Group profiles

0Mega

Description

0mega is a ransomware group first observed in May 2022, operating with a double extortion model: * Encrypting victim files (adding the .0mega extension) * Threatening to leak stolen data if ransom demands are not met. Ransom notes are named DECRYPT-FILES.txt and include victim-specific details and a Tor-based negotiation portal. Unlike typical Ransomware-as-a-Service (RaaS) operations, 0mega appears to work as a closed group, selecting a limited number of high-value targets. The group employs two main tactics: * Traditional ransomware encryption of on-premise systems. * Cloud-based extortion, compromising Microsoft 365 Global Admin accounts, creating unauthorized admin users, and exfiltrating data via SharePoint. Active period: May 2022 – January 2024

parsing : enabled

Links

2023Lock

Description

2023Lock is a ransomware strain first observed in January 2024, believed to be an evolution of the Venus and Zeoticus families and a direct precursor to the later TrinityLock variant. It employs a hybrid encryption method combining XChaCha20 and curve25519xsalsa20poly1305, appending the “.2023lock” extension to encrypted files. Upon infection, it delivers ransom notes in HTML, TXT, and HTA formats containing decryption instructions. Unlike many modern ransomware groups, there is no evidence that 2023Lock engages in double extortion or data exfiltration, operating purely through file encryption to pressure victims into payment. Its codebase and operational patterns strongly align with TrinityLock, which emerged a few months later with more sophisticated extortion tactics.

Links

3Am

Description

3AM, also known as ThreeAM, is a relatively new ransomware family that emerged in late 2023, initially deployed as a fallback option when LockBit infections failed. Written in Rust for 64-bit systems, it appends the “.threeamtime” extension to encrypted files and tags them with the marker “0x666,” while deleting Volume Shadow Copies to hinder recovery. 3AM operators use a double extortion strategy, combining file encryption with data theft and threats to leak stolen information. More recent campaigns have shown increased sophistication, incorporating email bombing followed by vishing calls to convince victims to grant remote access via Microsoft Quick Assist. Attackers then deploy virtual machines containing backdoors, allowing them to remain undetected while exfiltrating data before attempting to launch the ransomware payload.

parsing : enabled

Links

8Base

Description

8Base emerged in early 2022 and rapidly escalated its ransomware operations by mid-2023, positioning itself as a “simple pen tester” while executing a relentless double-extortion scheme: encrypting files using AES-256 CBC mode (appending the “.8base” extension) and threatening to leak stolen data via a Tor-accessible leak site. The group leverages initial access methods such as phishing and SmokeLoader, disables security mechanisms like Volume Shadow Copy and firewalls, and deploys persistence via registry and startup entries. Targeting primarily small and medium-sized organizations across sectors such as manufacturing, finance, IT, and healthcare in regions including the U.S., Brazil, and Europe, 8Base has drawn comparisons to Phobos and RansomHouse for its tactics and ransom-note style. In early 2025, international law enforcement operations disrupted the group, resulting in the arrest of four key actors, seizure of servers, and warnings to hundreds of potential victims.

parsing : enabled

Links

A1Project

Description

The locker is written in C/C++/ASM. It supports all systems starting from Windows 2003, has a separate binary for ESXi, and uses a unified encrypted file format across all systems. WINDOWS: • Two encryption modes: patch-based and file header. • Extensive configuration settings: from ignoring specific paths/extensions to terminating services/processes, unlocking occupied files, working with network shares, and more. • Arguments available for shutting down Hyper-V virtual machines, deleting backups, network scanning with logged-in user tokens. • Each build includes an obfuscated PowerShell script. • Execution is password-protected. • The locker itself is shellcode for x86/x64; if you have custom execution methods, we can provide the shellcode. ESXI: • Encrypts files in patches, with configurable path exclusions. The default configuration is pre-set to avoid disrupting Windows/ESXi/Linux systems. Our commission is 20% of payouts

Links

Abrahams_Ax

Description

Abrahams_Ax, first observed in November 2022, is not a Ransomware-as-a-Service (RaaS) operation but a politically motivated hacktivist persona. The group is linked to the Iranian-associated threat actor COBALT SAPLING, which previously operated as Moses Staff. It uses double-extortion tactics focused on stealing and leaking sensitive data rather than encrypting files. Infrastructure, visual branding, and operational patterns strongly resemble those of Moses Staff, suggesting a shared origin. Its most notable incident was the breach of the Saudi Arabian Ministry of Interior, where stolen data was published alongside propaganda content. The group’s targeting appears to align with Middle Eastern geopolitical interests, particularly against Israeli- and Saudi-linked entities. No encryption methods or file extensions are publicly documented, as encryption is not part of their operations.

Links

Abyss-Data

Description

Abyss‑Data, also known as Abyss Locker, is a ransomware operation first identified around March 2023. It conducts double extortion by exfiltrating data and encrypting systems—particularly targeting VMware ESXi virtual environments—then threatening to leak stolen data via a TOR-based leak site if ransom demands aren't met. The group’s Linux variant derives from the Babuk ransomware source code with encryption resembling HelloKitty, using ChaCha–based ciphers. On Windows, Abyss Locker encrypts files (typically appending “.abyss” or randomized extensions), deletes Volume Shadow Copies, manipulates boot policy to disable recovery, and delivers ransom notes (e.g., WhatHappened.txt), often replacing the desktop wallpaper as part of its extortion tactics. Its campaigns have targeted diverse industries—finance, healthcare, manufacturing, technology—across multiple regions, with victim lists prominently featuring organizations in North America.

parsing : enabled

Links

Adminlocker

Description

AdminLocker was first observed around December 2021 and appears to be a lone operator or small group, with no clear Ransomware-as-a-Service (RaaS) model reported. It uses single-extortion tactics—encrypting files without publicly documented data exfiltration—primarily targeting enterprise and personal systems via methods such as malicious email attachments, cracked software installers, P2P downloads, and malvertising. The ransomware employs symmetric and asymmetric encryption (likely AES combined with RSA) to lock files, appending extensions such as .admin1, .admin2, .admin3, .1admin, .2admin, and .3admin; victims receive a “!!!Recovery File.txt” ransom note with instructions to pay via Tor and Bitcoin. Notable for its multiple simultaneous variants with varied extensions, it reportedly allows victims to decrypt up to five small files as “proof” before demanding ransom. No high-profile sector- or region-specific campaigns are publicly documented.

Links

Agl0Bgvycg

Description

This ransomware group (notably stylized as aGl0bGVyCg) has extremely limited publicly available information. No confirmed active period is documented, nor is there evidence of whether it operates as a RaaS (Ransomware-as-a-Service). Similarly, there is no known data about its extortion type (single or double), preferred targets, intrusion methods, encryption techniques, file extensions, or ransom note behavior. The only identifiable detail is the blog URL hitleransomware.cf, which appears to serve as its public-facing leak or command-and-control site. Overall, public threat intelligence remains too sparse to draw even basic conclusions beyond the existence of the blog site.

Links

Ailock

Description

AiLock is a Ransomware-as-a-Service (RaaS) group first identified in March 2025. It employs a double-extortion approach—encrypting files and threatening to report breaches to regulators or share stolen data with competitors if the ransom isn’t paid. Victims have just 72 hours to respond and up to five days to pay; failure to pay results in data leaks and destruction of recovery tools. The ransomware appends the extension .AiLock to encrypted files, changes file icons to a green padlock with the “AiLock” name, and replaces the desktop wallpaper with a distinctive robot-skull logo. It employs a hybrid encryption scheme, combining ChaCha20 for file encryption with NTRUEncrypt for securing metadata, and uses a multi-threaded design (path-traversal and encryption threads with IOCP) for efficiency. While active campaigns and leak sites are confirmed, specific sectors, regions, and intrusion methods remain undisclosed in public sources.

Links

Akira

Description

Akira is a ransomware group first observed in March 2023, targeting both Windows and Linux environments, with a particular focus on corporate networks and VMware ESXi servers. The group employs a double extortion model, stealing sensitive data before encrypting systems and threatening to leak it on a Tor-based leak site if ransom demands are not met. Akira typically gains initial access through exploitation of unpatched VPN services, compromised RDP credentials, phishing, or abuse of legitimate remote administration tools. Its Windows variant uses the Windows CryptoAPI to encrypt files, appending the “.akira” extension while skipping critical system folders to maintain system stability. Ransom demands have ranged from $200,000 to over $4 million, typically requested in Bitcoin, and the group has been linked to high-profile incidents affecting education, manufacturing, and healthcare sectors. Akira appears to operate independently rather than as a Ransomware-as-a-Service, and continues to evolve, with recent variants improving encryption speed and evasion techniques.

parsing : enabled

Links

Ako

Description

First observed in early January 2020 (initial victim post on January 9, 2020), Ako (also known as MedusaReborn) operates under a Ransomware-as-a-Service (RaaS) model, with daily beta builds reportedly offered for affiliates. It uses a double-extortion approach—encrypting files and exfiltrating data, with subsequent threats to leak the data via a dedicated leak site. Delivery primarily occurs via malspam, often through password-protected ZIP attachments containing malicious .scr executables. After compromise, it deletes shadow copies and disables recovery, then encrypts files—excluding certain extensions—and appends random six-character suffixes, dropping files like ako-readme.txt and id.key. Encryption is carried out using unspecified algorithms, but its behavior aligns closely with MedusaLocker variants. Known targets include networked Windows environments, potentially across multiple sectors. No notably high-profile or geographically specific incidents are detailed.

