LockBit, also recognized as LockBit Black or Lockbit 3.0, is one of the largest Ransomware Groups in the world and...
Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes;...
The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to...
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America....
The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. It is worth noting...
LockBit 2.0 is the second major iteration of the LockBit RaaS platform, launched in mid-2021, introducing automated domain-wide encryption via...
The group emerged in mid-February 2024 and has already listed several organizations as alleged victims of their attacks, resulting from...
INC Ransom is a prolific ransomware-as-a-service operation active since July 2023 that systematically targets healthcare, government, education, and manufacturing sectors...
aka blackcat
The operators of the ALPHV/BlackCat ransomware began their activity in December 2021, making posts on Dark Web forums to promote...
DragonForce is a major ransomware-as-a-service operation first observed in August 2023 that launched a formal affiliate program offering 80% revenue...
BianLian ransomware operations began in late 2021. The group practices multi-pronged extortion, demanding payment for a decryptor, as well as...
"Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February...
Medusa is a ransomware-as-a-service operation active since June 2021 that has targeted over 300 victims across critical infrastructure sectors including...
The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by...
SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all...
The 8base Ransomware group made its first appearance in early March 2022, remaining somewhat quiet after the attacks. This group...
Lynx is a ransomware-as-a-service operation that emerged in mid-2024 as a rebrand of INC Ransomware (whose source code was sold...
Everest ransom group collects and analyzes information about their victims. They specialize in customer privacy data, financial information, databases, credit...
Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems....
This is not a ransomware group but a data broker
Mespinosa is a ransomware which encrypts file using an asymmetric encryption and adds .pysa as file extension. According to dissectingmalware...
In mid-October 2023, just a few days before the Europol operation, the source code of the Ransomware Hive was sold,...
NightSpire is a ransomware group that first emerged in March 2025 and rapidly claimed over 250 victims across retail, manufacturing,...
KillSec originated as a hacktivist group aligned with the Anonymous movement before pivoting to ransomware operations in October 2023, officially...
LockBit 5.0 ("ChuongDong") emerged in September 2025 as the group's resurgence following the February 2024 law enforcement takedown, introducing cross-platform...
Sinobi is a private vetted-affiliate RaaS group that emerged in mid-2025, believed to be a rebrand of the Lynx/INC ransomware...
Rhysida is a ransomware-as-a-service (RAAS) group that emerged in May 2023. The group utilizes a namesake ransomware through phishing attacks...
The CACTUS ransomware is said to have emerged around March 2023. The group became known for exploiting vulnerabilities to gain...
According to Trendmicro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to...
Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by...
RansomHouse is a double-extortion RaaS operation active since late 2021, attributed to the threat actor "Jolly Scorpius," targeting over 120...
Fog, which uses the .flocked extension for encrypted files, was first observed in May in campaigns by Storm-0844, a threat...
Vice Society ransomware appends the .v-society extension when encrypting Linux machines. Running a leak site on the darkweb, Possible relations...
According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.
aka Devman 2.0
Former RansomHub and INC Ransom affiliate.
aka Satanlock
Babuk Locker 2.0, also known as Bjorka or SkyWave, after failing to make any profit from selling public databases on...
CoinbaseCartel specializes in data acquisition through system access and strategic partnerships. It focus exclusively on data exfiltration—our operations never involve...
Stormous is an Arabic-speaking, pro-Russian ransomware and hacktivist group active since at least 2022, known for politically motivated attacks across...
FunkSec is an AI-assisted ransomware-as-a-service group that launched its data leak site in December 2024 and rapidly claimed over 85...
Malas is a lesser-documented ransomware group that maintains an active dark web presence; detailed information about its targets, victims, or...
World Leaks emerged in January 2025 as a rebrand of the Hunters International ransomware operation, shifting its focus from file...
Cloak is a ransomware-as-a-service operation active since late 2022, primarily targeting small-to-medium enterprises in Europe — especially Germany — across...
Ransomware. Uses dropper written in JavaScript to deploy a .NET payload.
aka bashe
A new ransomware group is said to have emerged in mid-April 2024, under the name 'APT73.' It's worth noting that...
Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware...
Meow emerged in 2022 (resurfacing aggressively in 2024), initially operating as a RaaS using the Conti v2 codebase before transitioning...
Snatch is a ransomware which infects victims by rebooting the PC into Safe Mode. Most of the existing security protections...
Sarcoma is a ransomware group that debuted in October 2024, immediately ranking among the top three most active groups globally...
Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims’files and uses double-extortion tactics to pressure organizations into paying...
Space Bears is a double-extortion ransomware group that emerged in April 2024, distinguished by a professional "corporate" aesthetic on its...
Ragnar Locker was an elite ransomware group active from December 2019 to October 2023 that targeted large enterprises and critical...
ShinyHunters is a financially motivated data-theft and extortion group active since 2020, responsible for high-profile breaches including Ticketmaster (via Snowflake)...
NoEscape was a RaaS operation active from May to December 2023 believed to be a rebrand of the defunct Avaddon...
aka ragroup
RA Group, also known as RA World, first surfaced in April 2023, utilizing a custom variant of the Babuk ransomware.
Interlock is a ransomware group first observed in September 2024 that targets critical infrastructure sectors including healthcare, government, education, and...
Monti is a ransomware group first observed in June 2022 that initially copied nearly all of Conti's leaked source code,...
aka Colddraw
The Cuba Ransomware, also known as Colddraw Ransomware, was first identified in the threat landscape in 2019 and built a...
aka Payouts King
PayoutsKing is an active ransomware group observed through at least 2026 that has claimed attacks against a wide range of...
Arcus Media is a ransomware-as-a-service group that emerged in May 2024, employing double extortion with ChaCha20 + RSA-2048 encryption and...
Sodinokibi ransomware group also known as REvil (Ransomware Evil) operates as a ransomware-as-a-service (RaaS) model. After the group compromised his...
aka Pure Extraction And Ransom
Pure Extraction And Ransom (PEAR) Team is the community of highly responsible and strictly disciplined members. We are a private...
Abyss (also known as Abyss Locker) is a ransomware operation first identified in March 2023, derived from the Babuk source...
Genesis is an emerging ransomware group first observed in late 2025, targeting small to mid-sized US organizations across healthcare, retail,...
Kairos is a data extortion group active since late 2024 that focuses solely on data theft with no encryption, primarily...
RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.
aka 3Am
A new Ransomware family identified by the name '3AM' or 'ThreeAM' in September 2023. The ransomware operation was observed by...
Anubis is a ransomware-as-a-service group active since December 2024 that targets healthcare, engineering, construction, and professional services sectors, offering affiliates...
Tesorion describes Lorenz as a ransomware with design and implementation flaws, leading to impossible decryption with tools provided by the...
The Warlock ransomware and operator(s) are believed to be attributed to Storm-2603, a China-based threat actor who is also known...
Cicada3301 is a ransomware-as-a-service group (tracked as Repellent Scorpius by Palo Alto) that emerged in mid-2024 using Rust-based ransomware targeting...
Dire Wolf is a sophisticated human-operated ransomware group first documented in May 2025, written in Golang using Curve25519/ChaCha20 encryption, targeting...
Karakurt is a pure data-extortion group (no encryption) assessed with high confidence to be the extortion arm of the Conti...
AvosLocker is the ransomware payload of the Avos RaaS group, active from July 2021 to approximately May 2023, targeting education,...
aka GIGAKICK
Beast is a Ransomware-as-a-service (RaaS) product which provides functionality such as SMB scanning, file encryption, service and process starting and...
Quantum ransomware, active from mid-2021 through 2022, was a rebrand of the MountLocker/AstroLocker/XingLocker lineage that operated as RaaS, known for...
RansomedVC was a short-lived extortion group active from August to November 2023 that claimed high-profile victims including Sony, innovating by...
Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP,...
BlackLock is a rebranded version of another ransomware group known as Eldorado. It has since become one of the most...
LV ransomware group main message: "Here are companies which didn't meet consumer data protection obligations. They rejected to fix their...
Flocker (also linked to the FSociety brand) is a ransomware-as-a-service group active since 2023–2024, targeting Windows and Linux systems via...
Maze ransomware group is one of the most known ransomware gangs, they targeted organizations worldwide across many industries. Security researchers...
Chaos is a ransomware-as-a-service operation that emerged in early 2025, likely formed by former BlackSuit/Royal members, offering cross-platform ransomware for...
DarkVault is a data-exfiltration and double-extortion group first identified in late 2023, targeting medium-to-large organizations in finance, professional services, legal,...
Payload is a ransomware group that emerged in early 2026, using Babuk-derived source code targeting both Windows and ESXi systems...
LostTrust is a double-extortion ransomware operation that emerged in March 2023 and publicized over 50 victims within days of launching...
Krybit is an emerging RaaS group that launched in late March 2026, offering affiliates an 80/20 revenue split with support...
This ransomware uses a combination of different crypto algorithms (ChaCha20, AES-128, Curve25519). The activity of this malware is dated to...
Tengu is a RaaS operation first observed in October 2025, following a double-extortion model and using Living Off The Land...
According to PCrisk, Trigona is ransomware that encrypts files and appends the ._locked extension to filenames. Also, it drops the...
[Cyclops](group/cyclops) rebrand
Nitrogen began as a malware loader in 2023 used to deliver BlackCat/ALPHV ransomware, then evolved into a fully independent ransomware...
Crypto24 is a double-extortion ransomware-as-a-service group that surfaced on the RAMP forum in mid-2024, targeting large organizations in financial services,...
Termite is a ransomware group first identified in late 2024 using a modified version of Babuk ransomware code; its most...
This malware written in C# is a variant of the Thanos ransomware family and emerged in October 2021 and is...
BlackShrantac is a ransomware group that emerged in late 2025, targeting organizations in manufacturing, financial services, technology, and the public...
Donut Leaks (D0nut) is a data-extortion group active since August 2022 that developed its own ransomware encryptor, linked to attacks...
Gunra is a financially motivated ransomware group that emerged in April 2025, using double-extortion tactics against real estate, pharmaceuticals, and...
DarkLeakMarket is a dark web data leak marketplace active since at least 2019 that sells stolen data sourced from ransomware...
Dragon Ransomware, is promising rapid and customizable ransomware operations for Windows systems. Key features include a compact 50KB file size,...
Embargo is a Rust-based ransomware-as-a-service group that emerged in April 2024, primarily targeting US healthcare, manufacturing, and business services organizations...
Securotrop is a ransomware group established in early 2025 that operates within the Qilin affiliate network while maintaining an independent...
CiphBit is a ransomware-as-a-service group active since April 2023, targeting small-to-mid-sized businesses across the UK, Europe, and North America with...
Helldown is an aggressive ransomware group first documented in August 2024, known for exploiting Zyxel firewall vulnerabilities to gain initial...
Insomnia is a data-theft and extortion group that emerged in October 2025, targeting primarily US-based healthcare organizations — stealing patient...
Nokoyawa is a double-extortion ransomware group that launched a RaaS program in 2022 (operated by threat actor "farnetwork"), primarily targeting...
Arvin Club is a threat actor with hacktivist leanings that first appeared in May 2021, primarily publishing stolen data via...
Spook ransomware operated briefly in September–October 2021 as a rebrand of the Prometheus ransomware group (built on the Thanos builder),...
Lamashtu is an extortion group that first appeared in April 2026, claiming attacks against organizations in France, Romania, and Thailand...
Obscura is a ransomware strain observed in 2025, written in Go and specifically targeting Windows domain controllers via the SYSVOL/NETLOGON...
WannaCry ransomware is a cyber attack that spreads by exploiting vulnerabilities in the Windows operating system. At its peak in...
GLOBAL GROUP is a ransomware-as-a-service operation that emerged in June 2025, reportedly launched by a known Russian-speaking threat actor, featuring...
Marketo, launched in April 2021, is a data-theft extortion marketplace that steals and sells data to third parties or back...
SunCrypt is a RaaS operation first observed in October 2019, notable for pioneering triple extortion (encryption, data publication threats, and...
AlphaLocker is a low-cost ransomware operation built on the EDA2 open-source project that sells affiliates an admin panel, ransomware executable,...
aka Trial Recovery
BlackNevas is a ransomware group first observed in November 2024, believed to be derived from the Trigona ransomware family, targeting...
MetaEncryptor is a ransomware group first observed in mid-2023, targeting medium-to-large enterprises in legal, technology, logistics, manufacturing, and finance sectors...
Frag is a ransomware group that emerged in late 2024, exploiting a critical Veeam Backup & Replication vulnerability (CVE-2024-40711) to...
aka ThreatLabz
Money Message emerged in March 2023 targeting Windows and Linux systems across banking, transportation, and professional services sectors, demanding ransoms...
PayloadBIN is a ransomware strain deployed in 2021 by Evil Corp as a rebranding of their WastedLocker/Hades/Phoenix lineage, specifically designed...
Onyx is a ransomware group first observed in April 2022, based on the Chaos ransomware builder, that is notably destructive...
