Threat Groups
660 tracked groups
lockbit3
LockBit 3.0 (also known as LockBit Black) is the third major iteration of the LockBit ransomware-as-a-service platform, ...
everest
Everest is a Russian-speaking ransomware and data extortion group active since at least 2020, known for targeting critic...
qilin
Qilin (also known as Agenda) is a ransomware-as-a-service operation that emerged in 2022, initially targeting healthcare...
akira
Akira ransomware first appeared in March 2023 and quickly became one of the most active groups of that year, targeting s...
play
Play ransomware (also known as PlayCrypt) emerged in mid-2022 and is characterized by its use of the ".play" file extens...
clop
Clop (also spelled Cl0p) is a financially motivated ransomware group attributed to the FIN11/TA505 threat cluster with a...
cactus
Cactus ransomware surfaced in March 2023 and quickly gained attention for exploiting vulnerabilities in Qlik Sense analy...
lockbit2
LockBit 2.0 (also known as LockBit Red) was the second major version of the LockBit ransomware-as-a-service platform, ac...
incransom
INC Ransom (INCransom) is a double-extortion ransomware group that emerged in mid-2023, targeting healthcare, education,...
chaos
Chaos ransomware operates as a ransomware-as-a-service builder that has been widely distributed on underground forums si...
alphv
ALPHV (also known as BlackCat or Noberus) was a sophisticated ransomware-as-a-service operation launched in November 202...
blackbasta
Black Basta emerged in April 2022 and is widely assessed by researchers and law enforcement to be composed of former Con...
dragonforce
DragonForce is a ransomware-as-a-service operation with roots in a Malaysian hacktivist group of the same name that was ...
medusa
Medusa ransomware (not to be confused with MedusaLocker) is a ransomware-as-a-service operation that became highly activ...
ransomhub
RansomHub is a ransomware-as-a-service operation that launched in February 2024 and rapidly became one of the most activ...
safepay
SafePay is a double-extortion ransomware group that emerged in late 2024, quickly attracting attention for its professio...
8base
8Base is a double-extortion ransomware group that first appeared in early 2022 but dramatically escalated activity in mi...
thegentlemen
The Gentlemen is a ransomware-as-a-service group that emerged in mid-2024 and rapidly accumulated victims across North A...
bianlian
BianLian ransomware first appeared in June 2022 and is attributed by multiple researchers and the FBI/CISA to a China-ba...
lynx
Lynx is a ransomware-as-a-service operation that emerged in mid-2024 and is assessed to be a rebrand or direct successor...
interlock
Interlock ransomware emerged in late 2024 and is notable for deploying a custom ransomware variant that targets both Win...
conti
Conti was one of the most prolific and financially damaging ransomware operations in history, attributed by the FBI and ...
nightspire
Nightspire is a relatively new double-extortion ransomware group that emerged in early 2025 and has quickly accumulated ...
dispossessor
Dispossessor (also tracked as Radar) was a ransomware-adjacent data extortion operation active from August 2023 until it...
pysa
PYSA (also known as Mespinoza) is a ransomware group active since 2019 that has primarily targeted education, healthcare...
hunters
Hunters International emerged in October 2023 and is widely assessed to be a rebrand or direct continuation of the Hive ...
coinbasecartel
CoinbaseCartel (also known as CoinBase Cartel) is a financially motivated cybercrime group that operates a data acquisit...
killsec
KillSec (Kill Security) is a hacktivist-turned-cybercriminal group that emerged in late 2023, linked by researchers to I...
sinobi
Sinobi is a data extortion and ransomware group that emerged in 2024 and is assessed to have inherited personnel and cod...
rhysida
Rhysida is a ransomware group that emerged in May 2023, quickly gaining notoriety for attacking healthcare providers and...
lockbit5
LockBit 5.0 (also referred to as LockBit Nation-State) is a claimed successor to LockBit 3.0 that emerged after Operatio...
payload
Payload is a ransomware group that emerged in 2024, primarily targeting organizations in North America and Europe throug...
ransomhouse
RansomHouse is a data extortion group and marketplace active since December 2021 that focuses on stealing data without n...
hive
Hive was a major ransomware-as-a-service operation active from June 2021 until January 2023, targeting over 1,500 organi...
blacksuit
BlackSuit is the rebranded continuation of the Royal ransomware operation, confirmed by CISA and FBI in an August 2024 j...
handala
Handala (also known as Handala Hack Team or Hatef) is an Iran-linked hacktivist group that emerged during the Israel-Ham...
