0mega is a ransomware group first observed in May 2022, operating with a double extortion model:
* Encrypting victim files (adding the .0mega extension)
* Threatening to leak stolen data if ransom demands are not met.
Ransom notes are named DECRYPT-FILES.txt and include victim-specific details and a Tor-based negotiation portal.
Unlike typical Ransomware-as-a-Service (RaaS) operations, 0mega appears to work as a closed group, selecting a limited number of high-value targets.
The group employs two main tactics:
* Traditional ransomware encryption of on-premise systems.
* Cloud-based extortion, compromising Microsoft 365 Global Admin accounts, creating unauthorized admin users, and exfiltrating data via SharePoint.
Active period: May 2022 – January 2024
2023Lock is a ransomware strain first observed in January 2024, believed to be an evolution of the Venus and Zeoticus families and a direct precursor to the later TrinityLock variant. It employs a hybrid encryption method combining XChaCha20 and curve25519xsalsa20poly1305, appending the “.2023lock” extension to encrypted files. Upon infection, it delivers ransom notes in HTML, TXT, and HTA formats containing decryption instructions. Unlike many modern ransomware groups, there is no evidence that 2023Lock engages in double extortion or data exfiltration, operating purely through file encryption to pressure victims into payment. Its codebase and operational patterns strongly align with TrinityLock, which emerged a few months later with more sophisticated extortion tactics.
3AM, also known as ThreeAM, is a relatively new ransomware family that emerged in late 2023, initially deployed as a fallback option when LockBit infections failed. Written in Rust for 64-bit systems, it appends the “.threeamtime” extension to encrypted files and tags them with the marker “0x666,” while deleting Volume Shadow Copies to hinder recovery. 3AM operators use a double extortion strategy, combining file encryption with data theft and threats to leak stolen information. More recent campaigns have shown increased sophistication, incorporating email bombing followed by vishing calls to convince victims to grant remote access via Microsoft Quick Assist. Attackers then deploy virtual machines containing backdoors, allowing them to remain undetected while exfiltrating data before attempting to launch the ransomware payload.
8Base emerged in early 2022 and rapidly escalated its ransomware operations by mid-2023, positioning itself as a “simple pen tester” while executing a relentless double-extortion scheme: encrypting files using AES-256 CBC mode (appending the “.8base” extension) and threatening to leak stolen data via a Tor-accessible leak site. The group leverages initial access methods such as phishing and SmokeLoader, disables security mechanisms like Volume Shadow Copy and firewalls, and deploys persistence via registry and startup entries. Targeting primarily small and medium-sized organizations across sectors such as manufacturing, finance, IT, and healthcare in regions including the U.S., Brazil, and Europe, 8Base has drawn comparisons to Phobos and RansomHouse for its tactics and ransom-note style. In early 2025, international law enforcement operations disrupted the group, resulting in the arrest of four key actors, seizure of servers, and warnings to hundreds of potential victims.
The locker is written in C/C++/ASM.
It supports all systems starting from Windows 2003, has a separate binary for ESXi, and uses a unified encrypted file format across all systems.
WINDOWS:
• Two encryption modes: patch-based and file header.
• Extensive configuration settings: from ignoring specific paths/extensions to terminating services/processes, unlocking occupied files, working with network shares, and more.
• Arguments available for shutting down Hyper-V virtual machines, deleting backups, network scanning with logged-in user tokens.
• Each build includes an obfuscated PowerShell script.
• Execution is password-protected.
• The locker itself is shellcode for x86/x64; if you have custom execution methods, we can provide the shellcode.
ESXI:
• Encrypts files in patches, with configurable path exclusions.
The default configuration is pre-set to avoid disrupting Windows/ESXi/Linux systems.
Our commission is 20% of payouts
Abrahams_Ax, first observed in November 2022, is not a Ransomware-as-a-Service (RaaS) operation but a politically motivated hacktivist persona. The group is linked to the Iranian-associated threat actor COBALT SAPLING, which previously operated as Moses Staff. It uses double-extortion tactics focused on stealing and leaking sensitive data rather than encrypting files. Infrastructure, visual branding, and operational patterns strongly resemble those of Moses Staff, suggesting a shared origin. Its most notable incident was the breach of the Saudi Arabian Ministry of Interior, where stolen data was published alongside propaganda content. The group’s targeting appears to align with Middle Eastern geopolitical interests, particularly against Israeli- and Saudi-linked entities. No encryption methods or file extensions are publicly documented, as encryption is not part of their operations.
Abyss‑Data, also known as Abyss Locker, is a ransomware operation first identified around March 2023. It conducts double extortion by exfiltrating data and encrypting systems—particularly targeting VMware ESXi virtual environments—then threatening to leak stolen data via a TOR-based leak site if ransom demands aren't met. The group’s Linux variant derives from the Babuk ransomware source code with encryption resembling HelloKitty, using ChaCha–based ciphers. On Windows, Abyss Locker encrypts files (typically appending “.abyss” or randomized extensions), deletes Volume Shadow Copies, manipulates boot policy to disable recovery, and delivers ransom notes (e.g., WhatHappened.txt), often replacing the desktop wallpaper as part of its extortion tactics. Its campaigns have targeted diverse industries—finance, healthcare, manufacturing, technology—across multiple regions, with victim lists prominently featuring organizations in North America.
AdminLocker was first observed around December 2021 and appears to be a lone operator or small group, with no clear Ransomware-as-a-Service (RaaS) model reported. It uses single-extortion tactics—encrypting files without publicly documented data exfiltration—primarily targeting enterprise and personal systems via methods such as malicious email attachments, cracked software installers, P2P downloads, and malvertising. The ransomware employs symmetric and asymmetric encryption (likely AES combined with RSA) to lock files, appending extensions such as .admin1, .admin2, .admin3, .1admin, .2admin, and .3admin; victims receive a “!!!Recovery File.txt” ransom note with instructions to pay via Tor and Bitcoin. Notable for its multiple simultaneous variants with varied extensions, it reportedly allows victims to decrypt up to five small files as “proof” before demanding ransom. No high-profile sector- or region-specific campaigns are publicly documented.
This ransomware group (notably stylized as aGl0bGVyCg) has extremely limited publicly available information. No confirmed active period is documented, nor is there evidence of whether it operates as a RaaS (Ransomware-as-a-Service). Similarly, there is no known data about its extortion type (single or double), preferred targets, intrusion methods, encryption techniques, file extensions, or ransom note behavior. The only identifiable detail is the blog URL hitleransomware.cf, which appears to serve as its public-facing leak or command-and-control site. Overall, public threat intelligence remains too sparse to draw even basic conclusions beyond the existence of the blog site.
AiLock is a Ransomware-as-a-Service (RaaS) group first identified in March 2025. It employs a double-extortion approach—encrypting files and threatening to report breaches to regulators or share stolen data with competitors if the ransom isn’t paid. Victims have just 72 hours to respond and up to five days to pay; failure to pay results in data leaks and destruction of recovery tools. The ransomware appends the extension .AiLock to encrypted files, changes file icons to a green padlock with the “AiLock” name, and replaces the desktop wallpaper with a distinctive robot-skull logo. It employs a hybrid encryption scheme, combining ChaCha20 for file encryption with NTRUEncrypt for securing metadata, and uses a multi-threaded design (path-traversal and encryption threads with IOCP) for efficiency. While active campaigns and leak sites are confirmed, specific sectors, regions, and intrusion methods remain undisclosed in public sources.
Akira is a ransomware group first observed in March 2023, targeting both Windows and Linux environments, with a particular focus on corporate networks and VMware ESXi servers. The group employs a double extortion model, stealing sensitive data before encrypting systems and threatening to leak it on a Tor-based leak site if ransom demands are not met. Akira typically gains initial access through exploitation of unpatched VPN services, compromised RDP credentials, phishing, or abuse of legitimate remote administration tools. Its Windows variant uses the Windows CryptoAPI to encrypt files, appending the “.akira” extension while skipping critical system folders to maintain system stability. Ransom demands have ranged from $200,000 to over $4 million, typically requested in Bitcoin, and the group has been linked to high-profile incidents affecting education, manufacturing, and healthcare sectors. Akira appears to operate independently rather than as a Ransomware-as-a-Service, and continues to evolve, with recent variants improving encryption speed and evasion techniques.
First observed in early January 2020 (initial victim post on January 9, 2020), Ako (also known as MedusaReborn) operates under a Ransomware-as-a-Service (RaaS) model, with daily beta builds reportedly offered for affiliates. It uses a double-extortion approach—encrypting files and exfiltrating data, with subsequent threats to leak the data via a dedicated leak site. Delivery primarily occurs via malspam, often through password-protected ZIP attachments containing malicious .scr executables. After compromise, it deletes shadow copies and disables recovery, then encrypts files—excluding certain extensions—and appends random six-character suffixes, dropping files like ako-readme.txt and id.key. Encryption is carried out using unspecified algorithms, but its behavior aligns closely with MedusaLocker variants. Known targets include networked Windows environments, potentially across multiple sectors. No notably high-profile or geographically specific incidents are detailed.
ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.
ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network.
Amnesia ransomware was first identified in May 2017, particularly affecting enterprise cloud environments. It does not appear to operate as Ransomware-as-a-Service (RaaS), and there is no public indication of a provider-led affiliate structure. The extortion model is single-stage—primarily file encryption without documented data theft or leak threats. It targets specific file types and resets their modified timestamps. Encrypted files may receive suffixes such as .amnesia, .@decrypt2017, .[Help244@Ya.RU].LOCKED, .CTB-Locker, and several others. Common ransom notes include files named HOW TO RECOVER ENCRYPTED FILES.TXT or RECOVER-FILES.HTML, typically placed in every folder. Executable names associated with its delivery include variants like guide.exe, update.exe, Happier.exe, bstarb.exe, among others. The encryption algorithm is AES-256, implemented in Delphi, and victims are instructed to contact the attackers via email addresses (e.g., decrypt@india.com). No high-profile incidents or geographic patterns have been publicly attributed to Amnesia.
Antibrok3rs emerged as an access broker (not a ransomware operator itself) linked to the aftermath of the 2023 MOVEit supply-chain exploitation. From November 2024 through early 2025, this actor has posted stolen data from at least 15 energy-sector victims, including U.S. utilities such as CenterPoint Energy, Entergy, Nevada Energy, and Appalachian Power—data likely obtained via the MOVEit breach. While some analysts suspected ties to the Cl0P ransomware collective, Antibrok3rs publicly denied any such affiliation. The extortion model centers on data leakage without accompanying file encryption—a purely leak-based threat. No delivery, encryption, or ransom note behaviors have been observed, nor is there evidence of RaaS activity.
Anubis is a financially motivated cybercrime group primarily known for its banking trojan operations but also linked to ransomware activity targeting corporate networks. First identified in 2016 and evolving over time, Anubis ransomware attacks have targeted Windows systems, often deployed after initial compromises by the Anubis banking malware or other access vectors such as phishing, malicious email attachments, or exploitation of unpatched vulnerabilities. The group’s ransomware encrypts files using strong symmetric encryption algorithms, appending distinctive extensions and delivering ransom notes with payment instructions via Tor. Anubis has targeted multiple sectors worldwide, including finance, retail, and government, often combining ransomware with credential theft and data exfiltration to maximize pressure on victims. Its infrastructure and tactics overlap with other financially motivated actors, suggesting possible affiliate or shared tool usage within broader cybercriminal ecosystems.
Apos ransomware surfaced in April 2024 and is best characterized as a data‑broker or leak‑only operation, rather than a traditional file‑encryption ransomware. It has not been observed to conduct encryption, but instead focuses on data exfiltration with threats to leak or sell the stolen information. Targets span sectors such as technology, healthcare, manufacturing, business services, telecommunications, and government—with significant victimology in Brazil, the United States, India, France, Paraguay, and Spain. Reporting suggests its activity tapered off after a few incidents, possibly indicating a one-time campaign or short-lived operation. Though some sources list multiple victims, technical details such as encryption algorithms, ransom notes, or extortion pricing are not publicly documented. Apos is sometimes listed among new or industrial-focused threats observed in Q1 2025, but remains poorly defined in public technical intel.
Page title
Status
Last visit
URL
Screen
Notion – The all-in-one workspace for your notes, tasks, wikis, and databases.
Aptlock surfaced in early 2025 and is characterized by a single-extortion model combined with threats of data leakage. The ransomware encrypts files on Windows systems, appending the extension .aptlock, and then changes the victim’s desktop wallpaper. Victims receive a ransom note named read_me_to_access.txt informing them that their critical company data has been exfiltrated and will be deleted or leaked if they don’t act. They are given 72 hours to initiate contact via Tor-based chat access (using credentials provided in the note), with further warnings issued if no engagement occurs within 5 days. Specific details about intrusion vectors, encryption algorithms used, or known affiliate operators remain undisclosed in public threat intelligence. No reliable evidence links Aptlock to Ransomware-as-a-Service operations or lists any known affiliates.
Arcane first emerged in mid-2021 under the UNC2190 cluster and later rebranded as Sabbath, continuing its operations against critical infrastructure like hospitals, schools, and educational entities. It follows a double-extortion model—encrypting data (using ROLLCOAST/Eruption malware) while also exfiltrating sensitive information and threatening to leak it. Victims have included institutions in the U.S. and Canada across sectors such as healthcare, education, and natural resources. Initial intrusion tactics involved deployment of Cobalt Strike with custom profiles, DLL-based in-memory execution, and signed TLS certificates, plus use of stealthy GET requests ending with “kitten.gif.” Specific encryption algorithms or file extensions have not been publicly confirmed. The group appears to operate in an affiliate-style model but remains under single management rather than a full RaaS platform.
ArcRypt (also known as ARCrypter or ChileLocker) was first identified in August 2022, originally targeting government entities in Latin America and subsequently expanding globally. The group employs a single-extortion model—there is no evidence of a data-leak threat or RaaS ecosystem. The malware encrypts files using extensions such as .crypt, .crYpt, and .crYptA3, and uniquely drops the ransom note before commencing encryption. It has variants for both Windows and Linux, including a Go-based Linux version. Communication with victims occurs via Tor-based portals, evolving over time from a single shared site to individualized mirror sites for each victim. In some cases, threat actors have instructed victims to contact them using Tox, creating a Tox profile for communication. Targets have included Chile’s government infrastructure, Colombia’s Invima agency, and organizations in China and Canada.
Arcus Media first emerged in May 2024 and operates as a Ransomware-as-a-Service (RaaS) with a double-extortion model—encrypting data and threatening to leak it if the ransom isn't paid. The group leverages advanced capabilities including selective encryption (partial encryption of large files with the ChaCha20 cipher and RSA‑2048 key protection), privilege escalation, disabling recovery mechanisms, and terminating critical services like SQL servers and email clients to maximize disruption and thwart defense. Initial access comes through phishing, credential theft, or exploitation of vulnerabilities, with lateral movement facilitated by tools like Mimikatz and Cobalt Strike. Since its debut, Arcus Media has — by mid‑2025 — been linked to 50+ confirmed attacks, spanning industries such as business services, retail, media, healthcare, and manufacturing across the Americas, Europe, and Asia. Victims include high-profile targets like Braz Assessoria Contábil and FILSCAP.