Links

Alphv

Description

ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021. ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network.

parsing : enabled

Links

Amnesia

Description

Amnesia ransomware was first identified in May 2017, particularly affecting enterprise cloud environments. It does not appear to operate as Ransomware-as-a-Service (RaaS), and there is no public indication of a provider-led affiliate structure. The extortion model is single-stage—primarily file encryption without documented data theft or leak threats. It targets specific file types and resets their modified timestamps. Encrypted files may receive suffixes such as .amnesia, .@decrypt2017, .[Help244@Ya.RU].LOCKED, .CTB-Locker, and several others. Common ransom notes include files named HOW TO RECOVER ENCRYPTED FILES.TXT or RECOVER-FILES.HTML, typically placed in every folder. Executable names associated with its delivery include variants like guide.exe, update.exe, Happier.exe, bstarb.exe, among others. The encryption algorithm is AES-256, implemented in Delphi, and victims are instructed to contact the attackers via email addresses (e.g., decrypt@india.com). No high-profile incidents or geographic patterns have been publicly attributed to Amnesia.

Links

Ank

Links

Antibrok3Rs

Description

Antibrok3rs emerged as an access broker (not a ransomware operator itself) linked to the aftermath of the 2023 MOVEit supply-chain exploitation. From November 2024 through early 2025, this actor has posted stolen data from at least 15 energy-sector victims, including U.S. utilities such as CenterPoint Energy, Entergy, Nevada Energy, and Appalachian Power—data likely obtained via the MOVEit breach. While some analysts suspected ties to the Cl0P ransomware collective, Antibrok3rs publicly denied any such affiliation. The extortion model centers on data leakage without accompanying file encryption—a purely leak-based threat. No delivery, encryption, or ransom note behaviors have been observed, nor is there evidence of RaaS activity.

Links

Anubis

Description

Anubis is a financially motivated cybercrime group primarily known for its banking trojan operations but also linked to ransomware activity targeting corporate networks. First identified in 2016 and evolving over time, Anubis ransomware attacks have targeted Windows systems, often deployed after initial compromises by the Anubis banking malware or other access vectors such as phishing, malicious email attachments, or exploitation of unpatched vulnerabilities. The group’s ransomware encrypts files using strong symmetric encryption algorithms, appending distinctive extensions and delivering ransom notes with payment instructions via Tor. Anubis has targeted multiple sectors worldwide, including finance, retail, and government, often combining ransomware with credential theft and data exfiltration to maximize pressure on victims. Its infrastructure and tactics overlap with other financially motivated actors, suggesting possible affiliate or shared tool usage within broader cybercriminal ecosystems.

parsing : enabled

Links

Apos

Description

Apos ransomware surfaced in April 2024 and is best characterized as a data‑broker or leak‑only operation, rather than a traditional file‑encryption ransomware. It has not been observed to conduct encryption, but instead focuses on data exfiltration with threats to leak or sell the stolen information. Targets span sectors such as technology, healthcare, manufacturing, business services, telecommunications, and government—with significant victimology in Brazil, the United States, India, France, Paraguay, and Spain. Reporting suggests its activity tapered off after a few incidents, possibly indicating a one-time campaign or short-lived operation. Though some sources list multiple victims, technical details such as encryption algorithms, ransom notes, or extortion pricing are not publicly documented. Apos is sometimes listed among new or industrial-focused threats observed in Q1 2025, but remains poorly defined in public technical intel.

parsing : enabled

Links

Aptlock

Description

Aptlock surfaced in early 2025 and is characterized by a single-extortion model combined with threats of data leakage. The ransomware encrypts files on Windows systems, appending the extension .aptlock, and then changes the victim’s desktop wallpaper. Victims receive a ransom note named read_me_to_access.txt informing them that their critical company data has been exfiltrated and will be deleted or leaked if they don’t act. They are given 72 hours to initiate contact via Tor-based chat access (using credentials provided in the note), with further warnings issued if no engagement occurs within 5 days. Specific details about intrusion vectors, encryption algorithms used, or known affiliate operators remain undisclosed in public threat intelligence. No reliable evidence links Aptlock to Ransomware-as-a-Service operations or lists any known affiliates.

Links

Arcane

Description

Arcane first emerged in mid-2021 under the UNC2190 cluster and later rebranded as Sabbath, continuing its operations against critical infrastructure like hospitals, schools, and educational entities. It follows a double-extortion model—encrypting data (using ROLLCOAST/Eruption malware) while also exfiltrating sensitive information and threatening to leak it. Victims have included institutions in the U.S. and Canada across sectors such as healthcare, education, and natural resources. Initial intrusion tactics involved deployment of Cobalt Strike with custom profiles, DLL-based in-memory execution, and signed TLS certificates, plus use of stealthy GET requests ending with “kitten.gif.” Specific encryption algorithms or file extensions have not been publicly confirmed. The group appears to operate in an affiliate-style model but remains under single management rather than a full RaaS platform.

Links

Arcrypter

Description

ArcRypt (also known as ARCrypter or ChileLocker) was first identified in August 2022, originally targeting government entities in Latin America and subsequently expanding globally. The group employs a single-extortion model—there is no evidence of a data-leak threat or RaaS ecosystem. The malware encrypts files using extensions such as .crypt, .crYpt, and .crYptA3, and uniquely drops the ransom note before commencing encryption. It has variants for both Windows and Linux, including a Go-based Linux version. Communication with victims occurs via Tor-based portals, evolving over time from a single shared site to individualized mirror sites for each victim. In some cases, threat actors have instructed victims to contact them using Tox, creating a Tox profile for communication. Targets have included Chile’s government infrastructure, Colombia’s Invima agency, and organizations in China and Canada.

Links

Arcus Media

Description

Arcus Media first emerged in May 2024 and operates as a Ransomware-as-a-Service (RaaS) with a double-extortion model—encrypting data and threatening to leak it if the ransom isn't paid. The group leverages advanced capabilities including selective encryption (partial encryption of large files with the ChaCha20 cipher and RSA‑2048 key protection), privilege escalation, disabling recovery mechanisms, and terminating critical services like SQL servers and email clients to maximize disruption and thwart defense. Initial access comes through phishing, credential theft, or exploitation of vulnerabilities, with lateral movement facilitated by tools like Mimikatz and Cobalt Strike. Since its debut, Arcus Media has — by mid‑2025 — been linked to 50+ confirmed attacks, spanning industries such as business services, retail, media, healthcare, and manufacturing across the Americas, Europe, and Asia. Victims include high-profile targets like Braz Assessoria Contábil and FILSCAP.

parsing : enabled

Links

Argonauts Group

Description

Argonauts Group is a data extortion operation that surfaced around September–October 2024, primarily targeting organizations in Italy, as well as entities in Taiwan, Japan, Canada, and the U.S. It does not appear to use conventional file-encryption ransomware methods—instead, it steals data and operates a dedicated data leak site (DLS) to pressure victims into paying. Victims span sectors like technology, manufacturing, transportation/logistics, and healthcare. The group has claimed to steal substantial volumes of sensitive information—e.g., 200 GB from Ivy Life Sciences (Taiwan) and 140 GB from Japan’s Zacros—and publicly disclosed some samples on its leak site. Although some references imply prior activity back to October 2021, these appear to be less reliable and not substantiated by authoritative intel. As of now, there is no clear evidence of traditional ransomware encryption, ransom notes, or RaaS infrastructure.

parsing : enabled

Links

Arkana Security

Description

Arkana Security emerged in early 2025, debuting with a high-profile data-extortion campaign against the U.S. internet provider WideOpenWest (WOW!). The group does not appear to deploy actual ransomware encryption; rather, it operates a data-broker-led, leak-centric extortion model, with a structured "Ransom → Sale → Leak" progression. Victims so far include WOW! and several other organizations across sectors such as telecommunications, mining, finance, electronics, and music/entertainment, spanning the U.S. and UK. Arkana facilitates its threats through doxxing and "Wall of Shame" tactics, leveraging psychological pressure rather than encrypting systems. Its operations are characterized by post-intrusion lateral movement and deep backend access.

parsing : enabled

Links

Arvinclub

Description

Arvin Club first appeared around early to mid-2021, debuting on its Tor leak site with posts dating back to May 5, 2021. While frequently characterized as ransomware, there is no verified evidence of file encryption or RaaS operations—its behavior aligns more closely with data-leak and hacktivist activity. The group actively publishes stolen data via its Onion site and maintains a prominent presence on Telegram, operating both official channels and group chats (notably with Persian-language content). A known target includes India's Kendriya Vidyalaya school network among others. Arvin Club has shown ideological leanings (notably support for REvil) and claims to have “hacktivist” motivations, including activities against the Iranian regime. No encryption algorithms, file extensions, or ransom notes have been publicly documented.

parsing : enabled

Links

Astralocker

Description

AstraLocker first appeared in 2021, likely as a fork of Babuk ransomware using leaked source code. It follows a single-extortion, smash-and-grab approach: distributed directly via phishing Microsoft Word documents containing embedded OLE objects. Once executed, it kills security and backup processes, deletes shadow copies, and encrypts files using modified HC-128 and Curve25519 algorithms, appending extensions like .Astra or .babyk. A “smash-and-grab” style attack, it’s less methodical than more sophisticated campaigns—deploying ransomware immediately upon user action rather than conducting prolonged network reconnaissance. In mid-2022, the operator ceased ransomware operations, releasing decryptors and announcing a pivot to cryptojacking.

Links

Atomsilo

Description

AtomSilo emerged in September 2021 and ceased operations by year-end 2021. It functioned with a double‑extortion model, combining file encryption with data exfiltration and leak threats. The malware uses a hybrid encryption scheme—AES‑256 for file encryption and RSA‑4096 to secure the AES key—and appends the extension .ATOMSILO to encrypted files. Ransom notes follow formats like README-FILE-{computer name}-{timestamp}.hta or ATOMSILO-README.hta. Structurally and operationally, AtomSilo closely resembles the LockFile ransomware and is attributed to the Chinese state-linked actor BRONZE STARLIGHT (aka Cinnamon Tempest, DEV‑0401, Emperor Dragonfly, SLIME34), likely serving as a smokescreen for espionage-driven data theft. Victims spanned multiple industries and countries, including notable high extortion demands up to $1 million USD. The group also exploited the Atlassian Confluence vulnerability (CVE‑2021‑26084) for initial access and used DLL side‑loading for stealthy deployment.

parsing : enabled

Links

Avaddon

Description

Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.

