Ransomware Groups to Watch in 2025-2026
Qilin has hit 1,000+ victims. Everest targets critical infrastructure. Here's what security teams need to know about today's most active ransomware operations.
The ransomware threat hasn't diminished—it's fragmented. Law enforcement takedowns disrupted LockBit and BlackCat in 2024, but the affiliates didn't retire. They scattered to other operations, and attack volumes kept climbing. Q3 2025 saw 1,592 new victims across 85 active extortion groups, a 25% increase year-over-year.
Understanding which groups pose the greatest risk helps security teams prioritize defenses. Three operations deserve particular attention heading into 2026: Qilin for sheer volume and healthcare targeting, Everest for critical infrastructure focus, and Weaxor for technical innovation in initial access.
Qilin: The Volume Leader
Qilin claimed its 1,000th victim before the end of 2025, making it the most prolific ransomware operation in recent years. The Russia-based group first appeared in 2022 but only gained momentum in 2023 with 45 attacks. That number rose to 179 in 2024, then exploded after RansomHub went dark in April 2025. When RansomHub's affiliates needed a new home, Qilin welcomed them. Attack claims jumped 280 percent within months.
The group's 17 healthcare attacks in just the first week of January 2026 signal an ongoing focus on medical organizations. Healthcare targeting isn't new for Qilin—the group disrupted British pathology firm Synnovis in 2024, forcing thousands of NHS appointment cancellations and creating blood supply shortages that lasted months.
The Covenant Health breach in May 2025 exposed 478,000 patient records across facilities in six states. Qilin published the stolen data after negotiations failed, demonstrating willingness to follow through on extortion threats. The group reportedly collected over $50 million in ransom payments during 2024 alone.
Qilin operates as a traditional ransomware-as-a-service (RaaS) platform, providing affiliates with encryption tools and infrastructure in exchange for a cut of ransom payments. The model works: averaging 75 victims per month in Q3 2025, Qilin doubled its attack rate from earlier in the year.
Everest: Critical Infrastructure Focus
Everest takes a different approach. The group, active since 2020, has shifted toward data-only extortion: it steals sensitive information and threatens to leak it, often without encrypting victim systems at all. This hybrid model combines ransomware tactics with initial access brokering—selling network access to other threat actors when victims won't pay.
The group's Christmas Day attack on Chrysler claimed over a terabyte of customer data including Salesforce records and service call recordings. Around the same time, Everest leaked a full 1TB data dump from ASUS, demonstrating willingness to publish everything when negotiations fail.
September through October 2025 marked Everest's most active period. The group claimed attacks on Collins Aerospace that disrupted European airports including Heathrow and Brussels. They targeted Sweden's power grid operator, AT&T (576,000 applicant records), Dublin Airport (1.5 million passenger files), and Under Armour (343GB including customer transaction histories).
Everest's initial access typically starts with compromised RDP credentials, purchases from other access brokers, or its corporate insider recruitment program launched in October 2023. The group offers cash payments to employees willing to provide remote network access—a tactic that bypasses technical defenses entirely.
Weaxor/Mallox: Technical Innovation
Weaxor is a rebrand of the Mallox ransomware operation, and its affiliates have distinguished themselves through technical sophistication in initial access. Rather than relying solely on phishing or credential theft, Weaxor affiliates have weaponized the React2Shell vulnerability (CVE-2025-55182) for large-scale compromise.
React2Shell affects React Server Components and Next.js applications—software powering millions of web applications. The vulnerability requires no authentication and achieves code execution with a single HTTP request. Weaxor's adoption of this exploit chain demonstrates how quickly ransomware operators incorporate newly disclosed vulnerabilities into their operations.
The shift matters because it changes the attack profile. Traditional ransomware campaigns required human interaction—clicking a phishing link, opening a malicious attachment. Vulnerability exploitation happens automatically against exposed systems. Organizations running unpatched React applications face immediate risk from automated scanning.
The Broader RaaS Ecosystem
These three groups operate within a larger ecosystem that keeps regenerating despite law enforcement pressure. Flashpoint tracked a 179% year-over-year surge in attacks alongside the decline of LockBit and BlackCat. When major players fall, affiliates redistribute. New operations emerge. The overall threat level remains elevated.
Several trends shape the current environment:
Fragmentation over consolidation. Of 85 active extortion groups tracked in Q3 2025, 47 published fewer than ten victims. Affiliates increasingly operate independently rather than depending on established RaaS brands.
Data extortion without encryption. Multiple groups now skip encryption entirely, reducing operational complexity while maintaining leverage through data theft. If you have copies of stolen data, you don't need to lock the originals.
Cloud targeting. Ransomware designed for cloud infrastructure appeared throughout 2024 and 2025. Misconfigured S3 buckets and object storage became direct targets rather than just data exfiltration points.
AI-assisted operations. Some groups have begun using artificial intelligence to automate target selection and vulnerability identification. The barrier to entry keeps lowering.
Defensive Priorities
Against this threat environment, certain defenses matter more than others.
Patch management cannot slip. Thirty-two percent of attacks in 2025 started with unpatched vulnerabilities. The React2Shell exploitation shows how quickly new CVEs become ransomware vectors. Automated patch deployment, prioritized by severity and exploitability, closes the window attackers need.
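To make "prioritized by severity and exploitability" concrete, here is an added Python example; it is not code from the article or from any vendor or group it mentions. It ranks a constructed vulnerability inventory so that an actively exploited, internet-facing, unauthenticated bug outranks a higher-CVSS internal one. CVE-2025-55182 is the React2Shell identifier from the article; the other CVE strings, asset names and score weights are placeholders and assumptions of this example.

```python
"""Rank a vulnerability inventory for patch deployment.

Added example, not from the article: each finding is scored by evidence of
exploitation in the wild, internet exposure and the CVSS base score, so that
a React2Shell-style case (unauthenticated, remotely reachable, already used by
ransomware affiliates) lands at the top of the queue.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float                 # CVSS v3 base score, 0.0 to 10.0
    internet_exposed: bool      # asset reachable from untrusted networks
    exploited_in_wild: bool     # listed in a known-exploited catalogue or threat reporting
    requires_auth: bool         # exploitation needs valid credentials


def priority_score(f: Finding) -> float:
    """Higher is more urgent. Exploitation evidence dominates CVSS alone.

    The weights are assumptions chosen for this example, not a standard.
    """
    score = f.cvss
    if f.exploited_in_wild:
        score += 10.0           # active exploitation outranks theoretical severity
    if f.internet_exposed:
        score += 5.0            # reachable by automated scanning
    if not f.requires_auth:
        score += 2.0            # no credential needed: exploitable at scale
    return score


def patch_queue(findings):
    """Return (cve, asset, score, tier) ordered most urgent first."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    out = []
    for f in ranked:
        s = priority_score(f)
        if s >= 20:
            tier = "emergency"   # patch or mitigate within 24h
        elif s >= 9:
            tier = "high"        # within the week
        else:
            tier = "routine"     # normal patch cycle
        out.append((f.cve, f.asset, round(s, 1), tier))
    return out


# Constructed inventory. CVE-2025-55182 is the React2Shell identifier from the
# article; the CVE-PLACEHOLDER-* identifiers are not real CVEs.
INVENTORY = [
    Finding("CVE-2025-55182", "web-frontend-01", 9.8, True, True, False),
    Finding("CVE-PLACEHOLDER-0001", "hr-intranet", 9.1, False, False, True),
    Finding("CVE-PLACEHOLDER-0002", "vpn-gateway", 7.5, True, False, False),
    Finding("CVE-PLACEHOLDER-0003", "build-server", 5.3, False, False, True),
]

if __name__ == "__main__":
    for row in patch_queue(INVENTORY):
        print(row)
```

The point of the ordering is the second row: the CVSS 7.5 bug on the internet-facing VPN gateway ranks above the CVSS 9.1 bug on an internal, authenticated-only host, because exposure and exploitability, not the base score, determine how quickly automated scanning will find it.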
Backup integrity determines recovery. Groups like Everest specifically target backup systems. Air-gapped or immutable backups remain the only reliable recovery mechanism when attackers gain administrative access.
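The cloud-targeting trend above and the backup-immutability point here come down to the same configuration questions: is the bucket reachable without credentials, can an administrator delete or overwrite backup objects, and does retention outlast the recovery window? The following added Python example, not from the article or any cloud provider's SDK, audits a constructed set of bucket configurations for those properties. The record schema is invented for this example; the "governance" versus "compliance" lock modes borrow AWS S3 Object Lock terminology, where only compliance mode cannot be overridden by privileged principals.

```python
"""Audit backup object-storage configuration for exposure and immutability.

Added example, not from the article. The configuration records are a
simplified invented schema, not any provider's API output.
"""


def audit_bucket(cfg):
    """Return a list of findings for one bucket configuration dict."""
    findings = []
    if cfg.get("public_access"):
        findings.append("public access: objects readable without credentials")
    if not cfg.get("versioning"):
        findings.append("versioning disabled: deleted or overwritten objects cannot be restored")
    if cfg.get("holds_backups"):
        lock = cfg.get("object_lock") or {}
        if not lock.get("enabled"):
            findings.append("no object lock: an attacker with admin rights can purge backups")
        elif lock.get("mode") != "compliance":
            findings.append("object lock in governance mode: retention can be bypassed by privileged principals")
        elif lock.get("retention_days", 0) < cfg.get("required_retention_days", 30):
            findings.append("lock retention shorter than the recovery window")
        if cfg.get("same_account_as_production", True):
            findings.append("backups live in the production account: one compromised admin reaches both")
    return findings


def audit_all(buckets):
    """Map bucket name to findings, omitting buckets that pass every check."""
    results = {}
    for name, cfg in buckets.items():
        findings = audit_bucket(cfg)
        if findings:
            results[name] = findings
    return results


# Constructed configurations: one weak backup bucket, one hardened, one with a
# bypassable lock, and one public non-backup bucket.
BUCKETS = {
    "prod-backups-weak": {
        "holds_backups": True, "versioning": False, "public_access": False,
        "object_lock": None, "same_account_as_production": True,
    },
    "prod-backups-hardened": {
        "holds_backups": True, "versioning": True, "public_access": False,
        "object_lock": {"enabled": True, "mode": "compliance", "retention_days": 90},
        "required_retention_days": 30, "same_account_as_production": False,
    },
    "dr-backups-governance": {
        "holds_backups": True, "versioning": True, "public_access": False,
        "object_lock": {"enabled": True, "mode": "governance", "retention_days": 90},
        "same_account_as_production": False,
    },
    "marketing-assets": {
        "holds_backups": False, "versioning": True, "public_access": True,
    },
}

if __name__ == "__main__":
    for name, findings in audit_all(BUCKETS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The hardened bucket produces no findings because it combines versioning, a compliance-mode lock longer than the recovery window, and a separate account; the same checks run against a live inventory would replace these dicts with the provider's configuration API responses.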
Network segmentation limits blast radius. Zero Trust architectures and micro-segmentation constrain lateral movement. If attackers can't reach critical systems from their initial foothold, encryption and exfiltration both become harder.
Monitor for insider recruitment. Everest's cash-for-access program works because it bypasses technical controls. Behavioral monitoring for unusual access patterns and regular privilege reviews can surface compromised insiders before they enable network-wide compromise.
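One way to turn "behavioral monitoring for unusual access patterns" into something that runs over authentication logs, as an added Python example that is not code from the article: a per-account baseline of source addresses, access methods and login hours is learned from historical successes, and new successful logins are reported with the reasons they deviate. The log format, user names and addresses are constructed for this example; it also covers the compromised-RDP entry point described in the Everest section, since a paid insider's or a stolen credential's first remote login looks the same to the baseline.

```python
"""Flag unusual authentication patterns against a per-user baseline.

Added example, not from the article. Log format, accounts and addresses are
invented. Baseline logins teach the detector what is normal for each
account; new logins that depart from it are reported with reasons.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+)$"
)

# Methods that give interactive remote access, the entry point the article
# associates with compromised RDP credentials and paid insiders.
REMOTE_METHODS = {"rdp", "vpn"}


def parse(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return d


def build_baseline(lines):
    """Per user: seen source addresses, seen methods, and the set of login hours (UTC)."""
    base = defaultdict(lambda: {"src": set(), "method": set(), "hours": set()})
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        b = base[ev["user"]]
        b["src"].add(ev["src"])
        b["method"].add(ev["method"])
        b["hours"].add(ev["ts"].hour)
    return base


def detect(baseline, lines):
    """Return (user, src, reasons) for successful logins that deviate from baseline."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        b = baseline.get(ev["user"])
        reasons = []
        if b is None:
            reasons.append("account has no login history")
        else:
            if ev["src"] not in b["src"]:
                reasons.append(f"new source address {ev['src']}")
            if ev["method"] in REMOTE_METHODS and not (b["method"] & REMOTE_METHODS):
                reasons.append(f"first remote access via {ev['method']}")
            if ev["ts"].hour not in b["hours"]:
                reasons.append(f"login at {ev['ts'].hour:02d}:00 UTC outside usual hours")
        if reasons:
            findings.append((ev["user"], ev["src"], reasons))
    return findings


# Constructed baseline: ordinary office-hours logins from internal addresses.
BASELINE_LOG = [
    "2025-12-15T08:02:11Z user=jsmith src=10.0.4.21 method=console result=success",
    "2025-12-16T09:14:40Z user=jsmith src=10.0.4.21 method=console result=success",
    "2025-12-17T17:45:03Z user=jsmith src=10.0.4.21 method=console result=success",
    "2025-12-15T08:30:00Z user=adm-backup src=10.0.9.5 method=console result=success",
    "2025-12-18T12:10:00Z user=adm-backup src=10.0.9.5 method=vpn result=success",
]

# Constructed new activity: one benign login, one failure, two that deserve review.
NEW_LOG = [
    "2026-01-06T09:05:12Z user=jsmith src=10.0.4.21 method=console result=success",
    "2026-01-06T02:14:09Z user=jsmith src=203.0.113.7 method=rdp result=success",
    "2026-01-06T03:20:33Z user=adm-backup src=198.51.100.9 method=vpn result=failure",
    "2026-01-06T03:21:02Z user=adm-backup src=198.51.100.9 method=vpn result=success",
]

if __name__ == "__main__":
    for user, src, reasons in detect(build_baseline(BASELINE_LOG), NEW_LOG):
        print(f"{user} from {src}: " + "; ".join(reasons))
```

The first flagged login stacks three deviations (new address, first-ever RDP use, 02:00 UTC); the backup administrator's login trips only two because VPN use is already in that account's baseline, which is the kind of detail that keeps a privilege review focused on the genuinely new behavior. A production baseline would use a longer window and tolerate adjacent hours rather than an exact hour set.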
The ransomware threat has evolved from a few dominant groups to a distributed ecosystem where anyone with criminal intent can participate. The tools are available, the business model is proven, and the defenses remain uneven. Understanding who's attacking—and how—is the first step toward not becoming victim 1,001.