Argonauts Group is a data extortion operation that surfaced around September–October 2024, primarily targeting organizations in Italy, as well as entities in Taiwan, Japan, Canada, and the U.S. It does not appear to use conventional file-encryption ransomware methods—instead, it steals data and operates a dedicated data leak site (DLS) to pressure victims into paying. Victims span sectors like technology, manufacturing, transportation/logistics, and healthcare. The group has claimed to steal substantial volumes of sensitive information—e.g., 200 GB from Ivy Life Sciences (Taiwan) and 140 GB from Japan’s Zacros—and publicly disclosed some samples on its leak site. Although some references imply prior activity back to October 2021, these appear to be less reliable and not substantiated by authoritative intel. As of now, there is no clear evidence of traditional ransomware encryption, ransom notes, or RaaS infrastructure.
Arkana Security emerged in early 2025, debuting with a high-profile data-extortion campaign against the U.S. internet provider WideOpenWest (WOW!). The group does not appear to deploy actual ransomware encryption; rather, it operates a data-broker-led, leak-centric extortion model, with a structured "Ransom → Sale → Leak" progression. Victims so far include WOW! and several other organizations across sectors such as telecommunications, mining, finance, electronics, and music/entertainment, spanning the U.S. and UK. Arkana facilitates its threats through doxxing and "Wall of Shame" tactics, leveraging psychological pressure rather than encrypting systems. Its operations are characterized by post-intrusion lateral movement and deep backend access.
Arvin Club first appeared around early to mid-2021, debuting on its Tor leak site with posts dating back to May 5, 2021. While frequently characterized as ransomware, there is no verified evidence of file encryption or RaaS operations—its behavior aligns more closely with data-leak and hacktivist activity. The group actively publishes stolen data via its Onion site and maintains a prominent presence on Telegram, operating both official channels and group chats (notably with Persian-language content). A known target includes India's Kendriya Vidyalaya school network among others. Arvin Club has shown ideological leanings (notably support for REvil) and claims to have “hacktivist” motivations, including activities against the Iranian regime. No encryption algorithms, file extensions, or ransom notes have been publicly documented.
AstraLocker first appeared in 2021, likely as a fork of Babuk ransomware using leaked source code. It follows a single-extortion, smash-and-grab approach: distributed directly via phishing Microsoft Word documents containing embedded OLE objects. Once executed, it kills security and backup processes, deletes shadow copies, and encrypts files using modified HC-128 and Curve25519 algorithms, appending extensions like .Astra or .babyk. A “smash-and-grab” style attack, it’s less methodical than more sophisticated campaigns—deploying ransomware immediately upon user action rather than conducting prolonged network reconnaissance. In mid-2022, the operator ceased ransomware operations, releasing decryptors and announcing a pivot to cryptojacking.
AtomSilo emerged in September 2021 and ceased operations by year-end 2021. It functioned with a double‑extortion model, combining file encryption with data exfiltration and leak threats. The malware uses a hybrid encryption scheme—AES‑256 for file encryption and RSA‑4096 to secure the AES key—and appends the extension .ATOMSILO to encrypted files. Ransom notes follow formats like README-FILE-{computer name}-{timestamp}.hta or ATOMSILO-README.hta. Structurally and operationally, AtomSilo closely resembles the LockFile ransomware and is attributed to the Chinese state-linked actor BRONZE STARLIGHT (aka Cinnamon Tempest, DEV‑0401, Emperor Dragonfly, SLIME34), likely serving as a smokescreen for espionage-driven data theft. Victims spanned multiple industries and countries, including notable high extortion demands up to $1 million USD. The group also exploited the Atlassian Confluence vulnerability (CVE‑2021‑26084) for initial access and used DLL side‑loading for stealthy deployment.
Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.
First observed in July 2021, AvosLocker operates as a Ransomware-as-a-Service (RaaS) platform employing a double-extortion model—encrypting files and exfiltrating data with threats to leak it publicly. Its affiliates have targeted diverse environments including Windows, Linux, and VMware ESXi, particularly impacting sectors such as education, government, manufacturing, and healthcare across the U.S., Canada, and numerous other countries. Affiliates gain access through phishing emails, exploitation of vulnerabilities (notably Microsoft Exchange ProxyShell/log4j, Zoho ManageEngine), and compromised remote services. Technically, AvosLocker uses AES (with RSA-wrapped keys) for file encryption, often executing in safe mode to bypass security defenses, and directs victims to ransom notes like GET_YOUR_FILES_BACK.txt while changing the desktop wallpaper. Its data leak site operated from mid-2021 until about July–August 2023. No activity has been observed since May 2023.
AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities.
In March 2022, the FBI and US Treasury Department issued a warning about the attacks.
Axxes ransomware emerged as a rebranded version of the previously known Midas ransomware group, with roots also tracing back through Haron and Avaddon lineage. It operates via a single-extortion model, encrypting files and appending the .axxes extension. Victims receive both an “RESTORE_FILES_INFO.hta” and a “.txt” ransom note. The ransomware performs extra actions like determining the device’s geolocation, modifying the Windows Firewall, changing file extensions, and terminating processes using taskkill.exe. Its known targets span the U.S., UAE, France, and China, including at least one high-profile victim—The H Dubai hotel. This group appears financially motivated, leveraging historical branding and code of earlier groups for its operations.
We are AzzaSec — a decentralized PMC (Private Military Contractor), RaaS (Ransomware-as-a-Service) syndicate, and botnet operator at the intersection of cyberwarfare, asymmetric operations, and underground economics.
Emerging from the collapse of traditional hacktivism, we evolved into a sovereign digital force. We offer custom offensive solutions to clients with political, financial, or strategic objectives. We are stateless, leaderless, and loyal only to code.
B0 is a relatively obscure ransomware operation with very limited public reporting outside of leak site monitoring. It appears to operate a data-extortion model, with a dedicated leak site on the Tor network, and no confirmed use of encryption-based ransomware in documented incidents. The group is listed in ransomware tracking services from at least mid-2024, but there are no major vendor reports describing their victimology, intrusion methods, encryption schemes, or specific targeting patterns. Its branding and operational style suggest a small, self-contained group rather than a large RaaS platform.
On January 26th, Babuk's dedicated leak site (DLS) was "relaunched". Bjorka (Telegram: @bjorkanesiaaaa) is the current administrator. Upon launch, the DLS was populated mainly by victims previously claimed by other groups such as RansomHub, Lockbit3, and Funksec. At this current time there is no apparent connection to the original Babuk operation besides reusing the Babuk site template and logos. The groups is also known as Babuk2 by other trackers.
It is important to note that the original Babuk DLS was hosted and available up until February 26th, 2024.
Babuk‑Locker emerged in early 2021 as a Ransomware‑as‑a‑Service (RaaS) gang targeting high‑value “big game” enterprises across sectors like healthcare, telecommunications, finance, education, and government. It initially deployed crypto-ransomware—encrypting files using ChaCha8 encryption with keys secured via elliptic‑curve Diffie‑Hellman—and later added a double‑extortion model involving data theft and leak site threats. Notable incidents include attacks on the Washington, D.C. Metropolitan Police Department and other organizations. In mid‑2021, Babuk’s source code was leaked, prompting both a fragmentation of its core operations and emergence of variants like Babuk Tortilla and Babuk V2. Affiliates exploited vulnerabilities in ESXi hypervisors to deliver destructive variants, and law enforcement actions eventually disrupted key operators.
BabyLockerKZ is a variant of MedusaLocker ransomware, first observed in late 2023. It operates under a double‑extortion model, combining file encryption with data exfiltration and extortion. Technically, it reuses MedusaLocker’s AES + RSA‑2048 hybrid encryption, appends the .hazard file extension to encrypted files, and includes a unique autorun registry key (“BabyLockerKZ”) alongside dedicated public/private key data inserted into registry values. Initial access is achieved through opportunistic methods like RDP compromises, with lateral movement facilitated by compromised credentials and tools such as Mimikatz. The variant employs a custom toolkit codenamed paid_memes, which includes tools like "Checker" for scanning credentials, facilitating automation, and bridging toolsets for further exploitation. Starting late 2022, its operators have compromised over 100 organizations per month, initially targeting European victims before shifting toward Latin America in 2023.
BackMyData is a variant of the Phobos ransomware family, first observed in early 2024. It follows a double‑extortion model: encrypting files and threatening data exposure. The ransomware primarily targets organizations via weak or misconfigured RDP access (e.g., remote desktop services), though phishing and initial-stage payloads like SmokeLoader have also been noted. Technical behavior includes AES‑256 file encryption, with keys secured via a public RSA‑2048 key embedded in the binary. Post-infection actions involve disabling firewalls, deleting volume shadow copies, inhibiting recovery functionality, and establishing persistence through registry Run keys and startup folder entries. Encrypted files receive the extension .BACKMYDATA, and victims are left with ransom notes (info.txt, info.hta, or .backmydata) that instruct them to contact attackers via email or Session Messenger. A significant incident involved a coordinated attack on Romania’s Hipocrate Information System (HIS), impacting 26 hospitals and causing widespread system outages across nearly 100 facilities, with ransom demands of approximately 3.5 BTC (~$175,000).
BalletsPistol is a Python-based ransomware strain distributed via GitHub. An investigative report from June 2025 reveals its delivery through a malicious ISO file hosted on a now‑removed public GitHub repository
tinextacyber.com+1
. The infection chain begins when the ISO (named Invoice.iso) is downloaded and mounted, revealing a batch script (MAIN.BAT) and supporting components—including a password-protected ZIP and shortcut (.lnk) for execution. The malware performs privilege escalation (via UAC bypass using fodhelper.exe), persistence via registry and scheduled tasks, and then extracts an executable from the ZIP to commence the main payload. This binary encrypts user files with a hybrid AES + RSA scheme, adding the .iDCVObno extension to encrypted files; it also drops ransom notes (RESTORE-MY-FILES.TXT or .HTA) and changes the victim’s wallpaper.
Beast ransomware emerged in 2022 as an enhanced iteration of the earlier “Monster” ransomware. It operates under a Ransomware-as-a-Service (RaaS) model, offering affiliates rich customization options to create tailored binaries targeting Windows, Linux, and VMware ESXi systems. Key technical capabilities include hybrid Elliptic-Curve + ChaCha20 encryption, segmented file encryption, ZIP wrapper mode (encrypting files into zip archives with embedded ransom notes), multithreaded processing, termination of services, shadow copy deletion, hidden partition usage, and subnet scanning. Affiliates are provided configurable offline builders, enabling streamlined deployment across multiple platforms. While Beast's functional power is well-documented, details on its specific victims, sectors targeted, and leak site activity remain limited in public sources.
aka Belesn Group.
Belsen Group emerged in January 2025 as a data broker and leak-focused threat actor, not engaging in ransomware encryption. Their first major action involved publishing sensitive configuration files, VPN credentials, and IP addresses for over 15,000 Fortinet FortiGate firewalls—data likely stolen through exploitation of CVE‑2022‑40684. The group began by sharing the data freely to establish credibility, before shifting to monetized access and offering sales of network access to high-value targets such as major banks and an East African airline. Their activities place them firmly in initial access brokerage, targeting confidential infrastructure details for sale.
BERT ransomware (also tracked as Water Pombero) first emerged in April 2025, rapidly targeting both Windows and Linux systems across Asia, Europe, and the U.S., with confirmed victims in healthcare, technology, electronics, and event services sectors. Its Windows variant employs a PowerShell-based loader that escalates privileges, disables Defender, UAC, and the firewall, then downloads the ransomware payload. The Linux version aggressively encrypts with up to 50 concurrent threads, forcibly shuts down VMware ESXi VMs to prevent recovery, and appends extensions like .encryptedbybert or .encrypted_by_bert. BERT uses AES encryption, and later variants feature optimized multithreading via ConcurrentQueue and DiskWorker threads. Analysts note code similarities with REvil and Babuk ESXi lockers, potentially pointing to shared development lineage or code reuse.
BianLian ransomware first appeared in June 2022 as a Go-based crypto-locker but pivoted in January 2023 to a pure data-extortion model after security firms released free decryptors for early versions. In its initial phase, it used AES-256 + RSA-2048 hybrid encryption, appending the .bianlian extension to files and dropping ransom notes with Tor links. The group targets a broad set of industries—healthcare, education, government, critical manufacturing, and professional services—with confirmed victims in the U.S., U.K., Australia, and Canada. Initial access is often obtained via compromised RDP credentials, exploitation of vulnerabilities in internet-facing systems, or use of stolen VPN credentials from infostealers. Post-compromise, BianLian conducts network reconnaissance, credential harvesting, and exfiltration of sensitive files before issuing extortion threats on its leak site. The group has claimed responsibility for dozens of breaches, with ransom demands often in the $100k–$2 million USD range.
BIDON is a variant of the Monti ransomware family, first observed around mid‑2023. It employs a double‑extortion strategy—encrypting victims’ files and simultaneously threatening to leak stolen data if the ransom isn’t paid. Notably, it appends the .PUUUK extension to encrypted files and drops a readme.txt ransom note outlining the extortion demands. The note offers a free decryption of two files as proof of capability and emphasizes that only authorized company personnel (e.g., top management) should engage. BIDON specifically targets corporate and enterprise organizations, not home users, and warns victims not to involve law enforcement or third-party recovery firms. It represents a shift toward more aggressive extortion tactics within the Monti lineage.
BitRansomware (also known as DCryptSoft or ReadMe) surfaced in November 2020, primarily as a widespread cryptolocker targeting end users in the APAC region, especially universities in Japan and Hong Kong. The malware was delivered via a malspam campaign powered by the Phorpiex botnet, distributing deceptive ZIP attachments with a screensaver-like .scr payload. Once activated, BitRansomware encrypts files and appends the .ReadMe extension—leaving ransom notes to guide victims toward payment. The campaign peaked sharply around November 4, 2020, with over 28,000 email instances detected in a single day, as seen by VMware NSX telemetry.
Hellcome Bjorkanism
Bjorka emerged as a prominent data-extortion actor and hacktivist initially active in 2022, targeting Indonesian institutions with massive data leaks—including voter records, police data, and internal telecom and utility datasets. After going quiet in 2023, the actor resurfaced in early 2025, now positioning under the name Babuk2, leveraging legacy branding from the Babuk ransomware group to amplify perceived credibility and fuel data extortion operations. Notably, Bjorka has not been linked to deploying true ransomware payloads; rather, the strategy revolves around reputational leverage via data leaks and selecting branding for psychological impact.