Links

Avos

Description

First observed in July 2021, AvosLocker operates as a Ransomware-as-a-Service (RaaS) platform employing a double-extortion model—encrypting files and exfiltrating data with threats to leak it publicly. Its affiliates have targeted diverse environments including Windows, Linux, and VMware ESXi, particularly impacting sectors such as education, government, manufacturing, and healthcare across the U.S., Canada, and numerous other countries. Affiliates gain access through phishing emails, exploitation of vulnerabilities (notably Microsoft Exchange ProxyShell/log4j, Zoho ManageEngine), and compromised remote services. Technically, AvosLocker uses AES (with RSA-wrapped keys) for file encryption, often executing in safe mode to bypass security defenses, and directs victims to ransom notes like GET_YOUR_FILES_BACK.txt while changing the desktop wallpaper. Its data leak site operated from mid-2021 until about July–August 2023. No activity has been observed since May 2023.

Links

Avoslocker

Description

AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities. In March 2022, the FBI and US Treasury Department issued a warning about the attacks.

parsing : enabled

Links

Axxes

Description

Axxes ransomware emerged as a rebranded version of the previously known Midas ransomware group, with roots also tracing back through Haron and Avaddon lineage. It operates via a single-extortion model, encrypting files and appending the .axxes extension. Victims receive both an “RESTORE_FILES_INFO.hta” and a “.txt” ransom note. The ransomware performs extra actions like determining the device’s geolocation, modifying the Windows Firewall, changing file extensions, and terminating processes using taskkill.exe. Its known targets span the U.S., UAE, France, and China, including at least one high-profile victim—The H Dubai hotel. This group appears financially motivated, leveraging historical branding and code of earlier groups for its operations.

Links

Aztroteam

Links

Azzasec

Description

We are AzzaSec — a decentralized PMC (Private Military Contractor), RaaS (Ransomware-as-a-Service) syndicate, and botnet operator at the intersection of cyberwarfare, asymmetric operations, and underground economics. Emerging from the collapse of traditional hacktivism, we evolved into a sovereign digital force. We offer custom offensive solutions to clients with political, financial, or strategic objectives. We are stateless, leaderless, and loyal only to code.

parsing : enabled

Links

B0 Group

Description

B0 is a relatively obscure ransomware operation with very limited public reporting outside of leak site monitoring. It appears to operate a data-extortion model, with a dedicated leak site on the Tor network, and no confirmed use of encryption-based ransomware in documented incidents. The group is listed in ransomware tracking services from at least mid-2024, but there are no major vendor reports describing their victimology, intrusion methods, encryption schemes, or specific targeting patterns. Its branding and operational style suggest a small, self-contained group rather than a large RaaS platform.

Links

Babuk-Bjorka

Description

On January 26th, Babuk's dedicated leak site (DLS) was "relaunched". Bjorka (Telegram: @bjorkanesiaaaa) is the current administrator. Upon launch, the DLS was populated mainly by victims previously claimed by other groups such as RansomHub, Lockbit3, and Funksec. At this current time there is no apparent connection to the original Babuk operation besides reusing the Babuk site template and logos. The groups is also known as Babuk2 by other trackers. It is important to note that the original Babuk DLS was hosted and available up until February 26th, 2024.

parsing : enabled

Links

Babuk-Locker

Description

Babuk‑Locker emerged in early 2021 as a Ransomware‑as‑a‑Service (RaaS) gang targeting high‑value “big game” enterprises across sectors like healthcare, telecommunications, finance, education, and government. It initially deployed crypto-ransomware—encrypting files using ChaCha8 encryption with keys secured via elliptic‑curve Diffie‑Hellman—and later added a double‑extortion model involving data theft and leak site threats. Notable incidents include attacks on the Washington, D.C. Metropolitan Police Department and other organizations. In mid‑2021, Babuk’s source code was leaked, prompting both a fragmentation of its core operations and emergence of variants like Babuk Tortilla and Babuk V2. Affiliates exploited vulnerabilities in ESXi hypervisors to deliver destructive variants, and law enforcement actions eventually disrupted key operators.

parsing : enabled

Links

Babyduck

Links

Babylockerkz

Description

BabyLockerKZ is a variant of MedusaLocker ransomware, first observed in late 2023. It operates under a double‑extortion model, combining file encryption with data exfiltration and extortion. Technically, it reuses MedusaLocker’s AES + RSA‑2048 hybrid encryption, appends the .hazard file extension to encrypted files, and includes a unique autorun registry key (“BabyLockerKZ”) alongside dedicated public/private key data inserted into registry values. Initial access is achieved through opportunistic methods like RDP compromises, with lateral movement facilitated by compromised credentials and tools such as Mimikatz. The variant employs a custom toolkit codenamed paid_memes, which includes tools like "Checker" for scanning credentials, facilitating automation, and bridging toolsets for further exploitation. Starting late 2022, its operators have compromised over 100 organizations per month, initially targeting European victims before shifting toward Latin America in 2023.

Links

Backmydata

Description

BackMyData is a variant of the Phobos ransomware family, first observed in early 2024. It follows a double‑extortion model: encrypting files and threatening data exposure. The ransomware primarily targets organizations via weak or misconfigured RDP access (e.g., remote desktop services), though phishing and initial-stage payloads like SmokeLoader have also been noted. Technical behavior includes AES‑256 file encryption, with keys secured via a public RSA‑2048 key embedded in the binary. Post-infection actions involve disabling firewalls, deleting volume shadow copies, inhibiting recovery functionality, and establishing persistence through registry Run keys and startup folder entries. Encrypted files receive the extension .BACKMYDATA, and victims are left with ransom notes (info.txt, info.hta, or .backmydata) that instruct them to contact attackers via email or Session Messenger. A significant incident involved a coordinated attack on Romania’s Hipocrate Information System (HIS), impacting 26 hospitals and causing widespread system outages across nearly 100 facilities, with ransom demands of approximately 3.5 BTC (~$175,000).

Links

Balletspistol

Description

BalletsPistol is a Python-based ransomware strain distributed via GitHub. An investigative report from June 2025 reveals its delivery through a malicious ISO file hosted on a now‑removed public GitHub repository tinextacyber.com+1 . The infection chain begins when the ISO (named Invoice.iso) is downloaded and mounted, revealing a batch script (MAIN.BAT) and supporting components—including a password-protected ZIP and shortcut (.lnk) for execution. The malware performs privilege escalation (via UAC bypass using fodhelper.exe), persistence via registry and scheduled tasks, and then extracts an executable from the ZIP to commence the main payload. This binary encrypts user files with a hybrid AES + RSA scheme, adding the .iDCVObno extension to encrypted files; it also drops ransom notes (RESTORE-MY-FILES.TXT or .HTA) and changes the victim’s wallpaper.

Links

Beast

Description

Beast ransomware emerged in 2022 as an enhanced iteration of the earlier “Monster” ransomware. It operates under a Ransomware-as-a-Service (RaaS) model, offering affiliates rich customization options to create tailored binaries targeting Windows, Linux, and VMware ESXi systems. Key technical capabilities include hybrid Elliptic-Curve + ChaCha20 encryption, segmented file encryption, ZIP wrapper mode (encrypting files into zip archives with embedded ransom notes), multithreaded processing, termination of services, shadow copy deletion, hidden partition usage, and subnet scanning. Affiliates are provided configurable offline builders, enabling streamlined deployment across multiple platforms. While Beast's functional power is well-documented, details on its specific victims, sectors targeted, and leak site activity remain limited in public sources.

parsing : enabled

Links

Belsen Group

Description

aka Belesn Group. Belsen Group emerged in January 2025 as a data broker and leak-focused threat actor, not engaging in ransomware encryption. Their first major action involved publishing sensitive configuration files, VPN credentials, and IP addresses for over 15,000 Fortinet FortiGate firewalls—data likely stolen through exploitation of CVE‑2022‑40684. The group began by sharing the data freely to establish credibility, before shifting to monetized access and offering sales of network access to high-value targets such as major banks and an East African airline. Their activities place them firmly in initial access brokerage, targeting confidential infrastructure details for sale.

parsing : enabled

Links

Bert

Description

BERT ransomware (also tracked as Water Pombero) first emerged in April 2025, rapidly targeting both Windows and Linux systems across Asia, Europe, and the U.S., with confirmed victims in healthcare, technology, electronics, and event services sectors. Its Windows variant employs a PowerShell-based loader that escalates privileges, disables Defender, UAC, and the firewall, then downloads the ransomware payload. The Linux version aggressively encrypts with up to 50 concurrent threads, forcibly shuts down VMware ESXi VMs to prevent recovery, and appends extensions like .encryptedbybert or .encrypted_by_bert. BERT uses AES encryption, and later variants feature optimized multithreading via ConcurrentQueue and DiskWorker threads. Analysts note code similarities with REvil and Babuk ESXi lockers, potentially pointing to shared development lineage or code reuse.

parsing : enabled

Links

Bianlian

Description

BianLian ransomware first appeared in June 2022 as a Go-based crypto-locker but pivoted in January 2023 to a pure data-extortion model after security firms released free decryptors for early versions. In its initial phase, it used AES-256 + RSA-2048 hybrid encryption, appending the .bianlian extension to files and dropping ransom notes with Tor links. The group targets a broad set of industries—healthcare, education, government, critical manufacturing, and professional services—with confirmed victims in the U.S., U.K., Australia, and Canada. Initial access is often obtained via compromised RDP credentials, exploitation of vulnerabilities in internet-facing systems, or use of stolen VPN credentials from infostealers. Post-compromise, BianLian conducts network reconnaissance, credential harvesting, and exfiltration of sensitive files before issuing extortion threats on its leak site. The group has claimed responsibility for dozens of breaches, with ransom demands often in the $100k–$2 million USD range.

parsing : enabled

Links

Bidon

Description

BIDON is a variant of the Monti ransomware family, first observed around mid‑2023. It employs a double‑extortion strategy—encrypting victims’ files and simultaneously threatening to leak stolen data if the ransom isn’t paid. Notably, it appends the .PUUUK extension to encrypted files and drops a readme.txt ransom note outlining the extortion demands. The note offers a free decryption of two files as proof of capability and emphasizes that only authorized company personnel (e.g., top management) should engage. BIDON specifically targets corporate and enterprise organizations, not home users, and warns victims not to involve law enforcement or third-party recovery firms. It represents a shift toward more aggressive extortion tactics within the Monti lineage.

