The ransomware landscape shifts quickly, as the continued rise and fall of Ransomware-as-a-Service (RaaS) groups shows. These groups supply the encryptor, leak site and payment infrastructure, and affiliates carry out the intrusions for a share of the ransom. While their tactics are innovative and aggressive, RaaS operations are inherently unstable: source code leaks, law enforcement action and disputes between operators and affiliates regularly break them apart, and new brands form from the pieces.
Halcyon, a dedicated anti-ransomware platform combining prevention tooling, automated recovery and security integrations, has published its list of the top RaaS groups and the tactics, techniques and procedures (TTPs) to watch for in 2025. The aim is to help organizations prioritize their defenses against attacks carried out by ransomware operators.
Top established RaaS groups
Recent years saw the decline of major players such as LockBit and BlackCat/ALPHV. Alongside that decline, newer RaaS groups have quickly established themselves as significant threats.
For 2025, Halcyon identified established RaaS groups to watch for.
- Play is one of the most active and innovative groups in the RaaS space. The group operates with tactics similar to the now-defunct ransomware strains, Hive and Nokoyawa.
- RansomHub has carried out high-impact attacks since its emergence in early 2024. It sets itself apart from other groups by offering affiliates up to 90% of ransom payments.
- 8Base deploys sophisticated tactics, including double extortion and advanced evasion techniques. It’s believed to be tied to experienced RaaS operators like RansomHouse and the Babuk ransomware builder.
- Qilin, previously known as Agenda, is a RaaS operation that targets both Windows and Linux systems. Its payloads are written in Golang and Rust; Rust in particular gives the operators cross-platform builds and binaries that many signature-based and analysis tools handle poorly.
- BlackSuit is a private ransomware group that targets Windows and Linux systems. It shares similarities with Royal ransomware in terms of code structure and encryption methodology.
- Hunters International only emerged in October 2023, but by 2024 it had already conducted over 130 attacks. Building on the Hive codebase, the group targets industries such as healthcare, finance and manufacturing.
Top emerging RaaS groups
Apart from established RaaS groups, Halcyon also named notable emerging groups to keep on the cyber radar.
- Sarcoma is a group that gained notoriety for its aggressive tactics and data breaches. Instead of listing ransom amounts, it uses data leaks to pressure victims into compliance.
- Fog ransomware has garnered attention with its swift file encryption and ransom demands in Bitcoin. It has since expanded, carrying out more lucrative and high-profile attacks.
- Originally a hacktivist group linked with the Anonymous movement, KillSec launched its RaaS platform in June 2024. It takes a 12% commission on each ransom payment.
- Meow Ransomware was first identified in 2022 and re-emerged in 2024. Linked to the Conti v2 variant, it targets U.S. industries handling sensitive data, including healthcare and medical research.
Top TTPs for RaaS Operations
In 2025, ransomware groups are expected to keep refining their tactics, techniques and procedures (TTPs) to increase the impact of their attacks and evade detection.
Social engineering remains the top initial access vector. Other common infection vectors for RaaS affiliates include brute forcing remote access services and logging in with stolen RDP and VPN credentials. Halcyon also expects unpatched vulnerabilities in internet-facing systems to be heavily exploited.
In 2025, more Linux systems are likely to be targeted. Because these servers are "always on, always available", they make reliable footholds for persistence and command and control, and they often host the file shares, hypervisors and backups that make an attack most disruptive.
Ransomware operators also increasingly rely on Living-off-the-Land (LotL) techniques, using built-in administrative tools instead of custom malware to avoid detection. In parallel, these groups develop custom cross-platform payloads and data exfiltration tooling, and data theft for double extortion has become standard in nearly every major operation.
Attackers defeat modern endpoint defenses (EPP, EDR and XDR) with techniques such as unhooking user-mode API hooks and "blinding" sensors so that telemetry never reaches the console. They then inhibit recovery by deleting volume shadow copies and wiping or encrypting cloud backups before the encryptor runs.
Additionally, TTPs once associated with APT-style operations are becoming routine in ransomware intrusions: exploiting zero-day vulnerabilities, employing DLL side-loading, and shipping payloads written in languages such as Rust and Go.
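Two of the TTPs above leave recognizable traces in ordinary telemetry: credential brute forcing shows up as bursts of failed logons from one source, and shadow-copy or backup destruction shows up as command lines for built-in Windows tools. The following detection logic is an added example written for this article, not Halcyon's code or output; the log events it runs over are constructed to illustrate the patterns and are not real telemetry.

```python
"""Toy detections for two RaaS TTPs: brute forcing of remote access logons, and
shadow-copy/backup destruction with built-in Windows tools (a living-off-the-land
pattern).  All events below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the well-known built-in recovery-inhibition commands.
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def backup_tamper_hits(process_events):
    """Return (host, cmd) for every process-creation event matching a pattern."""
    return [
        (ev["host"], ev["cmd"])
        for ev in process_events
        if any(p.search(ev["cmd"]) for p in BACKUP_TAMPER_PATTERNS)
    ]


def brute_force_sources(logon_events, threshold=10, window=timedelta(minutes=5)):
    """Return source IPs with >= threshold failed logons inside any sliding window.

    Successful logons are ignored here; in practice a success following a burst
    of failures from the same source is the higher-priority alert."""
    failures = defaultdict(list)
    for ev in logon_events:
        if ev["status"] == "failure":
            failures[ev["src"]].append(ev["time"])
    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans <= `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)


# ---- constructed sample telemetry (hypothetical hosts and RFC 5737 test IPs) ----
BASE = datetime(2025, 1, 15, 9, 0, 0)

SAMPLE_LOGONS = (
    # 12 failures in under two minutes from one source: a password-spray/brute force.
    [{"time": BASE + timedelta(seconds=10 * i), "src": "203.0.113.7",
      "user": "administrator", "status": "failure"} for i in range(12)]
    # A success from the same source after the burst.
    + [{"time": BASE + timedelta(seconds=130), "src": "203.0.113.7",
        "user": "administrator", "status": "success"}]
    # Three widely spaced failures: an ordinary user mistyping a password.
    + [{"time": BASE + timedelta(minutes=10 * i), "src": "198.51.100.4",
        "user": "jdoe", "status": "failure"} for i in range(3)]
)

SAMPLE_PROCESSES = [
    {"host": "fs01", "cmd": "vssadmin list shadows"},                      # benign
    {"host": "fs01", "cmd": "vssadmin.exe delete shadows /all /quiet"},   # tamper
    {"host": "fs01", "cmd": "cmd.exe /c wmic shadowcopy delete"},         # tamper
    {"host": "fs01", "cmd": "bcdedit /set {default} recoveryenabled No"}, # tamper
    {"host": "ws22", "cmd": "powershell.exe Get-Process"},                # benign
]


def run_detections(logons=SAMPLE_LOGONS, processes=SAMPLE_PROCESSES):
    """Run both rules and return their findings in one dict."""
    return {
        "brute_force_sources": brute_force_sources(logons),
        "backup_tamper": backup_tamper_hits(processes),
    }


if __name__ == "__main__":
    for rule, findings in run_detections().items():
        print(rule)
        for f in findings:
            print("  ", f)
```

The shadow-copy rule is deliberately narrow: it matches the exact commands that inhibit recovery and ignores `vssadmin list shadows`, which administrators run routinely. In a real environment the patterns would be extended to cover the equivalent PowerShell (`Get-WmiObject Win32_ShadowCopy | Remove-WmiObject`) and cloud-backup deletion APIs, and any hit on a file or backup server would be treated as an imminent-encryption signal rather than a low-severity finding.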
While many ransomware groups still target low-hanging fruit, such as vulnerable applications or poorly defended systems, advanced operators also select sectors deliberately. High-value sectors such as healthcare, critical infrastructure, manufacturing and online commerce are prime targets because downtime there is costly and ransoms are more likely to be paid. Industries with limited cybersecurity resources, such as education and state and local government, remain vulnerable for the opposite reason: they are easier to compromise.
As the ransomware landscape continues to shift, Halcyon says it will keep publishing research alongside its product. Each quarter it releases its Ransomware Malicious Quartile report, which ranks ransomware groups on factors such as attack volume, sophistication and impact.