The Ransomware Roster Explodes: What 77 Active Groups Mean For Risk

Oct 31, 2025

Dashboards don’t make decisions – people do. The people defending corporate data today aren’t just fighting a handful of infamous gangs but a swarm of ransomware crews. In the latest GuidePoint Security report, researchers count 77 known active ransomware and extortion groups – up from just 49 a year earlier. On the surface, victim volumes have stabilized at around 1,500–1,600 victims per quarter, leading to headlines proclaiming that ransomware levels have “normalized.” For the Data Protection Center charged with protecting an organization’s digital crown jewels, however, a bigger roster with fragmented tactics changes the risk calculus entirely.

This article traces the journey from understanding why the roster is exploding to what fragmented tactics mean for defenders, why steady victim counts mask deeper risks, and how to adapt without panic. Along the way, we’ll explore common pitfalls, metrics to watch, and change management practices that can help your team go from firefighting to foresight.

Why The Roster Is Exploding

For years, a handful of franchises like LockBit and Cl0p dominated the ransomware headlines. Law‑enforcement operations such as Operation Cronos in 2024 have discredited some of those “superbrands,” but they haven’t erased demand for extortion tools. Instead, they’ve done the opposite: 77 distinct crews now operate in the wild, a 57 percent year‑over‑year increase. GuidePoint’s researchers attribute this surge to two parallel forces:

  • Consolidation among large players. Skilled affiliates are gravitating toward established Ransomware‑as‑a‑Service (RaaS) platforms. When a dominant group fades, as LockBit has after Operation Cronos, its affiliates don’t retire – they take their scripts to the next biggest shop.

  • Proliferation of low‑skill actors. The commoditization of ransomware kits and leak‑site templates lowers the barrier to entry. Searchlight Cyber’s report notes that 35 new groups emerged in the first half of 2025. These crews often arise when ex‑affiliates rebrand or when small teams run short‑term campaigns.

These dynamics create a “long tail” of smaller gangs that may operate under the radar. The Emsisoft analysis observes that international law‑enforcement actions have unintentionally produced an explosion of new, smaller groups; its data shows that the number of active groups jumped 20–30 percent between summer 2024 and summer 2025. In other words, each takedown spawns multiple spin‑offs.

Fragmented Tactics: More Crews, But The Same Victims?

If the number of groups has exploded, why haven’t victim counts skyrocketed? The answer lies in fragmented tactics. GuidePoint’s researchers note that victim volumes have stabilized because the overall attacker capacity remains similar – the same pool of affiliates is simply distributing itself across more brands. Rather than a few large campaigns hitting thousands of organizations at once, that capacity shows up as many small‑scale incidents.

The MES Computing summary of GuidePoint’s Q3 2025 report makes it clear: while the victim volume has normalized, the number of named groups continues to multiply. This “new normal” reflects a split between RaaS franchises and independent extortion crews. Extortion‑only groups skip encryption altogether: they steal data and threaten to leak it, often bypassing much of the intrusion work an encryption attack requires. The result is a diverse landscape where some actors specialize in double extortion, others offer “call‑a‑lawyer” services to affiliates, and still others maintain low profiles like SafePay.

Fragmentation affects defenders in two ways:

  1. Tactics and tooling vary widely. Some crews leverage zero‑day vulnerabilities or supply‑chain attacks, while others rely on phishing kits, remote‑desktop brute force, or poorly configured backup servers. Searchlight Cyber’s report notes that new methods include hiring “legal teams” to contact regulators if victims refuse to pay.

  2. Attribution becomes harder. With more groups splintering and rebranding, defenders struggle to map Indicators of Compromise (IoCs) to a specific actor and understand their typical dwell time or negotiation style.

What looks like a static volume of attacks hides a more complex threat landscape.

What 77 Groups Mean for Your Risk

A larger roster doesn’t just bring variety; it reshapes risk. More than half of publicly disclosed ransomware victims in Q3 2025 were based in the United States (56%), with Germany (5%) and the UK (4%) trailing far behind. Manufacturing, technology, and the legal sector were the most impacted industries, with manufacturing suffering 252 publicly claimed attacks, a 26 percent quarter‑over‑quarter jump. While some sectors like healthcare are perennial targets, the fragmentation of attacker ecosystems introduces new variables:

  • Regional concentration can shift quickly. Searchlight Cyber found that 65 percent of victims in the first half of 2025 were located in NATO member states. As smaller groups proliferate, they may favor industries and geographies where enforcement is weaker.

  • Data leakage volume grows. Searchlight’s analysis of the Cl0p leaks shows an average of 36.6 GB of data and 102,938 email addresses per victim. The more groups there are, the more leaked data floats in the ecosystem, increasing follow‑on fraud and supply‑chain risk.

  • Operational discipline varies. Veteran crews like Qilin, Akira and Play have become more organized. Qilin’s activity surged 318 percent year‑over‑year, claiming 234 victims in a single quarter. In contrast, transient groups may rely on opportunistic vulnerabilities and extort modest ransoms from small businesses. This disparity complicates prioritization for security teams.

When you defend a single network against 77 potential adversaries, your focus must shift from tracking brand names to understanding tactics, techniques, and procedures (TTPs) and the underlying economics of ransomware.

How Data Protection Centers Should Respond

You don’t need to centralize all security operations to adapt to this volatile landscape, but you do need a federated defense. Think of your Data Protection Center as the semantic layer between scattered infrastructure and senior leadership. It’s a shared “language” of threat intelligence, risk metrics, and response protocols that travels from SOC analysts to boardroom presentations without translation errors.

Key pillars of this federated defense include:

  1. Shared threat intelligence. Subscribe to multiple feeds that profile emerging actors, but normalize them into a single taxonomy. Searchlight Cyber emphasizes continuous threat intelligence gathering because the proliferation of new groups makes it critical to update your defenses.

  2. Baseline‑driven monitoring. Instead of chasing names, monitor for behaviors: suspicious PowerShell downloads, large outbound SMB transfers, or repeated failed logins on remote services. Steady volumes of attacks can mask the diversity of TTPs; a baseline can help flag anomalies.

  3. Immutable, off‑site backups and segmentation. The Emsisoft report recommends immutable backups and multi‑factor authentication. Combined with network segmentation and just‑in‑time access, these controls force attackers to invest more effort, making your organization a less attractive target.

  4. Human factor training. Many of the new groups rely on phishing, social engineering, or stolen credentials. Regular phishing simulations and awareness training reduce the success rate of low‑skill actors.
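The baseline‑driven monitoring pillar is easier to picture with code. The example below is added here and is not from the article or from any of the reports it cites; the log format, the field names, the set of “remote services” and the thresholds are all assumptions for illustration, and the log lines are constructed. It builds a per‑host daily baseline for two of the behaviors named above (failed logins on remote services and outbound SMB volume) and flags a day that breaks the baseline, regardless of which ransomware brand is behind it.

```python
"""Baseline-driven monitoring over constructed auth and network-flow logs.

Added example, not code from the article or the GuidePoint/Searchlight/
Emsisoft reports. Log format, field names, service list and thresholds
are assumptions; the sample log lines are constructed.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed line format: "<YYYY-MM-DD>T<HH:MM:SS> <host> <event> key=value ..."
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$"
)
REMOTE_SERVICES = {"vpn", "rdp", "owa", "ssh"}          # assumption
ABSOLUTE_FLOOR = {"remote_auth_fail": 10, "smb_out_bytes": 1_000_000_000}  # assumption


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    return {"day": m["day"], "host": m["host"], "event": m["event"], **fields}


def daily_metrics(lines):
    """Aggregate behaviors per (host, metric) per day. Returns (metrics, sorted days)."""
    metrics = defaultdict(lambda: defaultdict(float))
    days = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        days.add(ev["day"])
        if ev["event"] == "auth_fail" and ev.get("service") in REMOTE_SERVICES:
            metrics[(ev["host"], "remote_auth_fail")][ev["day"]] += 1
        elif ev["event"] == "net_flow" and ev.get("proto") == "smb" and ev.get("dir") == "out":
            metrics[(ev["host"], "smb_out_bytes")][ev["day"]] += float(ev["bytes"])
    return metrics, sorted(days)


def flag_anomalies(metrics, days, k=3.0, min_history=3):
    """Flag a day whose value exceeds mean + k*stdev of all earlier days
    for that host/metric AND exceeds an absolute floor (so a quiet host
    going from 0 to 2 failures is not an alert). Days with no activity
    count as zero in the baseline."""
    findings = []
    for (host, metric), per_day in metrics.items():
        for i, day in enumerate(days):
            history = [per_day.get(d, 0.0) for d in days[:i]]
            if len(history) < min_history:
                continue
            mu, sigma = mean(history), pstdev(history)
            value = per_day.get(day, 0.0)
            if value > mu + k * sigma and value >= ABSOLUTE_FLOOR[metric]:
                findings.append({"host": host, "metric": metric, "day": day,
                                 "value": value, "baseline_mean": mu})
    return findings


def build_sample_logs():
    """Constructed sample: five ordinary days, then a sixth day with a
    password-spraying burst on the VPN and a large outbound SMB transfer."""
    lines = []
    days = [f"2025-10-{d:02d}" for d in range(20, 26)]
    fails_per_day = [2, 3, 4, 3, 2, 40]
    smb_bytes_per_day = [45e6, 50e6, 55e6, 50e6, 48e6, 40e9]
    for day, fails, smb in zip(days, fails_per_day, smb_bytes_per_day):
        for n in range(fails):
            lines.append(f"{day}T08:{n % 60:02d}:00 vpn-gw auth_fail service=vpn user=u{n} src=198.51.100.7")
        lines.append(f"{day}T10:00:00 fs-01 net_flow proto=smb dir=out dst=203.0.113.9 bytes={int(smb)}")
        lines.append(f"{day}T11:00:00 fs-01 auth_fail service=rdp user=svc src=10.0.0.5")
    return lines


def run_example():
    metrics, days = daily_metrics(build_sample_logs())
    return flag_anomalies(metrics, days)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['day']} {f['host']} {f['metric']}: {f['value']:.0f} (baseline mean {f['baseline_mean']:.1f})")
```

The two findings it produces are the VPN brute‑force burst and the outbound SMB spike on the last day; the single daily RDP failure on the file server stays below both the statistical threshold and the absolute floor, which is the point of pairing a baseline with a floor rather than alerting on any deviation.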

Pitfalls To Avoid

Just as the quest for a single source of truth can create bottlenecks in BI, the quest for silver bullets in ransomware defense breeds its own failures. Common anti‑patterns include:

  • “Threat‑feed overload.” Flooding analysts with feeds can lead to alert fatigue. Prioritize high‑quality sources and map them to the MITRE ATT&CK framework.

  • “Lift‑and‑shift patching.” Rushing to patch all vulnerabilities without considering the business context can disrupt operations. Use risk‑based prioritization so that critical external‑facing systems come first.

  • “No plan for extortion.” Focusing solely on encryption misses extortion‑only attacks. Ensure your incident response plan covers data exfiltration, negotiation policies, and communication with stakeholders.

  • “Assuming small groups aren’t serious.” Some of the most active groups are nimble and professional. Don’t dismiss unfamiliar names; treat all intrusions with the same rigor.
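Two points above, normalizing multiple feeds into a single taxonomy (pillar 1) and mapping feeds to MITRE ATT&CK to avoid threat‑feed overload, come down to the same plumbing. The example below is added here and is not from the article or from any real intelligence feed: both feed formats, the actor names and the alias (rebrand) relationships are constructed, and the name‑to‑ID table is a hand‑picked subset of real ATT&CK technique IDs. It resolves rebranded crews to one canonical actor, keys everything by technique ID, keeps a list of entries it could not map for analyst review, and then ranks techniques by how many actors use them, which is the TTP‑first view the article argues for.

```python
"""Normalizing several threat-intel feeds into one ATT&CK-keyed taxonomy.

Added example, not code from the article or any vendor feed. Feed formats,
actor names and alias relationships are constructed; technique IDs are a
small subset of real MITRE ATT&CK IDs. A production version would load the
full ATT&CK STIX bundle instead of TECHNIQUE_NAMES.
"""
import csv
import io
import json
import re
from collections import Counter, defaultdict

ATTACK_ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

# Free-text technique name -> ATT&CK ID (assumed, hand-picked subset).
TECHNIQUE_NAMES = {
    "phishing": "T1566",
    "brute force": "T1110",
    "remote desktop protocol": "T1021.001",
    "exploit public-facing application": "T1190",
    "powershell": "T1059.001",
    "data encrypted for impact": "T1486",
    "exfiltration over web service": "T1567",
}
KNOWN_IDS = set(TECHNIQUE_NAMES.values())

# Constructed alias table: rebrands and spin-offs resolved to one canonical name.
ALIASES = {"crew-a": "CREW-A", "crew-a-v2": "CREW-A", "spinoff-b": "SPINOFF-B", "crew-b": "SPINOFF-B"}


def canonical_actor(name):
    key = name.strip().lower()
    return ALIASES.get(key, key.upper())


# Constructed feed A: JSON lines with free-text technique names.
FEED_A = """\
{"actor": "Crew-A", "technique": "Phishing", "seen": "2025-10-01"}
{"actor": "Crew-A", "technique": "Data Encrypted for Impact", "seen": "2025-10-02"}
{"actor": "Spinoff-B", "technique": "Exploit Public-Facing Application", "seen": "2025-10-03"}
{"actor": "Spinoff-B", "technique": "Exfiltration Over Web Service", "seen": "2025-10-03"}
{"actor": "Crew-C", "technique": "Fileless Loader", "seen": "2025-10-04"}
"""

# Constructed feed B: CSV with ATT&CK IDs and a different actor-name style.
FEED_B = """\
group,ttp_id,first_seen
crew-a-v2,T1110,2025-10-05
crew-b,T1567,2025-10-06
crew-b,T1566,2025-10-06
crew-d,T9999,2025-10-07
crew-d,T1566,2025-10-07
"""


def normalize_feed_a(text):
    """Map free-text names to IDs; unmapped names are returned, not dropped silently."""
    out, unmapped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        tid = TECHNIQUE_NAMES.get(rec["technique"].strip().lower())
        if tid is None:
            unmapped.append(rec["technique"])
            continue
        out.append({"actor": canonical_actor(rec["actor"]), "technique": tid,
                    "seen": rec["seen"], "source": "feed_a"})
    return out, unmapped


def normalize_feed_b(text):
    """Validate IDs syntactically and against the known set."""
    out, unmapped = [], []
    for row in csv.DictReader(io.StringIO(text)):
        tid = row["ttp_id"].strip()
        if not ATTACK_ID_RE.match(tid) or tid not in KNOWN_IDS:
            unmapped.append(tid)
            continue
        out.append({"actor": canonical_actor(row["group"]), "technique": tid,
                    "seen": row["first_seen"], "source": "feed_b"})
    return out, unmapped


def merge(feeds):
    """Canonical actor -> set of technique IDs, across all feeds."""
    by_actor = defaultdict(set)
    for records in feeds:
        for r in records:
            by_actor[r["actor"]].add(r["technique"])
    return by_actor


def technique_prevalence(by_actor):
    """Rank techniques by the number of distinct actors using them."""
    counts = Counter()
    for techs in by_actor.values():
        counts.update(techs)
    return counts.most_common()


def run_example():
    a, unmapped_a = normalize_feed_a(FEED_A)
    b, unmapped_b = normalize_feed_b(FEED_B)
    by_actor = merge([a, b])
    return by_actor, technique_prevalence(by_actor), unmapped_a + unmapped_b


if __name__ == "__main__":
    by_actor, ranked, unmapped = run_example()
    for actor, techs in sorted(by_actor.items()):
        print(actor, sorted(techs))
    print("most shared techniques:", ranked[:3])
    print("needs analyst review:", unmapped)
```

With the constructed input, the two feeds’ “Crew-A” and “crew-a-v2” collapse into one actor, three actors share T1566 (phishing) so it ranks first, and “Fileless Loader” and the malformed “T9999” end up in the review list instead of polluting the taxonomy.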

Proving Value To The Board

Data Protection Centers aren’t measured by the number of dashboards they produce, but by the trust they earn. To justify investments in an age of 77 active groups, focus on metrics that resonate with executives:

  • Mean time to detect (MTTD) and mean time to respond (MTTR). A shrinking MTTD shows that your monitoring strategy spots intrusions quickly; a shrinking MTTR demonstrates effective containment.

  • Phishing resistance rates. Track the percentage of employees who report simulated phishing attempts and correlate improvements with awareness initiatives.

  • Backup integrity tests. Document the frequency and success of restoration drills. Immutable backups remain your last line of defense if encryption strikes.

  • Incident cost avoidance. Quantify the potential financial impact of avoided breaches by comparing your environment’s threats to breach‑cost benchmarks.

Communicating these metrics regularly helps the board understand that stability in victim counts does not equate to reduced risk. The growing roster simply means attacks are distributed differently.

Change Management That Sticks

Defending against 77 adversaries isn’t about buying more tools; it’s about teaching the organization a new language of cyber hygiene. A few approaches help make change stick:

  • Run “ransomware 101” sessions. Teach non‑technical stakeholders the difference between encryption, double extortion, and pure extortion. When executives understand why a small leak matters, they’ll support proactive investments.

  • Promote a contribution model. Encourage analysts and engineers to contribute back: share lessons learned after an incident, update threat libraries, and propose improvements via pull requests.

  • Maintain a monthly changelog. Transparency builds trust. Summarize new TTPs, emerging groups, and the controls you’ve implemented to mitigate them.

  • Celebrate detection successes. Highlight near misses and successful mitigations in quarterly reviews; recognition reinforces good practices and turns security from a cost center into a source of competitive advantage.

Where This Leaves Data Protection

The job of the Data Protection Center isn’t to chase every new ransomware brand; it’s to end the debates about which numbers to trust and which threats to prioritize. When you speak the same threat language across your organization, you transform ransomware from an amorphous boogeyman into a manageable risk.

Yes, there are 77 active crews and counting. Yes, victim counts have plateaued. But behind those numbers lies a dynamic landscape defined by consolidation and fragmentation, by commoditized tooling and professionalized operators, by steady volumes and exploding variety. Embrace that duality. Build a federated defense grounded in shared intelligence, disciplined monitoring, and resilient backups. Avoid the pitfalls of over‑indexing on feeds or underestimating small actors. Prove your value with metrics that matter. And above all, invest in change management so that every stakeholder knows how their choices – from patching to reporting suspicious emails – shape the outcome.

Do that, and the roster’s size becomes just another data point. Your organization won’t be defined by the number of gangs on the threat‑feed, but by your ability to anticipate, withstand, and recover. That’s what turns a chaotic ransomware landscape into a confident defense.
