RANSOMWARE WEEKLY Threat Intelligence Digest | 30-Day Window
One Group. 104 Victims. A Fragmented Ecosystem with a Clear Leader.
Over the past 30 days, 56 active ransomware groups were responsible for 678 tracked incidents. The numbers confirm what defenders have long suspected: the ecosystem is sprawling, decentralized, and shows no sign of slowing down.
But fragmentation doesn't mean equality. A small group of operators dominates the activity charts, and Qilin sits firmly at the top.
The Leaderboard
Qilin claimed 104 victims this period, accounting for more than 15% of all tracked attacks. That's not just the highest total. It's nearly double the output of its closest competitor. Behind it, four well-known groups maintained a steady operational tempo:
Together, these five groups were responsible for roughly 44% of all observed activity, a striking concentration in what is otherwise a deeply fragmented market.
One notable absence from the top of the table: LockBit. Once a dominant and consistent presence in victim counts, it recorded just 16 this period. Whether that reflects law enforcement disruption, internal restructuring, or a deliberate pause is unclear. For a group that once set the pace for the entire ecosystem, the drop is significant.
The Broader Picture
This week's data fits a trend that has been accelerating for months. The total number of active ransomware groups now exceeds 120, driven in large part by the proliferation of ransomware-as-a-service platforms that have made it easier than ever for new operators and affiliates to launch campaigns without building infrastructure from scratch.
The result is an environment where defenders must track a small number of highly prolific operators and a long tail of smaller, less predictable groups, any of which could scale quickly.
The Groups to Watch
Volume tells one story. Velocity tells another. The most strategically significant shifts this period came not from the established leaders, but from two groups that expanded their operations at an unusual pace:
Growth like this is rarely accidental. When a group scales this quickly, it typically signals access to new initial-access channels, a refined playbook, or newly established affiliate partnerships. For defenders, rapidly expanding groups are often the most dangerous. Not because of their size, but because they're still experimenting and the intelligence community hasn't yet caught up with their methods.
Data reflects a 30-day tracked window. 678 incidents across 56