BlackNevas ransomware — also referred to as “Trial Recovery” — was first observed in November 2024. It is a direct derivative of the Trigona ransomware family and continues the lineage's focus on extortion over public shaming. BlackNevas operators support a double-extortion model, encrypting files using AES-256 with RSA-4112-protected keys, and appending the .-encrypted or .ENCRYPTED file extension to affected files. Hybrid payloads are available for Windows, Linux, NAS, and VMware ESXi platforms.
While BlackNevas does not host its own data leak site, it reportedly collaborates with other ransomware groups for data publication — known partners include Kill Security, Hunters International, DragonForce, Blackout, Embargo Team, and Mad Liberator. The group has predominantly targeted large enterprises in sectors such as finance, telecommunications, manufacturing, healthcare, and legal. Initial access is commonly achieved via phishing or exploitation of vulnerabilities, with lateral movement facilitated through SMB enumeration and optional LAN-wide propagation.
BlackSuit first appeared in May 2023 and is a confirmed rebrand or direct evolution of Royal Ransomware. It operates as a Ransomware-as-a-Service (RaaS), employing a double-extortion model—encrypting files and stealing sensitive data for leak threats. BlackSuit targets Windows and Linux systems, including VMware ESXi environments, using the .blacksuit extension for encrypted files. Technical analysis shows strong code overlaps (≈98%) with Royal, itself believed to be run by former Conti affiliates. Victims span healthcare, critical manufacturing, education, and government sectors, with notable incidents affecting public health systems in the U.S. Initial access vectors include phishing, exploitation of public-facing applications (e.g., Citrix and Fortinet vulnerabilities), and compromised credentials purchased from initial access brokers. Ransom notes direct victims to Tor-based negotiation portals.
BlackBasta emerged in April 2022 and is widely assessed to be operated by former Conti group members. It functions as a Ransomware-as-a-Service (RaaS), leveraging a double-extortion model—encrypting data and threatening public leaks on its Tor-based site. The malware supports Windows and Linux/VMware ESXi environments, using ChaCha20 for encryption with RSA-4096 for key protection. Encrypted files are appended with the .basta extension, and a ransom note (readme.txt) provides negotiation instructions. BlackBasta has hit victims across manufacturing, construction, healthcare, government, and critical infrastructure sectors, with confirmed targets in the U.S., Canada, U.K., Australia, and New Zealand. Initial access vectors include exploitation of known vulnerabilities (e.g., QakBot infections, ZeroLogon, PrintNightmare), phishing, and purchasing credentials from Initial Access Brokers. By mid-2024, BlackBasta was among the top five most active ransomware groups worldwide.
Black Berserk is a relatively unsophisticated ransomware strain analyzed in late 2023. It operates under a single‑extortion model—encrypting files and demanding payment, with no documented abilities or threats for data exfiltration or public leaks. In observed cases, the malware appends the .Black extension to encrypted files (e.g., 1.jpg.Black) and leaves a ransom note titled Black_Recover.txt, which urges victims to make contact to negotiate payment or test decryption with benign files. The infection method appears opportunistic, delivered via isolated incidents or broad malware distribution—not linked to targeted campaigns or infrastructure. There is no evidence of it functioning as a RaaS operation or targeting any specific victim profiles or sectors.
BlackBit ransomware was first observed in August 2022 and is a .NET-based strain that closely mimics the design and functionality of LockBit 3.0, indicating either a fork of LockBit’s leaked builder or deliberate imitation. It uses a double-extortion model, encrypting victim files and threatening to leak stolen data via a Tor-based site. BlackBit employs AES symmetric encryption for file contents and RSA asymmetric encryption for key protection, appending the .BlackBit extension to affected files. The malware also includes features for terminating processes, deleting volume shadow copies, and disabling recovery mechanisms. Initial access vectors are not comprehensively documented but are consistent with phishing, exploitation of vulnerable public-facing services, and the use of compromised credentials. Victims have been identified across various sectors, including technology, manufacturing, and professional services, though its activity level has been far lower than LockBit’s.
BlackByte ransomware was first observed in July 2021 and operates as a Ransomware-as-a-Service (RaaS). It uses a double-extortion model—encrypting victim files while exfiltrating sensitive data for publication on its Tor-based leak site. The ransomware is written in C# and uses AES-256 for file encryption, with keys protected by RSA public-key encryption. Early variants exploited the ProxyShell vulnerability in Microsoft Exchange servers for initial access, but later campaigns have leveraged phishing, malicious attachments, and vulnerable internet-facing systems. BlackByte appends extensions such as .blackbyte or .blackbyte2.0 to encrypted files and leaves ransom notes (BlackByte_restoremyfiles.txt) instructing victims to contact them via Tor. The group has targeted organizations worldwide, including critical infrastructure, manufacturing, and government sectors. In February 2022, the FBI and USSS released a joint advisory warning about BlackByte’s impact and offering detection signatures.
Crux is a newly identified ransomware variant active since July 2025, which claims affiliation with the established BlackByte ransomware group. It implements a double‑extortion model—encrypting files (with the .crux extension) and threatening data leak via a Tor-based portal. A distinctive feature of Crux is its execution flow: it initiates via svchost.exe, cmd.exe, and bcdedit.exe to disable Windows recovery, followed by rapid file encryption. The ransomware has been confirmed in at least three incidents across sectors including agriculture, education, professional services, media, and nonprofits, in both the U.S. and U.K. Ransom notes consistently follow the naming pattern crux_readme_[random].txt.
Black Hunt ransomware has been active since at least mid-2021 and operates under a double-extortion model, encrypting victim files and threatening public release of stolen data via a Tor-based leak site. It primarily targets organizations rather than individuals, with confirmed attacks in sectors including manufacturing, retail, technology, and local government. Encrypted files are appended with the .BlackHunt extension, and ransom notes (Restore_Data.txt) direct victims to Tor portals for negotiation. The ransomware is capable of terminating processes, deleting shadow copies, and disabling recovery functions to maximize impact. Initial access methods include exploitation of vulnerable RDP services and the use of compromised credentials from initial access brokers. While its activity level is smaller compared to major RaaS families, its leak site has featured victims from multiple countries, suggesting an international reach.
BlackMatter emerged in July 2021 and quickly positioned itself as the successor to DarkSide (responsible for the Colonial Pipeline attack). It operated as a Ransomware-as-a-Service (RaaS), adopting a double-extortion model—encrypting systems while exfiltrating sensitive data for publication on its leak site. BlackMatter targeted Windows and Linux/VMware ESXi systems, using ChaCha20 for file encryption with RSA-1024 public key protection. The malware appended a custom extension per victim and dropped ransom notes (README.txt) with Tor portal links. The group focused on large organizations in industries such as critical infrastructure, agriculture, technology, and manufacturing, but claimed to avoid hospitals, nonprofits, and government entities (though some reports contradict this). Initial access methods included exploitation of known vulnerabilities, stolen credentials from brokers, and phishing campaigns. BlackMatter ceased operations in November 2021 after reported pressure from law enforcement and possible member arrests.
Blackout surfaced in February 2024 and operates using a double-extortion model. Targets span sectors like healthcare, mining, telecommunications, and food & beverage—in countries including France, Canada, Mexico, Croatia, and Spain. This ransomware employs conventional cryptographic techniques (details unspecified), appends a custom extension to encrypted files, and presents victims with ransom demands via a Tor-based leak/negotiation site. The operation runs as a crypto-ransomware and data broker, combining extortion with data publication threats.
BlackShadow is a state-aligned cybercrime group reportedly linked to Iran’s cyber operations, first identified in late 2020. Their operations blend data exfiltration with ransom threats, notably targeting Israeli organizations such as Cyberserve—a web hosting provider—and leaking data to inflict reputational damage. Victims included entities like Atraf (an LGBTQ dating app), tour booking services, and museums, reflecting political or ideological motivations over financial gain. Despite carrying out extortion, there is no evidence that BlackShadow employs typical encryption-based ransomware mechanics; instead, they leverage stolen data and the threat of public exposure.
BlackSnake is a Ransomware-as-a-Service (RaaS) operation that first appeared in August 2022, when its operators began recruiting affiliates on underground forums with an unusually low revenue share of 15%. It primarily targets home users rather than large enterprises and does not maintain a public leak site. Built on the Chaos ransomware code base, it features both file encryption and a cryptocurrency clipper module to steal funds from victims. The ransomware is developed in .NET and includes safeguards to avoid execution in Turkish or Azerbaijani environments, suggesting geographic targeting preferences. Infections result in encrypted files and ransom notes instructing victims to make contact via email for payment negotiations. The group’s operational scale and visibility remain limited compared to major RaaS families.
BlueSky ransomware first emerged in July 2022 and is characterized by aggressive, high-speed file encryption using a multithreaded architecture. Written with code elements reminiscent of Conti v3, it encrypts files using ChaCha20 secured with RSA‑4096, and further employs Curve25519 for key agreement. Delivery commonly comes through trojanized downloads from risky websites (e.g., “crack” or “keygen” hosts) or phishing emails. The malware also spreads laterally via SMB and evades detection by hiding threads using NtSetInformationThread. Once deployed, it renames encrypted files with the .bluesky extension and drops ransom notes in both HTML and TXT formats. Unlike double-extortion threats, BlueSky does not operate a public leak site and appears focused solely on disrupting file access. Observed activity spans large enterprises to SMBs, but the volume of attacks remained relatively low through early 2023.
aka BaqiyatLock
BQTLock surfaced in July 2025 and operates as a fully-fledged Ransomware-as-a-Service (RaaS) with a double-extortion model. It employs AES-256 for file encryption, with keys secured by RSA-4096, appending the .BQTLOCK extension to encrypted files. Victims receive ransom notes such as READ_ME-NOW_*.txt, warning that failure to make contact within 48 hours doubles the ransom, and that decryption keys will be destroyed after seven days. The group offers tiered pricing "waves" with different XMR (Monero) amounts for quicker decryption—e.g., Wave 1 might cost 13 XMR, while Wave 3 could be 40 XMR. Targets include organizations such as U.S. military alumni networks and educational institutions.
Br0k3r is not a conventional ransomware gang, but rather an Iran-linked cyber espionage and access brokerage group leveraging its foothold within victim networks to facilitate ransomware operations. Active since around 2017, the group provides privileged domain access—often sold or shared directly—with known ransomware operators such as ALPHV/BlackCat, NoEscape, and RansomHouse, receiving a portion of each successful ransom payout. Victims have included U.S. schools, municipal governments, financial and healthcare organizations, as well as targets in Israel, Azerbaijan, and the UAE. Br0k3r’s strategy merges espionage with criminal collaboration, allowing them to support both state-aligned intelligence objectives and financial incentives.
Brain Cipher ransomware surfaced in mid-2024, rapidly gaining notoriety after a high-impact attack on Indonesia’s National Data Center, which disrupted over 160 government services including immigration systems. The group operates with a double-extortion model, encrypting data using a LockBit 3.0-based payload (Salsa20/RSA hybrid) and threatening leaks via a Tor-hosted portal. Distinct behaviors include encrypting both file contents and filenames, and customizing encrypted file names with appended random extensions. Initial access methods include phishing and purchases from initial-access brokers. Ransom demands have ranged from tens of thousands up to $8 million USD, though victims have sometimes been offered decryption keys without payment. Victims span sectors such as government, healthcare, education, media, and manufacturing across Southeast Asia, Europe, and the Americas.
Cerber ransomware, active since 2016, has resurfaced occasionally using the name C3RB3R. It operates as a semi-private Ransomware-as-a-Service (RaaS) and targets both Windows and Linux environments. Cerber typically uses AES + RSA cryptographic methods and appends the .L0CK3D extension to encrypted files. It executes operations via phishing, malicious macros, and has even leveraged vulnerabilities such as Atlassian Confluence’s CVE-2023-22518 for deployment. Victims are directed to Tor-hosted payment portals for decryption instructions.
Cactus ransomware surfaced in March 2023 and has quickly become one of the fastest-growing and most aggressive ransomware-as-a-service (RaaS) variants. It follows a double-extortion model, encrypting files and threatening to leak stolen data to pressure victims. Cactus is notable for its ability to encrypt its own executable, evading detection by anti-malware tools, and for exploiting vulnerabilities in VPN appliances (e.g., Qlik Sense, Fortinet VPN) to gain initial access. Targets span global enterprises—including Schneider Electric and the Housing Authority of Los Angeles—and the group appears highly adaptable, often deploying the BackConnect persistence tool commonly associated with Black Basta. The ransomware changes file extensions to variants like .cts0 or .cts1, and places a ransom note named cAcTuS.readme.txt.
CatB ransomware was first observed in late 2022, gaining attention for abusing DLL hijacking via the Microsoft Distributed Transaction Coordinator (MSDTC) service—loading a malicious payload through DLL sideloading methods. The malware arrives in a two-stage dropper: the first DLL unpacks and launches the main payload (commonly named oci.dll), which subsequently encrypts files using hybrid RSA/AES cryptography. Unlike conventional ransomware, CatB does not rename files or distribute typical ransom notes; instead, it prepends the ransom message directly to the start of each encrypted file, making detection more difficult. Victims are instructed to contact the attackers via email (e.g., catB9991@protonmail.com or fishA001@protonmail.com), with the ransom demand escalating daily. Initial analysis suggests CatB may be a rebrand or evolution of Pandora ransomware, sharing various code artifacts and operational behavior.
Cerber Imposer is a post-2019 rebrand of the Cerber ransomware family, resurfacing in late 2021 with updated targeting of enterprise environments. Unlike its classic counterpart, Cerber Imposer utilizes the .locked file extension and includes a unique recovery note named __$$RECOVERY_README$$__.html. It does not reuse the original Cerber codebase; instead it borrows branding while operating under new cryptographic implementations and deployment tactics. Threat actors have leveraged known remote code execution vulnerabilities in Atlassian Confluence (CVE-2021-26084) and GitLab (CVE-2021-22205) to deliver this ransomware. The rebranded variant has compromised servers in the U.S., Germany, China, and Russia, indicating a broader scope of targeting than originally seen with early Cerber campaigns.
CerBerSysLock first appeared in December 2017 as a cryptoransomware imposter, leveraging Cerber-style branding to deceive victims. It uses XOR-based encryption to lock files and appends extensions such as .CerBerSysLocked0009881. Victims receive a ransom note titled “HOW TO DECRYPT FILES.txt”, which falsely claims to be from the Cerber ransomware. The note includes an email contact—TerraBytefiles@scryptmail.com—and instructs victims to reference their ID (e.g., "CerBerSysLocked0009881") when communicating. The ransomware is technically linked to the Xorist family and is generally considered an opportunistic, low-profile scam rather than part of a broader Ransomware-as-a-Service (RaaS) operation.
Chaos is a rapidly evolving Ransomware-as-a-Service (RaaS) group first observed in early 2025. It is considered distinct and unaffiliated with the Chaos Ransomware Builder that originated around 2021. Known for highly aggressive double-extortion operations, Chaos targets organizations across multiple platforms—Windows, ESXi, Linux, and NAS—with fast, configurable encryption mechanisms and optional partial-file targeting for stealth. Attackers gain access through vulnerabilities, phishing, or brokered credentials, then encrypt files while threatening to leak or destroy stolen data. Notable incidents include the breach of Optima Tax Relief, in which the group exfiltrated 69 GB of sensitive data before encrypting systems.
