Threat Groups
668 tracked groups
qilin
Qilin (also known as Agenda) is a ransomware-as-a-service operation that emerged in 2022, initially targeting healthcare...
lockbit3
LockBit 3.0 (also known as LockBit Black) is the third major iteration of the LockBit ransomware-as-a-service platform, ...
play
Play ransomware (also known as PlayCrypt) emerged in mid-2022 and is characterized by its use of the ".play" file extens...
akira
Akira ransomware first appeared in March 2023 and quickly became one of the most active groups of that year, targeting s...
lockbit2
LockBit 2.0 (also known as LockBit Red) was the second major version of the LockBit ransomware-as-a-service platform, ac...
clop
Clop (also spelled Cl0p) is a financially motivated ransomware group attributed to the FIN11/TA505 threat cluster with a...
medusa
Medusa ransomware (not to be confused with MedusaLocker) is a ransomware-as-a-service operation that became highly activ...
incransom
INC Ransom (INCransom) is a double-extortion ransomware group that emerged in mid-2023, targeting healthcare, education,...
alphv
ALPHV (also known as BlackCat or Noberus) was a sophisticated ransomware-as-a-service operation launched in November 202...
blackbasta
Black Basta emerged in April 2022 and is widely assessed by researchers and law enforcement to be composed of former Con...
8base
8Base is a double-extortion ransomware group that first appeared in early 2022 but dramatically escalated activity in mi...
bianlian
BianLian ransomware first appeared in June 2022 and is attributed by multiple researchers and the FBI/CISA to a China-ba...
ransomhub
RansomHub is a ransomware-as-a-service operation that launched in February 2024 and rapidly became one of the most activ...
thegentlemen
The Gentlemen is a ransomware-as-a-service group that emerged in mid-2024 and rapidly accumulated victims across North A...
dispossessor
Dispossessor (also tracked as Radar) was a ransomware-adjacent data extortion operation active from August 2023 until it...
conti
Conti was one of the most prolific and financially damaging ransomware operations in history, attributed by the FBI and ...
safepay
SafePay is a double-extortion ransomware group that emerged in late 2024, quickly attracting attention for its professio...
dragonforce
DragonForce is a ransomware-as-a-service operation with roots in a Malaysian hacktivist group of the same name that was ...
hunters
Hunters International emerged in October 2023 and is widely assessed to be a rebrand or direct continuation of the Hive ...
pysa
PYSA (also known as Mespinoza) is a ransomware group active since 2019 that has primarily targeted education, healthcare...
everest
Everest is a Russian-speaking ransomware and data extortion group active since at least 2020, known for targeting critic...
sinobi
Sinobi is a data extortion and ransomware group that emerged in 2024 and is assessed to have inherited personnel and cod...
nightspire
Nightspire is a relatively new double-extortion ransomware group that emerged in early 2025 and has quickly accumulated ...
FOG
FOG ransomware is a sophisticated strain first observed in May 2024, initially targeting US educational institutions bef...
lockbit5
LockBit 5.0 (also referred to as LockBit Nation-State) is a claimed successor to LockBit 3.0 that emerged after Operatio...
rhysida
Rhysida is a ransomware group that emerged in May 2023, quickly gaining notoriety for attacking healthcare providers and...
lynx
Lynx is a ransomware-as-a-service operation that emerged in mid-2024 and is assessed to be a rebrand or direct successor...
killsec
KillSec (Kill Security) is a hacktivist-turned-cybercriminal group that emerged in late 2023, linked by researchers to I...
cactus
Cactus ransomware surfaced in March 2023 and quickly gained attention for exploiting vulnerabilities in Qlik Sense analy...
hive
Hive was a major ransomware-as-a-service operation active from June 2021 until January 2023, targeting over 1,500 organi...
ransomhouse
RansomHouse is a data extortion group and marketplace active since December 2021 that focuses on stealing data without n...
malas
sarcoma
Sarcoma is a double-extortion ransomware group that emerged in mid-2024, primarily targeting manufacturing, professional...
vicesociety
Vice Society is a ransomware group that was active from mid-2021 to 2023, distinguished by its heavy focus on the educat...
handala
Handala (also known as Handala Hack Team or Hatef) is an Iran-linked hacktivist group that emerged during the Israel-Ham...
stormous
Stormous is a pro-Russian hacktivist and ransomware group that emerged around mid-2021, believed to include members from...
nova
Nova (formerly known as RALord) is a ransomware-as-a-service operation that rebranded from RALord in late 2024. The grou...
meow
Meow ransomware is a strain that emerged in 2022, appending the ".MEOW" extension to encrypted files and primarily targe...
royal
Royal ransomware was active from September 2022 to mid-2023 and is believed to have been formed by former members of the...
coinbasecartel
CoinbaseCartel (also known as CoinBase Cartel) is a financially motivated cybercrime group that operates a data acquisit...
babuk2
Babuk 2.0 (also styled as Babuk Locker 2.0 or SatanLock) is a group that impersonates the original Babuk ransomware oper...
spacebears
SpaceBears is a data extortion group that emerged in 2024, focusing on stealing and publishing sensitive corporate data ...
avaddon
Avaddon was a ransomware-as-a-service operation active from June 2020 to June 2021, when the operators unexpectedly shut...
blacksuit
BlackSuit is the rebranded continuation of the Royal ransomware operation, confirmed by CISA and FBI in an August 2024 j...
ragnarlocker
RagnarLocker was a Russia-linked ransomware group active from 2019 to 2023, known for conducting its own intrusions with...
deadlock
funksec
FunkSec is an Algerian ransomware group that emerged in late 2024 and quickly generated a high victim count through a co...
snatch
Snatch ransomware (not to be confused with the 2022 data extortion group reusing the brand) is a Russia-linked operation...
worldleaks
WorldLeaks is the rebranded continuation of Hunters International, launched in January 2025 after the group ceased file-...
abyss
Abyss (Abyss Data) is a data extortion group that emerged in early 2023, focusing on stealing and publishing sensitive c...
noescape
NoEscape was a ransomware-as-a-service operation that launched in June 2023 and is assessed by multiple researchers to b...
monti
Monti is a ransomware group that emerged in June 2022, widely assessed to be a copycat or offshoot of the Conti operatio...
SilentRansomGroup
SilentRansomGroup (SRG) is a former Conti team that continued operating independently following Conti's dissolution in 2...
toufan
Toufan (also known as Toufan Al-Aqsa) is an Iran-linked hacktivist group that emerged during the Israel-Hamas conflict i...
blackbyte
BlackByte is a ransomware-as-a-service operation first observed in July 2021, assessed to be Russia-linked and notable f...
apt73
APT73 is a ransomware group that operated under the "eraleign" identity before rebranding as Bashe in October 2024. Some...
arcusmedia
Arcus Media is a ransomware-as-a-service operation that first emerged in May 2024, offering affiliates a Linux and Windo...
interlock
Interlock ransomware emerged in late 2024 and is notable for deploying a custom ransomware variant that targets both Win...
pear
PEAR (Pure Extraction And Ransom) Team is a data extortion group that emerged in 2024, focusing on publishing stolen cor...
eldorado
Eldorado is a ransomware-as-a-service operation that emerged in early 2024, offering both Windows and VMware ESXi encryp...
threeam
3AM (ThreeAM) is a ransomware group discovered in September 2023, first observed being deployed as a fallback when LockB...
ransomexx
RansomExx (also known as Defray777) is a ransomware family that targeted multiple high-profile organizations including K...
shinyhunters
ShinyHunters is a prolific data theft and extortion group responsible for numerous high-profile breaches including the 2...
cuba
Cuba ransomware is a ransomware-as-a-service operation active since at least 2019, assessed to be Russia-linked despite ...
devman
Devman is a former RansomHub and INC Ransom affiliate that began operating independently as a ransomware-as-a-service pl...
beast
Beast ransomware operates as a ransomware-as-a-service platform targeting Windows, Linux, and VMware ESXi environments. ...
revil
REvil (also known as Sodinokibi) was one of the most financially damaging ransomware-as-a-service operations in history,...
genesis
Financial interests only. We do not provide or work with affiliate programs, no collaborations either. ...
kairos
Kairos is a double-extortion ransomware group that emerged in 2024, operating a dark web leak site and targeting organiz...
warlock
Warlock ransomware emerged in mid-2025 and has been attributed by Microsoft, Sophos, and Trend Micro with moderate-to-hi...
cloak
Cloak is a cybercriminal ransomware group that first emerged in late 2023, targeting small to mid-size businesses across...
anubis
Anubis ransomware emerged in 2024 as a data extortion and ransomware-as-a-service platform that distinguishes itself wit...
direwolf
DireWolf is a recently emerged double-extortion ransomware group that conducts targeted attacks against medium to large...
wannacry
WannaCry was a destructive ransomware worm deployed in May 2017 that infected over 200,000 computers across 150 countrie...
embargo
Embargo is a ransomware-as-a-service operation that emerged in mid-2024, utilizing Rust-based encryptors for both Window...
lorenz
Lorenz is a ransomware group active since early 2021, known for an unusual tactic of selling access to victim networks t...
karakurt
Karakurt is a data extortion group established in 2021 as an offshoot of the Conti ransomware operation (Wizard Spider),...
ransomed
cicada3301
Cicada3301 (unrelated to the 2012 internet puzzle) is a ransomware-as-a-service operation that emerged in June 2024 with...
raworld
RA World (formerly known as RA Group, active since April 2023) is a ransomware operation linked by Symantec and Palo Alt...
mallox
Mallox (also known as TargetCompany, Fargo, or Tohnichi) is a ransomware-as-a-service operation assessed to be China-lin...
payload
Payload is a ransomware group that emerged in 2024, primarily targeting organizations in North America and Europe throug...
quantum
Quantum ransomware emerged in August 2021 as a rebrand of the MountLocker operation and was subsequently linked to the C...
medusalocker
Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predec...
avoslocker
AvosLocker is a ransomware-as-a-service operation that launched in mid-2021, known for targeting critical infrastructure...
lv
parser needs to be built
blacklock
BlackLock (also known as Mamona) is a ransomware-as-a-service operation that emerged in late 2023 as an evolution of the...
braincipher
BrainCipher ransomware surfaced in mid-2024, initially gaining attention for a major attack against Indonesia's National...
donutleaks
DonutLeaks is a data extortion group that emerged in 2022, publishing stolen data from organizations that refused to pay...
payoutsking
Payouts King Group is a data extortion collective that explicitly states it does not operate as a RaaS and does not use ...
darkvault
DarkVault is a versatile threat actor that emerged in 2024, conducting both ransomware and data extortion operations aga...
AiLock
AiLock is a ransomware-as-a-service group that emerged in early 2025, marketing itself as AI-assisted and suspected by r...
krybit
tengu
Ransomware group active in data extortion.
losttrust
ryuk
Ryuk ransomware is attributed to the Russia-based Wizard Spider cybercriminal group and was one of the most damaging ran...
gunra
Gunra is an emerging ransomware group first identified in April 2025. It employs a classic double-extortion model—encryp...
maze
Maze ransomware pioneered the double-extortion model in late 2019, becoming the first major group to combine file encryp...
J
securotrop
arvinclub
Arvin Club first appeared around early to mid-2021, debuting on its Tor leak site with posts dating back to May 5, 2021....
obscura
crypto24
Also known as Public Data Storage. Crypto24 emerged in early 2025 as a fast-growing double-extortion ransomware-as-a-service ...
knight
Knight is a Ransomware-as-a-Service (RaaS) operation first observed in August 2023, believed to be a rebrand or evolutio...
ciphbit
CiphBit is a ransomware operation first detected in early 2024, using a custom encryptor targeting Windows and network s...
marketo
midas
Midas ransomware is a data extortion group active since late 2021 that shares significant technical similarities with th...
nitrogen
Nitrogen is a data extortion group that emerged in 2023, primarily conducting data theft without encryption to pressure ...
global
Now a RaaS by BlackLock ($$$). Global Group is a newly emerged Ransomware-as-a-Service (RaaS) platform that debuted...
helldown
Helldown is a double-extortion ransomware group that emerged in late 2024, known for exploiting vulnerabilities in Zyxel...
spook
blackshrantac
aka black shrantac
metaencryptor
We are a group of young people who identify themselves as specialists in the field of network security with at least 15 ...
suncrypt
SunCrypt is a ransomware group active since 2019 that joined the Maze ransomware cartel in 2020, adopting the double-ext...
darkleakmarket
flocker
termite
Termite is a ransomware group that emerged in late 2024, gaining attention for exploiting a zero-day vulnerability in Cl...
nokoyawa
Nokoyawa ransomware is a strain active from early 2022 that shares significant code and infrastructure with the Karma an...
doppelpaymer
DoppelPaymer ransomware is attributed to the Russia-based Evil Corp cybercriminal organization and is a successor to Bit...
dragonransomware
Dragon Ransomware is promising rapid and customizable ransomware operations for Windows systems. Key features include a...
lamashtu
trigona
Trigona ransomware was active from late 2022 to 2023, targeting businesses across multiple sectors with AES encryption a...
blackmatter
BlackMatter was a ransomware-as-a-service operation active from July to November 2021, widely assessed as a direct rebra...
dAn0n
dAn0n is a data-extortion actor that first appeared in April 2024. Operating primarily in a leak-focused extortion model...
leaktheanalyst
morpheus
siegedsec
cephalus
chaos
Chaos ransomware operates as a ransomware-as-a-service builder that has been widely distributed on underground forums si...
orion
Jan 13, 2026: We believe the group might be related to Babuk-Bjorka.
brotherhood
fulcrumsec
kelvinsecurity
Kelvin Security is a cybercrime group active since at least 2013, primarily known for hacktivism, data breaches, and web...
payloadbin
underground
Underground ransomware (also known as Underground Team) is a Russia-linked group associated with the RomCom RAT threat c...
groove
Groove was a short-lived ransomware group and cybercrime gang that emerged in August 2021 and became notable for its agg...
blacknevas
BlackNevas ransomware — also referred to as “Trial Recovery” — was first observed in November 2024. It is a direct deriv...
CMDOrganization
CMD is a new kind of company that specializes in corporate system security and in identifying vulnerabilities across all...
moneymessage
daixin
Daixin Team is a ransomware and data extortion group active since mid-2022, primarily targeting the US healthcare and pu...
datacarry
DataCarry is a newly observed ransomware and data-extortion operation, first seen in May 2025. It operates a double-exto...
alphalocker
crazyhunter
lapsus$
Lapsus$ is a data extortion group that emerged in late 2021, known for social engineering, SIM-swapping, and insider rec...
netwalker
NetWalker (also known as Mailto) was a ransomware operation active from 2019 to January 2021, when US and Bulgarian auth...
IMNCrew
sabbath
bravox
Ransomware group active in data extortion.
m3rx
mountlocker
ralord
d4rk4rmy
D4rk4rmy is a data-extortion focused threat actor that emerged in mid-2025, targeting high-profile organizations across ...
hellcat
HellCat is a ransomware-as-a-service operation that emerged in late 2024, with KELA researchers identifying core operato...
xinglocker
Xing uses a custom MountLocker exe.
mosesstaff
tridentlocker
ALP-001
benzona
insomnia
nefilim
According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is remov...
onyx
ShadowByt3$
unsafe
A group which seems to recycle leaks from other ransomware groups.
dunghill
Dunghill Leak is the publicly branded data leak site (DLS) operated by the Dark Angels ransomware group, established cir...
redransomware
trinity
apos
Apos ransomware surfaced in April 2024 and is best characterized as a data‑broker or leak‑only operation, rather than a ...
aurora
eraleign (apt73)
Eraleign (APT73) rebranded as Bashe in October 2024 after operating under the Eraleign name, with the transition coincid...
radar
secp0
Encrypted Extension: .vanhelsing, .vanlocker. Targets Windows Platform only
teamxxx
werewolves
Werewolves is a Russia-linked ransomware group that emerged in mid-2023, using a modified version of the LockBit 3.0 sou...
argonauts
azroteam
freecivilian
pay2key
RunSomeWares
bavacai
blackout
Blackout surfaced in February 2024, using a variant based on DarkSide and BlackMatter ransomware source code, establishi...
darkside
FireEye describes DARKSIDE as a ransomware written in C and configurable to target files whether on fixed, removable dis...
kazu
vect
weyhro
Appears to be a Data Extortion group with no encryption.
cheers
Cheers is a Linux-based ransomware variant observed starting in May 2022, engineered specifically to target VMware ESXi ...
cipherforce
For those out of the loop, you may already know us as TeamPCP or Shellforce, we have been active a while publishing data...
frag
Frag ransomware emerged in late 2024, primarily observed exploiting Veeam Backup & Replication vulnerabilities (CVE-2024...
titan
0mega
0mega is a ransomware group first observed in May 2022, operating with a double extortion model: Encrypting victi...
cryp70n1c0d3
mindware
settra
skira
atomsilo
AtomSilo emerged in September 2021 and ceased operations by year-end 2021. It functioned with a double‑extortion model, ...
babuk
chort
Chort is a relatively new data-extortion ransomware group that surfaced in late 2024, with confirmed activity beginning ...
egregor
Egregor is a ransomware strain that appeared in September 2020, widely believed to be a rebrand or successor to the Maze...
kawa4096
madliberator
Group is also currently known as MADDLL32 and Metatron.
redalert
bert
BERT ransomware (also tracked as Water Pombero) first emerged in April 2025, rapidly targeting both Windows and Linux sy...
LeakBazaar
nasirsecurity
rook
Ransomware.
darkpower
Dark Power is a ransomware group first observed in January 2023, known for targeting small to mid-sized organizations ac...
karma
Karma is a ransomware group first observed in November 2021, operating a double-extortion model that combines data theft...
projectrelic
shaoleaks
sparta
bqtlock
Also known as BaqiyatLock. BQTLock surfaced in July 2025 and operates as a fully-fledged Ransomware-as-a-Service (RaaS) with a...
cyclops
Cyclops ransomware was rebranded as Knight around mid‑2023, emerging initially in early 2023. It operates as a Ransomwar...
desolator
icefire
linkc
lockbit
minteye
rebornvc
samsam
blackwater
radiant
rancoz
satanlockv2
cryptbb
darkrace
DarkRace is a moderately destructive ransomware strain observed since 2024. It encrypts files and appends a randomized e...
dataleak
exitium
hellogookie
killsec3
kittykatkrew
leaknet
In the cyber-undergrounds, we're exploring shadowed corridors of the digital world in search of inside infor...
mogilevich
netrunner
pandora
Pandora ransomware was obtained by vx-underground on 2022-03-14.
raznatovic
RANSOMED.VC aka Raznatovic
robinhood
yanluowang
Ransomware.
0day Syndicate
Black X
blackshadow
BlackShadow is a state-aligned cybercrime group reportedly linked to Iran’s cyber operations, first identified in late 2...
blacktor
kraken
Kraken leak blog (hellokitty). Kraken is a ransomware family first observed in August 2018 as a Ransomware-as-a-Serv...
ms13089
nightsky
prolock
PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and loc...
secpo
sensayq
silent
Unlike many other groups, Silent claims to operate with a high level of anonymity and discretion. According to their own...
trisec
ValenciaLeaks
Official twitter account: https://x.com/ValenciaLeaks72
VanHelsing
vendetta
wastedlocker
xp95
AuditTeam
bonacigroup
dharma
Dharma is a prolific ransomware family active since at least 2016, evolving from the earlier CrySiS ransomware. It opera...
GDLockerSec
Our team members are from different countries and we are not interested in anything else, we are only interested in doll...
grief
Grief, also known as Pay or Grief, is a ransomware group that emerged in May 2021 and is widely believed to be operated ...
noname
nozelesn
PrinzEugen
qiulong
ragnarok
According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes...
ranstreet
slug
snake
vanirgroup
wallstreet
arkana
astroteam
bitpaymer
bjorka
Hellcome Bjorkanism. Bjorka emerged as a prominent data-extortion actor and hacktivist initially active in 2022, ta...
cryptnet
CryptNet is a newer Ransomware-as-a-Service (RaaS) operation first identified in April 2023. It follows a double-extorti...
cryptolocker
donex
Donex is a ransomware family that emerged in early 2022 as a rebrand of the older Muse ransomware. It uses a double-exto...
hades
Hades is a ransomware group first observed in December 2020, believed by several threat intelligence firms to be operate...
lockdata
lunalock
memedusalockerdusa
netflim
orca
osiris
redact
ronggolawe
satanlock
Connected to GD Lockersec and Babuk-Bjorka. Group is aka SalanLock (from typo on victim pages).
sicarii
zeppelin
Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and functions as a Ransomware as a Service (...
3am
3AM, also known as ThreeAM, is a relatively new ransomware family that emerged in late 2023, initially deployed as a fal...
agelocker
bitlocker
blogxx
bluebox
ContFR
RaaS - Ransomware embedded in a PDF file, to be opened by your victims or inserted yourself, Windows and Mac, ...
cring
cryptowall
deathkitty
gandcrab
GandCrab was a prolific Ransomware-as-a-Service (RaaS) operation active from January 2018 to mid-2019. It quickly became...
goznym
insane
kyber
locky
malekteam
networm
nullbulge
A hacktivist group protecting artists' rights and ensuring fair compensation for their work.
pryx
ransomcortex
roadsweep
sekhmet
walocker
yurei
0apt
The group appears unreliable. Most, if not all, of its alleged victims cannot be verified and appear to be randomly sele...
0xFFF
2023lock
2023Lock is a ransomware strain first observed in January 2024, believed to be an evolution of the Venus and Zeoticus fa...
a1project
The locker is written in C/C++/ASM. It supports all systems starting from Windows 2003, has a separate binary for E...
Abrahams_Ax
Abrahams_Ax, first observed in November 2022, is not a Ransomware-as-a-Service (RaaS) operation but a politically motiva...
adminlocker
AdminLocker was first observed around December 2021 and appears to be a lone operator or small group, with no clear Rans...
againstthewest
aGl0bGVyCg
This ransomware group (notably stylized as aGl0bGVyCg) has extremely limited publicly available information. No confirme...
ako
First observed in early January 2020 (initial victim post on January 9, 2020), Ako (also known as MedusaReborn) operates...
amnesia
Amnesia ransomware was first identified in May 2017, particularly affecting enterprise cloud environments. It does not a...
ank
antibrok3rs
Antibrok3rs emerged as an access broker (not a ransomware operator itself) linked to the aftermath of the 2023 MOVEit su...
aptlock
Aptlock surfaced in early 2025 and is characterized by a single-extortion model combined with threats of data leakage. T...
arachna leak
arcane
Arcane first emerged in mid-2021 under the UNC2190 cluster and later rebranded as Sabbath, continuing its operations aga...
arcrypter
ArcRypt (also known as ARCrypter or ChileLocker) was first identified in August 2022, originally targeting government en...
argonauts group
Argonauts Group is a data extortion operation that surfaced around September–October 2024, primarily targeting organizat...
arkana security
Arkana Security emerged in early 2025, debuting with a high-profile data-extortion campaign against the U.S. internet pr...
astralocker
AstraLocker first appeared in 2021, likely as a fork of Babuk ransomware using leaked source code. It follows a single-e...
avos
First observed in July 2021, AvosLocker operates as a Ransomware-as-a-Service (RaaS) platform employing a double-extorti...
aware
axxes
Axxes ransomware emerged as a rebranded version of the previously known Midas ransomware group, with roots also tracing ...
aztroteam
azzasec
We are AzzaSec — a decentralized PMC (Private Military Contractor), RaaS (Ransomware-as-a-Service) syndicate, and botne...
b0 group
B0 is a relatively obscure ransomware operation with very limited public reporting outside of leak site monitoring. It a...
babuk-bjorka
On January 26th, Babuk's dedicated leak site (DLS) was "relaunched". Bjorka (Telegram: @bjorkanesiaaaa) is the current a...
babuk-locker
Babuk‑Locker emerged in early 2021 as a Ransomware‑as‑a‑Service (RaaS) gang targeting high‑value “big game” enterprises ...
babyduck
babylockerkz
BabyLockerKZ is a variant of MedusaLocker ransomware, first observed in late 2023. It operates under a double‑extortion ...
backmydata
BackMyData is a variant of the Phobos ransomware family, first observed in early 2024. It follows a double‑extortion mod...
balletspistol
BalletsPistol is a Python-based ransomware strain distributed via GitHub. An investigative report from June 2025 reveals...
belsen group
Also known as Belesn Group. Belsen Group emerged in January 2025 as a data broker and leak-focused threat actor, not engaging...
bidon
BIDON is a variant of the Monti ransomware family, first observed around mid‑2023. It employs a double‑extortion strateg...
bitransomware
BitRansomware (also known as DCryptSoft or ReadMe) surfaced in November 2020, primarily as a widespread cryptolocker tar...
black witch
blackberserk
Black Berserk is a relatively unsophisticated ransomware strain analyzed in late 2023. It operates under a single‑extort...
blackbit
BlackBit ransomware was first observed in August 2022 and is a .NET-based strain that closely mimics the design and func...
blackbyte-crux
Crux is a newly identified ransomware variant active since July 2025, which claims affiliation with the established Blac...
blackfield
blackhunt
Black Hunt ransomware has been active since at least mid-2021 and operates under a double-extortion model, encrypting vi...
blacksnake
BlackSnake is a Ransomware-as-a-Service (RaaS) operation that first appeared in August 2022, when its operators began re...
bluelocker
Blue Locker targets Pakistan’s vital energy sector, particularly Pakistan Petroleum
bluesky
BlueSky ransomware first emerged in July 2022 and is characterized by aggressive, high-speed file encryption using a mul...
bober
br0k3r
Br0k3r is not a conventional ransomware gang, but rather an Iran-linked cyber espionage and access brokerage group lever...
buddyransome
bytesfromheaven
C3RB3R
Cerber ransomware, active since 2016, has resurfaced occasionally using the name C3RB3R. It operates as a semi-private R...
catb
CatB ransomware was first observed in late 2022, gaining attention for abusing DLL hijacking via the Microsoft Distribut...
cerber
cerberimposter
Cerber Imposer is a post-2019 rebrand of the Cerber ransomware family, resurfacing in late 2021 with updated targeting o...
cerbersyslock
CerBerSysLock first appeared in December 2017 as a cryptoransomware imposter, leveraging Cerber-style branding to deceiv...
chilelocker
ChileLocker first emerged in August 2022 and is considered part of the broader ARCrypter ransomware family. It employs a...
cipherwolf
clearwater
cloak.su (locker leak)
clop torrents
colossus
Colossus ransomware was first observed in September 2021, when ZeroFox researchers uncovered the variant attacking a U.S...
cooming
previous clearnet domain coomingproject.com
core
Core ransomware surfaced in early 2025 as a new variant within the broader Makop family. It employs a single-extortion m...
crazyhunter team
CrazyHunter is a rising ransomware threat first detected in early 2025, with particularly dangerous campaigns targeting ...
crosslock
CrossLock ransomware was first observed in April 2023, targeting an IT services firm in Brazil using a double‑extortion ...
cry0
cryakl
Also known as “Fantomas”. Cryakl first appeared in 2014, spreading primarily across Eastern Europe and Russia via p...
crylock
CryLock is a ransomware variant that emerged around April 2020, evolving from the Cryakl (Fantomas) ransomware family. I...
crynox
Crynox (sometimes referred to as “Crynox Ransomware”) appears to be a generic file-locker threat that appends .crynox to...
crypt ransomware
.crYpt; MD5: 54EFAC23D7B524D56BEDBCE887E11849; Babuk variant
cryptedpay
CryptedPay is a standalone ransomware strain observed around early 2025, that encrypts files using AES-256 and appends t...
cryptomix
cryptoware
cryptxxx
CryptXXX is a ransomware strain that first appeared in April 2016, developed by the same group behind the Reveton and An...
crysis
Crysis ransomware was first identified in early 2016 and is a long-running family that later evolved into the Dharma ran...
cs-137
Cs‑137 is a newly observed ransomware strain that first appeared in January 2025. It employs the ChaCha20 cipher for enc...
ctblocker
Also known as Critroni. CTB‑Locker emerged in mid‑2014, introducing a new era of ransomware by leveraging elliptic curve crypt...
cyberex
cylance
d0glun
D0glun is a crypto-ransomware strain first observed in January 2025, believed to be derived from Babuk via an intermedia...
dagonlocker
Dagon Locker is a double-extortion ransomware family that surfaced around September 2022. It represents an evolution of ...
dark shinigami
darkangel
Dark Angels is a highly targeted ransomware and data-extortion group that emerged in spring 2022. Rather than using an a...
darkangels
darkbit
darkbit01
DarkBit is a politically motivated ransomware operation active since February 2023, targeting academic and public sector...
darkhav0c
darkrypt
darkwave
Written in Python.
darkylock
Darky Lock is a commodity-style ransomware strain first identified in July 2022, derived from publicly available Babuk s...
dataf locker
DataF Locker is a ransomware variant first observed in 2024, closely tied to the Babuk ransomware lineage. It operates u...
datakeeper
deadbydawn
deathgrip
DeathGrip is a Ransomware-as-a-Service (RaaS) that emerged around June 2024, offering malware payloads built with leaked...
deathransom
DeathRansom is a ransomware family first seen in the wild in late 2019, initially appearing as a bluff—dropping ransom n...
delta
desolated
devman2
DevMan 2.0 is the evolved iteration of the DevMan ransomware, first documented in July 2025. It enhances the capabilitie...
diavol
Diavol is a ransomware strain first observed in June 2021, associated with the Wizard Spider threat group—best known for...
dread
ech0raix
The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom not...
elcometa
elonmusknow
elpaco
Elpaco is a variant of Mimic ransomware that emerged around August 2023. Designed with significant customization and ste...
enciphered
aka xoriste
encrypthub
endurance
Endurance is a destructive ransomware variant first observed in 2023, developed and operated by the threat actor known a...
entropy
Entropy is a ransomware first seen in the first quarter of 2022 and used in conjunction with Dridex infection. The ransomw...
ep918
erebus
eruption
Rebranded to Sabbath.
esxiargs
ESXiArgs is a ransomware campaign that emerged in February 2023, targeting VMware ESXi servers by exploiting the CVE-202...
evolution
exorcist
Ransomware.
fakersa
farattack
fargo
Fargo is a ransomware variant that surfaced in 2022, primarily targeting Microsoft SQL Server (MSSQL) systems. Believed ...
faust
Faust is a variant of the well-known Phobos ransomware, part of a Ransomware-as-a-Service (RaaS) ecosystem active since ...
fivehands
FiveHands is a ransomware family first observed in January 2021, believed to be a successor to the HelloKitty ransomware...
fletchen
freeworld
FreeWorld is a ransomware variant first observed in September 2023, and is believed to be derived from the Mimic ransomw...
frozen
fsociety
This group is also known by their malware name, FLOCKER. FSociety is a modern Ransomware-as-a-Service (RaaS) operat...
fsteam
A possible new leak site was posted to a forum on November 20th, 2022; no victims at present. Unclear if it's for a ransomware ...
ftcode
FTCode is a ransomware family first observed in 2013 as a PowerShell-based threat and later resurfaced in September 2019...
fusion
gangbang
gazprom
ghost
aka Cring / Ghost (Cring). Beginning early 2021, Ghost actors began attacking victims whose internet facing se...
global3
globe
Globe is a ransomware family that first appeared in August 2016, notable for its highly customizable codebase that allow...
globeimposter
GlobeImposter is a ransomware family that first appeared in mid-2017, designed to mimic the appearance and naming conven...
good day
Good Day is a ransomware variant within the ARCrypter family, first observed in May 2023. It gained prominence due to it...
grep
grinch
gwisin
Gwisin is a targeted ransomware group first publicly reported in July 2022, believed to operate primarily within South K...
haron
Haron is a ransomware group that emerged in July 2021 and is believed to share operational similarities with the Avaddon...
hddcryptor
hellokitty
HelloKitty is a ransomware family first observed in November 2020, named after a string found in its binary. It operates...
help_restoremydata
Help_restoremydata is a ransomware variant identified around late 2024/early 2025, notable for appending the .help_resto...
hermes
Hermes is a ransomware family first observed in the wild in February 2017, believed to have been developed by a group op...
himalayaa
hiveleak
holyghost
HolyGhost is a ransomware group first publicly reported in July 2022, believed to be operated by a North Korean state-sp...
homeland
hotarus
Hotarus is a ransomware and data extortion group first observed in March 2021, believed to be linked to threat actors of...
hyflock
icarus
inpivx
insane ransomware
Insane is a relatively obscure ransomware family first reported in late 2021, with few confirmed incidents in public thr...
invaderx
ironchain
izis
j group
jaff
Jaff is a ransomware family first discovered in May 2017, notable for its distribution via large-scale spam campaigns op...
jigsaw
Jigsaw is a ransomware family first observed in April 2016, notorious for its psychological intimidation tactics. It enc...
jo of satan
jsworm
JSWorm is a ransomware family that first appeared in May 2019 and is notable for undergoing multiple rebrands and evolut...
justice_blade
kasseika
Kasseika is a ransomware variant first publicly reported in January 2024, identified as a new evolution of the BlackMatt...
kawa
key group
keyholder
killada
kirov
krypt
kryptina
kryptos
kuiper
Kuiper is a relatively new ransomware strain first analyzed in April 2023, notable for being written in Rust and designe...
kuza
la_piovra
La Piovra Ransomware is an exercise by the company Offensive Security (also known as OffSec).
lambda
lamialocker
late.lol
Affiliates: @Mr.C, @Empathy, @jayze, @Widow, @Memory
lcryptorx
leak bazaar
leakeddata
lechiffre
lilith
lockbit3_fs
lockbit4
lockergoga
locus
loki
lokilocker
lolnek
lsd
luckbit
lulzsec muslims
lynxr
lyrix
macaw
madcat
mailto
makop
malphas
mamona
mario esxi
maui
mbc
mcafee
mcrypt2019
megacode
megacortex
megazord
mespinoza
miga
#MakeIsraelGreatAgain
miliphen
mimic
mimic-guram
Mimic v.10 Ransomware-as-a-Service (RaaS). The malware is designed to target various operating systems (Windows, ESXi, N...
mnt6
moisha
monolock
monte
mortalkombat
muliaka
mydata
mydecryptor
n3tworm
naga
nblock
nemesis
nemty
Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed throug...
nevada
nvrmre
AKA Lemon
obsidian orb
oceans
octovillan
offwhite
onepercent
osyolorz collective
ox thief
paradise
paradise2
Payday
petya
pewcrypt
phalcon
phantom
phobos
phoenixcryptolocker
piratelock
playboy
polyvice
prinz eugen
prometheus
Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.
promptlock
First known AI-powered ransomware. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama ...
proton
providence
proxima
punisher
pyrx
qilin-securotrop
qlocker
Login page, no posts.
quicklock
quoter
ra group
rabbithole
radiant group
RAMP
ranion
ransom corp
ransombay
Launched on April 24th, 2025, RansomBay is a new project operating under the DragonForce initiative.
ransomcartel
ransomedvc2
RansomedVC2 aka RebornVC aka RansomedVC (rebrand) under new leadership.
ransomware blog
Also known as MedusaLocker
ranzy
rapture
relic
reynolds
risen
Risen, which is a fully optimized and high-speed program, is the result of our years of experience in the field of malwa...
robbing hood
robbinhood
root
rransom
rtm locker
rustylocker
samas
satancd
scarab
scattered lapsus$ hunters
schoolboys
shade
shadow
sharpboys
ShinySp1d3r
Likely associated with the cybercrime group BlingLibra (ShinyHunters)
sicari
sifrecikis
silent ransom
skira team
slam
soleenya
solidbit
Ransomware, written in .NET.
spectre
sphinx
spirigatito
spring
spy corporate
sugar
sundawn
superblack
synack
synapse
targetcompany
taronis
team underground
telegram
teslacrypt
thanos
thegreenbloodgroup
thor
threatmarket
thunder x
thundercrypt
TiMc
tommyleaks
tooda
Members: Eco, Ego, emo, elo, user, Dante, Sevy
toxic
triple x
triplem
tssxx25
tuborg
turkish crypter
tycoon
u-bomb
unknown
unsafeleak
v is vendetta
vandev
vasalocker
vaultcrypt
vegalocker
vfokx
vsop
aka Onix/Onyx
vulcan
vurten
w3crypto
waissbein
weaxor
white lock
wiki ransomware
wikileaksv2
Group is connected to Qilin.