KelvinSecurity is a financially motivated hacking group active since at least 2015, primarily engaged in stealing and selling databases from...
M3rx is a small ransomware group first observed in 2025, using AES-CTR/AES-GCM encryption and targeting organizations in England, the US,...
NetWalker ransomware group operates by the threat actor known as "CIRCUS SPIDER". The NetWalker ransomware was discovered in 2019. The...
Underground ransomware is deployed by the Russia-based RomCom group (Storm-0978) and has victimized companies across multiple industries since July 2023...
WereWolves is a Russian-speaking ransomware group that emerged in May 2023, using a modified LockBit 3 (Black) encryptor, operating an...
Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to...
FulcrumSec is a data extortion group active since approximately September 2025, specializing in high-speed exfiltration of cloud-hosted databases by exploiting...
Kraken is a Russian-speaking ransomware group that emerged in February 2025, believed to have links to the HelloKitty operation, employing...
VECT is a RaaS group that launched its affiliate program in December 2025 with a five-tier revenue-sharing model and a...
Lapsus$ is an internationally composed data extortion group most active from mid-2021 through 2022, executing high-profile breaches against Microsoft, Nvidia,...
Radar (also known as Dispossessor), active since August 2023 and led by an actor called "Brain," was a RaaS group...
Daixin Team is a ransomware and data extortion group active since at least June 2022, exclusively targeting the US Healthcare...
XingLocker is a ransomware group that emerged in May 2021 as part of a franchise-style RaaS model built on a...
HellCat is a ransomware-as-a-service group that formed in Q4 2024 and quickly became notable for high-profile attacks against Schneider Electric,...
LeakTheAnalyst is a data-theft extortion group that operates a dark web leak site with approximately 20 claimed victims, notable for...
BravoX is a selective ransomware-as-a-service operation that surfaced publicly in January 2026 after advertising on the RAMP underground forum, targeting...
Cephalus is a ransomware group active from mid-2025 that leverages stolen RDP credentials to deploy a Go-based ransomware payload via...
Morpheus emerged in late 2024 as a semi-private RaaS operation whose affiliates share identical payloads with the HellCat ransomware group,...
RALord is a ransomware group identified in March 2025 operating within the NOVA RaaS platform, targeting healthcare, education, hospitality, and...
Not a ransomware group but a hacktivist group that appeared coincidentally days before Russia’s invasion of Ukraine
Brotherhood is a ransomware group that emerged in late 2025, targeting organizations in the US, Canada, and Australia across manufacturing,...
D4rk4rmy is a ransomware and data extortion group active since at least 2025, targeting financial services, hospitality, technology, and logistics...
MountLocker operated as a ransomware-as-a-service from July 2020, using a standard developer/affiliate revenue split and leveraging compromised RDP credentials for...
Trinity ransomware was first discovered in May 2024, believed to be a rebrand of the Venus/2023Lock variants, using ChaCha20 encryption...
aka KaWaLocker
Kawa4096 is a ransomware group that emerged in June 2025, targeting multinational corporations across finance, education, and services sectors primarily...
Sabbath (also known as 54BB47h, operated by UNC2190) is a ransomware group active from mid-2021 that emerged as a rebrand...
Apos is a data-broker extortion group that surfaced in April 2024, focusing on data exfiltration and threatening to publish or...
DataCarry is a ransomware and data-extortion operation first observed in May 2025, operating a double-extortion model with a Tor-hosted leak...
aka darkangel
Dunghill Leak is the data extortion site operated by the Dark Angels ransomware group, active since early 2023, targeting large...
MadLiberator is a ransomware group that emerged in mid-2024, known for erratic behavior including randomized ransom demands and unpredictable encryption...
Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be...
Red Ransomware (Red CryptoApp) emerged in early 2024, debuting its "Wall of Shame" data leak site with 11 victims across...
TridentLocker is a newly emerged ransomware group (surfaced mid-2025) targeting organizations managing high volumes of regulated or third-party data —...
Cheers is a Linux-based ransomware group that emerged in 2022, built on leaked Babuk source code and specializing in attacks...
According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of...
Benzona is a financially motivated ransomware group that emerged in late 2024, targeting small to mid-sized organizations across manufacturing, healthcare,...
FreeCivilian is a data extortion group with suspected ties to Russian GRU military intelligence, known for targeting Ukrainian government websites...
Sparta is a short-lived ransomware group first observed in September 2022 that conducted double-extortion attacks primarily targeting organizations in Spain...