Cheers is a Linux-based ransomware variant observed starting in May 2022, engineered specifically to target VMware ESXi servers. The malware was developed from leaked Babuk ransomware source code and leverages the SOSEMANUK stream cipher combined with ECDH key exchange for encryption. It terminates all running virtual machines before renaming and encrypting log files and VM-related extensions—like .vmdk, .vmsn, and .vswp—appending a .Cheers extension. A ransom note titled "How To Restore Your Files.txt" is dropped per directory. The ransomware is attributed to the Chinese-affiliated group BRONZE STARLIGHT (also known as Emperor Dragonfly, DEV-0401), which has previously deployed other strains like Rook, NightSky, and Pandora. Cheers targets a range of industry sectors, with confirmed victims across healthcare, finance, logistics, and manufacturing.
ChileLocker first emerged in August 2022 and is considered part of the broader ARCrypter ransomware family. It employs a double-extortion model, encrypting Windows and Linux/VMware ESXi systems and threatening data leaks. ChileLocker uses the NTRU public key cryptosystem for encryption and typically appends the .crypt extension to affected files. Following encryption, it drops a ransom note—often named readme_for_unlock.txt—and directs victims to a password-protected Tor negotiation portal, with the password provided in the note. The group also disables recovery mechanisms by deleting shadow copies. Its initial access tactics include exploitation of misconfigured RDP access, phishing, malicious installers, botnets, fake updates, and malvertising. The ransomware has impacted victims across various regions, including Chile, Mexico, Canada, Spain, and others.
Chort is a relatively new data-extortion ransomware group that surfaced in late 2024, with confirmed activity beginning in October–November 2024. It operates under a double-extortion model—exfiltrating sensitive data before encrypting systems—and organizes victims via a Tor-hosted data leak site (DLS). The group has targeted organizations in the U.S. education sector (including schools and nonprofits) and in Kuwait's agriculture sector, among others. Technical behaviors include execution via PowerShell and removal of shadow copies to disrupt recovery. The group's approach emphasizes public pressure through data exposure rather than technical innovation.
Cicada3301 is a sophisticated Ransomware-as-a-Service (RaaS) group that emerged in June 2024. It’s written in Rust and supports cross-platform operations, targeting Windows, Linux, VMware ESXi, NAS, and even PowerPC systems. Technically, its ransomware shares many traits with BlackCat/ALPHV, such as use of ChaCha20 encryption, Rust-based structure, similar configuration interfaces, and methods for shutting down virtual machines and deleting snapshots. Cicada3301 also implements double-extortion tactics—encrypting or exfiltrating data and publishing it on Tor-based leak sites. The group appears to have established an affiliate program, demonstrated through their deployment interfaces and recruitment tactics via forums like RAMP. Operations are believed to be highly professional, possibly involving former ALPHV developers or affiliates.
CiphBit is a crypto-ransomware first detected in April 2023. It utilizes a double-extortion model, encrypting files and threatening to leak stolen data via a Tor-hosted portal if ransom demands are not met. The malware appends encrypted files with a vector including a unique victim ID, the attacker’s email address (onionmail.org), and a four-character random extension—making file identification and recovery especially difficult. Victims span various sectors including banking, manufacturing, healthcare, logistics, and professional services across North America and Europe. The group is classified as a data broker due to its evolving extortion methods involving free leaks and selective leaks to pressure victims. Recent high-profile victims include iptelecom GmbH (Germany) and Therma Seal Insulation Systems (USA), reaffirming its cross-industry reach and impact.
Cloak is a cybercriminal ransomware group that first appeared publicly in mid-2023, operating with a double-extortion model. It deploys an ARCrypter variant derived from Babuk, delivered via loaders that terminate security and backup services, delete shadow copies, and install encrypted payloads using algorithms like HC-128 combined with Curve25519 key generation. Victims include entities such as the Virginia Attorney General’s Office, whose IT systems were disrupted and whose data (134 GB) was exfiltrated and listed on Cloak’s Tor leak site. Cloak has been linked to other ARCrypter variants like Good Day, sharing victim portals and infrastructure. Its operations reportedly use initial access brokers, phishing, malvertising, and exploit kits for network infiltration.
Clop is a ransomware which uses the .clop extension after having encrypted the victim's files. Another unique characteristic belonging with Clop is in the string: "Dont Worry C|0P" included into the ransom notes. It is a variant of CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove the Microsoft Security Essentials in order to avoid user space detection.
Colossus ransomware was first observed in September 2021, when ZeroFox researchers uncovered the variant attacking a U.S.-based automotive group. It employs a double-extortion model, using Themida packing and sandbox evasion to disable defenses and deliver encrypted payloads. Victims are urged to visit a support site—hosted at a domain like colossus.support—to negotiate payment, or face large-scale data dumps and increasing ransom amounts tied to countdown timers. Operators demonstrated familiarity with RaaS playbooks, drawing architectural parallels to groups like EpsilonRed, BlackCocaine, and REvil/Sodinokibi.
Launched around September 2024, ContFR is a French-speaking RaaS that uses a Tor-hosted platform to provide ransomware embedded in PDF files (targeting both Windows and macOS). The group offers a tiered subscription model—“TEST,” “BASIC,” and “ELITE”—allowing affiliates varying degrees of customization, offline capability, and support based on the package purchased. As of the latest reporting, no victims are publicly listed, though data leak publications likely require a subscription to access. The operation suggests an organized, business‑like structure, distinct from opportunistic one‑off strains.
Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.
Core ransomware surfaced in early 2025 as a new variant within the broader Makop family. It employs a single-extortion model, focusing on encrypting files and demanding payment, without public data-leak threats. The malware appends the .core extension to encrypted files and is delivered via typical exploit vectors known to RaaS campaigns. Core does not showcase advanced double-extortion tactics seen in other modern strains, but it stands out for its familial lineage and continued evolution from Makop ancestors.
CrazyHunter is a rising ransomware threat first detected in early 2025, with particularly dangerous campaigns targeting Taiwanese critical infrastructure sectors such as healthcare, education, manufacturing, and industrial services. Technically sophisticated, its toolkit is composed of approximately 80% open-source tools, including the Prince Ransomware Builder (for encryption), ZammoCide (for defense evasion via BYOVD techniques), and SharpGPOAbuse (enabling lateral movement via Group Policy). In a notable incident like the February attack on Mackay Memorial Hospital, attackers employed a USB-based infection vector, then escalated privileges using vulnerable signed drivers (e.g., zam64.sys) to disable security defenses. The ransomware appends extensions like .Hunted3 and displays “Decryption Instructions.txt” as ransom notes. The group maintains a data leak site where it publicly claims multiple Taiwanese organizations as victims.
CrossLock ransomware was first observed in April 2023, targeting an IT services firm in Brazil using a double‑extortion approach—encrypting data and threatening to leak it publicly. Written in Go, it uses a hybrid encryption scheme combining ChaCha20 for file encryption with Curve25519 for key protection. Victims see their files renamed with the .crlk extension and ransom notes titled ---CrossLock_readme_To_Decrypt---.txt. The malware includes advanced techniques like Event Tracing for Windows (ETW) bypass and process mimicking (e.g., Cybereason processes) for stealth. It was publicly tracked until July 2023, after which activity (and its leak site) went offline.
also known as “Fantomas”.
Cryakl first appeared in 2014, spreading primarily across Eastern Europe and Russia via phishing emails with malicious attachments. It uses an asymmetric RSA-based encryption scheme, appending victim-specific IDs and contact emails into filenames and ransom notes. The ransomware operates under a RaaS-like model, distributing builds to affiliates for broader dissemination. In 2018, Belgian law enforcement seized Cryakl’s command-and-control infrastructure and recovered decryption keys, enabling victims to restore files via free tools like Kaspersky’s RakhniDecryptor and the NoMoreRansom project.
CryLock is a ransomware variant that emerged around April 2020, evolving from the Cryakl (Fantomas) ransomware family. It follows a semi-affiliate model, offering customizable options for partners—such as variable encryption routines, network scanning for lateral movement, shadow copy deletion, and process termination—and flexible delivery methods. During encryption, CryLock renames files to include the developer email, a unique victim ID, and a randomized three-letter extension. Victims typically encounter a countdown timer in a pop-up ransom message that warns about escalating ransom costs and potential loss of decryption capabilities.
Crynox (sometimes referred to as “Crynox Ransomware”) appears to be a generic file-locker threat that appends .crynox to encrypted files and drops a ransom note (read_it.txt) instructing victims to contact crynoxWARE@proton.me. It seems to use RSA-4096 and AES for encryption and may change desktop wallpaper, but there's no evidence of double-extortion or leak site operation. Distribution methods cited include phishing, pirated software, and malicious websites.
CryptedPay is a standalone ransomware strain observed around early 2025, that encrypts files using AES-256 and appends the .CRYPTEDPAY extension. Victims receive a ransom note (README.txt), have their desktop wallpaper changed, and are instructed to pay approximately $280 in Monero (XMR). The ransomware imposes a 62-hour deadline, threatening permanent file loss if not paid.
CryptNet is a newer Ransomware-as-a-Service (RaaS) operation first identified in April 2023. It follows a double-extortion model, performing data exfiltration before encrypting files. Written in .NET and obfuscated with .NET Reactor, CryptNet utilizes AES-256 (CBC) and RSA-2048 encryption. Its codebase shares strong similarities with Chaos and Yashma ransomware families.
aka Public Data Storage
Crypto24 emerged in early 2025 as a fast-growing double-extortion ransomware-as-a-service (RaaS) group. It targets organizations across industries such as financial services, healthcare, logistics, and technology, with notable victims in Malaysia, Colombia, Egypt, and India. The group executes rapid infiltration—often leveraging stolen credentials—encrypts files (appending the .crypto24 extension), and exfiltrates significant volumes of data (e.g., 2 TB from Vietnam’s CMC Group). Affiliate-oriented operations are indicated by their presence on RAMP forums, suggesting professional recruitment and offering free decryption for small file samples to entice victims.
CryptXXX is a ransomware strain that first appeared in April 2016, developed by the same group behind the Reveton and Angler Exploit Kit operations. It uses a single-extortion model, encrypting victim files with RSA-4096 and AES-256 encryption, appending the .crypt or .crypt1 extensions in early versions, and later variants dropping different extensions. Distribution was largely via the Angler and Neutrino exploit kits, targeting unpatched browsers, plugins, and malicious email attachments. CryptXXX also included credential theft capabilities, harvesting from browsers and FTP clients, and in some variants, a file-stealing module. Notable campaigns affected victims globally, with a strong concentration in North America and Europe. Operations were disrupted in mid-2016 when security researchers from Kaspersky Lab released decryption tools, forcing the group to release updated, harder-to-crack versions.
Crysis ransomware was first identified in early 2016 and is a long-running family that later evolved into the Dharma ransomware line. It follows a Ransomware-as-a-Service (RaaS) model, allowing affiliates to customize email addresses, extensions, and ransom notes. Crysis primarily spreads via malicious email attachments, remote desktop protocol (RDP) brute-force attacks, and software cracks. It uses strong hybrid encryption—AES for file content and RSA for key protection—and appends various extensions such as .crySis, .wallet, or attacker-specified tags. It also deletes shadow copies to hinder recovery. Over the years, it has targeted businesses and individuals worldwide, with notable prevalence in healthcare, manufacturing, and professional services sectors. In 2017, law enforcement released master decryption keys through the NoMoreRansom project, enabling recovery for earlier versions, though newer builds remain active in the wild.
Cs‑137 is a newly observed ransomware strain that first appeared in January 2025. It employs the ChaCha20 cipher for encryption and appends obfuscated filenames with a random 10-character alphanumeric identifier while preserving the original file extension. In its current testing phase, it drops a ransom note with a randomized filename (e.g. ABCDEF-README.txt) and sets a randomly named image file as the desktop wallpaper. The note references a Tor-based extortion portal—though access is not yet active, indicating the operation’s early development stage. The strategy suggests single-extortion behavior, focused on disrupting access rather than data theft or leak threats.
aka Critroni
CTB‑Locker emerged in mid‑2014, introducing a new era of ransomware by leveraging elliptic curve cryptography (ECC), Tor-based C&C communication, and Bitcoin payments—earning its name from “Curve-Tor-Bitcoin Locker.” It was packaged and sold as a ransomware kit for approximately $1,500–$3,000, allowing affiliates to deploy customized campaigns. The malware encrypts user data (including network and removable drives), changes desktop wallpapers, and appends file extensions like .CTBL, .CTB2, or randomized strings. Victims receive instructions for payment, typically within a limited timeframe, or risk permanent data loss. In 2015–2017, law enforcement and cybersecurity firms (including McAfee and Kaspersky) disrupted the network, arrested operators, and facilitated decryption tools.
Cuba ransomware, active since at least 2019, is a financially motivated threat group operating a double-extortion scheme—encrypting files and exfiltrating data to pressure victims. It has targeted government agencies, healthcare providers, critical infrastructure, financial institutions, and manufacturing firms, primarily in the United States, Canada, and Europe. Distribution often involves the Hancitor (Chanitor) malware loader, phishing campaigns, and exploitation of vulnerabilities in public-facing services such as Microsoft Exchange. Cuba employs RSA and AES encryption, typically appending the .cuba extension to affected files, and drops ransom notes instructing victims to contact the attackers via Tor-based portals. In December 2021, the FBI reported that Cuba ransomware operators had compromised at least 49 entities in U.S. critical infrastructure sectors, stealing data and demanding multimillion-dollar ransoms.
Cyclops ransomware was rebranded as Knight around mid‑2023, emerging initially in early 2023. It operates as a Ransomware-as-a-Service (RaaS), targeting multiple platforms including Windows, macOS, Linux, and ESXi systems. Crafted in Go, it uses strong encryption algorithms like ChaCha20 and Curve25519. Knight includes both a full and "lite" encryptor, supports batch attacks, hosts a Tor leak site, and offers a web portal for affiliates—positioning itself as a scalable and partner-friendly ransomware operation. Affiliates can manage deployments, track payments, and negotiate with victims through a sophisticated RaaS platform.
D0glun is a crypto-ransomware strain first observed in January 2025, believed to be derived from Babuk via an intermediary variant known as Cheng Xilun. It uses AES-256 symmetric encryption and appends filenames with patterns such as .@D0glun@<original extension> or similar. The malware encrypts files rapidly, changes the desktop wallpaper, and drops ransom notes typically named @[email protected], Desktopcxl.txt, or help.exe. The campaign has shown signs of shared infrastructure and code reuse from Cheng Xilun, but there is no confirmed evidence of a large-scale or mature operation. Its activity so far suggests it is being tested or deployed by a small group or individual rather than a structured affiliate network.
