradual upward trend, from an average of approximately 420 victims per month in Q2–Q3 2024 to about 535 per month in the same period of 2025.
LockBit 5.0 represents an upgraded evolution of the previous 4.0 version, incorporating Windows, Linux, and ESXi variants. The new build introduces enhanced evasion and anti-analysis mechanisms, faster encryption routines, and the use of a randomized 16-character file extension to disrupt signature-based detection. Most confirmed infections were deployed on Windows systems, while roughly 20 percent targeted ESXi virtual infrastructure.
To read the complete article see: