Security Intelligence
Ransomware Groups
A directory of known ransomware threat groups. Browse active and historical groups, their tactics, and associated attacks.
Understanding Ransomware Threat Groups
The ransomware ecosystem is run by organized threat groups that operate like businesses — with affiliate programs, negotiation teams, and dedicated leak sites. Each group has its own tactics, preferred targets, and level of sophistication. Understanding who these actors are is essential for threat intelligence teams building detection rules, incident responders attributing an attack, and risk analysts evaluating exposure to specific adversaries.
This directory catalogs every known ransomware group tracked by the community, ranked by confirmed victim count. Use it to research a group’s history, compare their activity levels, and identify which threat actors are most active right now. If your organization or industry appears among a group’s recent victims, that is an immediate signal to harden defenses against their known techniques and tooling.
Ransomware Groups Directory
0 groups
0apt
0
The group appears unreliable. Most, if not all, of its alleged victims cannot be verified and appear to be randomly...
0 victims
Full Profile →
0mega
0
0mega is a double-extortion ransomware group that emerged in May 2022, targeting businesses across multiple sectors worldwide by encrypting files...
8base
0
The 8base Ransomware group made its first appearance in early March 2022, remaining somewhat quiet after the attacks. This group...
0 victims
Full Profile →
ALP-001
0
⚠️ The group appears unreliable. Most, if not all, of its alleged victims cannot be verified. WE HAVE DECIDED TO...
0 victims
Full Profile →
Abrahams_Ax
0
Abraham's Ax is an Iranian-linked hacktivist persona tied to Moses Staff that emerged in November 2022, primarily targeting Saudi Arabian...
0 victims
Full Profile →
AiLock
0
AiLock is a ransomware operation that emerged in early 2025, marketing itself as AI-assisted ransomware using a hybrid ChaCha20/NTRUEncrypt encryption...
AuditTeam
0
AuditTeam is a small ransomware group with approximately 5 known victims, primarily targeting organizations in East and Southeast Asia across...
0 victims
Full Profile →
BrainCipher
0
Brain Cipher emerged in July 2024. Both Windows and Linux variants are available. Brain Cipher using the leaked build of...
CMDOrganization
0
CMD is a new kind of company that specializes in corporate system security and in identifying vulnerabilities across all aspects...
ContFR
0
RAAS - Ransomware intégré à un fichier PDF, à faire ouvrir à vos victimes ou à insérer vous-même, Windows et...
ElDorado
0
In September The El Dorado ransomware group have been rebrand as BlackLock
0 victims
Full Profile →
GDLockerSec
0
Our team members are from different countries and we are not interested in anything else, we are only interested in...
0 victims
Full Profile →
IMNCrew
0
IMN Crew is a data extortion and ransomware group that emerged in late March 2025, primarily targeting financial services organizations...
0 victims
Full Profile →
J
0
J is an emerging ransomware group that launched its leak site in May 2025, claiming over 41 victims by late...
0 victims
Full Profile →
Loki
0
0 victims
Full Profile →
RunSomeWares
0
RunSomeWares is an emerging ransomware group that surfaced in February 2025 with initial victims across supply-chain services, financial services, accounting,...
0 victims
Full Profile →
SenSayQ
0
SenSayQ is an emerging ransomware actor that appeared in mid-2024 using a leaked LockBit 3.0 builder for double-extortion attacks; Group-IB...
0 victims
Full Profile →
ShadowByt3$
0
ShadowByt3$ is a ransomware-as-a-service group first observed in October 2025, using multi-method extortion and communicating via Telegram and Tox, with...
0 victims
Full Profile →
ShinySp1d3r
0
Likely associated with the cybercrime group BlingLibra (ShinyHunters)
0 victims
Full Profile →
TiMc
0
TiMc is a ransomware group that emerged in early 2026, claiming high-impact attacks against Spanish IT services leader Seidor (1...
ValenciaLeaks
0
ValenciaLeaks is a data-extortion group that surfaced in August–September 2024, focused on exfiltrating large volumes of data and publishing it...
0 victims
Full Profile →
VanHelsing
0
VanHelsing is a multi-platform RaaS operation that launched on March 7, 2025, requiring a $5,000 affiliate deposit and splitting ransoms...
0 victims
Full Profile →
aGl0bGVyCg
0
"aGl0bGVyCg" (Base64 for "hitler") is a reference to the Hitler-Ransomware (2016), a German-origin proof-of-concept that displayed a Hitler image, did...
0 victims
Full Profile →
abyss
0
Abyss (also known as Abyss Locker) is a ransomware operation first identified in March 2023, derived from the Babuk source...
adminlocker
0
AdminLocker is a relatively low-profile ransomware strain first observed around December 2021, encrypting victim files and demanding Bitcoin ransom via...
0 victims
Full Profile →
againstthewest
0
AgainstTheWest (ATW) is a hacktivist group active since October 2021 that targets governments and corporations perceived as authoritarian, breaching organizations...
0 victims
Full Profile →
akira
0
The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to...
ako
0
A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids...
0 victims
Full Profile →
alphalocker
0
AlphaLocker is a low-cost ransomware operation built on the EDA2 open-source project that sells affiliates an admin panel, ransomware executable,...
alphv
0
The operators of the ALPHV/BlackCat ransomware began their activity in December 2021, making posts on Dark Web forums to promote...
0 victims
Full Profile →
anubis
0
Anubis is a ransomware-as-a-service group active since December 2024 that targets healthcare, engineering, construction, and professional services sectors, offering affiliates...
apos
0
Apos is a data-broker extortion group that surfaced in April 2024, focusing on data exfiltration and threatening to publish or...
0 victims
Full Profile →
apt73
0
A new ransomware group is said to have emerged in mid-April 2024, under the name 'APT73.' It's worth noting that...
arcusmedia
0
Arcus Media is a ransomware-as-a-service group that emerged in May 2024, employing double extortion with ChaCha20 + RSA-2048 encryption and...
0 victims
Full Profile →
argonauts
0
Argonauts is a ransomware group that emerged in September 2024, operating a double-extortion model targeting logistics, healthcare, energy, and telecom...
0 victims
Full Profile →
arkana
0
Arkana is a ransomware group that emerged in early 2025 and gained attention by claiming an attack on U.S. broadband...