Links

Bitransomware

Description

BitRansomware (also known as DCryptSoft or ReadMe) surfaced in November 2020, primarily as a widespread cryptolocker targeting end users in the APAC region, especially universities in Japan and Hong Kong. The malware was delivered via a malspam campaign powered by the Phorpiex botnet, distributing deceptive ZIP attachments with a screensaver-like .scr payload. Once activated, BitRansomware encrypts files and appends the .ReadMe extension—leaving ransom notes to guide victims toward payment. The campaign peaked sharply around November 4, 2020, with over 28,000 email instances detected in a single day, as seen by VMware NSX telemetry.

Links

Bjorka

Description

Hellcome Bjorkanism Bjorka emerged as a prominent data-extortion actor and hacktivist initially active in 2022, targeting Indonesian institutions with massive data leaks—including voter records, police data, and internal telecom and utility datasets. After going quiet in 2023, the actor resurfaced in early 2025, now positioning under the name Babuk2, leveraging legacy branding from the Babuk ransomware group to amplify perceived credibility and fuel data extortion operations. Notably, Bjorka has not been linked to deploying true ransomware payloads; rather, the strategy revolves around reputational leverage via data leaks and selecting branding for psychological impact.

Links

Black Nevas

Description

BlackNevas ransomware — also referred to as “Trial Recovery” — was first observed in November 2024. It is a direct derivative of the Trigona ransomware family and continues the lineage's focus on extortion over public shaming. BlackNevas operators support a double-extortion model, encrypting files using AES-256 with RSA-4112-protected keys, and appending the .-encrypted or .ENCRYPTED file extension to affected files. Hybrid payloads are available for Windows, Linux, NAS, and VMware ESXi platforms. While BlackNevas does not host its own data leak site, it reportedly collaborates with other ransomware groups for data publication — known partners include Kill Security, Hunters International, DragonForce, Blackout, Embargo Team, and Mad Liberator. The group has predominantly targeted large enterprises in sectors such as finance, telecommunications, manufacturing, healthcare, and legal. Initial access is commonly achieved via phishing or exploitation of vulnerabilities, with lateral movement facilitated through SMB enumeration and optional LAN-wide propagation.

parsing : enabled

Links

Black Suit

Description

BlackSuit first appeared in May 2023 and is a confirmed rebrand or direct evolution of Royal Ransomware. It operates as a Ransomware-as-a-Service (RaaS), employing a double-extortion model—encrypting files and stealing sensitive data for leak threats. BlackSuit targets Windows and Linux systems, including VMware ESXi environments, using the .blacksuit extension for encrypted files. Technical analysis shows strong code overlaps (≈98%) with Royal, itself believed to be run by former Conti affiliates. Victims span healthcare, critical manufacturing, education, and government sectors, with notable incidents affecting public health systems in the U.S. Initial access vectors include phishing, exploitation of public-facing applications (e.g., Citrix and Fortinet vulnerabilities), and compromised credentials purchased from initial access brokers. Ransom notes direct victims to Tor-based negotiation portals.

parsing : enabled

Links

Blackbasta

Description

BlackBasta emerged in April 2022 and is widely assessed to be operated by former Conti group members. It functions as a Ransomware-as-a-Service (RaaS), leveraging a double-extortion model—encrypting data and threatening public leaks on its Tor-based site. The malware supports Windows and Linux/VMware ESXi environments, using ChaCha20 for encryption with RSA-4096 for key protection. Encrypted files are appended with the .basta extension, and a ransom note (readme.txt) provides negotiation instructions. BlackBasta has hit victims across manufacturing, construction, healthcare, government, and critical infrastructure sectors, with confirmed targets in the U.S., Canada, U.K., Australia, and New Zealand. Initial access vectors include exploitation of known vulnerabilities (e.g., QakBot infections, ZeroLogon, PrintNightmare), phishing, and purchasing credentials from Initial Access Brokers. By mid-2024, BlackBasta was among the top five most active ransomware groups worldwide.

parsing : enabled

Links

Blackberserk

Description

Black Berserk is a relatively unsophisticated ransomware strain analyzed in late 2023. It operates under a single‑extortion model—encrypting files and demanding payment, with no documented abilities or threats for data exfiltration or public leaks. In observed cases, the malware appends the .Black extension to encrypted files (e.g., 1.jpg.Black) and leaves a ransom note titled Black_Recover.txt, which urges victims to make contact to negotiate payment or test decryption with benign files. The infection method appears opportunistic, delivered via isolated incidents or broad malware distribution—not linked to targeted campaigns or infrastructure. There is no evidence of it functioning as a RaaS operation or targeting any specific victim profiles or sectors.

Links

Blackbit

Description

BlackBit ransomware was first observed in August 2022 and is a .NET-based strain that closely mimics the design and functionality of LockBit 3.0, indicating either a fork of LockBit’s leaked builder or deliberate imitation. It uses a double-extortion model, encrypting victim files and threatening to leak stolen data via a Tor-based site. BlackBit employs AES symmetric encryption for file contents and RSA asymmetric encryption for key protection, appending the .BlackBit extension to affected files. The malware also includes features for terminating processes, deleting volume shadow copies, and disabling recovery mechanisms. Initial access vectors are not comprehensively documented but are consistent with phishing, exploitation of vulnerable public-facing services, and the use of compromised credentials. Victims have been identified across various sectors, including technology, manufacturing, and professional services, though its activity level has been far lower than LockBit’s.

Links

Blackbyte

Description

BlackByte ransomware was first observed in July 2021 and operates as a Ransomware-as-a-Service (RaaS). It uses a double-extortion model—encrypting victim files while exfiltrating sensitive data for publication on its Tor-based leak site. The ransomware is written in C# and uses AES-256 for file encryption, with keys protected by RSA public-key encryption. Early variants exploited the ProxyShell vulnerability in Microsoft Exchange servers for initial access, but later campaigns have leveraged phishing, malicious attachments, and vulnerable internet-facing systems. BlackByte appends extensions such as .blackbyte or .blackbyte2.0 to encrypted files and leaves ransom notes (BlackByte_restoremyfiles.txt) instructing victims to contact them via Tor. The group has targeted organizations worldwide, including critical infrastructure, manufacturing, and government sectors. In February 2022, the FBI and USSS released a joint advisory warning about BlackByte’s impact and offering detection signatures.

parsing : enabled

Links

Blackbyte-Crux

Description

Crux is a newly identified ransomware variant active since July 2025, which claims affiliation with the established BlackByte ransomware group. It implements a double‑extortion model—encrypting files (with the .crux extension) and threatening data leak via a Tor-based portal. A distinctive feature of Crux is its execution flow: it initiates via svchost.exe, cmd.exe, and bcdedit.exe to disable Windows recovery, followed by rapid file encryption. The ransomware has been confirmed in at least three incidents across sectors including agriculture, education, professional services, media, and nonprofits, in both the U.S. and U.K. Ransom notes consistently follow the naming pattern crux_readme_[random].txt.

parsing : enabled

Links

Blackhunt

Description

Black Hunt ransomware has been active since at least mid-2021 and operates under a double-extortion model, encrypting victim files and threatening public release of stolen data via a Tor-based leak site. It primarily targets organizations rather than individuals, with confirmed attacks in sectors including manufacturing, retail, technology, and local government. Encrypted files are appended with the .BlackHunt extension, and ransom notes (Restore_Data.txt) direct victims to Tor portals for negotiation. The ransomware is capable of terminating processes, deleting shadow copies, and disabling recovery functions to maximize impact. Initial access methods include exploitation of vulnerable RDP services and the use of compromised credentials from initial access brokers. While its activity level is smaller compared to major RaaS families, its leak site has featured victims from multiple countries, suggesting an international reach.

Links

Blackmatter

Description

BlackMatter emerged in July 2021 and quickly positioned itself as the successor to DarkSide (responsible for the Colonial Pipeline attack). It operated as a Ransomware-as-a-Service (RaaS), adopting a double-extortion model—encrypting systems while exfiltrating sensitive data for publication on its leak site. BlackMatter targeted Windows and Linux/VMware ESXi systems, using ChaCha20 for file encryption with RSA-1024 public key protection. The malware appended a custom extension per victim and dropped ransom notes (README.txt) with Tor portal links. The group focused on large organizations in industries such as critical infrastructure, agriculture, technology, and manufacturing, but claimed to avoid hospitals, nonprofits, and government entities (though some reports contradict this). Initial access methods included exploitation of known vulnerabilities, stolen credentials from brokers, and phishing campaigns. BlackMatter ceased operations in November 2021 after reported pressure from law enforcement and possible member arrests.

Links

Blackout

Description

Blackout surfaced in February 2024 and operates using a double-extortion model. Targets span sectors like healthcare, mining, telecommunications, and food & beverage—in countries including France, Canada, Mexico, Croatia, and Spain. This ransomware employs conventional cryptographic techniques (details unspecified), appends a custom extension to encrypted files, and presents victims with ransom demands via a Tor-based leak/negotiation site. The operation runs as a crypto-ransomware and data broker, combining extortion with data publication threats.

parsing : enabled

Links

Blackshadow

Description

BlackShadow is a state-aligned cybercrime group reportedly linked to Iran’s cyber operations, first identified in late 2020. Their operations blend data exfiltration with ransom threats, notably targeting Israeli organizations such as Cyberserve—a web hosting provider—and leaking data to inflict reputational damage. Victims included entities like Atraf (an LGBTQ dating app), tour booking services, and museums, reflecting political or ideological motivations over financial gain. Despite carrying out extortion, there is no evidence that BlackShadow employs typical encryption-based ransomware mechanics; instead, they leverage stolen data and the threat of public exposure.