D4rk4rmy is a data-extortion focused threat actor that emerged in mid-2025, targeting high-profile organizations across sectors like financial services, hospitality, and education. It operates primarily through leak site extortion rather than encryption, listing prominent entities—such as Bridgewater Associates, Magellan Financial, Onex Canada Asset Management, Tsai Capital, Casino de Monte-Carlo, and others—on its Tor-based platform. The group has also hit victims in technology, logistics, and university sectors across multiple continents. Their tactic centers on reputation manipulation and public exposure to pressure victims into negotiations.
Dagon Locker is a double-extortion ransomware family that surfaced around September 2022. It represents an evolution of the MountLocker and Quantum ransomware lines. The group employs strong encryption using ChaCha20 protected by RSA-2048 and appends the .dagoned extension to encrypted files. It provides operators flexibility through command-line options to control encryption behavior, such as skipping logs, deletions, or process termination. Notably, Dagon Locker is frequently distributed via phishing campaigns and as part of Brodin-based initial access chains. It operates under a Ransomware-as-a-Service (RaaS) model, engaging affiliates to launch customized campaigns—particularly targeting organizations in South Korea.
Daixin Team is a ransomware and data extortion group active since at least June 2022, known for targeting the healthcare sector, including hospitals, clinics, and related service providers. The group employs a double-extortion model—exfiltrating sensitive data before encrypting systems—and has leaked protected health information (PHI) to pressure victims. Intrusions often involve exploiting VPN vulnerabilities (notably in Fortinet FortiOS) and using compromised credentials for initial access. The ransomware uses AES for file encryption with RSA to protect the keys, and ransom notes direct victims to a Tor-based portal. The U.S. CISA, FBI, and HHS have issued joint advisories warning of the group’s impact on healthcare delivery and patient safety
dAn0n is a data-extortion actor that first appeared in April 2024. Operating primarily in a leak-focused extortion model, they publish stolen data on a Tor-hosted site rather than encrypting files. Their victims include organizations across sectors like business services, technology, healthcare, transportation, and legal—all largely based in the United States, with a few in Ireland and South Korea. Activity surged in May 2024, landing them in the top 10 most active ransomware actors that month. Despite limited branding efforts, their smaller operational footprint has allowed for swift, targeted breaches that prioritize rapid data exposure over elaborate cryptographic tactics.
Dark Power is a ransomware group first observed in January 2023, known for targeting small to mid-sized organizations across education, healthcare, manufacturing, and information technology sectors. The group uses a double-extortion model, encrypting files and threatening to leak exfiltrated data via a Tor-based site if ransom demands are not met. Written in the Nim programming language, Dark Power ransomware appends the .dark_power extension to encrypted files and drops a ransom note named README.txt, giving victims 72 hours to contact them. The note typically demands payment in cryptocurrency and offers to negotiate. Victims have been observed in North America, Asia, and Europe, with attacks often involving exploitation of vulnerable public-facing systems or stolen credentials.
Dark Angels is a highly targeted ransomware and data-extortion group that emerged in spring 2022. Rather than using an affiliate-driven model, it orchestrates discreet, high-impact attacks on large organizations—often choosing one Fortune-level victim at a time. The group exfiltrates massive volumes of data (sometimes 10–100 TB), optionally deploys encryption on Windows or ESXi systems, and pressures victims via a Tor-hosted leak platform ("Dunghill Leak"). Their notable incidents include extorting a record $75 million from a Fortune 50 company in 2024 and demanding around $51 million from Johnson Controls. Dark Angels’ operations emphasize stealth and precision over disruption, often avoiding high-profile media exposure and operating with low operational visibility.
DarkBit is a politically motivated ransomware operation active since February 2023, targeting academic and public sector entities—most notably including attacks against Israeli institutions like the Technion. Written in Go (Golang) and leveraging powerful encryption routines, it employed AES-256 and supported command-line options for customizable deployments. Its behavior includes deleting volume shadow copies and encrypting files with a randomized prefix and .Darkbit extension. The group deployed their own Tor-based negotiation portal and utilized Tox messaging for communication. Their messaging contained anti-government rhetoric, suggesting ideological motivations in addition to cyber-extortion objectives.
DarkRace is a moderately destructive ransomware strain observed since 2024. It encrypts files and appends a randomized extension (e.g., .1352FF327) that varies per victim. Implemented as a 32-bit Windows application, it disables antivirus defenses, deletes volume shadow copies, terminates processes, and drops ransom note files for payment negotiation. Technical weaknesses in its encryption have enabled developers to produce a universal decryptor that works against DarkRace and related variants.
FireEye describes DARKSIDE as a ransomware written in C and configurable to target files whether on fixed, removable disks, or network shares. The malware can be customized by the affiliates to create a build for specific victims.
DarkVault is a versatile and opportunistic threat actor first observed in late 2023. Rather than being a traditional ransomware operation, it acts broadly as a data broker and extortion ensemble, publishing victim information—like company names and industries—via Tor-leak sites. Activities reportedly include doxing, website defacement, bomb threats, malware distribution, and swatting, suggesting a diversified cybercriminal portfolio beyond simple ransomware, often framed as an "exclusive online community." While the leak site design mirrors LockBit 3.0, there is no verified technical evidence linking DarkVault to LockBit's codebase. No ransomware executables or encryption tools have been confirmed; its role appears centered on data exposure and extortion without enforced file encryption.
Darky Lock is a commodity-style ransomware strain first identified in July 2022, derived from publicly available Babuk source code. Victim systems undergo file encryption with an added “.darky” extension, and a “Restore-My-Files.txt” ransom note is placed in all impacted locations. The malware attempts to disable backup mechanisms, including shadow copies and specific applications. Its distribution leverages phishing and trojanized installers, complemented by payloads dropped via frameworks like Empire, Metasploit, and Cobalt Strike.
DataCarry is a newly observed ransomware and data-extortion operation, first seen in May 2025. It operates a double-extortion model, exfiltrating data and threatening publication via a Tor-hosted portal. The group has already claimed multiple victims across diverse sectors including insurance, healthcare, real estate, retail, and aerospace in countries such as Latvia, Belgium, Türkiye, South Africa, Switzerland, Denmark, and the United Kingdom. The rapid emergence and multi-country reach signal a well-organized operation.
DataF Locker is a ransomware variant first observed in 2024, closely tied to the Babuk ransomware lineage. It operates under a double-extortion model, encrypting files by appending the .dataf extension and threatening to leak exfiltrated data if the ransom isn't paid. Victims receive a ransom note named How To Restore Your Files.txt, with satisfaction of specified recovery procedures. Observations suggest use of typical intrusion vectors such as phishing, exploit tools, or leaked credential abuse, although detailed delivery methods and leak infrastructure remain under-documented in high-tier intelligence reports.
DeathGrip is a Ransomware-as-a-Service (RaaS) that emerged around June 2024, offering malware payloads built with leaked LockBit 3.0 and Yashma/Chaos builders. Designed to lower technical barriers, it enables even low-skilled operators to deploy highly capable ransomware attacks. DeathGrip campaigns typically employ AES-256 encryption, delete shadow copies and recovery features, and modify system settings to hinder restoration. Earlier infections include low-tier ransom demands (e.g., around $100), reflecting entry-level targeting, though its flexible tooling allows a range of payload configurations.
DeathRansom is a ransomware family first seen in the wild in late 2019, initially appearing as a bluff—dropping ransom notes without actually encrypting files. By early 2020, the malware evolved into a functional encryptor, using a hybrid scheme of AES for file encryption and RSA to secure AES keys. Infected systems have files appended with extensions such as .wctc or .zzz depending on the campaign variant. Distribution methods include phishing emails with malicious attachments, cracked software downloads, and malicious spam campaigns. Over time, some DeathRansom operations were linked to STOP/Djvu infrastructure and later incorporated into affiliate-based criminal ecosystems.
DevMan is a ransomware variant first observed in April 2025. It is a customized derivative of the DragonForce family, leveraging attacker-operated infrastructure for double-extortion, where both data theft and encryption are employed to pressure victims. The threat is highly organized, targeting sectors such as technology, construction, public services, healthcare, and consumer services across Asia, Africa, and Europe.
DevMan 2.0 is the evolved iteration of the DevMan ransomware, first documented in July 2025. It enhances the capabilities of its predecessor with robust double-extortion tactics and operates under a Ransomware-as-a-Service (RaaS) model, offering structured leak and extortion infrastructure. Affiliates and operators are using it across diverse sectors—such as manufacturing, retail, and electronics—targeting organizations in Japan, Germany, and other countries. Demands from initial campaigns range widely, spanning from around $1 million to over $10 million USD.
Dharma is a prolific ransomware family active since at least 2016, evolving from the earlier CrySiS ransomware. It operates under a Ransomware-as-a-Service (RaaS) model, allowing affiliates to deploy customized builds with their own contact emails and extensions. Dharma typically appends encrypted files with patterns like .id-[victimID].[email].dharma or other campaign-specific suffixes. Initial access is often gained through exposed Remote Desktop Protocol (RDP) services secured with weak or stolen credentials, sometimes combined with brute-force attacks. The malware encrypts files using AES with RSA to secure the keys and drops ransom notes in text files and pop-up windows. Numerous variants have emerged over time, each linked to different affiliates, making attribution difficult.
Diavol is a ransomware strain first observed in June 2021, associated with the Wizard Spider threat group—best known for operating the TrickBot malware and the Conti ransomware. It uses a double-extortion model, encrypting victim files and exfiltrating sensitive data for additional leverage. The ransomware is written in C and employs a multi-threaded encryption routine using the ChaCha20 algorithm with RSA-2048 to secure encryption keys. Early variants appended no custom extension to files, relying instead on changing file headers, but later versions began appending extensions. Initial access vectors include exploitation of vulnerable systems and the use of TrickBot or BazarLoader infections as staging points. Victims are directed to a Tor-based negotiation portal through ransom notes.
Dire Wolf is a recently emerged double-extortion ransomware group that first appeared around May 2025. It is a crypto-ransomware and data broker targeting industries like manufacturing and technology across multiple countries, including the U.S., Thailand, Taiwan, Singapore, Türkiye, among others. Written in Go and delivered as a UPX-packed binary, it utilizes robust encryption (Curve25519 and ChaCha20) to lock files with a .direwolf extension, while deleting backups, disabling logging, and terminating key services to block recovery. Victims receive highly customized ransom notes containing live-chat credentials and victim-specific portals, indicating a highly professional and targeted approach.
Dispossessor, active since August 2023, was a data-extortion ransomware-as-a-service group led by the moniker "Brain". The group quickly expanded from U.S.-focused attacks to target small and mid-sized organizations globally—across sectors like healthcare, finance, transportation, education, and manufacturing. Their tactics included exploiting weak passwords and lack of multifactor authentication to gain access, followed by data exfiltration and staged extortion: victims were contacted via email or phone with links to proof-video platforms, and exposed on Tor-based leak sites if no payment was made. Many of the organizations targeted (approximately 43 identified) were across diverse countries including the U.S., Canada, Brazil, India, Germany, and more. By mid-2024, international law enforcement—including the FBI, UK National Crime Agency, and German agencies—successfully dismantled their infrastructure.
Donex is a ransomware family that emerged in early 2022 as a rebrand of the older Muse ransomware. It uses a double-extortion strategy, combining file encryption with threats to leak stolen data on a Tor-hosted portal. Written in C++, Donex encrypts files using a combination of ChaCha20 and RSA-4096 algorithms and appends a custom extension unique to each victim. The group targets a broad range of sectors, including manufacturing, logistics, and professional services, with victims reported across North America, Europe, and Asia. Initial access methods include exploitation of public-facing applications and the use of stolen RDP credentials.
Donut Leaks, first reported in August 2022, is a data-extortion group linked to high-profile breaches, including the compromise of Continental in 2022. The group does not consistently encrypt files—in some cases acting purely as a data broker—yet adopts a double-extortion model when ransomware is deployed. Their operations involve exfiltrating sensitive corporate data, then threatening public release via a dedicated leak site on Tor. Donut Leaks has targeted organizations in automotive manufacturing, IT services, and professional sectors, with confirmed victims in Europe and North America. Intrusion methods are not fully documented in public sources but likely include phishing, credential theft, and exploitation of exposed services.
DoppelPaymer is a ransomware family first identified in mid-2019, derived from the BitPaymer codebase and operated by the Evil Corp cybercrime group. It is known for its double-extortion approach, encrypting victim files with AES-256 and securing keys with RSA-2048, while also stealing sensitive data for public release if payment is not made. DoppelPaymer primarily targets large organizations, including those in healthcare, government, and manufacturing, with high ransom demands often in the millions of U.S. dollars. Infection vectors include phishing emails carrying Dridex or other loaders, exploitation of remote access services, and credential theft. Encrypted files typically retain their original name with a new extension, and ransom notes direct victims to Tor-based portals for negotiation. The group has been linked to attacks on institutions such as the City of Torrance, the State of Delaware, and hospital systems in Germany and the United States.
DragonForce is a ransomware-as-a-service (RaaS) group first identified in late 2023. Originally linked to hacktivist activity, the group pivoted to financially motivated operations by early 2024. Since then, it has accelerated into a highly organized cartel-like network, providing customizable payloads to affiliates, a sophisticated affiliate portal, and shared infrastructure for leak sites and campaigns. The group has targeted a wide range of sectors globally, including major UK retailers such as M&S, Harrods, and Co-op, along with organizations in government, logistics, and manufacturing. Its operations are known for strategic branding flexibility, enabling affiliates to operate under their own labels using DragonForce’s backend services.
Dunghill Leak is the publicly branded data leak site (DLS) operated by the Dark Angels ransomware group, established circa January 2023. Rather than a standalone encryption threat, it serves as the disclosure and extortion platform where stolen victim data is published if ransom demands are ignored. Dark Angels is known for highly targeted “big game hunting” tactics, exfiltrating tens to hundreds of terabytes of corporate data, often without encrypting systems. Victims include major industry players—like Johnson Controls, Sabre, Sysco, and a Fortune 50 firm—which reportedly paid a record-breaking $75 million USD ransom. The leak site is complemented by a mirrored Telegram channel for distributing victim announcements and maintaining negotiation traffic.
The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:
1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.
2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.
3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.
Egregor is a ransomware strain that appeared in September 2020, widely believed to be a rebrand or successor to the Maze ransomware operation, using similar infrastructure and tactics. It runs as a Ransomware-as-a-Service (RaaS), recruiting affiliates to deploy its payload in exchange for a percentage of ransom payments. Egregor employs a double-extortion model, encrypting files with ChaCha and RSA-2048 algorithms, while exfiltrating sensitive data to threaten public release. Victims receive ransom notes directing them to Tor-based portals for negotiation. The group has targeted organizations worldwide across sectors such as retail, transportation, manufacturing, and finance, with notable attacks on Barnes & Noble and Cencosud. Egregor's operations were disrupted in early 2021 through coordinated law enforcement action, leading to the arrest of suspected affiliates in Ukraine.