0 victims
Full Profile →
arvinclub
0
Arvin Club is a threat actor with hacktivist leanings that first appeared in May 2021, primarily publishing stolen data via...
0 victims
Full Profile →
atomsilo
0
AtomSilo is a double-extortion ransomware group that emerged in September 2021, exploiting the Atlassian Confluence vulnerability (CVE-2021-26084) for initial access...
0 victims
Full Profile →
aurora
0
Aurora is a ransomware group associated with a multi-purpose Go-based malware distributed by multiple criminal teams from mid-2022, also sold...
avaddon
0
Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware...
0 victims
Full Profile →
avos
0
Avos is the threat actor group behind AvosLocker ransomware, a RaaS operation active since June 2021 that recruited affiliates to...
0 victims
Full Profile →
avoslocker
0
AvosLocker is the ransomware payload of the Avos RaaS group, active from July 2021 to approximately May 2023, targeting education,...
0 victims
Full Profile →
aware
0
Aware is a recently emerged ransomware group that operates a Tor-based data leak site with very limited public documentation and...
0 victims
Full Profile →
aztroteam
0
AztroTeam is a ransomware group with very limited public documentation and no confirmed victims, listed as offline on ransomware tracking...
0 victims
Full Profile →
babuk
0
Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled...
0 victims
Full Profile →
babuk2
0
Babuk Locker 2.0, also known as Bjorka or SkyWave, after failing to make any profit from selling public databases on...
0 victims
Full Profile →
babyduck
0
BabyDuck is a ransomware group tracked on ransomware.live with approximately 180 claimed victims, appending the .babyduck extension to encrypted files,...
0 victims
Full Profile →
beast
0
Beast is a Ransomware-as-a-service (RaaS) product which provides functionality such as SMB scanning, file encryption, service and process starting and...
benzona
0
Benzona is a financially motivated ransomware group that emerged in late 2024, targeting small to mid-sized organizations across manufacturing, healthcare,...
bert
0
BERT is a newly emerged ransomware group first identified in mid-2025, targeting Windows and Linux platforms across healthcare, technology, and...
0 victims
Full Profile →
bianlian
0
BianLian ransomware operations began in late 2021. The group practices multi-pronged extortion, demanding payment for a decryptor, as well as...
0 victims
Full Profile →
blackbasta
0
"Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February...
0 victims
Full Profile →
blackbyte
0
Ransomware. Uses dropper written in JavaScript to deploy a .NET payload.
0 victims
Full Profile →
blacklock
0
BlackLock is a rebranded version of another ransomware group known as Eldorado. It has since become one of the most...
0 victims
Full Profile →
blacknevas
0
BlackNevas is a ransomware group first observed in November 2024, believed to be derived from the Trigona ransomware family, targeting...
blackout
0
Blackout is a ransomware group that first appeared in early 2024, initially claiming attacks against healthcare entities in Canada, France,...
blackshadow
0
BlackShadow is an Iranian-linked hack-and-leak group (linked to the Agrius APT) that targeted Israeli companies including insurance firm Shirbit and...
0 victims
Full Profile →
blackshrantac
0
BlackShrantac is a ransomware group that emerged in late 2025, targeting organizations in manufacturing, financial services, technology, and the public...
0 victims
Full Profile →
blacksuit
0
According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.
blacktor
0
Blacktor is a low-profile data breach and extortion group active around 2021 with a Tor-based leak site, claiming victims in...
0 victims
Full Profile →
blackwater
0
Blackwater is a ransomware group that first surfaced in early 2026, combining file encryption with data theft and targeting healthcare...
bluebox
0
Bluebox is a data extortion group that emerged in December 2024, employing double-extortion tactics against victims primarily in France, Sweden,...
0 victims
Full Profile →
bluelocker
0
Blue Locker targets Pakistan’s vital energy sector, particularly Pakistan Petroleum
0 victims
Full Profile →
bluesky
0
BlueSky is a financially motivated ransomware group active from mid-2022 into early 2023, using multi-threaded ChaCha20/Curve25519 encryption for fast file...
0 victims
Full Profile →
bonacigroup
0
Bonaci Group is a small, short-lived ransomware group that was active in 2021 with only 3 known victims before going...
0 victims
Full Profile →
bqtlock
0
BQTLock is a ransomware-as-a-service operation that emerged in 2025, using AES-256/RSA-4096 encryption with Monero payment demands, linked to pro-Palestinian hacktivist...
0 victims
Full Profile →
bravox
0
BravoX is a selective ransomware-as-a-service operation that surfaced publicly in January 2026 after advertising on the RAMP underground forum, targeting...
brotherhood
0
Brotherhood is a ransomware group that emerged in late 2025, targeting organizations in the US, Canada, and Australia across manufacturing,...
0 victims
Full Profile →
cactus
0
The CACTUS ransomware is said to have emerged around March 2023. The group became known for exploiting vulnerabilities to gain...
cephalus
0
Cephalus is a ransomware group active from mid-2025 that leverages stolen RDP credentials to deploy a Go-based ransomware payload via...
0 victims
Full Profile →
chaos
0
Chaos is a ransomware-as-a-service operation that emerged in early 2025, likely formed by former BlackSuit/Royal members, offering cross-platform ransomware for...
cheers
0
Cheers is a Linux-based ransomware group that emerged in 2022, built on leaked Babuk source code and specializing in attacks...
0 victims
Full Profile →
chilelocker
0
ChileLocker (also known as ARCrypter) first appeared in August 2022 after attacking a Chilean government agency and quickly expanded globally,...
0 victims
Full Profile →
chort
0
Chort is a double-extortion ransomware group (whose name means "Devil" in Russian) that emerged in October 2024, primarily targeting US...
0 victims
Full Profile →
cicada3301
0
Cicada3301 is a ransomware-as-a-service group (tracked as Repellent Scorpius by Palo Alto) that emerged in mid-2024 using Rust-based ransomware targeting...
0 victims
Full Profile →
ciphbit
0
CiphBit is a ransomware-as-a-service group active since April 2023, targeting small-to-mid-sized businesses across the UK, Europe, and North America with...
0 victims
Full Profile →
cipherforce
0
CipherForce is a newly emerged ransomware group first detected in early 2026, operating a dark web leak site and targeting...
