Ransomware attacks around the world stayed extremely high in the third quarter of 2025, even after several police takedowns earlier in the year. Researchers at Check Point recorded 1,592 new victims across 85 different ransomware groups, showing a 25% jump from last year.
What’s unusual this time is how scattered the crime world has become. With big gangs disappearing, dozens of smaller groups stepped in and filled the gap. This created a messy and unpredictable environment where attacks can come from anywhere, making the threat harder for countries, including India, to prepare for.
US Leads Global Ransomware Share, India at 2% In Q3 2025
When looking at which countries were hit the most, the United States stayed at the top with 52% of all ransomware victims. The United Kingdom followed with 6%, while Germany stood at 4%. India appeared in the 9th position, accounting for 2% of all ransomware attacks in Q3 2025.
Even though 2% may sound small, it matters because India’s digital growth, from online banking to cloud-based services, makes it an attractive target.
A scattered ransomware world means attackers can jump borders easily, and a small spike today can turn into a bigger wave tomorrow.
Ransomware Gangs Acting Like Startups
The overall ransomware scene in Q3 2025 looked like a battlefield with new players showing up almost every week. Eighty-five active extortion groups were tracked, and 14 were brand new. Many large groups like RansomHub and 8Base vanished, but smaller and faster gangs rushed in to take their place.
Yet one major twist stole attention: the return of LockBit, now upgraded to LockBit 5.0. This group came back stronger with better encryption, support for multiple systems, and a vetting rule where affiliates must pay a $500 deposit. At least 15 confirmed victims have already been linked to this version.
Another fast-growing name is Qilin, the most active ransomware group of 2025. It averaged 75 victims per month, hitting different sectors purely for profit. In South Korea alone, it carried out 30 attacks in the financial sector between August and September.
Then there is DragonForce, a group treating ransomware like a business startup. Instead of just coding malware, it focuses on branding, partnerships with groups like LockBit and Qilin, and “data audit services” that help criminals pick valuable files. DragonForce listed 56 victims in Q3 and mainly targeted companies in Germany.
These shifts show a clear pattern: ransomware groups are getting smarter, quicker, and more organised, even when they pretend to be chaotic. And for countries like India, the rising complexity means staying alert is no longer optional.
