The ransomware landscape is experiencing unprecedented turbulence in 2025, characterized by the rapid collapse of once-dominant groups, hostile takeovers, and internal betrayals. This upheaval has exposed deep instability within the cybercriminal ecosystem, as major ransomware-as-a-service (RaaS) outfits such as RansomHub, LockBit, Everest, and BlackLock have faced abrupt shutdowns, operational failures, and even public defacements of their dark web infrastructure. What brought these powerful groups to their knees?
What ever happened to RansomHub…
RansomHub emerged as a leading RaaS group in 2024, quickly replacing LockBit and ALPHV/BlackCat after they suffered fates RansomHub had yet to recognize. However, in April 2025, RansomHub’s infrastructure went offline without warning, stranding affiliates and disrupting ongoing ransom negotiations. Rival group DragonForce claimed to have absorbed RansomHub’s operations, displaying RansomHub’s logo on its own leak site and inviting RansomHub’s affiliates to join its cartel. The true nature of this move—whether a hostile takeover or a strategic merger—remains unclear, but the incident highlights the volatile and opportunistic nature of ransomware gangs.
LockBit also had a less-than-fairy-tale ending. Once the most prolific ransomware group on the planet, LockBit’s infrastructure was significantly disrupted by an international law enforcement operation in early 2024. Authorities seized its front- and back-end systems, rendering the group “effectively redundant” and marking a major blow to its criminal enterprise.
Everest faced a similar fate this year. The Everest ransomware group, known for targeting healthcare and acting as an initial access broker, saw its dark web leak site hacked and defaced in April 2025. The defacement, attributed to an unknown actor (possibly “XOXO from Prague”), included a sarcastic message (“Don’t do crime CRIME IS BAD xoxo from Prague”) and forced the site offline, further destabilizing the group’s operations.
BlackLock, another aggressive group, was crippled by a cybersecurity firm that exploited a vulnerability in its leak site. This allowed the firm to access sensitive information and alert authorities, preventing further attacks. DragonForce also defaced BlackLock’s site, compounding the group’s downfall.
Underlying Causes and Consequences of Ransomware Groups’ Collapse
The ransomware economy is driven by greed and competition (but aren’t we all?). Disputes over ransom payments and power struggles are common, leading to internal betrayals and exit scams. For example, ALPHV/BlackCat famously disappeared with a $22 million ransom, leaving affiliates empty-handed and triggering retaliation. According to an affiliate named Notchy, BlackCat suspended their account and pocketed the entire $22 million ransom collection (breaking the “contract” stipulated in the Ransomware-as-a-Service (RaaS) model).
When a rival group stumbles—due to law enforcement action, technical failure, or internal strife—other gangs are quick to seize their assets and poach affiliates. DragonForce, for instance, has repeatedly absorbed the infrastructure and members of struggling groups.
No doubt ex-affiliates join the replacement group, so maybe the original ransomware group never really goes anywhere at all? Groups often rebrand or split into new factions after internal conflicts. This cycle of rebranding and reorganization makes it difficult for law enforcement and threat intelligence teams to track ongoing threats.
As legacy groups collapse, new players like Qilin are rapidly emerging, reshaping the ransomware landscape with advanced tactics and aggressive affiliate recruitment.
Impact on the Ransomware Ecosystem
The instability in the ransomware ecosystem has led to a shifting threat landscape, with new groups emerging as old ones fall. But with this shift comes an evolution in tactics, replacing one thorn in cybersecurity defenders’ sides with another.