0 victims
Full Profile →
cloak
0
Cloak is a ransomware-as-a-service operation active since late 2022, primarily targeting small-to-medium enterprises in Europe — especially Germany — across...
0 victims
Full Profile →
clop
0
The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. It is worth noting...
coinbasecartel
0
CoinbaseCartel specializes in data acquisition through system access and strategic partnerships. It focus exclusively on data exfiltration—our operations never involve...
0 victims
Full Profile →
conti
0
Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems....
0 victims
Full Profile →
cooming
0
CoomingProject is a ransomware group that emerged around 2021 and operated a double-extortion scheme with multiple Tor-based leak sites; six...
0 victims
Full Profile →
crazyhunter
0
CrazyHunter is a Go-based ransomware group that emerged in early 2025, derived from the open-source Prince encryptor, exclusively targeting Taiwanese...
0 victims
Full Profile →
crosslock
0
CrossLock is a short-lived Go-based ransomware group that appeared in April 2023 and went dark by July 2023, using Curve25519...
0 victims
Full Profile →
cry0
0
Cry0 is a ransomware-as-a-service operation that recruits affiliates via underground forums, using a Rust-written payload with blockchain-based (Internet Computer Protocol)...
crylock
0
CryLock (originally known as Cryakl/Fantomas since 2014) is a ransomware operation run by a Russian couple who targeted roughly 400,000...
0 victims
Full Profile →
cryp70n1c0d3
0
Cryp70n1c0d3 is a low-profile ransomware group with limited public documentation; specific targets, attack methodology, and operational model remain poorly documented...
0 victims
Full Profile →
cryptbb
0
CryptBB is a ransomware group with likely Russian origins active around 2023, whose payload appends random extensions to encrypted files...
0 victims
Full Profile →
cryptnet
0
According to OALabs, this ransomware has the following features: * Files are encrypted with AES CBC using a generated 256...
0 victims
Full Profile →
crypto24
0
Crypto24 is a double-extortion ransomware-as-a-service group that surfaced on the RAMP forum in mid-2024, targeting large organizations in financial services,...
cuba
0
The Cuba Ransomware, also known as Colddraw Ransomware, was first identified in the threat landscape in 2019 and built a...
0 victims
Full Profile →
cyclops
0
Cyclops emerged in May 2023 as a cross-platform RaaS operation targeting Windows, macOS, and Linux systems; it rebranded as "Knight"...
0 victims
Full Profile →
d4rk4rmy
0
D4rk4rmy is a ransomware and data extortion group active since at least 2025, targeting financial services, hospitality, technology, and logistics...
0 victims
Full Profile →
dAn0n
0
dAn0n emerged in early 2024 operating a RaaS model, rapidly claiming 13 victims in May 2024 alone, predominantly targeting US-based...
0 victims
Full Profile →
dagonlocker
0
Dagon Locker is a ransomware strain that first appeared in early 2023, evolved from the MountLocker/Quantum ransomware lineage, and uses...
0 victims
Full Profile →
daixin
0
Daixin Team is a ransomware and data extortion group active since at least June 2022, exclusively targeting the US Healthcare...
darkangels
0
Dark Angels is a highly selective ransomware group active since April 2022 that targets a small number of large enterprises...
0 victims
Full Profile →
darkbit
0
DarkBit is an ideologically motivated ransomware group that appeared in February 2023, primarily targeting Israeli entities — most notably the...
0 victims
Full Profile →
darkleakmarket
0
DarkLeakMarket is a dark web data leak marketplace active since at least 2019 that sells stolen data sourced from ransomware...
0 victims
Full Profile →
darkpower
0
Dark Power emerged in January 2023 as a ransomware group written in the Nim programming language, claiming 10 victims across...
0 victims
Full Profile →
darkrace
0
DarkRace is a ransomware variant that surfaced in mid-2023 sharing strong code similarities with LockBit, employing double-extortion via a dark...
0 victims
Full Profile →
darkside
0
Darkside ransomware group has started its operation in August of 2020 with the model of RaaS (Ransomware-as-a-Service). They have become...
0 victims
Full Profile →
darkvault
0
DarkVault is a data-exfiltration and double-extortion group first identified in late 2023, targeting medium-to-large organizations in finance, professional services, legal,...
0 victims
Full Profile →
datacarry
0
DataCarry is a ransomware and data-extortion operation first observed in May 2025, operating a double-extortion model with a Tor-hosted leak...
datakeeper
0
DataKeeper is a ransomware-as-a-service operation dating back to at least 2018 that promoted an affiliate model called "CrystalPartnership RaaS," offering...
dataleak
0
Dataleak is a low-profile ransomware group with approximately 6 known victims including entities in Brazil; very limited public threat intelligence...
0 victims
Full Profile →
desolator
0
Desolator is a ransomware group that emerged in May 2025, targeting construction and engineering firms in Latin America and Europe...
0 victims
Full Profile →
direwolf
0
Dire Wolf is a sophisticated human-operated ransomware group first documented in May 2025, written in Golang using Curve25519/ChaCha20 encryption, targeting...
0 victims
Full Profile →
donex
0
DoNex is a ransomware strain that emerged in March 2024 as the latest rebrand of a lineage beginning with Muse...
0 victims
Full Profile →
donutleaks
0
Donut Leaks (D0nut) is a data-extortion group active since August 2022 that developed its own ransomware encryptor, linked to attacks...
0 victims
Full Profile →
doppelpaymer
0
Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to...
0 victims
Full Profile →
dragonforce
0
DragonForce is a major ransomware-as-a-service operation first observed in August 2023 that launched a formal affiliate program offering 80% revenue...
dragonransomware
0
Dragon Ransomware, is promising rapid and customizable ransomware operations for Windows systems. Key features include a compact 50KB file size,...
0 victims
Full Profile →
dread
0
Dread is a ransomware group that appears in tracking databases but has no publicly documented attacks or confirmed TTPs from...
dunghill
0
Dunghill Leak is the data extortion site operated by the Dark Angels ransomware group, active since early 2023, targeting large...
0 victims
Full Profile →
ech0raix
0
The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are...
0 victims
Full Profile →
embargo
0
Embargo is a Rust-based ransomware-as-a-service group that emerged in April 2024, primarily targeting US healthcare, manufacturing, and business services organizations...
entropy
0
Entropy is a ransomware first seen in 1st quarter of 2022, is being used in conjunction of Dridex infection. The...
0 victims
Full Profile →
ep918
0
EP918 is a low-activity ransomware group listed in tracking databases with no confirmed victims and no publicly documented attacks or...
0 victims
Full Profile →
esxiargs
0
ESXiArgs is a ransomware campaign that emerged in February 2023, targeting VMware ESXi servers by exploiting the CVE-2021-21974 vulnerability. It...
0 victims
Full Profile →
everest
0
Everest ransom group collects and analyzes information about their victims. They specialize in customer privacy data, financial information, databases, credit...
exitium
0
Exitium is a data extortion group first observed in early 2026, operating a Tor-based double extortion site and targeting victims...
exorcist
0
According to PCrisk, Exorcist is a ransomware-type malicious program. Systems infected with this malware experience data encryption and users receive...
0 victims
Full Profile →
fletchen
0
Fletchen is primarily documented as a sophisticated infostealer-as-a-service written in Rust, targeting browser credentials, cryptocurrency wallets, and financial data, used...
0 victims
Full Profile →
flocker
0
Flocker (also linked to the FSociety brand) is a ransomware-as-a-service group active since 2023–2024, targeting Windows and Linux systems via...
0 victims
Full Profile →
fog
0
Fog, which uses the .flocked extension for encrypted files, was first observed in May in campaigns by Storm-0844, a threat...
0 victims
Full Profile →
frag
0
Frag is a ransomware group that emerged in late 2024, exploiting a critical Veeam Backup & Replication vulnerability (CVE-2024-40711) to...
0 victims
Full Profile →
freecivilian
0
FreeCivilian is a data extortion group with suspected ties to Russian GRU military intelligence, known for targeting Ukrainian government websites...
0 victims
Full Profile →
fsteam
0
New possible leak site posted to a forum on November 20th, 2022, no victims at present. Unclear if its for...
0 victims
Full Profile →
fulcrumsec
0
FulcrumSec is a data extortion group active since approximately September 2025, specializing in high-speed exfiltration of cloud-hosted databases by exploiting...
funksec
0
FunkSec is an AI-assisted ransomware-as-a-service group that launched its data leak site in December 2024 and rapidly claimed over 85...
genesis
0
Genesis is an emerging ransomware group first observed in late 2025, targeting small to mid-sized US organizations across healthcare, retail,...
global
0
GLOBAL GROUP is a ransomware-as-a-service operation that emerged in June 2025, reportedly launched by a known Russian-speaking threat actor, featuring...
0 victims
Full Profile →
grief
0
Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to...
0 victims
Full Profile →
groove
0
Groove emerged in mid-2021 as a loose criminal collective linked to former Babuk gang members, known for publicly leaking Fortinet...
0 victims
Full Profile →
gunra
0
Gunra is a financially motivated ransomware group that emerged in April 2025, using double-extortion tactics against real estate, pharmaceuticals, and...
hades
0
According to PCrisk, Hades Locker is an updated version of WildFire Locker ransomware that infiltrates systems and encrypts a variety...
0 victims
Full Profile →
haron
0
Haron appeared in July 2021 as a ransomware-as-a-service operation heavily borrowing from the defunct Avaddon ransomware (copying ransom notes and...
0 victims
Full Profile →
hellcat
0
HellCat is a ransomware-as-a-service group that formed in Q4 2024 and quickly became notable for high-profile attacks against Schneider Electric,...
0 victims
Full Profile →
helldown
0
Helldown is an aggressive ransomware group first documented in August 2024, known for exploiting Zyxel firewall vulnerabilities to gain initial...
0 victims
Full Profile →
hellogookie
0
HelloGookie is a rebrand of the HelloKitty ransomware group announced in April 2024, releasing previously stolen data from CD Projekt...
0 victims
Full Profile →
hellokitty
0
Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems....
0 victims
Full Profile →
hive
0
Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by...
0 victims
Full Profile →
holyghost
0
HolyGhost (tracked by Microsoft as DEV-0530) is a North Korean state-linked ransomware group active since June 2021, associated with the...
0 victims
Full Profile →
hotarus
0
Hotarus Corp is a ransomware group that came to attention in early 2021 after attacking Ecuador's Ministry of Finance and...
0 victims
Full Profile →
hunters
0
In mid-October 2023, just a few days before the Europol operation, the source code of the Ransomware Hive was sold,...
0 victims
Full Profile →
icefire
0
IceFire is a ransomware group first observed in 2022 that expanded to Linux in early 2023 by exploiting a vulnerability...
0 victims
Full Profile →
incransom
0
INC Ransom is a prolific ransomware-as-a-service operation active since July 2023 that systematically targets healthcare, government, education, and manufacturing sectors...
insane
0
Insane is a short-lived ransomware group that briefly surfaced in early 2024, claiming a single victim in Thailand before going...
0 victims
Full Profile →
insomnia
0
Insomnia is a data-theft and extortion group that emerged in October 2025, targeting primarily US-based healthcare organizations — stealing patient...
0 victims
Full Profile →
interlock
0
Interlock is a ransomware group first observed in September 2024 that targets critical infrastructure sectors including healthcare, government, education, and...
kairos
0
Kairos is a data extortion group active since late 2024 that focuses solely on data theft with no encryption, primarily...
karakurt
0
Karakurt is a pure data-extortion group (no encryption) assessed with high confidence to be the extortion arm of the Conti...
karma
0
Karma is a ransomware group first observed in mid-2021, part of a lineage tracing back through Nefilim and FiveHands, operating...
0 victims
Full Profile →
kawa4096
0
Kawa4096 is a ransomware group that emerged in June 2025, targeting multinational corporations across finance, education, and services sectors primarily...
0 victims
Full Profile →
kazu
0
Kazu is an emerging ransomware group active since September 2025 that employs double-extortion tactics, targeting government, healthcare, and financial organizations...
0 victims
Full Profile →
kelvinsecurity
0
KelvinSecurity is a financially motivated hacking group active since at least 2015, primarily engaged in stealing and selling databases from...
0 victims
Full Profile →
killsec
0
KillSec originated as a hacktivist group aligned with the Anonymous movement before pivoting to ransomware operations in October 2023, officially...
kittykatkrew
0
KittyKatKrew is a newly emerged ransomware group first identified in early 2026, using both direct and double-extortion methods against US...