This group is believed to be connected to Lost Trust. El Dorado rebranded to BlackLock in September 2024.
User "$$$" on RAMP is known to be connected to the group.
Elpaco is a variant of Mimic ransomware that emerged around August 2023. Designed with significant customization and stealth in mind, it targets Windows systems by abusing the Everything search utility to optimize file discovery and accelerate encryption. Operators exploit various initial access methods—most notably RDP brute-force and the Zerologon vulnerability (CVE-2020-1472)—to gain access, escalate privileges, and deliver the payload. The ransomware uses a 7z SFX dropper, deploys multi-threaded encryption, disables recovery options, and self-deletes after execution, leaving victims with encrypted files bearing Elpaco-specific extensions. It's recognized for its adaptability and advanced features compared to earlier Mimic variants.
Embargo is a Ransomware-as-a-Service (RaaS) operation first observed in May 2024. It employs a double-extortion model, encrypting victim data while exfiltrating sensitive files for publication on a Tor-based leak site. Embargo uses a Rust-based payload that leverages AES-256 and RSA-4096 encryption, deletes volume shadow copies, and disables recovery features to prevent restoration. Its targeting appears opportunistic but has included sectors such as finance, manufacturing, and professional services across North America, Europe, and Asia. The ransomware’s customization options, negotiation portal, and leak infrastructure suggest a closed affiliate model with a focus on operational security.
Endurance is a destructive ransomware variant first observed in 2023, developed and operated by the threat actor known as IntelBroker (also referred to as Butler Spider). Rather than encrypting files for decryption, it functions primarily as a data wiper, overwriting file contents, appending randomized filenames, and then deleting the files altogether. The source code for the malware was intentionally made public by the operator, indicating its use as both a tool and a statement. Endurance was used in high-profile breaches, including targeting government agencies, large enterprises, and telecommunications providers.
Entropy is a ransomware first seen in 1st quarter of 2022, is being used in conjunction of Dridex infection. The ransomware uses a custom packer to pack itself which has been seen in some early dridex samples.
Rebrand to Bashe in October 2024.
Eraliegn, self-styled as APT73 and formerly known as Bashe, surfaced in April 2024. Rather than conducting real ransomware campaigns, the group specializes in fabricating data breach narratives, curating or reusing existing leaked data (often from years-old breaches) and presenting it on a Tor-hosted leak site to project credibility. They claim to have breached organizations across sectors—such as banking, travel, manufacturing, and IT—targeting entities in countries including the United Kingdom, India, Indonesia, France, and Canada. However, threat analysis shows these claims are deceptive in nature rather than demonstrative of technical prowess or active network compromise.
Everest is a ransomware group active since at least December 2020, known for its double-extortion tactics. The group initially operated as a typical ransomware outfit, encrypting files with strong cryptography and appending victim-specific extensions, but later shifted toward pure data extortion—threatening to sell or release stolen data without necessarily deploying encryption. Everest targets a wide range of sectors, including government, healthcare, manufacturing, and IT services, with confirmed victims in North America, Europe, and Asia. Initial access vectors include exploitation of vulnerable public-facing applications, phishing campaigns, and credential theft for remote access services. The group maintains a Tor-based leak site to publish stolen information and advertise access to compromised networks.
Fargo is a ransomware variant that surfaced in 2022, primarily targeting Microsoft SQL Server (MSSQL) systems. Believed to be a variant of the TargetCompany ransomware family, Fargo uses brute-force or credential-stuffing attacks on exposed MSSQL instances to gain access, then executes payloads via SQL Server commands. Once deployed, it encrypts files using a combination of symmetric and asymmetric algorithms, appends the .Fargo3 (or similar) extension, and drops a ransom note directing victims to contact operators via email. It also attempts to delete system backups and shadow copies to prevent recovery. Fargo has been observed targeting organizations in multiple sectors, with a concentration of victims in South Korea and other parts of Asia.
Faust is a variant of the well-known Phobos ransomware, part of a Ransomware-as-a-Service (RaaS) ecosystem active since around May 2019. Faust employs a double-extortion model, encrypting victim files and threatening to release stolen data if ransom demands are not met. It's distributed via Office document payloads using VBA scripts and known for its fileless attack delivery, enabling stealth and evasion.
FiveHands is a ransomware family first observed in January 2021, believed to be a successor to the HelloKitty ransomware variant. It operates under a Ransomware-as-a-Service (RaaS) model and uses the double-extortion tactic, encrypting files while threatening to leak stolen data via a Tor-based site. FiveHands is written in C# and leverages the NTRUEncrypt algorithm for file encryption alongside Curve25519 for key exchange. The ransomware is commonly deployed via Malwarebytes SombRAT or Cobalt Strike beacons after initial compromise, often gained through exploitation of vulnerable VPNs, phishing, or compromised credentials. FiveHands has targeted organizations in healthcare, finance, and manufacturing across North America, Europe, and Asia.
Fog is a sophisticated ransomware strain first observed in April–May 2024, initially targeting U.S. educational institutions before expanding into sectors such as government, business services, finance, and manufacturing. The group conducts fast, double-extortion attacks: they exploit compromised VPN credentials or known vulnerabilities, deploy encryption (notably using extensions like .fog, .FLOCKED), and exfiltrate data prior to encryption to maximize victim pressure. Fog is associated with other prolific actors—such as Akira and Conti—through shared tooling, infrastructure timelines, and even cryptocurrency wallets.
Frag is a relatively new ransomware and data extortion group first seen in February 2025. The group operates a dedicated Tor-based leak site where it publishes victim details, including sector, location, and sample stolen files, as part of its double-extortion strategy. Within its first month of activity, Frag claimed over two dozen victims, spanning industries such as manufacturing, aviation, real estate, retail, and legal services, with a global footprint including the United States, the Netherlands, and Singapore. Intrusion methods have included exploitation of known vulnerabilities—such as the Veeam Backup & Replication flaw CVE-2024-40711—and compromised remote access appliances. The group’s operations and targeting style suggest experienced actors, possibly with past involvement in other ransomware projects.
FreeWorld is a ransomware variant first observed in September 2023, and is believed to be derived from the Mimic ransomware family. It is deployed through coordinated campaigns dubbed DB#JAMMER, which exploit poorly secured Microsoft SQL (MSSQL) servers exposed to the internet. Attackers gain initial access via brute force, leverage the xp_cmdshell feature to execute shell commands, disable defenses, deploy remote access tools like Cobalt Strike and AnyDesk, and eventually deliver the FreeWorld payload. The ransomware encrypts files using hybrid encryption and appends the .FreeWorldEncryption extension. Victims receive a ransom note titled FreeWorld-Contact.txt, directing them on payment and data recovery steps.
This group is also known by their malware name, FLOCKER.
FSociety is a modern Ransomware-as-a-Service (RaaS) operation that emerged around 2024, named after the fictional hacking collective from Mr. Robot. It runs a double-extortion setup—encrypting victims’ data while simultaneously threatening to leak stolen files via a Tor-hosted portal. Organized campaigns suggest collaborative operations with other cybercrime actors, marking it as a part of a growing ransomware cartel ecosystem.
FTCode is a ransomware family first observed in 2013 as a PowerShell-based threat and later resurfaced in September 2019 with enhanced capabilities. It is notable for being fileless, executing entirely in memory using PowerShell scripts, which allows it to evade traditional antivirus detection. FTCode is commonly delivered via malicious email campaigns, often using phishing attachments such as Word documents with embedded macros that execute the ransomware script. It encrypts files using the AES algorithm and appends the .FTCODE extension, leaving ransom notes instructing victims to contact the operators via email. Later variants added capabilities such as stealing credentials from browsers and email clients. FTCode campaigns have been observed globally, with a focus on Europe, particularly Italy.
Funksec, a double extortion ransomware group, emerged in late 2024 and quickly gained notoriety by breaching databases and selling access to 15 government websites within just a month. Claiming to be entirely self-taught and operating without collaboration from other groups, Funksec is a four-member team driven primarily by financial motives.
The group leverages AI for specific tasks, such as creating tools and phishing templates, though they emphasize that AI contributes to only about 20% of their operations. Notably, they have developed their own proprietary AI tool, WormGPT, a desktop application built entirely in-house.
To enhance their phishing campaigns, Funksec uses premium services like PhishingBox to create customized phishing templates, adding another layer of precision and sophistication to their methods.
After the interview, during some casual chit-chat, it came to light that the owner of Funksec was also behind an underground forum called DarkZone, which had been built in collaboration with GhostSec in the past.
https://osint10x.com/threat-actor-interview-spotlighting-on-funksec-ransomware-group/
GandCrab was a prolific Ransomware-as-a-Service (RaaS) operation active from January 2018 to mid-2019. It quickly became one of the most widespread ransomware families due to its affiliate-based distribution model, where operators provided the ransomware to partners in exchange for a revenue share (reportedly 30–40%). GandCrab used a double-extortion approach in later stages, encrypting files with a combination of Salsa20 and RSA-2048 algorithms and appending extensions that varied by version (e.g., .GDCB, .KRAB, .CRAB). Initial access vectors included phishing emails with malicious attachments, exploit kits (notably RIG and GrandSoft), and remote desktop protocol (RDP) attacks. GandCrab’s operators claimed to have earned over $150 million before publicly announcing their retirement in June 2019, after which decryption keys for all versions were released.
Our team members are from different countries and we are not interested in anything else, we are only interested in dollars.
We do not allow CIS, Cuba, North Korea and China to be targeted.
Re-attacks are not allowed for target companies that have already made payments.
We do not allow non-profit hospitals and some non-profit organizations be targeted.
Financial interests only.
We do not provide or work with affiliate programs, no collaborations either.
The requested payment must be made within a specified time frame, otherwise the price may be increased, we will begin to publish the data we have about your company and notify the company's customers and suppliers.
Charitable, non-profit, and medical institutions are only hacked if they have reputation gaps known from open sources or discovered in company data. However, this is only data extraction; live support systems are not affected.
Data is always destroyed after payment; we do not attack the same company twice.
Interesting fact: once, the total amount of claims against a breached company exceeded its entire capitalization. We know how to create trouble, though it is in our mutual interest to avoid it.
To make the data leak more valuable, the most important information is published in a separate folder for each company called “parsed” and is also published on darkweb forums.
aka Cring / Ghost (Cring)
Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.
Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
Now a RaaS by BlackLock ($$$).
Global Group is a newly emerged Ransomware-as-a-Service (RaaS) platform that debuted in June 2025 on the Ramp4u cybercrime forum. Marketed as a successor to the Mamona and BlackLock ransomware families, it leverages a Golang-based, cross-platform payload that supports execution on Windows, macOS, and Linux. This group stands out by incorporating AI-driven chatbots to manage victim negotiations, promoting scalability and efficiency—even for affiliates lacking language skills. Within its first weeks of operation, Global Group claimed numerous victims across industries such as healthcare, automotive services, and facilities management, located in the U.S., U.K., Australia, and Brazil.
Globe is a ransomware family that first appeared in August 2016, notable for its highly customizable codebase that allows operators to configure ransom note text, encryption algorithms, and file extensions. Globe uses symmetric encryption (RC4 or AES) to lock files and typically appends custom extensions such as .GLOBE, .PURPLE, .HNY, or others set by the attacker. The malware is distributed through malicious spam emails with infected attachments, compromised websites, and exploit kits. Globe’s flexibility made it attractive to low-skilled actors, resulting in many different variants in the wild. The family has primarily targeted small to medium-sized businesses and individual users across multiple regions, with no clear geographic focus.
GlobeImposter is a ransomware family that first appeared in mid-2017, designed to mimic the appearance and naming conventions of the earlier Globe ransomware but built on entirely different code. It uses strong encryption algorithms, typically AES combined with RSA, and appends a variety of file extensions to encrypted data—such as .crypt, .doc, .png, .jpg, .spreadsheet, and many more—depending on the campaign. GlobeImposter is primarily distributed via malicious spam campaigns with infected attachments, compromised RDP services, and exploit kits. It drops a ransom note (often named how_to_back_files.html or similar) instructing victims to contact the attackers via email. Over the years, GlobeImposter has spawned hundreds of variants, making it one of the more persistent commodity ransomware threats targeting small businesses and individuals globally.
Good Day is a ransomware variant within the ARCrypter family, first observed in May 2023. It gained prominence due to its reticent financial extortion model and custom branding—victims are greeted with a “Good day” message upon landing on individualized Tor-based victim portals. The malware is typically delivered via phishing campaigns disguising payloads as legitimate Windows updates. It utilizes a robust encryption workflow, including deletion of volume shadow copies and process evasion mechanisms. Notably, Good Day has been linked to the Cloak ransomware group through shared data leak infrastructure and overlapping leak portal behaviors.
Grief, also known as Pay or Grief, is a ransomware group that emerged in May 2021 and is widely believed to be operated by actors linked to the Evil Corp cybercrime syndicate. It operates as a Ransomware-as-a-Service (RaaS) platform, using a double-extortion strategy: encrypting files while threatening to leak stolen data via its Tor-based leak site. Grief’s ransomware payload uses strong encryption (commonly RSA-2048 + AES-256) and typically appends the .grief extension to files. The group has targeted organizations across multiple sectors, including government, finance, education, and manufacturing, with a focus on U.S. and European entities. Grief has been associated with infrastructure and code overlaps from the earlier DoppelPaymer ransomware and uses phishing emails, malicious attachments, and compromised RDP credentials for intrusion. In late 2021, the U.S. Treasury’s OFAC issued sanctions against Grief due to its ties with Evil Corp, making ransom payments to the group legally risky for victims in the U.S.
Groove was a short-lived ransomware group and cybercrime gang that emerged in August 2021 and became notable for its aggressive, publicity-driven tactics. Unlike traditional Ransomware-as-a-Service (RaaS) groups, Groove functioned more as a loose criminal collective, encouraging other threat actors to join forces in attacking U.S. entities, particularly in the government and financial sectors. The group ran a Tor-based leak site where it published stolen data, but its operators claimed to focus more on building an “underground alliance” than on ransomware deployment itself. Analysts noted overlaps between Groove and actors behind Babuk and BlackMatter, as well as forum personas known for data theft operations. By early 2022, Groove’s activity had largely ceased, with some experts suggesting the group was either a short-term recruitment campaign or a misinformation effort.
Gunra is an emerging ransomware group first identified in April 2025. It employs a classic double-extortion model—encrypting sensitive data and exfiltrating it for publication via a Tor-hosted leak site. Since its emergence, Gunra has struck a diverse set of global targets—reportedly spanning sectors like manufacturing, healthcare, IT, real estate, agriculture, and consulting in countries including Brazil, Japan, Canada, Turkey, South Korea, Taiwan, Egypt, and the U.S.
