Ransomware gang wars escalate with doxxing threats and victim data recovery

By Craig Nash
AI-powered tech writer covering artificial intelligence, chips, and computing.

Ransomware gang wars have entered an unprecedented phase. Instead of operating in the shadows, rival criminal groups are now publicly threatening to expose each other’s members—revealing identity photos, names, locations, and personal details—while simultaneously offering decryption services to the victims of their competitors. This extraordinary conflict, analyzed by cybersecurity experts, represents a rare crack in the criminal underworld that victims may be able to exploit.

Key Takeaways

  • Ransomware gang wars are escalating with public doxxing threats between rival groups in 2025.
  • Q1 2025 saw 2,028 known ransomware victims, a 100% increase from Q1 2024, with 65 active groups.
  • Cl0p, Akira, and RansomHub claimed 770 victims in Q1 2025, making them the most active gangs.
  • Victims may recover encrypted data during gang conflicts, though risks from untrustworthy actors remain high.
  • Ransomware groups operate with hierarchical roles including developers, operators, affiliates, and negotiators.

How Ransomware Gang Wars Differ From Traditional Cybercrime

Ransomware gang wars represent a fundamental shift in how criminal organizations compete. Rather than conducting business quietly, these groups are now waging public battles that expose their internal conflicts. Gangs are threatening to dox rival members—publishing identity photos, names, and physical locations—as a form of retaliation and intimidation. This behavior is unprecedented in the ransomware ecosystem and signals deepening tensions within the criminal underworld.

Traditional ransomware operations followed a predictable pattern: gain network access, encrypt files, demand payment, and publish data if victims refused to pay. The hierarchy was clear: developers created the malware, operators deployed it, affiliates gained initial network access and exfiltrated data, and negotiators handled ransom discussions. Infighting was suppressed to maintain operational security. Today, that discipline is cracking. Gangs are abandoning anonymity as a weapon against rivals, creating unusual cybercrime conflicts that prioritize public humiliation over operational security.

Ransomware Gang Wars and the Explosion in Attack Volume

The timing of these feuds coincides with a massive surge in ransomware activity. In Q1 2025, ransomware groups targeted 2,028 known victims—more than double the number from the same quarter in 2024. The number of active ransomware gangs has also grown, with 65 groups now operating compared to 47 a year earlier, a 38% increase. This congestion creates competition for affiliates, victims, and negotiation leverage, fueling the rivalries that are now boiling over into public feuds.

The most active gangs in early 2025 include Cl0p, Akira, and RansomHub, which collectively claimed 770 victims in Q1 2025. With so many groups hunting the same targets and fighting for affiliate loyalty, the criminal ecosystem is becoming increasingly unstable. Affiliates—the actors who gain initial network access—can now switch between gang operations more easily, giving them leverage but also creating resentment among group leaders. This instability is driving the public conflicts we now see.

How Victims May Recover Data During Ransomware Gang Wars

The most immediate benefit of ransomware gang wars for victims is the possibility of data recovery without paying the original attacker. When rival gangs publicly feud, they sometimes offer decryption services to victims of their competitors as a way to embarrass and undermine the rival operation. A victim hit by one gang might be approached by a rival group offering to unlock their files—either for free as a publicity stunt or for a reduced payment.

However, this opportunity comes with substantial risks. Accepting decryption from a rival gang introduces multiple dangers: the decryption tool itself may be compromised, the rival gang may re-infect the network with their own malware, or they may simply take payment and provide nothing. Untrustworthy actors dominate the ransomware ecosystem, and there is no guarantee that a rival gang’s offer of help is genuine. Victims considering this path must weigh the potential recovery of their data against the risk of further compromise.

Organizations hit by ransomware should prioritize reporting the attack to law enforcement and consulting with incident response specialists before engaging with any criminal actor, regardless of how legitimate the offer appears. The brief window of opportunity created by gang wars can close quickly, and hasty decisions often backfire.

Why Ransomware Groups Are Turning on Each Other

Several factors are driving ransomware gang wars. First, law enforcement operations have destabilized major groups. LockBit, once a dominant force, was subject to a major law enforcement operation in early 2024, which disrupted its affiliate network and forced members to seek new criminal homes. Displaced affiliates and operators are now competing for access to existing gangs, creating tension within organizations that were not designed to absorb sudden influxes of new members.

Second, the sheer number of active gangs means that competition for targets is fiercer than ever. With 65 groups operating simultaneously, each trying to maximize victim claims and ransom payments, the incentive to sabotage competitors has grown. Doxxing rivals becomes a tool for eliminating competition—if the members of a rival gang face legal consequences or personal danger due to exposure, that gang becomes less of a threat.

Third, the affiliate model itself creates instability. Gangs depend on affiliates to gain network access and exfiltrate data, but affiliates have little loyalty. If one gang’s operations become unstable or unprofitable, affiliates simply move to another group. This creates a constant churn of personnel and allegiances, making it harder for gangs to maintain operational security or control their members’ behavior. Public feuding is sometimes the result of gangs losing control of their own people.

What This Means for Cybersecurity Going Forward

Ransomware gang wars create both opportunities and dangers for organizations. On one hand, the instability within criminal networks may lead to more mistakes, more exposure of gang infrastructure, and more opportunities for law enforcement to identify and prosecute members. The doxxing threats mean that some ransomware operators now face real personal consequences for their activities, which may deter recruitment or cause members to exit the criminal ecosystem.

On the other hand, the proliferation of gangs and the increase in attack volume mean that organizations face more threats than ever. The 100% increase in known victims from Q1 2024 to Q1 2025 suggests that the ransomware ecosystem is not weakening—it is expanding and fragmenting. More gangs, more affiliates, and more attacks create a chaotic threat landscape where even the internal conflicts of criminals offer little comfort to defenders.

Are ransomware gang wars likely to continue?

Yes. The conditions that fuel these conflicts—law enforcement pressure, affiliate instability, and intense competition for victims—show no signs of abating. As long as ransomware remains profitable and the ecosystem remains crowded, gangs will continue to fight for market share and survival. The doxxing threats are likely to escalate as groups seek new ways to intimidate rivals and recruit affiliates.

Can victims safely use decryption tools offered by rival gangs?

It is extremely risky. While a rival gang may genuinely offer decryption to embarrass a competitor, the tool could be compromised, the gang could re-infect the network, or they could simply take payment and disappear. Victims should consult law enforcement and incident response professionals before accepting any offer from criminal actors, regardless of how legitimate it appears.

How can organizations reduce their risk of ransomware attacks?

Organizations should focus on network segmentation, multi-factor authentication, regular backups stored offline, and employee security training. Monitoring for signs of network compromise—unusual outbound traffic, suspicious access patterns, or evidence of data exfiltration—can help detect attacks before encryption occurs. Incident response planning and coordination with law enforcement are also critical, as they improve the chances of recovery without paying ransom.

Ransomware gang wars represent a destabilization of the criminal ecosystem, but they do not signal the end of ransomware as a threat. Instead, they reflect the maturation and fragmentation of an industry that remains highly profitable and increasingly competitive. Victims caught in the crossfire may occasionally benefit from rival gangs’ willingness to undermine each other, but organizations cannot rely on criminal infighting for protection. The focus must remain on prevention, detection, and response—the fundamentals that work regardless of what chaos unfolds in the criminal underworld.

This article was written with AI assistance and editorially reviewed.

Source: TechRadar
