5 Ransomware-as-a-Service Trends in 2025

Ransomware-as-a-Service (RaaS) continues to evolve rapidly, with new groups emerging, old ones rebranding, and attackers experimenting with AI-driven tactics. The changing ransomware landscape demands a proactive approach to cybersecurity. Whether you rely on an internal IT team or partner with a managed services provider, it’s critical to understand how they're navigating these shifts—not only to strengthen defenses but also to anticipate where the next wave of attacks may come from.
Flashpoint’s latest analysis highlights the most active groups and emerging trends shaping the threat landscape in 2025.
Below are five RaaS trends IT leaders should know to help guide strategic decision-making and risk management.
1. Rapid Turnover: Groups Disappear but Often Rebrand
More than 29 ransomware groups went inactive at the start of 2025. While law enforcement actions and internal disruptions play a role, many groups simply rebrand or resurface under new names.
The disappearance of a ransomware group does not mean the threat has ended. Vigilance must remain high, as renamed or reorganized groups may return even stronger.
2. Emerging RaaS Players and New Tactics
The top five most active RaaS groups in early 2025 are:
- Akira – exploited a SonicWall vulnerability
- Cl0p – leveraged zero-day flaws in managed file transfer systems
- Qilin – disrupted operations for the UK’s NHS partner Synnovis
- SafePay – a newer group that attacked Ingram Micro
- RansomHub – targeted U.S. government entities, though it may already have disbanded
Targets span critical industries, from healthcare to supply chains, underscoring the importance of continuous monitoring and rapid vulnerability management.
3. AI-Powered Ransomware: An Emerging Threat
Groups such as Funksec are experimenting with AI—using large language models to craft phishing templates and deploying tools like the malicious chatbot WormGPT.
AI integration is likely to expand in 2025. Expect more convincing and automated social engineering attacks. Cybersecurity awareness and defenses must evolve alongside these new tactics.
4. Old Code, New Faces: Reuse and Recycling
Ransomware developers often recycle source code and branding:
- SafePay shares code with LockBit.
- Variants like Devman and DragonForce show similarities to Conti.
- The “Babuk v2” relaunch appears to be a brand hijack by unrelated actors.
- Affiliates from groups like BlackCat (ALPHV) have migrated to new operations such as RansomHub.
A retired brand or leaked code base does not signal safety. Expect recycled tactics and familiar playbooks under new names.
5. Primary Attack Vectors Remain the Same—With AI on the Horizon
Despite the rise of AI, attackers still rely most heavily on proven techniques:
- Exploiting unpatched vulnerabilities in RMM tools and other systems.
- Using infostealers to gain initial access.
- Using Living-off-the-Land (LOTL) techniques to escalate privileges and evade detection.
Patch management remains a cornerstone of defense. Organizations must also strengthen detection and response to spot attackers misusing legitimate tools.
The ransomware landscape in 2025 is marked by turnover, rebranding, code recycling, and early signs of AI-powered attacks. For IT leaders and business executives, this means one thing: a proactive, layered approach to cybersecurity is non-negotiable. Staying informed, patching aggressively, monitoring for privilege escalation, and preparing for AI-enhanced threats are all essential to building resilience against the next wave of ransomware.
How is your business preparing for the next wave of ransomware threats? Combating the evolving ransomware landscape requires a thoughtful, proactive strategy that protects without hindering productivity. Whether you’re managing IT in-house or outsourcing your IT function, our team can help you identify risks, close security gaps, and build resilience for the future. Let’s talk about how to make your cybersecurity stronger—so your business can keep moving forward with confidence.