Links

Blacksnake

Description

BlackSnake is a Ransomware-as-a-Service (RaaS) operation that first appeared in August 2022, when its operators began recruiting affiliates on underground forums with an unusually low revenue share of 15%. It primarily targets home users rather than large enterprises and does not maintain a public leak site. Built on the Chaos ransomware code base, it features both file encryption and a cryptocurrency clipper module to steal funds from victims. The ransomware is developed in .NET and includes safeguards to avoid execution in Turkish or Azerbaijani environments, suggesting geographic targeting preferences. Infections result in encrypted files and ransom notes instructing victims to make contact via email for payment negotiations. The group’s operational scale and visibility remain limited compared to major RaaS families.

Links

Blacktor

parsing : enabled

Links

Bluebox

Description

parsing : enabled

Links

Bluesky

Description

BlueSky ransomware first emerged in July 2022 and is characterized by aggressive, high-speed file encryption using a multithreaded architecture. Written with code elements reminiscent of Conti v3, it encrypts files using ChaCha20 secured with RSA‑4096, and further employs Curve25519 for key agreement. Delivery commonly comes through trojanized downloads from risky websites (e.g., “crack” or “keygen” hosts) or phishing emails. The malware also spreads laterally via SMB and evades detection by hiding threads using NtSetInformationThread. Once deployed, it renames encrypted files with the .bluesky extension and drops ransom notes in both HTML and TXT formats. Unlike double-extortion threats, BlueSky does not operate a public leak site and appears focused solely on disrupting file access. Observed activity spans large enterprises to SMBs, but the volume of attacks remained relatively low through early 2023.

Links

Bober

Links

Bonacigroup

Links

Bqtlock

Description

aka BaqiyatLock BQTLock surfaced in July 2025 and operates as a fully-fledged Ransomware-as-a-Service (RaaS) with a double-extortion model. It employs AES-256 for file encryption, with keys secured by RSA-4096, appending the .BQTLOCK extension to encrypted files. Victims receive ransom notes such as READ_ME-NOW_*.txt, warning that failure to make contact within 48 hours doubles the ransom, and that decryption keys will be destroyed after seven days. The group offers tiered pricing "waves" with different XMR (Monero) amounts for quicker decryption—e.g., Wave 1 might cost 13 XMR, while Wave 3 could be 40 XMR. Targets include organizations such as U.S. military alumni networks and educational institutions.

parsing : enabled

Links

Br0K3R

Description

Br0k3r is not a conventional ransomware gang, but rather an Iran-linked cyber espionage and access brokerage group leveraging its foothold within victim networks to facilitate ransomware operations. Active since around 2017, the group provides privileged domain access—often sold or shared directly—with known ransomware operators such as ALPHV/BlackCat, NoEscape, and RansomHouse, receiving a portion of each successful ransom payout. Victims have included U.S. schools, municipal governments, financial and healthcare organizations, as well as targets in Israel, Azerbaijan, and the UAE. Br0k3r’s strategy merges espionage with criminal collaboration, allowing them to support both state-aligned intelligence objectives and financial incentives.

Links

Brain Cipher

Description

Brain Cipher ransomware surfaced in mid-2024, rapidly gaining notoriety after a high-impact attack on Indonesia’s National Data Center, which disrupted over 160 government services including immigration systems. The group operates with a double-extortion model, encrypting data using a LockBit 3.0-based payload (Salsa20/RSA hybrid) and threatening leaks via a Tor-hosted portal. Distinct behaviors include encrypting both file contents and filenames, and customizing encrypted file names with appended random extensions. Initial access methods include phishing and purchases from initial-access brokers. Ransom demands have ranged from tens of thousands up to $8 million USD, though victims have sometimes been offered decryption keys without payment. Victims span sectors such as government, healthcare, education, media, and manufacturing across Southeast Asia, Europe, and the Americas.

parsing : enabled

Links

Buddyransome

Links

Bytesfromheaven

Links

C3Rb3R

Description

Cerber ransomware, active since 2016, has resurfaced occasionally using the name C3RB3R. It operates as a semi-private Ransomware-as-a-Service (RaaS) and targets both Windows and Linux environments. Cerber typically uses AES + RSA cryptographic methods and appends the .L0CK3D extension to encrypted files. It executes operations via phishing, malicious macros, and has even leveraged vulnerabilities such as Atlassian Confluence’s CVE-2023-22518 for deployment. Victims are directed to Tor-hosted payment portals for decryption instructions.

Links

Cactus

Description

Cactus ransomware surfaced in March 2023 and has quickly become one of the fastest-growing and most aggressive ransomware-as-a-service (RaaS) variants. It follows a double-extortion model, encrypting files and threatening to leak stolen data to pressure victims. Cactus is notable for its ability to encrypt its own executable, evading detection by anti-malware tools, and for exploiting vulnerabilities in VPN appliances (e.g., Qlik Sense, Fortinet VPN) to gain initial access. Targets span global enterprises—including Schneider Electric and the Housing Authority of Los Angeles—and the group appears highly adaptable, often deploying the BackConnect persistence tool commonly associated with Black Basta. The ransomware changes file extensions to variants like .cts0 or .cts1, and places a ransom note named cAcTuS.readme.txt.

parsing : enabled

Links

Catb

Description

CatB ransomware was first observed in late 2022, gaining attention for abusing DLL hijacking via the Microsoft Distributed Transaction Coordinator (MSDTC) service—loading a malicious payload through DLL sideloading methods. The malware arrives in a two-stage dropper: the first DLL unpacks and launches the main payload (commonly named oci.dll), which subsequently encrypts files using hybrid RSA/AES cryptography. Unlike conventional ransomware, CatB does not rename files or distribute typical ransom notes; instead, it prepends the ransom message directly to the start of each encrypted file, making detection more difficult. Victims are instructed to contact the attackers via email (e.g., catB9991@protonmail.com or fishA001@protonmail.com), with the ransom demand escalating daily. Initial analysis suggests CatB may be a rebrand or evolution of Pandora ransomware, sharing various code artifacts and operational behavior.

Links

Cerberimposter

Description

Cerber Imposer is a post-2019 rebrand of the Cerber ransomware family, resurfacing in late 2021 with updated targeting of enterprise environments. Unlike its classic counterpart, Cerber Imposer utilizes the .locked file extension and includes a unique recovery note named __$$RECOVERY_README$$__.html. It does not reuse the original Cerber codebase; instead it borrows branding while operating under new cryptographic implementations and deployment tactics. Threat actors have leveraged known remote code execution vulnerabilities in Atlassian Confluence (CVE-2021-26084) and GitLab (CVE-2021-22205) to deliver this ransomware. The rebranded variant has compromised servers in the U.S., Germany, China, and Russia, indicating a broader scope of targeting than originally seen with early Cerber campaigns.

Links

Cerbersyslock

Description

CerBerSysLock first appeared in December 2017 as a cryptoransomware imposter, leveraging Cerber-style branding to deceive victims. It uses XOR-based encryption to lock files and appends extensions such as .CerBerSysLocked0009881. Victims receive a ransom note titled “HOW TO DECRYPT FILES.txt”, which falsely claims to be from the Cerber ransomware. The note includes an email contact—TerraBytefiles@scryptmail.com—and instructs victims to reference their ID (e.g., "CerBerSysLocked0009881") when communicating. The ransomware is technically linked to the Xorist family and is generally considered an opportunistic, low-profile scam rather than part of a broader Ransomware-as-a-Service (RaaS) operation.

Links

Chaos

Description

Chaos is a rapidly evolving Ransomware-as-a-Service (RaaS) group first observed in early 2025. It is considered distinct and unaffiliated with the Chaos Ransomware Builder that originated around 2021. Known for highly aggressive double-extortion operations, Chaos targets organizations across multiple platforms—Windows, ESXi, Linux, and NAS—with fast, configurable encryption mechanisms and optional partial-file targeting for stealth. Attackers gain access through vulnerabilities, phishing, or brokered credentials, then encrypt files while threatening to leak or destroy stolen data. Notable incidents include the breach of Optima Tax Relief, in which the group exfiltrated 69 GB of sensitive data before encrypting systems.

parsing : enabled

Links

Cheers

Description

Cheers is a Linux-based ransomware variant observed starting in May 2022, engineered specifically to target VMware ESXi servers. The malware was developed from leaked Babuk ransomware source code and leverages the SOSEMANUK stream cipher combined with ECDH key exchange for encryption. It terminates all running virtual machines before renaming and encrypting log files and VM-related extensions—like .vmdk, .vmsn, and .vswp—appending a .Cheers extension. A ransom note titled "How To Restore Your Files.txt" is dropped per directory. The ransomware is attributed to the Chinese-affiliated group BRONZE STARLIGHT (also known as Emperor Dragonfly, DEV-0401), which has previously deployed other strains like Rook, NightSky, and Pandora. Cheers targets a range of industry sectors, with confirmed victims across healthcare, finance, logistics, and manufacturing.

parsing : enabled

Links

Chilelocker

Description

ChileLocker first emerged in August 2022 and is considered part of the broader ARCrypter ransomware family. It employs a double-extortion model, encrypting Windows and Linux/VMware ESXi systems and threatening data leaks. ChileLocker uses the NTRU public key cryptosystem for encryption and typically appends the .crypt extension to affected files. Following encryption, it drops a ransom note—often named readme_for_unlock.txt—and directs victims to a password-protected Tor negotiation portal, with the password provided in the note. The group also disables recovery mechanisms by deleting shadow copies. Its initial access tactics include exploitation of misconfigured RDP access, phishing, malicious installers, botnets, fake updates, and malvertising. The ransomware has impacted victims across various regions, including Chile, Mexico, Canada, Spain, and others.

