Ransomware gangs are like the mythical Hydra — chop off one head, and another two spring up.
As cybersecurity and law enforcement moved in and closed ransomware groups in 2024, ex-members moved to new groups or formed their own before pointing new weapons at businesses and governments in 2025.
These new groups often rebrand as ransomware-as-a-service (RaaS) operations, run by threat actors who buy older source code and develop new versions of existing strains.
RaaS groups have also adapted to respond to the trend of not paying ransom and are becoming more aggressive and flexible.
The power vacuum left by the disruption of LockBit and ALPHV/BlackCat operations is being filled by ransomware gangs, including Arcus Media, HellCat, RansomHub, FunkSec, and Rhysida, while offshoots of LockBit lurk in the shadows.
Key Takeaways
- Although ransomware attacks decreased in 2024, attackers are adopting more aggressive tactics and new strains to maintain threats in 2025.
- Arcus Media, HellCat, RansomHub, FunkSec, and Rhysida are emerging or dominant ransomware groups, each with distinct tactics and targets.
- RansomHub has claimed dominance in the RaaS landscape after recruiting former LockBit and ALPHV operators.
- Despite law enforcement disruptions, legacy malware like LockBit strains remain in use due to leaked source code, posing ongoing threats.
6 New Ransomware Gangs in 2025
Arcus Media: Advanced Technical Nightmare
Arcus Media is a new RaaS group that, unfortunately for its targets, takes the nefarious prize for being technical, precise, and skilled with advanced capabilities.
The black hat hackers behind this group, whose attribution is still unknown, focus on using advanced coding to breach, encrypt, exfiltrate, and disrupt as much as possible any attempts by victims to recover systems and data.
This group first became known in November 2024 and claimed to have targeted more than 50 industries in the business services, retail, and media sectors. The group likes to execute initial access via malicious attachments in phishing emails.
Once inside systems, Arcus Media ransomware demonstrates a highly technical approach. It deploys obfuscated malicious scripts and custom binaries, creates scheduled tasks, modifies registry settings, and more.
The group excels at initial recon of targets, brute-force attacks, advanced encryption use, and disruption of backup and recovery.
HellCat: Ransomware Extortion, Dark Humor & Humiliation
HellCat came into the spotlight in 2024 despite not (yet) being considered a major player.
Relatively new to the scene, the group focuses on unique tactics, including aggressive double extortion techniques. The group plays “with deeper psychological elements aimed at humiliation and public pressure.”
HellCat shouldn’t be underestimated. Reports suggest they are still developing their operations and may share infrastructure or code with other groups.
This group is very ambitious, at times seemingly taking on more than it can handle. It has no problem going after the government or critical infrastructure.
For example, quoting Cato CTRL’s findings, the group targeted a French energy distribution company with an annual revenue exceeding $7 billion USD and then offered root access to the company’s server for $500.
It also advertised root access to the Iraq city government’s servers for $300.
They also like the attention of high-impact attacks, asking one French company to pay $125,000 in “baguettes”.
Their use of psychological warfare and media attention suggests that the group is hungry to grow.
LockBit: Gone — But Ransomware Strains Still Thrive
LockBit, despite being dismantled by the FBI, continues to fuel rumors on the dark web. Many in the underground believe that a LockBit 4.0 strain exists in the wild.
Beyond rumors, while the LockBit distributors and developers are no longer operating, LockBit ransomware strains are still in play. This is because the malware source code has been leaked, allowing other ransomware groups or black hat hackers to update and reuse it.
Security teams should be monitoring these randomly emerging LockBit strains. Modifying the source code can allow operators to use the updated malware undetected by cybersecurity tools that do not flag modified strains.
The reputation of LockBit is also used by lone operators or groups of operators hiding behind the legendary name like the mysterious NotLockBit.
RansomHub: Heavyweights of RaaS
Experts agree that RansomHub has become the dominant player in RaaS and claim the group has won over most of the LockBit and ALPHV operators.
eCrime Threat Researcher Corsin Camichel told Chainalysis that RansomHub posted the highest number of victims in 2024, which speaks to the gang’s ability to manage the high pressures that come with the RaaS crown.
RansomHub’s malware ranks in the top ten charts for ransomware strains most used in 2024.
This group employs double extortion, encryption of data, and leaks to pressure victims. Their ransomware is successful in the criminal malware sector because it is efficient.
FunkSec: The Ransomware Gang That Dabbles in Hacktivism
FunkSec, a relatively small group, emerged in late 2024 and quickly gained notoriety in December of that year for claiming a potentially record-breaking number of victims.
Check Point reports that the gang uses AI-assisted malware development to make its malware more accessible to operators who have little or no experience in the field.
FunkSec also likes double or triple extortion, steals victim data, and always threatens to leak it. Like other groups, FunkSec has a site where the leaked data and victims’ data are published.
FunkSec is known for blurring the lines between ransomware and hacktivism, which makes it harder for cybersecurity experts to track its tactics. That said, there are doubts about some of FunkSec’s data breaches, as they sometimes seem to be bundled up from previous leaks.
Rhysida: Experienced High Profile Ransomware Group
Rhysida has been around for several years and is still very relevant. The problem with this gang is that it is known for continually updating its techniques and malware.
Unlike other ransomware actors, Rhysida poses national security risks. The group is known for targeting critical infrastructure, such as the Port and Airport of Seattle, last year.
Rhysida’s motivations have been questioned, and the possibility they are nation-state supported is greater than slim. Rhysida ransom price tags are extremely high.
Keep an eye on this group, especially if international geopolitical tensions emerge through 2025.
The Bottom Line
The RaaS industry is beginning to settle after a year of intense power struggles and wild competition.
While law enforcement actions, international cooperation, and businesses that refuse to pay have made ransom payments drop in 2024, 2025 will be no easy road.
Security teams would gain a lot by becoming familiar with the top ransomware players and learning their styles and tactics.
References
- Arcus Media Ransomware Displays Novel Process Targeting, Selective Encryption and Recovery Disruption (Halcyon)
- Cato CTRL Threat Research – Unmasking Hellcat: Not Your Average Ransomware Gang (Cato Networks)
- Understanding Ransomware Threat Actors: LockBit (CISA)
- Crypto Ransomware 2025: 35.82% YoY Decrease in Ransomware Payments (Chainalysis)
- Meet FunkSec: A New, Surprising Ransomware Group, Powered by AI (Check Point Blog)