0 victims
Full Profile →
kraken
0
Kraken is a Russian-speaking ransomware group that emerged in February 2025, believed to have links to the HelloKitty operation, employing...
0 victims
Full Profile →
krybit
0
Krybit is an emerging RaaS group that launched in late March 2026, offering affiliates an 80/20 revenue split with support...
0 victims
Full Profile →
kryptos
0
Kryptos is a small ransomware group first observed in October 2025, conducting simultaneous attacks across North America and Oceania on...
0 victims
Full Profile →
kyber
0
Kyber is a recently identified ransomware group using sophisticated hybrid encryption (AES-256-CTR with X25519 and Kyber1024), operating Tor-based communication channels...
la_piovra
0
ℹ️ La Piovra Ransomware is an exercise of the company Offensive Security (also known as OffSec)
0 victims
Full Profile →
lamashtu
0
Lamashtu is an extortion group that first appeared in April 2026, claiming attacks against organizations in France, Romania, and Thailand...
lapsus$
0
Lapsus$ is an internationally composed data extortion group most active from mid-2021 through 2022, executing high-profile breaches against Microsoft, Nvidia,...
leaktheanalyst
0
LeakTheAnalyst is a data-theft extortion group that operates a dark web leak site with approximately 20 claimed victims, notable for...
0 victims
Full Profile →
lilith
0
Lilith is a C/C++-based double-extortion ransomware that emerged in July 2022, targeting 64-bit Windows systems and sharing code with the...
0 victims
Full Profile →
linkc
0
Linkc is a ransomware group first observed in February 2025, operating a Tor-based data leak site and targeting US-based AI,...
lockbit
0
LockBit is one of the most prolific ransomware groups in history, operating as a full RaaS platform that at its...
0 victims
Full Profile →
lockbit2
0
LockBit 2.0 is the second major iteration of the LockBit RaaS platform, launched in mid-2021, introducing automated domain-wide encryption via...
0 victims
Full Profile →
lockbit3
0
LockBit, also recognized as LockBit Black or Lockbit 3.0, is one of the largest Ransomware Groups in the world and...
lockbit3_fs
0
LockBit 3.0 ("LockBit Black"), active since June 2022, is the third iteration of the LockBit RaaS platform incorporating code from...
lockbit5
0
LockBit 5.0 ("ChuongDong") emerged in September 2025 as the group's resurgence following the February 2024 law enforcement takedown, introducing cross-platform...
lockdata
0
LockData Auction is a dark web marketplace that emerged around May 2021 operating an invite-only stolen data auction portal, representing...
0 victims
Full Profile →
lolnek
0
Lolnek (also known as Lolkek/GlobeImposter) is a commodity ransomware strain primarily targeting small and medium-sized businesses with relatively low ransom...
0 victims
Full Profile →
lorenz
0
Tesorion describes Lorenz as a ransomware with design and implementation flaws, leading to impossible decryption with tools provided by the...
0 victims
Full Profile →
losttrust
0
LostTrust is a double-extortion ransomware operation that emerged in March 2023 and publicized over 50 victims within days of launching...
0 victims
Full Profile →
lunalock
0
LunaLock emerged in September 2025 targeting creative and digital platforms, notably breaching an illustrator marketplace and a Mexican ISP, and...
0 victims
Full Profile →
lv
0
LV ransomware group main message: "Here are companies which didn't meet consumer data protection obligations. They rejected to fix their...
0 victims
Full Profile →
lynx
0
Lynx is a ransomware-as-a-service operation that emerged in mid-2024 as a rebrand of INC Ransomware (whose source code was sold...
m3rx
0
M3rx is a small ransomware group first observed in 2025, using AES-CTR/AES-GCM encryption and targeting organizations in England, the US,...
madcat
0
MadCat is a suspected fraudulent ransomware operation that surfaced briefly in late 2023, apparently linked to scammers targeting other criminals...
0 victims
Full Profile →
madliberator
0
MadLiberator is a ransomware group that emerged in mid-2024, known for erratic behavior including randomized ransom demands and unpredictable encryption...
0 victims
Full Profile →
malas
0
Malas is a lesser-documented ransomware group that maintains an active dark web presence; detailed information about its targets, victims, or...
malekteam
0
Malek Team is an Iranian-linked threat actor that emerged on October 8, 2023 (the day after the Hamas attack on...
0 victims
Full Profile →
mallox
0
This ransomware uses a combination of different crypto algorithms (ChaCha20, AES-128, Curve25519). The activity of this malware is dated to...
0 victims
Full Profile →
mamona
0
Mamona was a short-lived ransomware rebrand attempted by the operator behind BlackLock RaaS in March 2025 that failed before reverting;...
0 victims
Full Profile →
marketo
0
Marketo, launched in April 2021, is a data-theft extortion marketplace that steals and sells data to third parties or back...
0 victims
Full Profile →
maze
0
Maze ransomware group is one of the most known ransomware gangs, they targeted organizations worldwide across many industries. Security researchers...
0 victims
Full Profile →
mbc
0
MBC is a very obscure ransomware group with minimal public documentation and no significant threat intelligence reports available from mainstream...
0 victims
Full Profile →
medusa
0
Medusa is a ransomware-as-a-service operation active since June 2021 that has targeted over 300 victims across critical infrastructure sectors including...
medusalocker
0
Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP,...
0 victims
Full Profile →
meow
0
Meow emerged in 2022 (resurfacing aggressively in 2024), initially operating as a RaaS using the Conti v2 codebase before transitioning...
0 victims
Full Profile →
metaencryptor
0
MetaEncryptor is a ransomware group first observed in mid-2023, targeting medium-to-large enterprises in legal, technology, logistics, manufacturing, and finance sectors...
0 victims
Full Profile →
midas
0
This malware written in C# is a variant of the Thanos ransomware family and emerged in October 2021 and is...
0 victims
Full Profile →
minteye
0
MintEye is a ransomware group with concentrated activity in North America, targeting professional services, construction, engineering, architecture, and logistics sectors,...
0 victims
Full Profile →
mnt6
0
MNT6 is a lower-profile ransomware group claiming victims across legal, manufacturing, construction, healthcare, and logistics sectors in the US, Canada,...
mogilevich
0
Mogilevich appeared in February 2024, rapidly claiming high-profile breaches of Epic Games, DJI, Shein, and Kick.com, but was quickly exposed...