Links

Chort

Description

Chort is a relatively new data-extortion ransomware group that surfaced in late 2024, with confirmed activity beginning in October–November 2024. It operates under a double-extortion model—exfiltrating sensitive data before encrypting systems—and organizes victims via a Tor-hosted data leak site (DLS). The group has targeted organizations in the U.S. education sector (including schools and nonprofits) and in Kuwait's agriculture sector, among others. Technical behaviors include execution via PowerShell and removal of shadow copies to disrupt recovery. The group's approach emphasizes public pressure through data exposure rather than technical innovation.

parsing : enabled

Links

Cicada3301

Description

Cicada3301 is a sophisticated Ransomware-as-a-Service (RaaS) group that emerged in June 2024. It’s written in Rust and supports cross-platform operations, targeting Windows, Linux, VMware ESXi, NAS, and even PowerPC systems. Technically, its ransomware shares many traits with BlackCat/ALPHV, such as use of ChaCha20 encryption, Rust-based structure, similar configuration interfaces, and methods for shutting down virtual machines and deleting snapshots. Cicada3301 also implements double-extortion tactics—encrypting or exfiltrating data and publishing it on Tor-based leak sites. The group appears to have established an affiliate program, demonstrated through their deployment interfaces and recruitment tactics via forums like RAMP. Operations are believed to be highly professional, possibly involving former ALPHV developers or affiliates.

parsing : enabled

Links

Ciphbit

Description

CiphBit is a crypto-ransomware first detected in April 2023. It utilizes a double-extortion model, encrypting files and threatening to leak stolen data via a Tor-hosted portal if ransom demands are not met. The malware appends encrypted files with a vector including a unique victim ID, the attacker’s email address (onionmail.org), and a four-character random extension—making file identification and recovery especially difficult. Victims span various sectors including banking, manufacturing, healthcare, logistics, and professional services across North America and Europe. The group is classified as a data broker due to its evolving extortion methods involving free leaks and selective leaks to pressure victims. Recent high-profile victims include iptelecom GmbH (Germany) and Therma Seal Insulation Systems (USA), reaffirming its cross-industry reach and impact.

parsing : enabled

Links

Cloak

Description

Cloak is a cybercriminal ransomware group that first appeared publicly in mid-2023, operating with a double-extortion model. It deploys an ARCrypter variant derived from Babuk, delivered via loaders that terminate security and backup services, delete shadow copies, and install encrypted payloads using algorithms like HC-128 combined with Curve25519 key generation. Victims include entities such as the Virginia Attorney General’s Office, whose IT systems were disrupted and whose data (134 GB) was exfiltrated and listed on Cloak’s Tor leak site. Cloak has been linked to other ARCrypter variants like Good Day, sharing victim portals and infrastructure. Its operations reportedly use initial access brokers, phishing, malvertising, and exploit kits for network infiltration.

parsing : enabled

Links

Cloak.Su (Locker Leak)

Links

Clop

Description

Clop is a ransomware which uses the .clop extension after having encrypted the victim's files. Another unique characteristic belonging with Clop is in the string: "Dont Worry C|0P" included into the ransom notes. It is a variant of CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove the Microsoft Security Essentials in order to avoid user space detection.

parsing : enabled

Links

Clop Torrents

parsing : enabled

Links

Colossus

Description

Colossus ransomware was first observed in September 2021, when ZeroFox researchers uncovered the variant attacking a U.S.-based automotive group. It employs a double-extortion model, using Themida packing and sandbox evasion to disable defenses and deliver encrypted payloads. Victims are urged to visit a support site—hosted at a domain like colossus.support—to negotiate payment, or face large-scale data dumps and increasing ransom amounts tied to countdown timers. Operators demonstrated familiarity with RaaS playbooks, drawing architectural parallels to groups like EpsilonRed, BlackCocaine, and REvil/Sodinokibi.

Links

Contfr

Description

Launched around September 2024, ContFR is a French-speaking RaaS that uses a Tor-hosted platform to provide ransomware embedded in PDF files (targeting both Windows and macOS). The group offers a tiered subscription model—“TEST,” “BASIC,” and “ELITE”—allowing affiliates varying degrees of customization, offline capability, and support based on the package purchased. As of the latest reporting, no victims are publicly listed, though data leak publications likely require a subscription to access. The operation suggests an organized, business‑like structure, distinct from opportunistic one‑off strains.

Links

Conti

Description

Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.

Links

Cooming

Description

previous clearnet domain coomingproject.com

parsing : enabled

Links

Core

Description

Core ransomware surfaced in early 2025 as a new variant within the broader Makop family. It employs a single-extortion model, focusing on encrypting files and demanding payment, without public data-leak threats. The malware appends the .core extension to encrypted files and is delivered via typical exploit vectors known to RaaS campaigns. Core does not showcase advanced double-extortion tactics seen in other modern strains, but it stands out for its familial lineage and continued evolution from Makop ancestors.

Links

Crazyhunter Team

Description

CrazyHunter is a rising ransomware threat first detected in early 2025, with particularly dangerous campaigns targeting Taiwanese critical infrastructure sectors such as healthcare, education, manufacturing, and industrial services. Technically sophisticated, its toolkit is composed of approximately 80% open-source tools, including the Prince Ransomware Builder (for encryption), ZammoCide (for defense evasion via BYOVD techniques), and SharpGPOAbuse (enabling lateral movement via Group Policy). In a notable incident like the February attack on Mackay Memorial Hospital, attackers employed a USB-based infection vector, then escalated privileges using vulnerable signed drivers (e.g., zam64.sys) to disable security defenses. The ransomware appends extensions like .Hunted3 and displays “Decryption Instructions.txt” as ransom notes. The group maintains a data leak site where it publicly claims multiple Taiwanese organizations as victims.

parsing : enabled

Links

Crosslock

Description

CrossLock ransomware was first observed in April 2023, targeting an IT services firm in Brazil using a double‑extortion approach—encrypting data and threatening to leak it publicly. Written in Go, it uses a hybrid encryption scheme combining ChaCha20 for file encryption with Curve25519 for key protection. Victims see their files renamed with the .crlk extension and ransom notes titled ---CrossLock_readme_To_Decrypt---.txt. The malware includes advanced techniques like Event Tracing for Windows (ETW) bypass and process mimicking (e.g., Cybereason processes) for stealth. It was publicly tracked until July 2023, after which activity (and its leak site) went offline.

parsing : enabled

Links

Cryakl

Description

also known as “Fantomas”. Cryakl first appeared in 2014, spreading primarily across Eastern Europe and Russia via phishing emails with malicious attachments. It uses an asymmetric RSA-based encryption scheme, appending victim-specific IDs and contact emails into filenames and ransom notes. The ransomware operates under a RaaS-like model, distributing builds to affiliates for broader dissemination. In 2018, Belgian law enforcement seized Cryakl’s command-and-control infrastructure and recovered decryption keys, enabling victims to restore files via free tools like Kaspersky’s RakhniDecryptor and the NoMoreRansom project.

Links

Crylock

Description

CryLock is a ransomware variant that emerged around April 2020, evolving from the Cryakl (Fantomas) ransomware family. It follows a semi-affiliate model, offering customizable options for partners—such as variable encryption routines, network scanning for lateral movement, shadow copy deletion, and process termination—and flexible delivery methods. During encryption, CryLock renames files to include the developer email, a unique victim ID, and a randomized three-letter extension. Victims typically encounter a countdown timer in a pop-up ransom message that warns about escalating ransom costs and potential loss of decryption capabilities.

Links

Crynox

Description

Crynox (sometimes referred to as “Crynox Ransomware”) appears to be a generic file-locker threat that appends .crynox to encrypted files and drops a ransom note (read_it.txt) instructing victims to contact crynoxWARE@proton.me. It seems to use RSA-4096 and AES for encryption and may change desktop wallpaper, but there's no evidence of double-extortion or leak site operation. Distribution methods cited include phishing, pirated software, and malicious websites.

Links

Cryp70N1C0D3

Links

Crypt Ransomware

Description

.crYpt MD5: 54EFAC23D7B524D56BEDBCE887E11849 Babuk Variant

Links

Cryptbb

parsing : enabled

Links

Cryptedpay

Description

CryptedPay is a standalone ransomware strain observed around early 2025, that encrypts files using AES-256 and appends the .CRYPTEDPAY extension. Victims receive a ransom note (README.txt), have their desktop wallpaper changed, and are instructed to pay approximately $280 in Monero (XMR). The ransomware imposes a 62-hour deadline, threatening permanent file loss if not paid.

Links

Cryptnet

Description

CryptNet is a newer Ransomware-as-a-Service (RaaS) operation first identified in April 2023. It follows a double-extortion model, performing data exfiltration before encrypting files. Written in .NET and obfuscated with .NET Reactor, CryptNet utilizes AES-256 (CBC) and RSA-2048 encryption. Its codebase shares strong similarities with Chaos and Yashma ransomware families.

parsing : enabled

Links

Crypto24

Description

aka Public Data Storage Crypto24 emerged in early 2025 as a fast-growing double-extortion ransomware-as-a-service (RaaS) group. It targets organizations across industries such as financial services, healthcare, logistics, and technology, with notable victims in Malaysia, Colombia, Egypt, and India. The group executes rapid infiltration—often leveraging stolen credentials—encrypts files (appending the .crypto24 extension), and exfiltrates significant volumes of data (e.g., 2 TB from Vietnam’s CMC Group). Affiliate-oriented operations are indicated by their presence on RAMP forums, suggesting professional recruitment and offering free decryption for small file samples to entice victims.

parsing : enabled

Links

Cryptxxx

Description

CryptXXX is a ransomware strain that first appeared in April 2016, developed by the same group behind the Reveton and Angler Exploit Kit operations. It uses a single-extortion model, encrypting victim files with RSA-4096 and AES-256 encryption, appending the .crypt or .crypt1 extensions in early versions, and later variants dropping different extensions. Distribution was largely via the Angler and Neutrino exploit kits, targeting unpatched browsers, plugins, and malicious email attachments. CryptXXX also included credential theft capabilities, harvesting from browsers and FTP clients, and in some variants, a file-stealing module. Notable campaigns affected victims globally, with a strong concentration in North America and Europe. Operations were disrupted in mid-2016 when security researchers from Kaspersky Lab released decryption tools, forcing the group to release updated, harder-to-crack versions.