Gwisin is a targeted ransomware group first publicly reported in July 2022, believed to operate primarily within South Korea. The group’s name means “ghost” in Korean, reflecting its stealthy approach. Gwisin has been observed conducting attacks on critical sectors, including healthcare, pharmaceutical, and manufacturing industries. It uses custom-built payloads tailored for each victim, capable of encrypting both Windows and Linux/VMware ESXi environments, and often executes attacks during national holidays to maximize operational disruption. Gwisin employs a double-extortion model—exfiltrating sensitive data before encryption—and communicates with victims in Korean-language ransom notes. Initial access vectors are not fully confirmed in open-source reporting, but suspected methods include exploiting vulnerable VPN appliances and leveraging stolen administrative credentials. The group is known for extensive pre-encryption reconnaissance to identify high-value systems and backups.
Hades is a ransomware group first observed in December 2020, believed by several threat intelligence firms to be operated by, or closely linked to, the Evil Corp cybercrime syndicate. The group has primarily targeted large enterprises in the United States, Canada, and Germany, conducting big-game hunting operations. Hades is not known to operate as an open Ransomware-as-a-Service (RaaS) platform; instead, attacks appear to be conducted by the core operators. It uses a double-extortion model, encrypting systems and threatening to leak stolen data via a Tor-based portal. The ransomware payload is typically deployed after extensive network reconnaissance and lateral movement, often through compromised VPN credentials and exploitation of exposed services. Encrypted files are appended with the .hades extension, and ransom notes direct victims to unique Tor portals for negotiation. Notable sectors affected include manufacturing, transportation, and consumer goods.
Handala (also known as Handala Hack Team, Hatef, Hamsa) is a pro-Palestinian hacktivist group first observed in December 2023. Its operations focus on politically motivated cyber campaigns targeting Israeli entities and organizations associated with Israel globally. Handala employs destructive tactics—primarily using multi-stage wiper malware that affects both Windows and Linux systems—alongside data theft and public exposure through leak sites. They are also known for orchestrating phishing campaigns that masquerade as legitimate alerts (e.g., spoofing CrowdStrike), followed by disabling defenses, injection via AutoIT or Delphi loaders, and destructive payload deployment.
Haron is a ransomware group that emerged in July 2021 and is believed to share operational similarities with the Avaddon ransomware, which shut down the month prior. Haron uses a double-extortion model—encrypting victims’ data and threatening to publish stolen files on a Tor-based leak site. The ransomware is written in C# and uses the Salsa20 encryption algorithm with RSA-1024 for key protection. File extensions are typically not changed during encryption, but ransom notes named HOW TO RESTORE YOUR FILES.txt are dropped across affected systems. Initial access methods are not comprehensively documented in public sources but may include phishing campaigns and exploitation of exposed RDP services. Haron’s leak site and negotiation structure closely resemble Avaddon’s, suggesting either code reuse or a shared affiliate network.
HellCat is a relatively recent ransomware group first observed in late 2024, known for its data-theft and extortion campaigns targeting high-profile organizations. It operates a double-extortion model, exfiltrating sensitive information and threatening to publish it on its Tor-based leak site if ransom demands are not met. The group has been linked to multiple significant breaches, including incidents involving Schneider Electric and Capgemini, where large volumes of corporate data were allegedly stolen. HellCat’s payloads and leak infrastructure suggest a custom-built platform rather than a widely shared RaaS, and some incidents have involved only data exposure without confirmed encryption events. The group has drawn attention for recruiting or collaborating with high-profile threat actors, including the persona “Grep,” who acts as a public representative in some extortion cases.
Helldown is an emerging ransomware group first identified in August 2024, known for its fast-evolving and cross-platform threat capabilities. It exploits critical vulnerabilities—most notably CVE-2024-42057 in Zyxel firewalls—for initial access and demonstrates modular design and anti-detection mechanisms. Helldown targets both Windows and Linux environments, including VMware and ESXi systems. It employs a double-extortion strategy: encrypting files with randomized extensions via executables like hellenc.exe, and threatening victims with data dump releases via its Tor-hosted leak site.
HelloKitty is a ransomware family first observed in November 2020, named after a string found in its binary. It operates as a human-operated, big-game hunting ransomware, manually deployed after network intrusion and reconnaissance. HelloKitty uses a double-extortion model—encrypting files and threatening to leak stolen data on a Tor-based site. The malware encrypts files using AES-256 in CBC mode with RSA-2048 to protect keys, appending extensions such as .crypted or campaign-specific suffixes. Distribution typically occurs via compromised RDP credentials, phishing, or exploitation of known vulnerabilities. The group gained notoriety in February 2021 after attacking CD Projekt Red, the developer of The Witcher and Cyberpunk 2077, stealing source code for several games. Subsequent variants have targeted both Windows and Linux systems, including ESXi servers.
Help_restoremydata is a ransomware variant identified around late 2024/early 2025, notable for appending the .help_restoremydata extension to encrypted files. It changes the victim’s desktop wallpaper and drops a ransom note titled HOW_TO_RECOVERY_FILES.html to instruct victims on how to pay for decryption. Initial discovery appears to stem from underground forum monitoring and threat intelligence assessments, marking it as emerging but not widely distributed. Technical details beyond these behaviors—such as encryption algorithms or distribution mechanisms—have not been documented in major cybersecurity advisories.
.help_restoremydata
ext : .help_restoremydata
note : HOW_TO_RECOVERY_FILES.html
Hermes is a ransomware family first observed in the wild in February 2017, believed to have been developed by a group operating out of Asia. It originally appeared as a Ransomware-as-a-Service (RaaS) offering on underground forums but later saw deployment in targeted attacks. Hermes uses AES-256 encryption to lock victim files and appends a variety of extensions (including .hrm and campaign-specific variants). The ransom note, often named DECRYPT_INFORMATION.html or DECRYPT_INFORMATION.txt, provides payment instructions via email. The ransomware gained notoriety in 2018 when it was used as a destructive wiper in the Far Eastern International Bank (FEIB) heist in Taiwan, where attackers deployed Hermes to cover their tracks after a SWIFT fraud operation. Over time, Hermes code has been re-used and integrated into other ransomware families, including some Ryuk builds, suggesting code sharing or purchase from the original developer. Distribution vectors have included phishing campaigns, malicious attachments, and exploitation of RDP services.
Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by Ransomware-as-a-service providers, to enable novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe.
In 2022 there was a switch from GoLang to Rust.
HolyGhost is a ransomware group first publicly reported in July 2022, believed to be operated by a North Korean state-sponsored threat actor tracked as APT43 or Andariel, a subgroup of the Lazarus Group. The group has been active since at least June 2021, using a double-extortion model that combines encryption of victim files with threats to leak stolen data via a Tor site. Early HolyGhost variants (BTLC_C.exe) used a custom file extension .h0lyenc, while later builds added more robust encryption, obfuscation, and evasion capabilities. Targeted victims include small and medium-sized businesses in manufacturing, finance, education, and event planning, primarily in the United States, South Korea, Brazil, and India. Intrusion methods include exploitation of vulnerable public-facing applications, credential theft, and possibly the use of purchased access from other threat actors. Unlike purely criminal groups, HolyGhost is suspected of being leveraged for both revenue generation and strategic cyber operations in support of DPRK objectives.
Hotarus is a ransomware and data extortion group first observed in March 2021, believed to be linked to threat actors of Latin American origin. The group has targeted entities in South America and the United States, including financial institutions, government agencies, and private companies. Hotarus is known for deploying both custom ransomware and publicly available tools, alongside stealing sensitive information for double-extortion purposes. The group has been observed exploiting vulnerable web services, using stolen credentials, and leveraging publicly available post-exploitation frameworks to gain persistence in victim networks. Encrypted files are typically appended with extensions such as .hotarus or campaign-specific identifiers, and ransom notes direct victims to communicate via encrypted email services. Notably, in some campaigns, Hotarus deployed data leak threats without encrypting files, focusing solely on exposure as a pressure tactic.
Hunters International is a ransomware group first identified in October 2023, believed to have taken over or rebranded from the now-defunct Hive ransomware operation. Shortly after its emergence, security researchers found significant code overlaps with Hive, suggesting that Hunters International either acquired Hive’s source code or involved former Hive developers. The group operates a double-extortion model—encrypting victim data and threatening to leak it on a Tor-based site. It has targeted organizations worldwide across healthcare, manufacturing, education, and government sectors. The ransomware is written in Rust, supports both Windows and Linux/ESXi environments, and appends extensions such as .locked to encrypted files. Initial access is typically obtained via compromised RDP credentials, phishing campaigns, or vulnerabilities in exposed systems.
Insane is a relatively obscure ransomware family first reported in late 2021, with few confirmed incidents in public threat intelligence. It encrypts victim files using symmetric encryption (AES) combined with RSA for key protection and appends the .insane extension to affected files. The ransom note, typically named INSANE_README.txt, directs victims to contact the operators via email for decryption instructions. Based on limited reporting, Insane does not appear to operate as a Ransomware-as-a-Service (RaaS) platform; instead, it seems to be deployed by the core operators in targeted attacks. Initial access methods are not well-documented, but suspected vectors include phishing attachments and exploitation of exposed RDP services. The group’s small footprint in open-source intelligence suggests limited distribution or use in highly selective campaigns.
Jaff is a ransomware family first discovered in May 2017, notable for its distribution via large-scale spam campaigns operated by the Necurs botnet. These campaigns delivered malicious PDF attachments that contained embedded Word documents with macros, which, when enabled, downloaded the ransomware payload. Jaff encrypts victim files using RSA and AES encryption and appends extensions such as .jaff, .wlu, or .sVn depending on the variant. The ransom note, typically named ReadMe.html or ReadMe.bmp, directs victims to a payment site hosted on the Tor network. The ransomware demands payment in Bitcoin and displays a custom payment portal interface. Jaff was initially believed to be linked to the Locky ransomware operators due to similarities in distribution methods, ransom portal design, and its use of Necurs, though later analysis suggested it was operated by a separate group. Its activity was short-lived, with most campaigns ceasing within weeks of its discovery.
Jigsaw is a ransomware family first observed in April 2016, notorious for its psychological intimidation tactics. It encrypts files using AES encryption and appends various extensions (e.g., .fun, .kkk, .btc) depending on the variant. The ransomware’s ransom note features imagery of the “Billy” puppet from the Saw movie franchise and displays a countdown timer. Jigsaw is unique in that it deletes a portion of the victim’s files every hour until the ransom is paid, escalating the number of deletions over time to increase pressure. The note typically instructs victims to pay in Bitcoin via email communication. The malware is written in .NET, and numerous versions have circulated since its emergence, many of which are decryptable due to coding flaws. Jigsaw has mainly been spread via malicious email attachments and exploit kits. While it had a period of high activity in 2016–2017, most modern antivirus tools can easily detect and block it.
JSWorm is a ransomware family that first appeared in May 2019 and is notable for undergoing multiple rebrands and evolutions, later appearing under names such as Nemty, Nefilim, Offwhite, Fusion, and Milihpen. Initially, it was distributed via malicious spam emails containing JavaScript files, hence the “JS” in its name. Later versions moved to targeted intrusions, leveraging compromised RDP services and vulnerable network appliances for initial access. JSWorm encrypts files using AES-256 encryption with RSA-2048 for key protection and appends campaign-specific extensions (e.g., .JSWORM, .Nemty, .Nephilim). The group adopted a double-extortion model in its later stages, stealing data before encryption and threatening to leak it via Tor-hosted sites. Its victimology spans various sectors worldwide, including manufacturing, energy, healthcare, and professional services. The continuous rebranding suggests an effort to evade detection, disrupt attribution, and maintain pressure on victims.
Karakurt is a financially motivated cybercrime group first publicly identified in June 2021, specializing in data extortion without file encryption. Instead of deploying ransomware to lock systems, Karakurt focuses on gaining access to victim networks, exfiltrating sensitive data, and threatening to leak it on its Tor-based site unless payment is made. The group has targeted victims across North America and Europe in industries including healthcare, manufacturing, education, and professional services. Intrusion methods include phishing, exploitation of vulnerabilities, and purchasing access from initial access brokers. Karakurt’s leak site lists stolen files in stages to pressure victims, sometimes publishing entire data sets if ransoms are not paid. The group is believed to have operational links to the Conti ransomware syndicate, based on shared infrastructure, overlapping victimology, and timing of activity.
Karma is a ransomware group first observed in November 2021, operating a double-extortion model that combines data theft with encryption. The group primarily targets enterprises across various sectors, including healthcare, manufacturing, and technology, with confirmed victims in North America, Europe, and Asia. Karma is believed to be a rebrand or evolution of the FiveHands ransomware, itself derived from the earlier HelloKitty codebase, based on overlaps in encryption methods and ransom portal design. The ransomware appends the .KARMA extension to encrypted files and leaves ransom notes named KARMA-README.txt, directing victims to a Tor-based negotiation site. Initial access is typically obtained through compromised VPN credentials, exploitation of vulnerabilities in public-facing systems, and use of access brokers. Unlike some groups, Karma operators claim to avoid encrypting systems in healthcare emergency services, instead focusing on exfiltration and extortion.
Kasseika is a ransomware variant first publicly reported in January 2024, identified as a new evolution of the BlackMatter/LockBit ransomware codebase. The malware appends the .kasseika extension to encrypted files and uses a double-extortion model, combining file encryption with threats to publish stolen data on a Tor-based leak site. Early analysis revealed that Kasseika shares several traits with LockBit 3.0, including encryption routines, obfuscation methods, and ransom note structure, but with modified branding and negotiation portals. Initial access vectors have not been widely confirmed, though patterns from related ransomware suggest the use of compromised credentials, RDP exploitation, and vulnerabilities in public-facing services. Victims have been observed in North America, Europe, and Asia, spanning industries like manufacturing, logistics, and professional services.
Kelvin Security is a cybercrime group active since at least 2013, primarily known for hacktivism, data breaches, and website defacements rather than traditional ransomware operations. The group has claimed responsibility for intrusions targeting government agencies, educational institutions, and private companies across multiple regions, including Latin America, Europe, and the Middle East. While it has engaged in data theft and leak threats, there is no confirmed evidence that Kelvin Security operates a ransomware encryption component. Instead, their extortion model focuses on stealing sensitive data and threatening public disclosure, often publicizing breaches via social media and underground forums. The group’s activities have been linked to politically motivated campaigns as well as financially motivated breaches. Victim selection appears opportunistic, exploiting vulnerabilities in web servers, poorly configured databases, and exposed credentials.
Knight is a Ransomware-as-a-Service (RaaS) operation first observed in August 2023, believed to be a rebrand or evolution of the Cyclops ransomware family. The ransomware targets both Windows and Linux/ESXi systems, encrypting files with strong symmetric and asymmetric cryptography and appending the .knight extension. Knight affiliates employ a double-extortion model, stealing sensitive data before encryption and threatening to leak it via a Tor-based site. Distribution methods include phishing campaigns delivering malicious attachments, exploitation of vulnerabilities in public-facing services, and use of previously compromised credentials. The ransomware is modular, allowing affiliates to deploy only the components needed for a given environment, and has been used in attacks on healthcare, manufacturing, finance, and technology sectors across North America, Europe, and Asia. Knight’s leak site lists victims with partial data dumps to pressure payment, escalating to full leaks if negotiations fail.