0 victims
Full Profile →
moneymessage
0
Money Message emerged in March 2023 targeting Windows and Linux systems across banking, transportation, and professional services sectors, demanding ransoms...
monti
0
Monti is a ransomware group first observed in June 2022 that initially copied nearly all of Conti's leaked source code,...
0 victims
Full Profile →
morpheus
0
Morpheus emerged in late 2024 as a semi-private RaaS operation whose affiliates share identical payloads with the HellCat ransomware group,...
0 victims
Full Profile →
mosesstaff
0
Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be...
0 victims
Full Profile →
mountlocker
0
MountLocker operated as a ransomware-as-a-service from July 2020, using a standard developer/affiliate revenue split and leveraging compromised RDP credentials for...
0 victims
Full Profile →
ms13089
0
MS13089 is a newly emerged ransomware group (first observed December 2025) that named itself after a 2013 Microsoft Security Bulletin,...
mydecryptor
0
MyDecryptor is a low-profile ransomware group with minimal public documentation, appearing on ransomware tracking platforms but not the subject of...
0 victims
Full Profile →
n3tworm
0
N3tw0rm ransomware group is linked to Iran by many security researchers especially for the fact that the group targeting only...
0 victims
Full Profile →
nasirsecurity
0
Nasir Security is a pro-Iranian threat actor that emerged around October 2025, primarily targeting energy sector organizations in the Middle...
0 victims
Full Profile →
nefilim
0
According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of...
0 victims
Full Profile →
nemty
0
Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed through similar...
0 victims
Full Profile →
netrunner
0
NetRunner is a ransomware group active from at least 2025 targeting diverse sectors including healthcare, telecommunications, manufacturing, and agriculture across...
netwalker
0
NetWalker ransomware group operates by the threat actor known as "CIRCUS SPIDER". The NetWalker ransomware was discovered in 2019. The...
0 victims
Full Profile →
nevada
0
Nevada Ransomware is a RaaS operation written in Rust that emerged on the RAMP dark web forum in late 2022,...
0 victims
Full Profile →
nightsky
0
Night Sky is a China-nexus ransomware group (attributed to the "Emperor Dragonfly" cluster) that emerged in late 2021, gaining notoriety...
0 victims
Full Profile →
nightspire
0
NightSpire is a ransomware group that first emerged in March 2025 and rapidly claimed over 250 victims across retail, manufacturing,...
nitrogen
0
Nitrogen began as a malware loader in 2023 used to deliver BlackCat/ALPHV ransomware, then evolved into a fully independent ransomware...
noescape
0
NoEscape was a RaaS operation active from May to December 2023 believed to be a rebrand of the defunct Avaddon...
0 victims
Full Profile →
nokoyawa
0
Nokoyawa is a double-extortion ransomware group that launched a RaaS program in 2022 (operated by threat actor "farnetwork"), primarily targeting...
0 victims
Full Profile →
noname
0
NoName (also known as CosmicBeetle) is a ransomware group active since at least 2020 targeting small and medium-sized businesses globally...
0 victims
Full Profile →
nova
0
Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims’files and uses double-extortion tactics to pressure organizations into paying...
obscura
0
Obscura is a ransomware strain observed in 2025, written in Go and specifically targeting Windows domain controllers via the SYSVOL/NETLOGON...
0 victims
Full Profile →
onepercent
0
OnePercent Group is a cybercriminal operation active since at least November 2020 that targeted US organizations using phishing with IcedID...
0 victims
Full Profile →
onyx
0
Onyx is a ransomware group first observed in April 2022, based on the Chaos ransomware builder, that is notably destructive...
0 victims
Full Profile →
orca
0
Orca is a ransomware group that emerged in September 2024, identified as a variant of the Zeppelin malware family, targeting...
0 victims
Full Profile →
orion
0
Orion is a ransomware operation first observed in October 2025 that listed 13 alleged victims on a dark web leak...
osiris
0
Osiris is a ransomware-as-a-service operation first observed in November 2025 that uses a Bring Your Own Vulnerable Driver (BYOVD) technique...
pay2key
0
Pay2Key is ransomware that has been used by the threat actor Fox Kitten. The group seems to operate since July...
0 victims
Full Profile →
payload
0
Payload is a ransomware group that emerged in early 2026, using Babuk-derived source code targeting both Windows and ESXi systems...
payloadbin
0
PayloadBIN is a ransomware strain deployed in 2021 by Evil Corp as a rebranding of their WastedLocker/Hades/Phoenix lineage, specifically designed...
0 victims
Full Profile →
payoutsking
0
PayoutsKing is an active ransomware group observed through at least 2026 that has claimed attacks against a wide range of...
0 victims
Full Profile →
pear
0
Pure Extraction And Ransom (PEAR) Team is the community of highly responsible and strictly disciplined members. We are a private...
play
0
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America....
playboy
0
PlayBoy Locker is a ransomware-as-a-service operation that emerged in September 2024, targeting Windows, NAS, and ESXi systems across multiple sectors...
0 victims
Full Profile →
projectrelic
0
Project Relic emerged in mid-2022 as a Golang-based ransomware targeting Windows and Linux hosts, operating with a TOR-based data leak...
0 victims
Full Profile →
prolock
0
PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses...
0 victims
Full Profile →
prometheus
0
Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.
0 victims
Full Profile →
promptlock
0
First known AI-powered ransomware. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate...
0 victims
Full Profile →
pysa
0
Mespinosa is a ransomware which encrypts file using an asymmetric encryption and adds .pysa as file extension. According to dissectingmalware...
0 victims
Full Profile →
qilin
0
Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes;...
qiulong
0
Qiulong is a ransomware group that emerged around April 2024 primarily targeting Brazilian organizations using double extortion and unique tactics...
0 victims
Full Profile →
qlocker
0
QLocker was a financially motivated ransomware operation active in 2021 that exclusively targeted QNAP NAS devices exposed to the internet,...
0 victims
Full Profile →
quantum
0
Quantum ransomware, active from mid-2021 through 2022, was a rebrand of the MountLocker/AstroLocker/XingLocker lineage that operated as RaaS, known for...