Links

Crysis

Description

Crysis ransomware was first identified in early 2016 and is a long-running family that later evolved into the Dharma ransomware line. It follows a Ransomware-as-a-Service (RaaS) model, allowing affiliates to customize email addresses, extensions, and ransom notes. Crysis primarily spreads via malicious email attachments, remote desktop protocol (RDP) brute-force attacks, and software cracks. It uses strong hybrid encryption—AES for file content and RSA for key protection—and appends various extensions such as .crySis, .wallet, or attacker-specified tags. It also deletes shadow copies to hinder recovery. Over the years, it has targeted businesses and individuals worldwide, with notable prevalence in healthcare, manufacturing, and professional services sectors. In 2017, law enforcement released master decryption keys through the NoMoreRansom project, enabling recovery for earlier versions, though newer builds remain active in the wild.

Links

Cs-137

Description

Cs‑137 is a newly observed ransomware strain that first appeared in January 2025. It employs the ChaCha20 cipher for encryption and appends obfuscated filenames with a random 10-character alphanumeric identifier while preserving the original file extension. In its current testing phase, it drops a ransom note with a randomized filename (e.g. ABCDEF-README.txt) and sets a randomly named image file as the desktop wallpaper. The note references a Tor-based extortion portal—though access is not yet active, indicating the operation’s early development stage. The strategy suggests single-extortion behavior, focused on disrupting access rather than data theft or leak threats.

Links

Ctblocker

Description

aka Critroni CTB‑Locker emerged in mid‑2014, introducing a new era of ransomware by leveraging elliptic curve cryptography (ECC), Tor-based C&C communication, and Bitcoin payments—earning its name from “Curve-Tor-Bitcoin Locker.” It was packaged and sold as a ransomware kit for approximately $1,500–$3,000, allowing affiliates to deploy customized campaigns. The malware encrypts user data (including network and removable drives), changes desktop wallpapers, and appends file extensions like .CTBL, .CTB2, or randomized strings. Victims receive instructions for payment, typically within a limited timeframe, or risk permanent data loss. In 2015–2017, law enforcement and cybersecurity firms (including McAfee and Kaspersky) disrupted the network, arrested operators, and facilitated decryption tools.

Links

Cuba

Description

Cuba ransomware, active since at least 2019, is a financially motivated threat group operating a double-extortion scheme—encrypting files and exfiltrating data to pressure victims. It has targeted government agencies, healthcare providers, critical infrastructure, financial institutions, and manufacturing firms, primarily in the United States, Canada, and Europe. Distribution often involves the Hancitor (Chanitor) malware loader, phishing campaigns, and exploitation of vulnerabilities in public-facing services such as Microsoft Exchange. Cuba employs RSA and AES encryption, typically appending the .cuba extension to affected files, and drops ransom notes instructing victims to contact the attackers via Tor-based portals. In December 2021, the FBI reported that Cuba ransomware operators had compromised at least 49 entities in U.S. critical infrastructure sectors, stealing data and demanding multimillion-dollar ransoms.

parsing : enabled

Links

Cyberex

Links

Cyclops

Description

Cyclops ransomware was rebranded as Knight around mid‑2023, emerging initially in early 2023. It operates as a Ransomware-as-a-Service (RaaS), targeting multiple platforms including Windows, macOS, Linux, and ESXi systems. Crafted in Go, it uses strong encryption algorithms like ChaCha20 and Curve25519. Knight includes both a full and "lite" encryptor, supports batch attacks, hosts a Tor leak site, and offers a web portal for affiliates—positioning itself as a scalable and partner-friendly ransomware operation. Affiliates can manage deployments, track payments, and negotiate with victims through a sophisticated RaaS platform.

parsing : enabled

Links

Cylance

Links

D0Glun

Description

D0glun is a crypto-ransomware strain first observed in January 2025, believed to be derived from Babuk via an intermediary variant known as Cheng Xilun. It uses AES-256 symmetric encryption and appends filenames with patterns such as .@D0glun@<original extension> or similar. The malware encrypts files rapidly, changes the desktop wallpaper, and drops ransom notes typically named @[email protected], Desktopcxl.txt, or help.exe. The campaign has shown signs of shared infrastructure and code reuse from Cheng Xilun, but there is no confirmed evidence of a large-scale or mature operation. Its activity so far suggests it is being tested or deployed by a small group or individual rather than a structured affiliate network.

Links

D4Rk4Rmy

Description

D4rk4rmy is a data-extortion focused threat actor that emerged in mid-2025, targeting high-profile organizations across sectors like financial services, hospitality, and education. It operates primarily through leak site extortion rather than encryption, listing prominent entities—such as Bridgewater Associates, Magellan Financial, Onex Canada Asset Management, Tsai Capital, Casino de Monte-Carlo, and others—on its Tor-based platform. The group has also hit victims in technology, logistics, and university sectors across multiple continents. Their tactic centers on reputation manipulation and public exposure to pressure victims into negotiations.

parsing : enabled

Links

Dagonlocker

Description

Dagon Locker is a double-extortion ransomware family that surfaced around September 2022. It represents an evolution of the MountLocker and Quantum ransomware lines. The group employs strong encryption using ChaCha20 protected by RSA-2048 and appends the .dagoned extension to encrypted files. It provides operators flexibility through command-line options to control encryption behavior, such as skipping logs, deletions, or process termination. Notably, Dagon Locker is frequently distributed via phishing campaigns and as part of Brodin-based initial access chains. It operates under a Ransomware-as-a-Service (RaaS) model, engaging affiliates to launch customized campaigns—particularly targeting organizations in South Korea.

Links

Daixin

Description

Daixin Team is a ransomware and data extortion group active since at least June 2022, known for targeting the healthcare sector, including hospitals, clinics, and related service providers. The group employs a double-extortion model—exfiltrating sensitive data before encrypting systems—and has leaked protected health information (PHI) to pressure victims. Intrusions often involve exploiting VPN vulnerabilities (notably in Fortinet FortiOS) and using compromised credentials for initial access. The ransomware uses AES for file encryption with RSA to protect the keys, and ransom notes direct victims to a Tor-based portal. The U.S. CISA, FBI, and HHS have issued joint advisories warning of the group’s impact on healthcare delivery and patient safety

parsing : enabled

Links

Dan0N

Description

dAn0n is a data-extortion actor that first appeared in April 2024. Operating primarily in a leak-focused extortion model, they publish stolen data on a Tor-hosted site rather than encrypting files. Their victims include organizations across sectors like business services, technology, healthcare, transportation, and legal—all largely based in the United States, with a few in Ireland and South Korea. Activity surged in May 2024, landing them in the top 10 most active ransomware actors that month. Despite limited branding efforts, their smaller operational footprint has allowed for swift, targeted breaches that prioritize rapid data exposure over elaborate cryptographic tactics.

parsing : enabled

Links

Dark Power

Description

Dark Power is a ransomware group first observed in January 2023, known for targeting small to mid-sized organizations across education, healthcare, manufacturing, and information technology sectors. The group uses a double-extortion model, encrypting files and threatening to leak exfiltrated data via a Tor-based site if ransom demands are not met. Written in the Nim programming language, Dark Power ransomware appends the .dark_power extension to encrypted files and drops a ransom note named README.txt, giving victims 72 hours to contact them. The note typically demands payment in cryptocurrency and offers to negotiate. Victims have been observed in North America, Asia, and Europe, with attacks often involving exploitation of vulnerable public-facing systems or stolen credentials.

parsing : enabled

Links

Darkangel

Description

Dark Angels is a highly targeted ransomware and data-extortion group that emerged in spring 2022. Rather than using an affiliate-driven model, it orchestrates discreet, high-impact attacks on large organizations—often choosing one Fortune-level victim at a time. The group exfiltrates massive volumes of data (sometimes 10–100 TB), optionally deploys encryption on Windows or ESXi systems, and pressures victims via a Tor-hosted leak platform ("Dunghill Leak"). Their notable incidents include extorting a record $75 million from a Fortune 50 company in 2024 and demanding around $51 million from Johnson Controls. Dark Angels’ operations emphasize stealth and precision over disruption, often avoiding high-profile media exposure and operating with low operational visibility.

Links

Darkbit01

Description

DarkBit is a politically motivated ransomware operation active since February 2023, targeting academic and public sector entities—most notably including attacks against Israeli institutions like the Technion. Written in Go (Golang) and leveraging powerful encryption routines, it employed AES-256 and supported command-line options for customizable deployments. Its behavior includes deleting volume shadow copies and encrypting files with a randomized prefix and .Darkbit extension. The group deployed their own Tor-based negotiation portal and utilized Tox messaging for communication. Their messaging contained anti-government rhetoric, suggesting ideological motivations in addition to cyber-extortion objectives.

Links

Darkhav0C

Description

Links

Darkrace

Description

DarkRace is a moderately destructive ransomware strain observed since 2024. It encrypts files and appends a randomized extension (e.g., .1352FF327) that varies per victim. Implemented as a 32-bit Windows application, it disables antivirus defenses, deletes volume shadow copies, terminates processes, and drops ransom note files for payment negotiation. Technical weaknesses in its encryption have enabled developers to produce a universal decryptor that works against DarkRace and related variants.

parsing : enabled

Links

Darkrypt

Links

Darkside

Description

FireEye describes DARKSIDE as a ransomware written in C and configurable to target files whether on fixed, removable disks, or network shares. The malware can be customized by the affiliates to create a build for specific victims.