Kraken leak blog (hellokitty)
Kraken is a ransomware family first observed in August 2018 as a Ransomware-as-a-Service (RaaS) operation promoted on underground forums. The malware encrypts files with AES encryption (keys protected with RSA) and appends the .kraken extension to encrypted files. Early versions distributed by affiliates were bundled with Azorult spyware, enabling credential and cryptocurrency wallet theft before encryption. Kraken’s operators enforced strict rules for affiliates, including geographic restrictions on attacks, and provided customizable ransom notes and payment portals. Victims were instructed to pay in Bitcoin via Tor-hosted sites. Distribution methods included malicious email attachments, compromised RDP services, and downloads from malicious or compromised websites. Although its activity declined significantly after late 2018, Kraken remains notable for its hybrid model of ransomware deployment combined with credential theft.
Kuiper is a relatively new ransomware strain first analyzed in April 2023, notable for being written in Rust and designed to target multiple platforms, including Windows, Linux, and ESXi environments. The ransomware encrypts files with ChaCha20 symmetric encryption, securing keys with Curve25519, and appends the .kuiper extension to affected files. Kuiper operates under a double-extortion model, exfiltrating data before encryption and threatening to leak it on a Tor-hosted site if the ransom is not paid. Initial infection vectors are not widely documented, but analysis suggests potential use of compromised credentials, phishing, or exploitation of exposed services. The ransomware contains evasion techniques such as process termination, shadow copy deletion, and targeting of backup files to hinder recovery. Public reporting on Kuiper remains limited, indicating it may be in an early operational stage or used by a small number of actors.
Lapsus$ is a cyber extortion group first observed in late 2021, known for high-profile breaches and data theft campaigns against major global companies rather than traditional ransomware encryption. The group primarily focuses on data exfiltration and public leak threats without encrypting victim systems. Lapsus$ uses a combination of social engineering, SIM swapping, MFA fatigue attacks, and purchasing access from insiders or access brokers to infiltrate corporate networks. Their victim list includes Microsoft, Okta, NVIDIA, Samsung, Uber, and telecom operators, with operations targeting multiple regions worldwide. Once inside, Lapsus$ actors exfiltrate source code, proprietary data, and customer information, often leaking samples to pressure victims into negotiation. The group is known for a brash and public-facing style, communicating directly with followers on Telegram channels and occasionally mocking victims. Several members, including minors, have been arrested in the UK, but the group’s activities have persisted in some form.
In the cyber-undergrounds, we're exploring shadowed corridors of the digital world in search of inside information. we’re a digital watchdog operating at the intersection of cybersecurity, internet freedom, and investigative journalism. We delve into the hidden corners of the web, exposing truths and uncovering stories that are often buried by mainstream media or distorted by corporate interests.
This project isn’t just for tech experts or privacy advocates. It’s for everyone who values transparency, freedom, and integrity in a connected world. Operating independently, we’re free from corporate influence and political bias, enabling us to report with uncompromising honesty. Our work resonates with a diverse audience cybersecurity experts, digital rights activists, journalists, and anyone who values an internet free from control.
In a world where the lines between truth and agenda grow increasingly blurred, we’re building something bold, the space where the truth of the internet can be uncovered, untamed and unfiltered. Our project is an independent voice for digital freedom, committed to shining a light on the internet’s most vital and vulnerable spaces: cybersecurity, privacy, and the right to information without compromise.
In a landscape clouded by agendas and profit, we are here to do one thing: deliver the truth, boldly and beautifully. Join us as we push back against the systems that seek to compromise our digital freedoms and carve a path toward a more transparent, liberated internet.
Tesorion describes Lorenz as a ransomware with design and implementation flaws, leading to impossible decryption with tools provided by the attackers. A free decryptor for 2021 versions was made available via the NoMoreRansom initiative. A new version of the malware was discovered in March 2022, for which again was provided a free decryptor, while the ransomware operators are not able to provide tools to decrypt affected files.
Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.
Actors are known to exfiltrate the data from the network for further extortion. It spreads mainly using email spam and various exploit kits (Spelevo, Fallout).
The code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions using signature-based detections.
We are a group of young people who identify themselves as specialists in the field of network security with at least 15 years of experience. This blog and this work are ONLY commercial use, besides not the main one. We have nothing to do with politics, intelligence agencies and the NSB. If you are a hunter of other people's data, then download any files and (or) wait until the time expires for others and the files will be available here. If you have any personal suggestions, we are ready to consider them. Contact us on the "contacts" page. There are a lot of other data, for various reasons, not posted here and we can discuss their sale or transfer under certain conditions. Also, every incident is notified to all possible press in the region and data not intended for sale is transmitted to breached and similar forums. Subscribe to RSS, add to favorites, visit us more often.
This malware written in C# is a variant of the Thanos ransomware family and emerged in October 2021 and is obfuscated using SmartAssembly. In 2022, ThreatLabz analysed a report of Midas ransomware was slowly deployed over a two month period (ZScaler). This ransomware features also its own data leak site as part of its double extortion strategy.
Mimic v.10 Ransomware-as-a-Service (RaaS). The malware is designed to target various operating systems (Windows, ESXi, NAS, FreeBSD) and features network-wide deployment, file obfuscation, backup destruction, UAC bypass, and multithreaded encryption. The service offers additional tools like NTLM password decryption and call-based extortion. They prohibit attacks on CIS countries and require active participation, with decryption tools available for a fee currently 800USD.
According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of the RaaS component, which was switched to email communications for payments. Uses AES-128, which is then protected RSA2048.
Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed through similar ways as Sodinokibi and also noted artfifacts they had seen before in Gandcrab.
ABOUT US:
"Pure Extraction And Ransom (PEAR) Team is the community of highly responsible and strictly disciplined members. We are a private team and have nothing common with any other threat actors. We've been monitoring this field for a long-long time. So, we understand all the processes and know well how it all works."
PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.
Mespinosa is a ransomware which encrypts file using an asymmetric encryption and adds .pysa as file extension. According to dissectingmalware the extension "pysa" is probably derived from the Zanzibari Coin with the same name.
According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.
Our team members are from different countries and we are not interested in anything else, we are only interested in dollars.
We do not allow CIS, Cuba, North Korea and China to be targeted.
Re-attacks are not allowed for target companies that have already made payments.
We do not allow non-profit hospitals and some non-profit organizations be targeted.
REvil Beta
MD5: bed6fc04aeb785815744706239a1f243
SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf
SHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
* Privilege escalation via CVE-2018-8453 (64-bit only)
* Rerun with RunAs to elevate privileges
* Implements a requirement that if "exp" is set, privilege escalation must be successful for full execution to occur
* Implements target whitelisting using GetKetboardLayoutList
* Contains debug console logging functionality
* Defines the REvil registry root key as SOFTWARE\!test
* Includes two variable placeholders in the ransom note: UID & KEY
* Terminates processes specified in the "prc" configuration key prior to encryption
* Deletes shadow copies and disables recovery
* Wipes contents of folders specified in the "wfld" configuration key prior to encryption
* Encrypts all non-whitelisted files on fixed drives
* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe
* Partially implements a background image setting to display a basic "Image text" message
* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)
------------------------------------
REvil 1.00
MD5: 65aa793c000762174b2f86077bdafaea
SHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457
SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc
* Adds 32-bit implementation of CVE-2018-8453 exploit
* Removes console debug logging
* Changes the REvil registry root key to SOFTWARE\recfg
* Removes the System/Impersonation success requirement for encrypting network mapped drives
* Adds a "wipe" key to the configuration for optional folder wiping
* Fully implements the background image setting and leverages values defined in the "img" configuration key
* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT
* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL
* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data
------------------------------------
REvil 1.01
MD5: 2abff29b4d87f30f011874b6e98959e9
SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c
SHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb
* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level
* Makes encryption of network mapped drives optional by adding the "-nolan" argument
------------------------------------
REvil 1.02
MD5: 4af953b20f3a1f165e7cf31d6156c035
SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299
SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4
* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage
* Partially implements "lock file" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)
* Enhances folder whitelisting logic that take special considerations if the folder is associated with "program files" directories
* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories
* Hard-codes whitelisting of "sql" subfolders within program files
* Encrypts program files sub-folders that does not contain "sql" in the path
* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted
* Encodes stored strings used for URI building within the binary and decodes them in memory right before use
* Introduces a REvil registry root key "sub_key" registry value containing the attacker's public key
------------------------------------
REvil 1.03
MD5: 3cae02306a95564b1fff4ea45a7dfc00
SHA1: 0ce2cae5287a64138d273007b34933362901783d
SHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf
* Removes lock file logic that was partially implemented in 1.02
* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)
* Encodes stored shellcode
* Adds the -path argument:
* Does not wipe folders (even if wipe == true)
* Does not set desktop background
* Does not contact the C2 server (even if net == true)
* Encrypts files in the specified folder and drops the ransom note
* Changes the REvil registry root key to SOFTWARE\QtProject\OrganizationDefaults
* Changes registry key values from --> to:
* sub_key --> pvg
* pk_key --> sxsP
* sk_key --> BDDC8
* 0_key --> f7gVD7
* rnd_ext --> Xu7Nnkd
* stat --> sMMnxpgk
------------------------------------
REvil 1.04
MD5: 6e3efb83299d800edf1624ecbc0665e7
SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d
SHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6
* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)
* Removes the folder wipe capability
* Changes the REvil registry root key to SOFTWARE\GitForWindows
* Changes registry key values from --> to:
* pvg --> QPM
* sxsP --> cMtS
* BDDC8 --> WGg7j
* f7gVD7 --> zbhs8h
* Xu7Nnkd --> H85TP10
* sMMnxpgk --> GCZg2PXD
------------------------------------
REvil v1.05
MD5: cfefcc2edc5c54c74b76e7d1d29e69b2
SHA1: 7423c57db390def08154b77e2b5e043d92d320c7
SHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea
* Add new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence.
* Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The Reg Value used is the hardcoded value of 'lNOWZyAWVv' :
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lNOWZyAWVv
* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks persistence however as the target executable specified in the Run key will no longer exist once this is done.
* Changes registry key values from --> to:
* QPM --> tgE
* cMtS --> 8K09
* WGg7j --> xMtNc
* zbhs8h --> CTgE4a
* H85TP10 --> oE5bZg0
* GCZg2PXD --> DC408Qp4
------------------------------------
REvil v1.06
MD5: 65ff37973426c09b9ff95f354e62959e
SHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e
SHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e
* Updated string decoding function to break existing yara rules. Likely the result of the blog posted by us.
* Modified handling of network file encryption. Now explicitly passes every possible "Scope" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the 'Resource Type" from RESOURCETYPE_DISK to RESOURCETYPE_ANY which will now include things like mapped printers.
* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'
* Changes registry key values from --> to:
* tgE --> 73g
* 8K09 --> vTGj
* xMtNc --> Q7PZe
* CTgE4a --> BuCrIp
* oE5bZg0 --> lcZd7OY
* DC408Qp4 --> sLF86MWC
------------------------------------
REvil v1.07
MD5: ea4cae3d6d8150215a4d90593a4c30f2
SHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e
SHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3
TBD
Risen, which is a fully optimized and high-speed program, is the result of our years of experience in the field of malware writing. Risen is written in C language and completely using winapi. We produced many products with different features and options, but we came to the conclusion that none of the options have the benefit and efficiency they should; So, instead of spending time on useless and inefficient options, we decided to spend all our time on the strength, speed and security of our cryptography, and that's how we created Risen. Software features in version 1:
-Encryption security, utilizing Chacha20 and RSA 2048 algorithms.
-High encryption speed and software optimization
-compatible with all versions of Windows on any hardware without any issues.
-Automatic option settings, its easy to using and default configuration set to the best mode.
-Utilization of Threadpool method and queue creation for encryption.
-A powerful file unlocker, unlock files without closing processes.
-Safe deletion of backups, shadow copies, and all windows logs.
-A blog, Leak website, and management panel on TOR for leaking data of non-paying companies.
Snatch is a ransomware which infects victims by rebooting the PC into Safe Mode. Most of the existing security protections do not run in Safe Mode so that it the malware can act without expected countermeasures and it can encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.
History and Origins
Origins: Formerly known as "Hunters International," active since late 2023, and believed to be a reincarnation of the Hive group.
Rebranding: In January 2025, Hunters International ceased file-encrypting attacks and reemerged under the WorldLeaks banner, focusing solely on data theft and extortion.
Tactics, Techniques, and Objectives
Model: Operates as an "extortion-as-a-service" (EaaS) platform. Affiliates are provided with tools to automatically extract data.
Exfiltration & Publication: Theft of sensitive data followed by a threat of publication on a Tor site if the victim refuses to pay
No encryption: The group abandons file encryption to focus on theft, reducing complexity and risk
Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and functions as a Ransomware as a Service (RaaS). From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.
Zeppelin actors gain access to victim networks via RDP exploitation [T1133], exploiting SonicWall firewall vulnerabilities [T1190], and phishing campaigns [T1566]. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups [TA0007]. Zeppelin actors can deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-223a
-cloaksuindexophp.png){kind=link}
-eraleignewscom.png){kind=link}
-wn6vonooq6fggjdgyocp7bioykmfjket7sbp47cwhgubvowwd7ws5pydonion.png){kind=link}
-basheqtvzqwz4vp6ks5lm2ocq7i6tozqgf6vjcasj4ezmsy4bkpshhydonion.png){kind=link}
-bashe4aec32kr6zbifwd5x6xgjsmhg4tbowrbx4pneqhc5mqooyifpidonion.png){kind=link}
-basherq53eniermxovo3bkduw5qqq5bkqcml3qictfmamgvmzovykyqdonion.png){kind=link}
-basherykagbxoaiaxkgqhmhd5gbmedwb3di4ig3ouovziagosv4n77qdonion.png){kind=link}
-bashete63b3gcijfofpw6fmn3rwnmyi5aclp55n6awcfbexivexbhyadonion.png){kind=link}
-bashex7mokreyoxl6wlswxl4foi7okgs7or7aergnuiockuoq35yt3adonion.png){kind=link}
-bashed52orwi7qoyvmcfkdnuaogta4inpojfd6cthzkp4qpsq64ux4adonion.png){kind=link}
-bashedl53memptddxzb4kr5mnkzse4fmhpqeq7jb4srndswar46nofidonion.png){kind=link}
-bashefe5uezp2jtxpk24b2pyfnnfyguicgrgqufgu57mfluegotbeaydonion.png){kind=link}
-bashei5oy4zvmf2letnupwhgprdkjyssm3zxj2oyr6wfezkf3elehzqdonion.png){kind=link}
-zhuobnfsddn2myfxxdqtpxk367dqnntjf3kq7mrzdgienfxjyllq4rqdonion.png){kind=link}