0 victims
Full Profile →
rabbithole
0
RabbitHole is a low-profile ransomware group with limited publicly available threat intelligence, not appearing prominently in major threat intelligence reports,...
0 victims
Full Profile →
radar
0
Radar (also known as Dispossessor), active since August 2023 and led by an actor called "Brain," was a RaaS group...
radiant
0
Radiant is a financially motivated ransomware group that emerged in September 2025, conducting double- and single-extortion attacks without affiliates, drawing...
0 victims
Full Profile →
ragnarlocker
0
Ragnar Locker was an elite ransomware group active from December 2019 to October 2023 that targeted large enterprises and critical...
ragnarok
0
According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese...
0 victims
Full Profile →
ralord
0
RALord is a ransomware group identified in March 2025 operating within the NOVA RaaS platform, targeting healthcare, education, hospitality, and...
ramp
0
RAMP (Russian Anonymous Marketplace) was a Russian-speaking dark web forum founded in 2021 that served as a central marketplace and...
0 victims
Full Profile →
rancoz
0
Rancoz is a Windows-targeting ransomware strain first observed in November 2022 that appends the ".rec_rans" extension to encrypted files, considered...
0 victims
Full Profile →
ranion
0
Ranion is a ransomware-as-a-service operation first observed in April 2017 that offers a low-barrier, pay-upfront model where affiliates keep 100%...
0 victims
Full Profile →
ransombay
0
Launched on April 24th, 2025 RansomBay is a new project operating under the DragonForce initiative
0 victims
Full Profile →
ransomcartel
0
Ransom Cartel is a ransomware-as-a-service operation that surfaced in December 2021, assessed by Palo Alto Unit 42 to share source...
0 victims
Full Profile →
ransomcortex
0
RansomCortex emerged in July 2024 with a narrow focus on healthcare facilities, claiming four victims within days of its first...
0 victims
Full Profile →
ransomed
0
RansomedVC was a short-lived extortion group active from August to November 2023 that claimed high-profile victims including Sony, innovating by...
0 victims
Full Profile →
ransomexx
0
RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.
ransomhouse
0
RansomHouse is a double-extortion RaaS operation active since late 2021, attributed to the threat actor "Jolly Scorpius," targeting over 120...
ransomhub
0
The group emerged in mid-February 2024 and has already listed several organizations as alleged victims of their attacks, resulting from...
0 victims
Full Profile →
ranstreet
0
Ranstreet is a low-profile ransomware group with very limited public documentation, appearing in ransomware tracking lists but without major vendor...
0 victims
Full Profile →
ranzy
0
Ranzy Locker, Former known as ThunderX. The group hosting a data leak site in the darknet where they posting sensitive...
0 victims
Full Profile →
raworld
0
RA Group, also known as RA World, first surfaced in April 2023, utilizing a custom variant of the Babuk ransomware.
0 victims
Full Profile →
rebornvc
0
RebornVC is a rebrand of RansomedVC re-emerging in July 2025 under new leadership, using data auctions, direct extortion, and double...
0 victims
Full Profile →
redalert
0
RedAlert (also called N13V) is a ransomware group first observed in July 2022 that targets both Windows and Linux VMware...
0 victims
Full Profile →
redransomware
0
Red Ransomware (Red CryptoApp) emerged in early 2024, debuting its "Wall of Shame" data leak site with 11 victims across...
0 victims
Full Profile →
revil
0
Sodinokibi ransomware group also known as REvil (Ransomware Evil) operates as a ransomware-as-a-service (RaaS) model. After the group compromised his...
0 victims
Full Profile →
reynolds
0
Reynolds is a ransomware family first identified in early 2026, notable for embedding BYOVD (Bring Your Own Vulnerable Driver) defense...
rhysida
0
Rhysida is a ransomware-as-a-service (RAAS) group that emerged in May 2023. The group utilizes a namesake ransomware through phishing attacks...
robinhood
0
RobbinHood is a ransomware group first observed in April–May 2019, responsible for high-profile attacks on US cities including Baltimore, Maryland...
0 victims
Full Profile →
rook
0
According to PCrisk, Rook is ransomware (an updated variant of Babuk) that prevents victims from accessing/opening files by encrypting them....
0 victims
Full Profile →
royal
0
According to Trendmicro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to...
0 victims
Full Profile →
rransom
0
RRansom is a low-profile ransomware group whose dark web leak site has been listed as offline in tracking directories, with...
0 victims
Full Profile →
sabbath
0
Sabbath (also known as 54BB47h, operated by UNC2190) is a ransomware group active from mid-2021 that emerged as a rebrand...
0 victims
Full Profile →
safepay
0
SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all...
sarcoma
0
Sarcoma is a ransomware group that debuted in October 2024, immediately ranking among the top three most active groups globally...
satanlockv2
0
SatanLock is a short-lived ransomware group that first appeared in April 2025 and abruptly shut down in July 2025 after...
secp0
0
Encrypted Extension: .vanhelsing, .vanlocker. Targets Windows Platform only
securotrop
0
Securotrop is a ransomware group established in early 2025 that operates within the Qilin affiliate network while maintaining an independent...
shadow
0
Shadow is a low-profile ransomware group tracked on ransomware monitoring platforms with limited public documentation; specific attribution details regarding its...
0 victims
Full Profile →
shaoleaks
0
SHAOleaks is a low-profile data leak and extortion group with minimal public documentation, operating a leak site but lacking detailed...
0 victims
Full Profile →
shinyhunters
0
ShinyHunters is a financially motivated data-theft and extortion group active since 2020, responsible for high-profile breaches including Ticketmaster (via Snowflake)...
sicarii
0
Sicarii is a pro-Israeli/Jewish-branded ransomware-as-a-service operation that emerged in late 2025, explicitly targeting Arab and Muslim-majority organizations while avoiding Israeli...
0 victims
Full Profile →
siegedsec
0
Not a ransomware group but a hacktivist group that appeared coincidentally days before Russia’s invasion of Ukraine
0 victims
Full Profile →
silent
0
Unlike many other groups, Silent claims to operate with a high level of anonymity and discretion. According to their own...
0 victims
Full Profile →
sinobi
0
Sinobi is a private vetted-affiliate RaaS group that emerged in mid-2025, believed to be a rebrand of the Lynx/INC ransomware...
skira
0
Skira is a small ransomware group that emerged around late 2024, claiming responsibility for the breach of Carruth Compliance Consulting...
