
Acronis report reveals ransomware trends and the new gangs targeting MSPs


Ransomware activity has reached record levels, and a new report highlights the latest trends and identifies dangerous new gangs. The Acronis Cyberthreats Report reveals a 70% year-on-year increase in publicly known victims, showing how ransomware dominates the cybercrime landscape for Managed Service Providers and their clients.

A shift in ransomware tactics

The report focuses on the first half of the year and shows increasing activity in early 2025, reflecting the scalability of Ransomware-as-a-Service (RaaS) operations such as Cl0p, Play, and RansomHub.

Donut graph showing most active ransomware groups in H1 2025

By mid-2025, attack volumes began to stabilize, partly as a result of law enforcement crackdowns. 

In February, the 8Base gang was dismantled, while Phobos operators — responsible for compromising over 1,000 victims using advanced encryption and evasion techniques — were arrested in Thailand. 

Two months later, RansomHub abruptly shut down, disrupting the RaaS ecosystem and triggering widespread regrouping. Affiliates migrated to established collectives such as Qilin and DragonForce, or formed spinoffs like VanHelsing and RansomBay.

DragonForce has quickly emerged as a new cartel, offering affiliates branding freedom and flexible operations. Meanwhile, stealth-focused variants such as Anubis and ELENOR-corp have gained traction, emphasizing anti-forensic methods and pure data extortion over traditional encryption.

Ransomware gangs target MSPs

Data in the Acronis report shows how ransomware groups including Akira, Play, Cl0p, RansomHub, Qilin and RALord/Nova stood out as the most active threats targeting MSPs and telecom providers.

The category “Others” in the chart above includes groups such as Abyss, ArcusMedia, BianLian, Ciphbit, Fog, Frag, FunkSec, Hunters International, INC Ransom, JGroup, Kraken (Hello Kitty), LockBit, Medusa and SilentRansomGroup (SRG).

Each group favors distinct entry tactics: Cl0p continues to exploit known flaws in third-party software, while Akira and RansomHub lean on phishing and credential theft, often powered by infostealers.

This shift highlights a broader trend toward flexible, multi-vector intrusions — with attackers choosing whichever access route offers the quickest path past a target’s defenses.

Emerging ransomware players reshape the threat landscape

Between January and May 2025, Acronis observed a new wave of ransomware groups, with the top 10 collectively responsible for 145 known victims worldwide.

Graph showing new ransomware gangs H1 2025

Devman

Devman stands out as a rapidly growing ransomware-as-a-service (RaaS) operation. It offers its malware and infrastructure to affiliates in exchange for a share of the ransom, and even shares encryption tools with other groups such as Qilin and RansomHub. This overlap suggests close collaboration—or possibly shared developers operating under multiple brands. Devman relies on classic double extortion, combining encryption with the threat of public data leaks to pressure victims into paying.

NightSpire

Another fast-moving entrant, NightSpire, emerged in March 2025 and appears to be a rebranded evolution of the earlier Rbfs group. Its activity mirrors that of established affiliate models, though it’s unclear whether NightSpire functions as an open RaaS platform or a closed collective. Its victims are primarily small and mid-sized businesses across manufacturing, logistics, and finance, and it too favors double-extortion tactics to maximize leverage.

These newcomers illustrate how quickly ransomware ecosystems adapt and fragment, with each group testing new business models, alliances, and branding strategies to stay ahead of law enforcement and defensive technologies.

RALord/Nova

RALord, which rebranded as Nova in March 2025, has quickly established itself as a prominent RaaS operation. Like Devman, the group provides affiliates with the full attack toolkit — from malware and infrastructure to leak-site publishing — and takes charge of publicly exposing stolen data when victims refuse to pay.

RALord/Nova’s strategy blends operational disruption with deliberate humiliation. The group routinely publishes detailed breakdowns of its breaches, explaining how it compromised targets to damage reputations and amplify pressure on victims. Its business model is openly commercial: affiliates can buy or rent encryption tools and advertise services across darknet forums and Tor-based leak sites, giving the group both reach and visibility within the cybercrime ecosystem.

The report authors explain how this calculated mix of marketing, intimidation, and technical agility makes Nova one of the more manipulative RaaS brands to emerge in 2025 — signaling how far ransomware groups have evolved to become full-fledged cybercriminal enterprises.

MSPs need to meet evolving ransomware threats

Together, these findings highlight the growing complexity of modern attack chains — and the urgent need for layered, adaptive defenses across every sector. 

Data-theft extortion and zero-day exploitation are increasingly replacing large-scale encryption campaigns, favoring stealth and precision over volume, and AI will accelerate the pace of disruption.

Discover more data and insight, including recommendations on protecting your MSP and its clients in the full Acronis Cyberthreats Report H1 2025.

Miles Kendall