Ransomware in 2025 did not slow down — it evolved.
Even as global law enforcement and coordinated disruption campaigns continued targeting major ransomware syndicates, the threat ecosystem simply adapted. What followed was not a collapse of ransomware operations, but a wave of fragmentation — where smaller groups emerged quickly, borrowed proven playbooks, and launched attacks with enterprise-grade efficiency.
At Cyble, we tracked 10 ransomware groups that emerged in 2025 or became newly prominent this year. These groups reflect the direction the ransomware economy is heading into 2026: faster rebranding cycles, more credential-based intrusion chains, cross-platform encryption, and double extortion becoming the baseline.
This blog breaks down who they are, how they operate, and the key trends defenders should anticipate in 2026.
- Double extortion is now the standard (exfiltration + encryption + public pressure)
- RaaS-style ecosystems remain resilient, even after takedowns
- Identity compromise outpaces vulnerability exploitation as the dominant initial access method
- Linux and ESXi targeting is growing, driven by high-impact, low-effort disruption
- Rebranding and ecosystem overlap will accelerate in 2026
Unlike earlier years dominated by a handful of mega-syndicates, 2025 was characterized by many smaller actors operating in parallel — often with shared codebases or overlapping infrastructure. With nearly 6,500 incidents, the year saw the second-largest spike after 2023, indicating 47% more attacks in the last two years.
Cyble also observed 57 new ransomware groups and 27 new extortion groups in 2025. Apart from these, over 350 new ransomware strains were discovered, mostly based on MedusaLocker, Chaos, and Makop ransomware families.
Cyble Insight: The majority of emerging groups adopt double extortion immediately, because it increases ROI and reduces victim negotiation leverage.
Let’s have a look at the top 10 newly emerged ransomware groups that left a mark this year and are expected to rapidly accelerate their operations in 2026.

Devman is linked in reporting to the DragonForce ecosystem and appears to follow a “minimal branding, maximum reuse” operational approach. Instead of standing out with novel techniques, Devman aligns with a growing category of ransomware actors that rely on commodity intrusion access and trusted code lineages. This approach makes Devman harder to detect through branding alone, reinforcing why behavioral monitoring must take priority over name-based tracking.
- Public reporting ties “DEVMAN” to the DragonForce RaaS ecosystem / code lineage and describes it as a newer actor/variant with claimed victims and a dedicated leak site.
- No. of Victims: 53
- Reported victim concentration is Asia and Africa, with “occasional” activity in Latin America and Europe.
- Encrypted extension: .DEVMAN
- Deterministic encrypted ransom-note filename observed: ‘e47qfsnz2trbkhnt.devman’ (useful behavioral IOC)
- Note: reporting also describes unique strings/mutexes.
Cyble Watch: Devman represents the “fast-and-light” ransomware model — quick access, fast encryption, low overhead.
DireWolf emerged in May 2025 and quickly demonstrated mature extortion operations — including structured victim posting, double extortion tactics, and tooling designed to disrupt recovery. Its victim geography includes multiple regions, with notable concentration across Asia. DireWolf reflects how ransomware groups now achieve operational maturity rapidly, largely through reuse of established RaaS mechanics rather than long-term development cycles.
- Emerged May 2025; first victim postings reported May 26, 2025 on their leak site.
- A later deep-dive (dated Aug 28, 2025) describes ~39 confirmed victims and continued activity through August 2025.
- No. of Victims: 49
- Reported across 11+ countries, with apparent concentration in Singapore, Thailand, Philippines, and Taiwan (also cited: US, Italy, Canada, etc.).
- Malicious domain used in campaigns/social engineering: tor-browser[.]io (+ subdomains www, sitemap, sitemaps)
- Sample hashes (SHA-256):
- 27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3
- 8fdee53152ec985ffeeeda3d7a85852eb5c9902d2d480449421b4939b1904aad
- 00065b7aeaa41e3aa52cf94be0f63afdd92e04799935d612f2451bcf4b1fb704
Cyble Watch: DireWolf suggests Asia-first targeting is rising in ransomware economics.
RALord (also referenced as NOVA in later reporting) highlights the identity-fluid nature of ransomware operations. Rebranding and ecosystem overlap appear central to its survival. Its indicators — including extension patterns and ransom note naming — align with common RaaS design practices. This “brand mutation” reduces the value of signature-only threat tracking and increases the need for telemetry-based clustering.
- Nova RaaS publicly discussed April 2025 as distributing RaLord/RALord ransomware.
- Later reporting describes Nova as formerly known as RALord and notes exposure/leaks about Nova’s inner workings in early December 2025.
- No. of Victims: 46
- Public victim geography is fragmented in mainstream writeups; one community intel writeup lists victims across multiple countries (e.g., US, Spain, Japan, Norway, Saudi Arabia, France, Taiwan, etc.) but treat this as lower-confidence unless you corroborate via your own monitoring.
- Encrypted extension: .RALord (also shown as .ralord in some reporting)
- Ransom note pattern: README-[random_string].txt
- Detection name (vendor-specific): GAV:RALord.RSM (SonicWall)
- Lower-confidence / community-published infra + IOCs (use for hunting with caution):
- MD5s: ef846baabc14fe461cff4c4a0fd5056f, be15f62d14d1cbe2aecce8396f4c6289, 4566f5ba6d1a1db0dd7794ea8d791b3f
- Multiple .onion DLS domains listed (NOVA/RALord)
Cyble Watch: Expect NOVA/RALord-like rebrands to grow in 2026 as disruption pressure increases.
Global stands out for its emphasis on cross-platform capability — including support for Linux and ESXi alongside Windows. Global’s operational model appears broad and opportunistic rather than tightly targeted. However, its technical capability indicates a focus on high-impact encryption where modern enterprises are most fragile – hypervisors and virtualized infrastructure.
- Introduced as “GLOBAL GROUP” on Ramp4u in June 2025; reporting ties it to earlier brands (Mamona / BlackLock).
- Broader reporting states the operation targeted multiple regions since early June 2025.
- No. of Victims: 31
- Reported targeting includes Australia, Brazil, Europe, and the United States (broad campaign footprint).
- Mutex string observed in early sample: GlobalFxo16jmdgujs437
- Extensions can be affiliate-defined (example mentioned: .lockbitloch) — treat extensions as variable/less reliable for GLOBAL GROUP specifically.
Cyble Watch: Cross-platform ransomware is becoming the default — not the exception.
The J group is best understood through victimology rather than technical writeups. It reinforces a pattern seen across 2025: some ransomware brands function primarily as leak-site identities rather than stable malware families. In these cases, tracking must rely on victim disclosures, infrastructure monitoring, and extortion site analysis rather than consistent payload-level indicators.
- Public references exist primarily as a ransomware strain name rather than a well-documented “group.” Some sources describing “J-Ransom” are older (years), suggesting it may be legacy/low-activity or a label reused by multiple actors.
- A separate vendor writeup (Chinese) mentions samples captured April 2025, which may reflect a naming/categorization convention rather than one stable actor.
- No. of Victims: 38
- No consistent, high-confidence public victim geography surfaced in mainstream reporting for “J Ransom” as an actor brand (more like a strain label).
- File extension in “J-Ransom” strain reporting: .LoveYou
- One publicly indexed sample (Any.Run task reference) is associated with MD5 4924B945CFDC5BFECE03F5140A546384 (treat as sample-specific IOC).
Cyble Watch: Ransomware branding ≠ actor stability. Monitor extortion infrastructure.
Warlock’s relevance in 2025 stems from its linkage to exploitation of on-premises SharePoint vulnerabilities and rapid post-exploitation ransomware delivery. This is a classic example of ransomware following initial compromise from exploitation chains, not just phishing or credential abuse. For defenders, Warlock represents the persistence of one of the most preventable ransomware vectors – unpatched public-facing enterprise software.
- Warlock is linked in 2025 reporting to exploitation of on-premises SharePoint vulnerabilities and follow-on ransomware deployment (Storm-2603). Microsoft notes exploitation attempts as early as July 7, 2025 and ongoing active attacks.
- No. of Victims: 66
- Targeting is described as internet-facing SharePoint servers (global exposure by nature); attribution includes multiple China-linked actors, with Storm-2603 associated with ransomware deployment.
- Web shell filenames: spinstall0.aspx (and variants spinstall.aspx, spinstall1.aspx, spinstall2.aspx, etc.)
- Additional file names: IIS_Server_dll.dll, SharpHostInfo.x64.exe, xd.exe, debug_dev.js
- File path for stolen web configs: 1[5-6]\TEMPLATE\LAYOUTS\debug_dev.js
- C2 IP called out: 65.38.121[.]198
- Network IOC set (example list in Microsoft hunting content): 131.226.2.6, 134.199.202.205, 104.238.159.149, 188.130.206.168, plus c34718cbb4c6.ngrok-free.app
- Exploited CVEs discussed: CVE-2025-49704 / CVE-2025-49706, plus related CVE-2025-53770 / CVE-2025-53771
Cyble Watch: Patch latency continues to be a top ransomware enabler.
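As an added example (not part of the Cyble post), the following Python scans IIS W3C log lines for the Warlock indicators listed above: the spinstall*.aspx and debug_dev.js names that live in the SharePoint LAYOUTS hive, which IIS serves under /_layouts/15/ or /_layouts/16/ (an assumed mapping), plus requests from the published addresses. The field layout and the log lines themselves are constructed.

```python
import re
from typing import List, NamedTuple

# Indicators from the Warlock / Storm-2603 section of this post: the web shell
# names spinstall0.aspx (and spinstall.aspx, spinstall1.aspx, ...) and
# debug_dev.js under the LAYOUTS hive, which IIS exposes as /_layouts/15/ or
# /_layouts/16/ (assumed mapping).
WEBSHELL_RE = re.compile(r"/_layouts/1[56]/(spinstall\d*\.aspx|debug_dev\.js)$", re.I)
# Network indicators from the post (defanged there as 65.38.121[.]198 etc.).
NETWORK_IOCS = {"65.38.121.198", "131.226.2.6", "134.199.202.205",
                "104.238.159.149", "188.130.206.168"}

class Hit(NamedTuple):
    line_no: int
    reason: str
    client_ip: str
    uri: str

def scan_iis_log(lines: List[str]) -> List[Hit]:
    """Flag log lines that touch a known web shell path or come from an
    address in the published indicator set. The field order is the constructed
    one declared in the #Fields directive below, not IIS's default layout."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue  # skip W3C directives and blank lines
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; ignore rather than guess
        uri, client_ip = fields[3], fields[4]
        if WEBSHELL_RE.search(uri):
            hits.append(Hit(n, "webshell-path", client_ip, uri))
        elif client_ip in NETWORK_IOCS:
            hits.append(Hit(n, "ioc-address", client_ip, uri))
    return hits

# Constructed sample log, not a real capture.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-07-19 02:14:07 GET /_layouts/15/start.aspx 10.0.0.12 200
2025-07-19 02:15:31 POST /_layouts/15/spinstall0.aspx 198.51.100.23 200
2025-07-19 02:16:02 GET /_layouts/16/spinstall2.aspx 198.51.100.23 200
2025-07-19 02:17:45 GET /_layouts/15/debug_dev.js 198.51.100.23 200
2025-07-19 02:18:10 GET /sites/hr/default.aspx 65.38.121.198 200
2025-07-19 02:19:00 GET /sites/hr/default.aspx 10.0.0.33 200
""".splitlines()

if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.reason} {h.client_ip} {h.uri}")
```

A hit on a web shell path is only a lead: confirm it against the file system (the LAYOUTS path above) and patch state for the listed CVEs before treating it as an incident.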
BEAST (active since earlier years but highly visible in 2025) represents the continued success of RaaS ecosystems that support multi-platform payloads. Its capabilities include encryption across Windows/Linux/ESXi environments, and it has been associated with common intrusion vectors such as compromised RDP, SMB scanning, and opportunistic exploitation. BEAST is a strong indicator that affiliate ecosystems remain resilient despite ransomware takedowns.
- Cybereason describes Beast as active since 2022 with later promotion of partnership/updates on underground forums (including an “offline builder” promoted by August 2024).
- Other reporting frames “Beast” as a modern RaaS with rapid growth in 2025 (this varies by source; treat “emerged Feb 2025” claims as reporting-dependent rather than absolute origin).
- No. of Victims: 46
- Reporting cites disclosures across US, Europe, Asia, and Latin America (based on victim postings/monitoring).
- Mutex string: BEAST HERE?
- Multi-platform targeting noted: Windows / Linux / ESXi builds (useful for scoping and hunting across environments).
Cyble Watch: BEAST shows RaaS models are sustainable and easily adaptable.
Sinobi appears to operate as either a rebrand or close relative of the Lynx ecosystem and demonstrates deliberate tradecraft, including data exfiltration before encryption. Cases point to credential-based access (VPN compromise), defense neutralization, and staged extortion. Sinobi’s model reflects a more enterprise-aware approach — prioritizing operational control before monetization.
- Sinobi’s ransomware brand emerged in mid-2025, quickly distinguishing itself through disciplined intrusions and operational maturity.
- As of September 2025, reporting indicated ~40 known victims, suggesting steady activity and an organized extortion pipeline.
- No. of Victims: 138
- Victims are primarily in the United States, with broader targeting noted across “US and allied countries.”
- Sector focus includes manufacturing/production and other mid-to-large business verticals.
- Encrypted extension: .SINOBI
- Ransom note: README.txt
- Crypto implementation reported: Curve-25519 + AES-128-CTR (useful for reverse engineering / attribution comparison).
- Possible infrastructure overlap / rebrand signals with Lynx DLS and ecosystem traits.
Cyble Watch: Identity security failures will remain a key ransomware entry point in 2026.
NightSpire is notable for its evolution. Early campaigns leaned towards exfiltration-based extortion, later expanding into double extortion ransomware. This confirms a Cyble observation from 2025: while data theft alone can pressure victims, encryption remains the most effective mechanism for forcing payment — especially when combined with leak-site exposure.
- Reported to have emerged in early 2025 and operated a leak site since 12 March 2025.
- Observed evolution from exfiltration-only extortion to double extortion (encrypting after theft) in later 2025 activity.
- A confirmed victim case described: Nippon Ceramic compromised on 10 April 2025.
- No. of Victims: 92
- Public reporting suggests a broad, multi-sector victim pool rather than one region, spanning industries such as healthcare, education, manufacturing, government, retail, logistics, etc.
- Individual confirmed cases include Japan-based manufacturing-related targets, implying Asia visibility alongside global reach.
- Operational comms channels: ProtonMail / OnionMail / Telegram used for negotiation coordination (indicator of actor infrastructure).
- Operator aliases linked in reporting: xdragon128 / xdragon333, and Cuteliyuan — associated with overlapping threat ecosystems (useful for persona tracking).
- Note: The publicly accessible sources don’t consistently publish hashes/domains for NightSpire; for hard IOCs you’d typically rely on incident telemetry, sandboxed samples, or threat feeds.
Cyble Watch: Expect more “exfil-first” actors to adopt encryption for higher conversion rates.
The Gentlemen emerged as one of the most operationally mature ransomware operations of 2025. Reporting suggests activity across more than a dozen countries and describes sophisticated behaviors including use of legitimate admin tooling and Group Policy manipulation. Their tradecraft resembles seasoned operators rather than new entrants, indicating potential rebranding from earlier ecosystems or recruitment of experienced affiliates.
- The Gentlemen were first widely noticed in Q3 2025, though investigations suggest operations may have started earlier.
- One early victim cited: JN Aceros (Peru) compromised as early as June 30, 2025.
- The group continues activity into late 2025, with reports of high-impact disruptions (example: Romanian energy provider incident reported in late December).
- No. of Victims: 63
- Reported to have operated across 17+ countries, with a geographically diverse footprint including Europe, Latin America, and Asia.
- Sector targeting includes manufacturing, healthcare, insurance, and other critical industries, consistent with high-pressure extortion behavior.
- Sample hashes (SHA-1 published in advisory):
- c12c4d58541cc4f75ae19b65295a52c559570054
- c0979ec20b87084317d1bfa50405f7149c3b5c5f
- df249727c12741ca176d5f1ccba3ce188a546d28
- e00293ce0eb534874efd615ae590cf6aa3858ba4
Cyble Watch: The Gentlemen demonstrate that emerging groups can be “new names, old hands.”
Ransomware groups are increasingly treated like “brands,” not organizations. When pressure rises — from law enforcement, competitors, or internal leaks — actors simply rebrand.
Cyble expects: Faster mutation cycles and more infrastructure crossover.
Encryption + theft will remain baseline, but more groups will add:
- DDoS threats
- harassment of executives
- partner/vendor pressure
- insider-style coercion
- regulatory reporting threats
Cyble expects: Higher pressure negotiation frameworks.
VPNs, remote admin tools, cloud accounts, and exposed credentials are already the leading ransomware entry points.
Cyble expects: Credential access brokers to expand further in 2026.
Virtualized infrastructure gives attackers the highest ROI per intrusion:
- encryption hits entire VM clusters
- business disruption is immediate
- recovery is expensive and slow
Cyble expects: ESXi and Linux payload development to increase as “default builds.”
The era of mega-syndicates dominating the market is fading. Today’s threat is defined by smaller, agile crews that:
- scale via affiliates
- reuse existing tools
- strike fast
- and disappear quickly
Cyble expects: “Many small fires” rather than “one big inferno.”
Ransomware is evolving into a repeatable business process, where playbooks matter more than innovation. The ransomware groups of 2025 demonstrate that the threat is not fading—it is adapting. As attackers streamline operations and defenders improve visibility, success increasingly depends on early detection, credential protection, and behavioral intelligence, rather than chasing names or ransomware variants.
Defenders should focus on:
- credential hygiene
- exposure management
- patch discipline
- behavioral detections
- proactive leak-site monitoring
- and incident response maturity
Cyble Assessment: In 2026, the organizations most at risk will not be those lacking tools — but those lacking visibility into identity and lateral movement. Organizations preparing for 2026 should focus less on who the attackers are—and more on how they operate.
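An added example (not from the Cyble post) that contrasts the two detection views argued above: matching only the extensions published for named brands versus looking at behaviour. It reuses the extensions and ransom-note names from the group sections (Devman, RALord, J-Ransom, Sinobi) and the GLOBAL note that extensions can be affiliate-defined (.lockbitloch); the directory listings, thresholds and the allow-list of ordinary file types are constructed assumptions.

```python
import re
from collections import Counter

# Extensions the post lists for named brands (Devman, RALord, J-Ransom, Sinobi).
KNOWN_EXTENSIONS = {".devman", ".ralord", ".loveyou", ".sinobi"}
# Ransom-note names from the post: README.txt, README-<random>.txt and the
# fixed Devman note name.
NOTE_RE = re.compile(r"^(readme(-[a-z0-9]+)?\.txt|e47qfsnz2trbkhnt\.devman)$", re.I)
# Constructed allow-list of ordinary document types (assumption; tune per estate).
ORDINARY = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".log", ".db"}

def ext_of(path):
    base = path.rsplit("/", 1)[-1]
    i = base.rfind(".")
    return base[i:].lower() if i > 0 else ""

def is_note(path):
    return NOTE_RE.match(path.rsplit("/", 1)[-1]) is not None

def name_based(paths):
    """Signature view: only files whose extension matches a published brand."""
    return [p for p in paths if ext_of(p) in KNOWN_EXTENSIONS]

def behavior_based(paths, min_files=20, min_share=0.5):
    """Behavioural view: a ransom note exists AND most files now share one
    extension that is not an ordinary type. Returns (verdict, dominant_ext)."""
    has_note = any(is_note(p) for p in paths)
    exts = Counter(ext_of(p) for p in paths if not is_note(p))
    if not exts:
        return False, ""
    ext, count = exts.most_common(1)[0]
    mass_rename = (ext != "" and ext not in ORDINARY and count >= min_files
                   and count / sum(exts.values()) >= min_share)
    return (has_note and mass_rename), (ext if mass_rename else "")

# Constructed directory listings, not real incident data.
AFFILIATE_TREE = [f"/share/finance/q{i}.xlsx.lockbitloch" for i in range(40)] + [
    "/share/finance/README.txt", "/share/finance/notes.txt"]
SINOBI_TREE = [f"/share/eng/spec{i}.pdf.SINOBI" for i in range(25)] + ["/share/eng/README.txt"]
CLEAN_TREE = [f"/share/hr/policy{i}.docx" for i in range(30)] + ["/share/hr/README.txt"]

if __name__ == "__main__":
    for label, tree in [("affiliate", AFFILIATE_TREE), ("sinobi", SINOBI_TREE), ("clean", CLEAN_TREE)]:
        print(label, len(name_based(tree)), behavior_based(tree))
```

The affiliate-defined extension is invisible to the brand list but is caught by the rename-plus-note pattern, while a legitimate README.txt on an untouched share does not trip the behavioural rule.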