0 victims
Full Profile →
slug
0
Slug is a very obscure ransomware or extortion group with only a single documented victim (AerCap, the aircraft leasing company)...
0 victims
Full Profile →
snatch
0
Snatch is a ransomware which infects victims by rebooting the PC into Safe Mode. Most of the existing security protections...
0 victims
Full Profile →
spacebears
0
Space Bears is a double-extortion ransomware group that emerged in April 2024, distinguished by a professional "corporate" aesthetic on its...
sparta
0
Sparta is a short-lived ransomware group first observed in September 2022 that conducted double-extortion attacks primarily targeting organizations in Spain...
0 victims
Full Profile →
spook
0
Spook ransomware operated briefly in September–October 2021 as a rebrand of the Prometheus ransomware group (built on the Thanos builder),...
0 victims
Full Profile →
stormous
0
Stormous is an Arabic-speaking, pro-Russian ransomware and hacktivist group active since at least 2022, known for politically motivated attacks across...
0 victims
Full Profile →
suncrypt
0
SunCrypt is a RaaS operation first observed in October 2019, notable for pioneering triple extortion (encryption, data publication threats, and...
0 victims
Full Profile →
synack
0
SynAck is a sophisticated ransomware operation first spotted in 2017, known for using hybrid ECIES encryption and the Doppelganging process...
0 victims
Full Profile →
teamxxx
0
TeamXXX is an emerging ransomware group that launched its leak site in June 2025, claiming victims across healthcare, agriculture, hospitality,...
0 victims
Full Profile →
tengu
0
Tengu is a RaaS operation first observed in October 2025, following a double-extortion model and using Living Off The Land...
0 victims
Full Profile →
termite
0
Termite is a ransomware group first identified in late 2024 using a modified version of Babuk ransomware code; its most...
thegentlemen
0
The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by...
thegreenbloodgroup
0
The Green Blood Group is an emerging ransomware operation first identified in early 2026 whose Go-based Windows payload uses ChaCha8...
threeam
0
A new Ransomware family identified by the name '3AM' or 'ThreeAM' in September 2023. The ransomware operation was observed by...
tridentlocker
0
TridentLocker is a newly emerged ransomware group (surfaced mid-2025) targeting organizations managing high volumes of regulated or third-party data —...
trigona
0
According to PCrisk, Trigona is ransomware that encrypts files and appends the ._locked extension to filenames. Also, it drops the...
0 victims
Full Profile →
trinity
0
Trinity ransomware was first discovered in May 2024, believed to be a rebrand of the Venus/2023Lock variants, using ChaCha20 encryption...
0 victims
Full Profile →
trisec
0
Trisec is a Tunisian-origin ransomware group that emerged in February 2024, claiming affiliation with the Tunisian government and operating as...
0 victims
Full Profile →
u-bomb
0
U-Bomb is a low-profile ransomware operation discovered in March 2023 that arrives via phishing emails and uses third-party offensive frameworks...
0 victims
Full Profile →
underground
0
Underground ransomware is deployed by the Russia-based RomCom group (Storm-0978) and has victimized companies across multiple industries since July 2023...
unknown
0
"Unknown" is a catch-all tracking label used on ransomware monitoring platforms for attacks where the responsible threat actor has not...
0 victims
Full Profile →
vanirgroup
0
VanirGroup is an Eastern European ransomware group composed of former affiliates from Karakurt, LockBit, and Knight ransomware that emerged in...
0 victims
Full Profile →
vect
0
VECT is a RaaS group that launched its affiliate program in December 2025 with a five-tier revenue-sharing model and a...
0 victims
Full Profile →
vfokx
0
VFOKX is a low-profile ransomware group tracked on ransomware monitoring platforms with very limited public documentation and no detailed analysis...
0 victims
Full Profile →
vicesociety
0
Vice Society ransomware appends the .v-society extension when encrypting Linux machines. Running a leak site on the darkweb, Possible relations...
0 victims
Full Profile →
walocker
0
WALocker is an emerging ransomware group that came to attention in 2025, targeting organizations in Southeast Asia and government entities,...
0 victims
Full Profile →
wannacry
0
WannaCry ransomware is a cyber attack that spreads by exploiting vulnerabilities in the Windows operating system. At its peak in...
0 victims
Full Profile →
warlock
0
The Warlock ransomware and operator(s) are believed to be attributed to Storm-2603, a China-based threat actor who is also known...
werewolves
0
WereWolves is a Russian-speaking ransomware group that emerged in May 2023, using a modified LockBit 3 (Black) encryptor, operating an...
weyhro
0
Weyhro is a data-extortion group (relying on data theft and leak threats without file encryption) that launched a Tor leak...
worldleaks
0
World Leaks emerged in January 2025 as a rebrand of the Hunters International ransomware operation, shifting its focus from file...
x001xs
0
X001xs is a low-profile ransomware group tracked on monitoring platforms with minimal public documentation, employing standard double-extortion tactics with no...
0 victims
Full Profile →
xinglocker
0
XingLocker is a ransomware group that emerged in May 2021 as part of a franchise-style RaaS model built on a...
0 victims
Full Profile →
xinof
0
XINOF (also known as Fonix/FonixCrypter) is a RaaS operation that began in June 2020 with no upfront affiliate cost and...
0 victims
Full Profile →
xp95
0
XP95 is a cyber-extortion group that emerged in March 2026, using a pure data-theft-and-extortion model with a Windows XP/95-themed leak...
yanluowang
0
According to PCrisk, Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates the...
0 victims
Full Profile →
yurei
0
Yurei is a ransomware group first observed in September 2025 whose payload is a minimally modified fork of the open-source...
0 victims
Full Profile →
zeon
0
Zeon was the precursor identity used by the group that rebranded as Royal in September 2022, composed primarily of former...
0 victims
Full Profile →
zerolockersec
0
ZeroLockerSec is a small ransomware group with very limited public documentation that became inactive by Q2 2025 with no recorded...
0 victims
Full Profile →
zerotolerance
0
ZeroTolerance is a low-profile ransomware group tracked on monitoring platforms with no detailed threat actor profiles, technical analysis, or named...
0 victims
Full Profile →
Source: Ransomware.live