A group which seems to recycle leak from other ransomware groups
Weyhro is a data-extortion group (relying on data theft and leak threats without file encryption) that launched a Tor leak...
Argonauts is a ransomware group that emerged in September 2024, operating a double-extortion model targeting logistics, healthcare, energy, and telecom...
Aurora is a ransomware group associated with a multi-purpose Go-based malware distributed by multiple criminal teams from mid-2022, also sold...
Groove emerged in mid-2021 as a loose criminal collective linked to former Babuk gang members, known for publicly leaking Fortinet...
Ransomware, potential rebranding of win.sfile.
TeamXXX is an emerging ransomware group that launched its leak site in June 2025, claiming victims across healthcare, agriculture, hospitality,...
Cryp70n1c0d3 is a low-profile ransomware group with limited public documentation; specific targets, attack methodology, and operational model remain poorly documented...
IceFire is a ransomware group first observed in 2022 that expanded to Linux in early 2023 by exploiting a vulnerability...
CrazyHunter is a Go-based ransomware group that emerged in early 2025, derived from the open-source Prince encryptor, exclusively targeting Taiwanese...
Dark Power emerged in January 2023 as a ransomware group written in the Nim programming language, claiming 10 victims across...
DarkRace is a ransomware variant that surfaced in mid-2023 sharing strong code similarities with LockBit, employing double-extortion via a dark...
Darkside ransomware group has started its operation in August of 2020 with the model of RaaS (Ransomware-as-a-Service). They have become...
Blackout is a ransomware group that first appeared in early 2024, initially claiming attacks against healthcare entities in Canada, France,...
Kazu is an emerging ransomware group active since September 2025 that employs double-extortion tactics, targeting government, healthcare, and financial organizations...
According to PCrisk, Rook is ransomware (an updated variant of Babuk) that prevents victims from accessing/opening files by encrypting them....
Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled...
CryptBB is a ransomware group with likely Russian origins active around 2023, whose payload appends random extensions to encrypted files...
Mogilevich appeared in February 2024, rapidly claiming high-profile breaches of Epic Games, DJI, Shein, and Kick.com, but was quickly exposed...
Qiulong is a ransomware group that emerged around April 2024 primarily targeting Brazilian organizations using double extortion and unique tactics...
Radiant is a financially motivated ransomware group that emerged in September 2025, conducting double- and single-extortion attacks without affiliates, drawing...
Skira is a small ransomware group that emerged around late 2024, claiming responsibility for the breach of Carruth Compliance Consulting...
0mega is a double-extortion ransomware group that emerged in May 2022, targeting businesses across multiple sectors worldwide by encrypting files...
BERT is a newly emerged ransomware group first identified in mid-2025, targeting Windows and Linux platforms across healthcare, technology, and...
Blackwater is a ransomware group that first surfaced in early 2026, combining file encryption with data theft and targeting healthcare...
Chort is a double-extortion ransomware group (whose name means "Devil" in Russian) that emerged in October 2024, primarily targeting US...
Cyclops emerged in May 2023 as a cross-platform RaaS operation targeting Windows, macOS, and Linux systems; it rebranded as "Knight"...
Karma is a ransomware group first observed in mid-2021, part of a lineage tracing back through Nefilim and FiveHands, operating...
Malek Team is an Iranian-linked threat actor that emerged on October 8, 2023 (the day after the Hamas attack on...
Pay2Key is ransomware that has been used by the threat actor Fox Kitten. The group seems to operate since July...
Arkana is a ransomware group that emerged in early 2025 and gained attention by claiming an attack on U.S. broadband...
CipherForce is a newly emerged ransomware group first detected in early 2026, operating a dark web leak site and targeting...
Dataleak is a low-profile ransomware group with approximately 6 known victims including entities in Brazil; very limited public threat intelligence...
NetRunner is a ransomware group active from at least 2025 targeting diverse sectors including healthcare, telecommunications, manufacturing, and agriculture across...
Rancoz is a Windows-targeting ransomware strain first observed in November 2022 that appends the ".rec_rans" extension to encrypted files, considered...
RedAlert (also called N13V) is a ransomware group first observed in July 2022 that targets both Windows and Linux VMware...
Unlike many other groups, Silent claims to operate with a high level of anonymity and discretion. According to their own...
According to PCrisk, Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates the...
AtomSilo is a double-extortion ransomware group that emerged in September 2021, exploiting the Atlassian Confluence vulnerability (CVE-2021-26084) for initial access...