Links

Darkvault

Description

DarkVault is a versatile and opportunistic threat actor first observed in late 2023. Rather than being a traditional ransomware operation, it acts broadly as a data broker and extortion ensemble, publishing victim information—like company names and industries—via Tor-leak sites. Activities reportedly include doxing, website defacement, bomb threats, malware distribution, and swatting, suggesting a diversified cybercriminal portfolio beyond simple ransomware, often framed as an "exclusive online community." While the leak site design mirrors LockBit 3.0, there is no verified technical evidence linking DarkVault to LockBit's codebase. No ransomware executables or encryption tools have been confirmed; its role appears centered on data exposure and extortion without enforced file encryption.

parsing : enabled

Links

Darkwave

Description

Written in python

Links

Darkylock

Description

Darky Lock is a commodity-style ransomware strain first identified in July 2022, derived from publicly available Babuk source code. Victim systems undergo file encryption with an added “.darky” extension, and a “Restore-My-Files.txt” ransom note is placed in all impacted locations. The malware attempts to disable backup mechanisms, including shadow copies and specific applications. Its distribution leverages phishing and trojanized installers, complemented by payloads dropped via frameworks like Empire, Metasploit, and Cobalt Strike.

Links

Datacarry

Description

DataCarry is a newly observed ransomware and data-extortion operation, first seen in May 2025. It operates a double-extortion model, exfiltrating data and threatening publication via a Tor-hosted portal. The group has already claimed multiple victims across diverse sectors including insurance, healthcare, real estate, retail, and aerospace in countries such as Latvia, Belgium, Türkiye, South Africa, Switzerland, Denmark, and the United Kingdom. The rapid emergence and multi-country reach signal a well-organized operation.

parsing : enabled

Links

Dataf Locker

Description

DataF Locker is a ransomware variant first observed in 2024, closely tied to the Babuk ransomware lineage. It operates under a double-extortion model, encrypting files by appending the .dataf extension and threatening to leak exfiltrated data if the ransom isn't paid. Victims receive a ransom note named How To Restore Your Files.txt, with satisfaction of specified recovery procedures. Observations suggest use of typical intrusion vectors such as phishing, exploit tools, or leaked credential abuse, although detailed delivery methods and leak infrastructure remain under-documented in high-tier intelligence reports.

Links

Dataleak

parsing : enabled

Links

Deadbydawn

Links

Deathgrip

Description

DeathGrip is a Ransomware-as-a-Service (RaaS) that emerged around June 2024, offering malware payloads built with leaked LockBit 3.0 and Yashma/Chaos builders. Designed to lower technical barriers, it enables even low-skilled operators to deploy highly capable ransomware attacks. DeathGrip campaigns typically employ AES-256 encryption, delete shadow copies and recovery features, and modify system settings to hinder restoration. Earlier infections include low-tier ransom demands (e.g., around $100), reflecting entry-level targeting, though its flexible tooling allows a range of payload configurations.

Links

Deathransom

Description

DeathRansom is a ransomware family first seen in the wild in late 2019, initially appearing as a bluff—dropping ransom notes without actually encrypting files. By early 2020, the malware evolved into a functional encryptor, using a hybrid scheme of AES for file encryption and RSA to secure AES keys. Infected systems have files appended with extensions such as .wctc or .zzz depending on the campaign variant. Distribution methods include phishing emails with malicious attachments, cracked software downloads, and malicious spam campaigns. Over time, some DeathRansom operations were linked to STOP/Djvu infrastructure and later incorporated into affiliate-based criminal ecosystems.

Links

Delta

Links

Desolated

Description

Links

Devman

Description

DevMan is a ransomware variant first observed in April 2025. It is a customized derivative of the DragonForce family, leveraging attacker-operated infrastructure for double-extortion, where both data theft and encryption are employed to pressure victims. The threat is highly organized, targeting sectors such as technology, construction, public services, healthcare, and consumer services across Asia, Africa, and Europe.

parsing : enabled

Links

Devman2

Description

DevMan 2.0 is the evolved iteration of the DevMan ransomware, first documented in July 2025. It enhances the capabilities of its predecessor with robust double-extortion tactics and operates under a Ransomware-as-a-Service (RaaS) model, offering structured leak and extortion infrastructure. Affiliates and operators are using it across diverse sectors—such as manufacturing, retail, and electronics—targeting organizations in Japan, Germany, and other countries. Demands from initial campaigns range widely, spanning from around $1 million to over $10 million USD.

parsing : enabled

Links

Dharma

Description

Dharma is a prolific ransomware family active since at least 2016, evolving from the earlier CrySiS ransomware. It operates under a Ransomware-as-a-Service (RaaS) model, allowing affiliates to deploy customized builds with their own contact emails and extensions. Dharma typically appends encrypted files with patterns like .id-[victimID].[email].dharma or other campaign-specific suffixes. Initial access is often gained through exposed Remote Desktop Protocol (RDP) services secured with weak or stolen credentials, sometimes combined with brute-force attacks. The malware encrypts files using AES with RSA to secure the keys and drops ransom notes in text files and pop-up windows. Numerous variants have emerged over time, each linked to different affiliates, making attribution difficult.

Links

Diavol

Description

Diavol is a ransomware strain first observed in June 2021, associated with the Wizard Spider threat group—best known for operating the TrickBot malware and the Conti ransomware. It uses a double-extortion model, encrypting victim files and exfiltrating sensitive data for additional leverage. The ransomware is written in C and employs a multi-threaded encryption routine using the ChaCha20 algorithm with RSA-2048 to secure encryption keys. Early variants appended no custom extension to files, relying instead on changing file headers, but later versions began appending extensions. Initial access vectors include exploitation of vulnerable systems and the use of TrickBot or BazarLoader infections as staging points. Victims are directed to a Tor-based negotiation portal through ransom notes.

Links

Direwolf

Description

Dire Wolf is a recently emerged double-extortion ransomware group that first appeared around May 2025. It is a crypto-ransomware and data broker targeting industries like manufacturing and technology across multiple countries, including the U.S., Thailand, Taiwan, Singapore, Türkiye, among others. Written in Go and delivered as a UPX-packed binary, it utilizes robust encryption (Curve25519 and ChaCha20) to lock files with a .direwolf extension, while deleting backups, disabling logging, and terminating key services to block recovery. Victims receive highly customized ransom notes containing live-chat credentials and victim-specific portals, indicating a highly professional and targeted approach.

parsing : enabled

Links

Dispossessor

Description

Dispossessor, active since August 2023, was a data-extortion ransomware-as-a-service group led by the moniker "Brain". The group quickly expanded from U.S.-focused attacks to target small and mid-sized organizations globally—across sectors like healthcare, finance, transportation, education, and manufacturing. Their tactics included exploiting weak passwords and lack of multifactor authentication to gain access, followed by data exfiltration and staged extortion: victims were contacted via email or phone with links to proof-video platforms, and exposed on Tor-based leak sites if no payment was made. Many of the organizations targeted (approximately 43 identified) were across diverse countries including the U.S., Canada, Brazil, India, Germany, and more. By mid-2024, international law enforcement—including the FBI, UK National Crime Agency, and German agencies—successfully dismantled their infrastructure.

parsing : enabled

Links

Donex

Description

Donex is a ransomware family that emerged in early 2022 as a rebrand of the older Muse ransomware. It uses a double-extortion strategy, combining file encryption with threats to leak stolen data on a Tor-hosted portal. Written in C++, Donex encrypts files using a combination of ChaCha20 and RSA-4096 algorithms and appends a custom extension unique to each victim. The group targets a broad range of sectors, including manufacturing, logistics, and professional services, with victims reported across North America, Europe, and Asia. Initial access methods include exploitation of public-facing applications and the use of stolen RDP credentials.

parsing : enabled

Links

Donutleaks

Description

Donut Leaks, first reported in August 2022, is a data-extortion group linked to high-profile breaches, including the compromise of Continental in 2022. The group does not consistently encrypt files—in some cases acting purely as a data broker—yet adopts a double-extortion model when ransomware is deployed. Their operations involve exfiltrating sensitive corporate data, then threatening public release via a dedicated leak site on Tor. Donut Leaks has targeted organizations in automotive manufacturing, IT services, and professional sectors, with confirmed victims in Europe and North America. Intrusion methods are not fully documented in public sources but likely include phishing, credential theft, and exploitation of exposed services.

parsing : enabled

Links

Doppelpaymer

Description

DoppelPaymer is a ransomware family first identified in mid-2019, derived from the BitPaymer codebase and operated by the Evil Corp cybercrime group. It is known for its double-extortion approach, encrypting victim files with AES-256 and securing keys with RSA-2048, while also stealing sensitive data for public release if payment is not made. DoppelPaymer primarily targets large organizations, including those in healthcare, government, and manufacturing, with high ransom demands often in the millions of U.S. dollars. Infection vectors include phishing emails carrying Dridex or other loaders, exploitation of remote access services, and credential theft. Encrypted files typically retain their original name with a new extension, and ransom notes direct victims to Tor-based portals for negotiation. The group has been linked to attacks on institutions such as the City of Torrance, the State of Delaware, and hospital systems in Germany and the United States.

Links

Dragonforce

Description

DragonForce is a ransomware-as-a-service (RaaS) group first identified in late 2023. Originally linked to hacktivist activity, the group pivoted to financially motivated operations by early 2024. Since then, it has accelerated into a highly organized cartel-like network, providing customizable payloads to affiliates, a sophisticated affiliate portal, and shared infrastructure for leak sites and campaigns. The group has targeted a wide range of sectors globally, including major UK retailers such as M&S, Harrods, and Co-op, along with organizations in government, logistics, and manufacturing. Its operations are known for strategic branding flexibility, enabling affiliates to operate under their own labels using DragonForce’s backend services.

parsing : enabled

Links