The ransomware ecosystem is experiencing one of its most unstable moments. If you work in IT or in any organization that depends on digital systems, this landscape directly affects you. During the third quarter of 2025, a historic record was set: 92 ransomware and extortion groups operating simultaneously. We have never seen a scenario so fragmented, so volatile, and so difficult to predict.
At TecnetOne, we have closely followed this trend. What looks like “criminal chaos” is actually a deep reconfiguration of the ransomware market—marked by new brands, reformed old actors, and notable growth in countries like Mexico.
Within this turbulent environment, Qilin, also known as Agenda, is emerging as one of the most active groups in the country—right as another giant, LockBit, announces its return.
A More Fragmented—and More Dangerous—Ransomware Market
It may seem contradictory, but the collapse of major criminal organizations has not slowed malicious activity; it has multiplied it. This quarter alone, 1,712 victims were recorded across 92 leak sites. What stands out is:
- The 10 most active groups accounted for only 48% of victims.
- The remaining half was spread across small, short-lived, nearly unknown actors.
This shows that ransomware has become decentralized. If before you could monitor LockBit, Conti, or BlackCat as dominant players, today you must track dozens of small cells causing the same destruction but with far more unpredictability.
This shift has a clear origin: the recent collapse of groups like RansomHub, 8Base, and BianLian. Their affiliates quickly reorganized into smaller groups, leading to 18 new ransomware “brands” in a single quarter.
Law enforcement has taken down infrastructure—but not the operators. As servers fall, criminals simply multiply, rebrand, and resume operations.
Criminal Reputation Collapse Also Changes the Game
In this underground market, even criminals depend on reputation. If a group fails to “deliver” decryption keys, it loses leverage. With so many new small cells, the payment rate has plunged to 33%. Victims no longer trust that they will recover their data.
But this drop in trust opens the door to something worrying: the return of a group that historically did deliver.
LockBit Returns Stronger: Criminal Power Reconsolidates
After being hit by Operation Cronos in 2024, many believed LockBit was crippled. But in September it resurfaced with LockBit 5.0, a faster, more aggressive version featuring:
- Variants for Windows, Linux, and ESXi
- Advanced evasion techniques
- Double-speed encryption
- Personalized negotiation portals
In its first month back, LockBit already claimed at least 15 confirmed attacks.
Its administrator, LockBitSupp, reappeared on underground forums claiming the organization is fully rebuilt. While these claims can’t be verified, the impact is immediate: dozens of affiliates are tempted to return to a group with structure, reputation, and reliable payouts.
If LockBit manages to regroup the “orphaned” members from other collapsed groups, we may witness a new wave of coordinated attacks.
Qilin: The Emerging Group Already Operating in Mexico
While the giants attempt to rebuild, Qilin is rapidly expanding—and its presence in Mexico is now confirmed.
This group:
- Operates under the Ransomware-as-a-Service (RaaS) model
- Emerged in 2022
- Uses ransomware written in Rust and C
- Targets Windows, Linux, and ESXi
- Uses double extortion (encryption + data leak)
- Exceeded 700 victims in 2025 alone
- Has focused heavily on financial, healthcare, and government sectors
This quarter, Qilin ranked among the world’s most active groups due to its attacks in South Korea—but its expansion across Latin America is also advancing.
Confirmed Qilin Victims in Mexico (2025)
Recorded attacks in Mexico include:
- Fundidora de Cananea (Sonora, mining – November 13)
- Ganadería Revuelta (meat sector – August 22)
- Tecnología Especializada Asociada de México (TEAM) (IT – August 30)
These incidents show one thing clearly: Qilin is testing the Mexican landscape and targeting strategic sectors. It is no longer just global corporations—Mexican organizations are now firmly on the radar.
A Ransomware Ecosystem Evolving Like a Decentralized Network
At TecnetOne, we see it clearly: monitoring “group names” is no longer enough. What matters now is tracking:
- Affiliates
- Shared infrastructure
- Movement patterns
- Overlapping tactics
- Economic incentives within the underground market
This phenomenon resembles decentralized technologies like cryptocurrencies or open-source ecosystems: multiple actors contribute to a shared environment without a centralized leader.
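An added example (not TecnetOne's code) of tracking shared infrastructure and overlapping tactics instead of group names: incidents are merged into one cluster when they share any indicator, even transitively through a third incident. The brands, indicators and incident records are constructed sample data; the technique IDs are MITRE ATT&CK identifiers.

```python
# Cluster incidents by shared infrastructure rather than by ransomware brand.
# All records below are constructed sample data (documentation IPs and domains).
from collections import defaultdict

INCIDENTS = [
    {"id": "inc-1", "brand": "BrandA", "infra": {"192.0.2.10", "pay.example.net"},
     "ttps": {"T1021.001", "T1486", "T1490"}},
    {"id": "inc-2", "brand": "BrandB", "infra": {"192.0.2.10", "198.51.100.7"},
     "ttps": {"T1021.001", "T1486", "T1078"}},
    {"id": "inc-3", "brand": "BrandC", "infra": {"198.51.100.7"},
     "ttps": {"T1566", "T1486", "T1078"}},
    {"id": "inc-4", "brand": "BrandA", "infra": {"203.0.113.5"},
     "ttps": {"T1190", "T1486"}},
]

def cluster_by_infra(incidents):
    """Union-find: two incidents join one cluster if they share any indicator."""
    parent = {i["id"]: i["id"] for i in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # indicator -> id of the first incident that used it
    for inc in incidents:
        for ioc in inc["infra"]:
            if ioc in first_seen:
                parent[find(inc["id"])] = find(first_seen[ioc])
            else:
                first_seen[ioc] = inc["id"]

    groups = defaultdict(list)
    for inc in incidents:
        groups[find(inc["id"])].append(inc)
    return list(groups.values())

def cross_brand_clusters(incidents):
    """Clusters spanning more than one brand, with the TTPs every member shares."""
    out = []
    for members in cluster_by_infra(incidents):
        brands = sorted({m["brand"] for m in members})
        if len(brands) > 1:
            common = set.intersection(*(m["ttps"] for m in members))
            out.append({"ids": sorted(m["id"] for m in members),
                        "brands": brands, "common_ttps": sorted(common)})
    return out
```

With this sample data, inc-1 and inc-3 share no indicator directly but land in the same cluster through inc-2, which is the kind of link that tracking brand names alone would miss.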
Are Attacks Decreasing? No. Is the Landscape Getting Worse? Yes.
The fragmentation of ransomware is not reducing the volume of attacks. On the contrary:
- More actors
- More economic pressure
- More automated techniques
- More opportunities to attack poorly protected sectors
If LockBit attracts affiliates again, we may shift from chaotic attacks to more organized and larger campaigns.
Mexico: A Growing Target for Ransomware
Groups continue exploiting the same entry points we’ve seen for years:
- Exposed RDP
- Well-crafted phishing
- Credentials leaked on the dark web
- Unpatched vulnerabilities
- Cloud misconfigurations
The reality is simple: Mexico has become an attractive market for ransomware groups—particularly because many organizations still fail to implement basic security measures.
How to Protect Yourself in Such a Chaotic Landscape
The main recommendation remains: do not pay ransoms. Authorities and specialists agree that paying only strengthens the criminal ecosystem.
Beyond that, it’s essential to:
- Maintain verified backups
- Implement multi-factor authentication
- Close exposed services
- Monitor leaked credentials
- Train employees on social engineering
- Adopt defenses beyond perimeter security
At TecnetOne, we insist: ransomware evolves as fast as your strategy should.