BQTLock is a ransomware-as-a-service operation that emerged in 2025, using AES-256/RSA-4096 encryption with Monero payment demands, linked to pro-Palestinian hacktivist...
DoNex is a ransomware strain that emerged in March 2024 as the latest rebrand of a lineage beginning with Muse...
Kryptos is a small ransomware group first observed in October 2025, conducting simultaneous attacks across North America and Oceania on...
LockBit is one of the most prolific ransomware groups in history, operating as a full RaaS platform that at its...
LockData Auction is a dark web marketplace that emerged around May 2021 operating an invite-only stolen data auction portal, representing...
MintEye is a ransomware group with concentrated activity in North America, targeting professional services, construction, engineering, architecture, and logistics sectors,...
Orca is a ransomware group that emerged in September 2024, identified as a variant of the Zeppelin malware family, targeting...
Pandora ransomware was obtained by vx-underground at 2022-03-14.
Project Relic emerged in mid-2022 as a Golang-based ransomware targeting Windows and Linux hosts, operating with a TOR-based data leak...
RANSOMED.VC aka Raznatovic
Blacktor is a low-profile data breach and extortion group active around 2021 with a Tor-based leak site, claiming victims in...
Desolator is a ransomware group that emerged in May 2025, targeting construction and engineering firms in Latin America and Europe...
Exitium is a data extortion group first observed in early 2026, operating a Tor-based double extortion site and targeting victims...
Linkc is a ransomware group first observed in February 2025, operating a Tor-based data leak site and targeting US-based AI,...
aka ms13-089
MS13089 is a newly emerged ransomware group (first observed December 2025) that named itself after a 2013 Microsoft Security Bulletin,...
RansomCortex emerged in July 2024 with a narrow focus on healthcare facilities, claiming four victims within days of its first...
SatanLock is a short-lived ransomware group that first appeared in April 2025 and abruptly shut down in July 2025 after...
SHAOleaks is a low-profile data leak and extortion group with minimal public documentation, operating a leak site but lacking detailed...
BlackShadow is an Iranian-linked hack-and-leak group (linked to the Agrius APT) that targeted Israeli companies including insurance firm Shirbit and...
Bluebox is a data extortion group that emerged in December 2024, employing double-extortion tactics against victims primarily in France, Sweden,...
Bonaci Group is a small, short-lived ransomware group that was active in 2021 with only 3 known victims before going...
Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to...
HelloGookie is a rebrand of the HelloKitty ransomware group announced in April 2024, releasing previously stolen data from CD Projekt...
MNT6 is a lower-profile ransomware group claiming victims across legal, manufacturing, construction, healthcare, and logistics sectors in the US, Canada,...
NoName (also known as CosmicBeetle) is a ransomware group active since at least 2020 targeting small and medium-sized businesses globally...
According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese...
aka RansomedVC2
RebornVC is a rebrand of RansomedVC re-emerging in July 2025 under new leadership, using data auctions, direct extortion, and double...
Trisec is a Tunisian-origin ransomware group that emerged in February 2024, claiming affiliation with the Tunisian government and operating as...
VanirGroup is an Eastern European ransomware group composed of former affiliates from Karakurt, LockBit, and Knight ransomware that emerged in...
Ransomware, which appears to be a rebranding of win.cuba.
Yurei is a ransomware group first observed in September 2025 whose payload is a minimally modified fork of the open-source...
According to OALabs, this ransomware has the following features: * Files are encrypted with AES CBC using a generated 256...
KittyKatKrew is a newly emerged ransomware group first identified in early 2026, using both direct and double-extortion methods against US...
LunaLock emerged in September 2025 targeting creative and digital platforms, notably breaching an illustrator marketplace and a Mexican ISP, and...
Night Sky is a China-nexus ransomware group (attributed to the "Emperor Dragonfly" cluster) that emerged in late 2021, gaining notoriety...
Osiris is a ransomware-as-a-service operation first observed in November 2025 that uses a Bring Your Own Vulnerable Driver (BYOVD) technique...
PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses...
CrossLock is a short-lived Go-based ransomware group that appeared in April 2023 and went dark by July 2023, using Curve25519...
According to PCrisk, Hades Locker is an updated version of WildFire Locker ransomware that infiltrates systems and encrypts a variety...
Insane is a short-lived ransomware group that briefly surfaced in early 2024, claiming a single victim in Thailand before going...
