askformore@bittnet.ro
Scheduled Classes

Ransomware fragmentation reaches peak, LockBit returns in force

Fragmentation of the ransomware ecosystem: an alarming phenomenon in 2025

Ransomware fragmentation reaches its peak, LockBit returns in force. As we enter 2025, the ransomware landscape has evolved dramatically, reaching a critical point of unprecedented fragmentationTraditional cyber groups like REvil or Conti have disbanded or reorganized, but in their wake they have left a void that has been quickly filled by dozens of new or revitalized groups. Among them, lockbit has made an explosive comeback, resurfacing with improved tactics and an aggressive presence in the cybercriminal community.

What is ransomware fragmentation and why does it matter?

Fragmentation in the context of ransomware refers to:

  • Breaking large groups into smaller, decentralized cells,
  • Creation of new ransomware variants by individual hackers or hacktivists,
  • Increased accessibility of Ransomware-as-a-Service (RaaS) technology.

This fragmentation creates an unpredictable and extremely dangerous network of attackers who:

  • Avoid detection more easily
  • Attack multiple targets simultaneously
  • Uses varied and more difficult to counter techniques

Worrying statistics from 2025:

  • Over 2.800 unique ransomware variants identified only in the first four months of the year
  • The number of double-extortion attacks has increased by 38% compared to 2024
  • Attacks on healthcare systems have increased 65%, becoming the main target sector

LockBit: the return of a giant in the world of cybercrime

LockBit, one of the most notorious ransomware groups in recent years, is resurfacing in the spotlight of security analysts with a new version of its tool – LockBit-NG (Next Gen)This new iteration brings some worrying innovations:

  • Advanced self-adaptive encryption mechanism
  • Automatic detection of local backups for deletion
  • Internal network tapping functionality via PowerShell and WMI

LockBit-NG operates in a classic RaaS model, providing the necessary infrastructure to other hackers in exchange for a share of the profits. This approach directly contributes to proliferation of fragmentation phenomenon.

LockBit's new strategy: less noise, more efficiency

Compared to old versions, the new LockBit emphasizes:

  1. Target filtering: excludes small networks without financial potential
  2. Silent encryption: initial data exfiltration, then encryption in the background
  3. Spear-phishing delivery

How does the darknet contribute to the growth of ransomware fragmentation?

The platforms on Dark web plays a crucial role in this new wave of fragmentation. On dedicated forums, they are now selling:

  • Automated ransomware kits, easily customizable
  • Turnkey command and control (C2) servers
  • Access to compromised infrastructures (Initial Access Brokers)

Even amateur hackers can launch sophisticated attacks without advanced knowledge, leading to:

  • Increasing number of unsuccessful but destructive attacks
  • Increasing pressure on IT teams
  • Diversification of threat vectors

Who are the favorite victims of the new ransomware wave?

New and decentralized groups avoid major risks and choose targets precise, localized where the level of protection is lower:

  • Regional hospitals and private clinics
  • Transport and logistics companies
  • Local authorities and small schools
  • Accounting firms and law offices

These organizations often have:

  • Old infrastructure
  • Limited IT budgets
  • Poor backup and recovery procedures

Protective measures for organizations in 2025

Faced with this diversity of threats, any company should review its cyber protection plan. Key recommendations include:

  1. Implementing an advanced detection and response system (EDR/XDR)
  2. Segmentation of internal networks and rigorous control of privileges
  3. Isolated (air-gapped) backup and regular data recovery testing
  4. Regular cybersecurity education campaigns for employees
  5. Periodic simulation of ransomware attacks (tabletop scenarios)

Zero Trust: the defensive philosophy of the future

Adopting a type model Zero Trust assume:

  • Continuous verification of the identity and actions of all users
  • Limiting access to only contextually necessary resources
  • Behavior monitoring and automatic self-remediation

The future of ransomware: what can we anticipate?

The current fragmentation doesn't seem to be slowing down. Analysts believe we will continue to see:

  • Bundling malware with generative AI for phishing perfectly adapted to the target
  • More supply chain attacks which exploits partnerships between companies
  • The rise of obscure cryptocurrencies for payments that are harder to track

From a business and institutional perspective, it is vital to adopt proactive and collaborative thinking. Detection becomes insufficient without a robust prevention and response plan.

Conclusion: Continuous adaptation in a volatile cyber scenario

The fragmentation of the ransomware landscape is not just a new phase, but a fundamental shift. LockBit and other groups have shown that flexibility and decentralization are dangerous weapons in the hands of cybercriminals. At the same time, effective defense requires an integrated, personalized, and constantly updated approach.

You have certainly understood what the news in 2025 is related to cybersecurity, if you are interested in deepening your knowledge in the field, we invite you to explore our range of courses dedicated to cybersecurity in the category CybersecurityWhether you're just starting out or want to brush up on your skills, we have a course for you.