ℹ️ La Piovra Ransomware is an exercise of the company Offensive Security (also known as OffSec)
Nasir Security is a pro-Iranian threat actor that emerged around October 2025, primarily targeting energy sector organizations in the Middle...
PlayBoy Locker is a ransomware-as-a-service operation that emerged in September 2024, targeting Windows, NAS, and ESXi systems across multiple sectors...
Ranstreet is a low-profile ransomware group with very limited public documentation, appearing in ransomware tracking lists but without major vendor...
Reynolds is a ransomware family first identified in early 2026, notable for embedding BYOVD (Bring Your Own Vulnerable Driver) defense...
RobbinHood is a ransomware group first observed in April–May 2019, responsible for high-profile attacks on US cities including Baltimore, Maryland...
Encrypted Extension: .vanhelsing, .vanlocker. Targets Windows Platform only
Sicarii is a pro-Israeli/Jewish-branded ransomware-as-a-service operation that emerged in late 2025, explicitly targeting Arab and Muslim-majority organizations while avoiding Israeli...
Slug is a very obscure ransomware or extortion group with only a single documented victim (AerCap, the aircraft leasing company)...
SynAck is a sophisticated ransomware operation first spotted in 2017, known for using hybrid ECIES encryption and the Doppelganging process...
WALocker is an emerging ransomware group that came to attention in 2025, targeting organizations in Southeast Asia and government entities,...
ZeroTolerance is a low-profile ransomware group tracked on monitoring platforms with no detailed threat actor profiles, technical analysis, or named...
The group appears unreliable. Most, if not all, of its alleged victims cannot be verified and appear to be randomly...
AdminLocker is a relatively low-profile ransomware strain first observed around December 2021, encrypting victim files and demanding Bitcoin ransom via...
AgainstTheWest (ATW) is a hacktivist group active since October 2021 that targets governments and corporations perceived as authoritarian, breaching organizations...
A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids...
Avos is the threat actor group behind AvosLocker ransomware, a RaaS operation active since June 2021 that recruited affiliates to...
Aware is a recently emerged ransomware group that operates a Tor-based data leak site with very limited public documentation and...
AztroTeam is a ransomware group with very limited public documentation and no confirmed victims, listed as offline on ransomware tracking...
BabyDuck is a ransomware group tracked on ransomware.live with approximately 180 claimed victims, appending the .babyduck extension to encrypted files,...
Blue Locker targets Pakistan’s vital energy sector, particularly Pakistan Petroleum
BlueSky is a financially motivated ransomware group active from mid-2022 into early 2023, using multi-threaded ChaCha20/Curve25519 encryption for fast file...
ChileLocker (also known as ARCrypter) first appeared in August 2022 after attacking a Chilean government agency and quickly expanded globally,...
CoomingProject is a ransomware group that emerged around 2021 and operated a double-extortion scheme with multiple Tor-based leak sites; six...
Cry0 is a ransomware-as-a-service operation that recruits affiliates via underground forums, using a Rust-written payload with blockchain-based (Internet Computer Protocol)...
CryLock (originally known as Cryakl/Fantomas since 2014) is a ransomware operation run by a Russian couple who targeted roughly 400,000...
Dagon Locker is a ransomware strain that first appeared in early 2023, evolved from the MountLocker/Quantum ransomware lineage, and uses...
Dark Angels is a highly selective ransomware group active since April 2022 that targets a small number of large enterprises...
DarkBit is an ideologically motivated ransomware group that appeared in February 2023, primarily targeting Israeli entities — most notably the...
DataKeeper is a ransomware-as-a-service operation dating back to at least 2018 that promoted an affiliate model called "CrystalPartnership RaaS," offering...
A ransomware with potential ties to Wizard Spider.
Dread is a ransomware group that appears in tracking databases but has no publicly documented attacks or confirmed TTPs from...
The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are...
Entropy is a ransomware first seen in 1st quarter of 2022, is being used in conjunction of Dridex infection. The...
EP918 is a low-activity ransomware group listed in tracking databases with no confirmed victims and no publicly documented attacks or...
ESXiArgs is a ransomware campaign that emerged in February 2023, targeting VMware ESXi servers by exploiting the CVE-2021-21974 vulnerability. It...
According to PCrisk, Exorcist is a ransomware-type malicious program. Systems infected with this malware experience data encryption and users receive...
Fletchen is primarily documented as a sophisticated infostealer-as-a-service written in Rust, targeting browser credentials, cryptocurrency wallets, and financial data, used...
New possible leak site posted to a forum on November 20th, 2022, no victims at present. Unclear if its for...
Haron appeared in July 2021 as a ransomware-as-a-service operation heavily borrowing from the defunct Avaddon ransomware (copying ransom notes and...
Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems....
HolyGhost (tracked by Microsoft as DEV-0530) is a North Korean state-linked ransomware group active since June 2021, associated with the...
Hotarus Corp is a ransomware group that came to attention in early 2021 after attacking Ecuador's Ministry of Finance and...
Kyber is a recently identified ransomware group using sophisticated hybrid encryption (AES-256-CTR with X25519 and Kyber1024), operating Tor-based communication channels...
Lilith is a C/C++-based double-extortion ransomware that emerged in July 2022, targeting 64-bit Windows systems and sharing code with the...
LockBit 3.0 ("LockBit Black"), active since June 2022, is the third iteration of the LockBit RaaS platform incorporating code from...
Lolnek (also known as Lolkek/GlobeImposter) is a commodity ransomware strain primarily targeting small and medium-sized businesses with relatively low ransom...
MadCat is a suspected fraudulent ransomware operation that surfaced briefly in late 2023, apparently linked to scammers targeting other criminals...
Mamona was a short-lived ransomware rebrand attempted by the operator behind BlackLock RaaS in March 2025 that failed before reverting;...
MBC is a very obscure ransomware group with minimal public documentation and no significant threat intelligence reports available from mainstream...
MyDecryptor is a low-profile ransomware group with minimal public documentation, appearing on ransomware tracking platforms but not the subject of...
N3tw0rm ransomware group is linked to Iran by many security researchers especially for the fact that the group targeting only...
Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed through similar...
Nevada Ransomware is a RaaS operation written in Rust that emerged on the RAMP dark web forum in late 2022,...
OnePercent Group is a cybercriminal operation active since at least November 2020 that targeted US organizations using phishing with IcedID...
Orion is a ransomware operation first observed in October 2025 that listed 13 alleged victims on a dark web leak...
Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.
First known AI-powered ransomware. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate...
QLocker was a financially motivated ransomware operation active in 2021 that exclusively targeted QNAP NAS devices exposed to the internet,...
RabbitHole is a low-profile ransomware group with limited publicly available threat intelligence, not appearing prominently in major threat intelligence reports,...
RAMP (Russian Anonymous Marketplace) was a Russian-speaking dark web forum founded in 2021 that served as a central marketplace and...
Ranion is a ransomware-as-a-service operation first observed in April 2017 that offers a low-barrier, pay-upfront model where affiliates keep 100%...
Launched on April 24th, 2025 RansomBay is a new project operating under the DragonForce initiative
Ransom Cartel is a ransomware-as-a-service operation that surfaced in December 2021, assessed by Palo Alto Unit 42 to share source...
Ranzy Locker, Former known as ThunderX. The group hosting a data leak site in the darknet where they posting sensitive...
RRansom is a low-profile ransomware group whose dark web leak site has been listed as offline in tracking directories, with...
Shadow is a low-profile ransomware group tracked on ransomware monitoring platforms with limited public documentation; specific attribution details regarding its...
Ransomware, written in .NET.
Ransomware, written in Delphi.
The Green Blood Group is an emerging ransomware operation first identified in early 2026 whose Go-based Windows payload uses ChaCha8...
U-Bomb is a low-profile ransomware operation discovered in March 2023 that arrives via phishing emails and uses third-party offensive frameworks...
"Unknown" is a catch-all tracking label used on ransomware monitoring platforms for attacks where the responsible threat actor has not...
VFOKX is a low-profile ransomware group tracked on ransomware monitoring platforms with very limited public documentation and no detailed analysis...
X001xs is a low-profile ransomware group tracked on monitoring platforms with minimal public documentation, employing standard double-extortion tactics with no...
XINOF (also known as Fonix/FonixCrypter) is a RaaS operation that began in June 2020 with no upfront affiliate cost and...
XP95 is a cyber-extortion group that emerged in March 2026, using a pure data-theft-and-extortion model with a Windows XP/95-themed leak...
Zeon was the precursor identity used by the group that rebranded as Royal in September 2022, composed primarily of former...
ZeroLockerSec is a small ransomware group with very limited public documentation that became inactive by Q2 2025 with no recorded...