FOG
FOG ransomware is a sophisticated strain first observed in May 2024, initially targeting US educational institutions bef...
vicesociety
Vice Society is a ransomware group that was active from mid-2021 to 2023, distinguished by its heavy focus on the educat...
ciphbit
CiphBit is a ransomware operation first detected in early 2024, using a custom encryptor targeting Windows and network s...
malas
funksec
FunkSec is an Algerian ransomware group that emerged in late 2024 and quickly generated a high victim count through a co...
royal
Royal ransomware was active from September 2022 to mid-2023 and is believed to have been formed by former members of the...
stormous
Stormous is a pro-Russian hacktivist and ransomware group that emerged around mid-2021, believed to include members from...
worldleaks
WorldLeaks is the rebranded continuation of Hunters International, launched in January 2025 after the group ceased file-...
babuk2
Babuk 2.0 (also styled as Babuk Locker 2.0 or SatanLock) is a group that impersonates the original Babuk ransomware oper...
blackbyte
BlackByte is a ransomware-as-a-service operation first observed in July 2021, assessed to be Russia-linked and notable f...
avaddon
Avaddon was a ransomware-as-a-service operation active from June 2020 to June 2021, when the operators unexpectedly shut...
meow
Meow ransomware is a strain that emerged in 2022, appending the ".MEOW" extension to encrypted files and primarily targe...
sarcoma
Sarcoma is a double-extortion ransomware group that emerged in mid-2024, primarily targeting manufacturing, professional...
snatch
Snatch ransomware (not to be confused with the 2022 data extortion group reusing the brand) is a Russia-linked operation...
spacebears
SpaceBears is a data extortion group that emerged in 2024, focusing on stealing and publishing sensitive corporate data ...
eraleign (apt73)
Eraleign (APT73) rebranded as Bashe in October 2024 after operating under the Eraleign name, with the transition coincid...
ragnarlocker
RagnarLocker was a Russia-linked ransomware group active from 2019 to 2023, known for conducting its own intrusions with...
SilentRansomGroup
SilentRansomGroup (SRG) is a former Conti team that continued operating independently following Conti's dissolution in 2...
noescape
NoEscape was a ransomware-as-a-service operation that launched in June 2023 and is assessed by multiple researchers to b...
nova
Nova (formerly known as RALord) is a ransomware-as-a-service operation that rebranded from RALord in late 2024. The grou...
toufan
Toufan (also known as Toufan Al-Aqsa) is an Iran-linked hacktivist group that emerged during the Israel-Hamas conflict i...
pear
PEAR (Pure Extraction And Ransom) Team is a data extortion group that emerged in 2024, focusing on publishing stolen cor...
apt73
APT73 is a ransomware group that operated under the "eraleign" identity before rebranding as Bashe in October 2024. Some...
shinyhunters
ShinyHunters is a prolific data theft and extortion group responsible for numerous high-profile breaches including the 2...
devman
Devman is a former RansomHub and INC Ransom affiliate that began operating independently as a ransomware-as-a-service pl...
monti
Monti is a ransomware group that emerged in June 2022, widely assessed to be a copycat or offshoot of the Conti operatio...
eldorado
Eldorado is a ransomware-as-a-service operation that emerged in early 2024, offering both Windows and VMware ESXi encryp...
cuba
Cuba ransomware is a ransomware-as-a-service operation active since at least 2019, assessed to be Russia-linked despite ...
arcusmedia
Arcus Media is a ransomware-as-a-service operation that first emerged in May 2024, offering affiliates a Linux and Windo...
ransomexx
RansomExx (also known as Defray777) is a ransomware family that targeted multiple high-profile organizations including K...
revil
REvil (also known as Sodinokibi) was one of the most financially damaging ransomware-as-a-service operations in history,...
blackout
Blackout surfaced in February 2024, using a variant based on DarkSide and BlackMatter ransomware source code, establishi...
anubis
Anubis ransomware emerged in 2024 as a data extortion and ransomware-as-a-service platform that distinguishes itself wit...
kairos
Kairos is a double-extortion ransomware group that emerged in 2024, operating a dark web leak site and targeting organiz...
abyss
Abyss (Abyss Data) is a data extortion group that emerged in early 2023, focusing on stealing and publishing sensitive c...
cloak
Cloak is a cybercriminal ransomware group that first emerged in late 2023, targeting small to mid-size businesses across...
payoutsking
Payouts King Group is a data extortion collective that explicitly states it does not operate as a RaaS and does not use ...
karakurt
Karakurt is a data extortion group established in 2021 as an offshoot of the Conti ransomware operation (Wizard Spider),...
warlock
Warlock ransomware emerged in mid-2025 and has been attributed by Microsoft, Sophos, and Trend Micro with moderate-to-hi...
lorenz
Lorenz is a ransomware group active since early 2021, known for an unusual tactic of selling access to victim networks t...
threeam
3AM (ThreeAM) is a ransomware group discovered in September 2023, first observed being deployed as a fallback when LockB...
cicada3301
Cicada3301 (unrelated to the 2012 internet puzzle) is a ransomware-as-a-service operation that emerged in June 2024 with...
beast
Beast ransomware operates as a ransomware-as-a-service platform targeting Windows, Linux, and VMware ESXi environments. ...
direwolf
DirewWolf is a recently emerged double-extortion ransomware group that conducts targeted attacks against medium to large...
genesis
Financial interests only. <br/> We do not provide or work with affiliate programs, no collaborations either. <br/...
avoslocker
AvosLocker is a ransomware-as-a-service operation that launched in mid-2021, known for targeting critical infrastructure...
quantum
Quantum ransomware emerged in August 2021 as a rebrand of the MountLocker operation and was subsequently linked to the C...
raworld
RA World (formerly known as RA Group, active since April 2023) is a ransomware operation linked by Symantec and Palo Alt...
ransomed
blacknevas
BlackNevas ransomware — also referred to as “Trial Recovery” — was first observed in November 2024. It is a direct deriv...
medusalocker
Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predec...
orion
Jan13, 2026: We believe the group might be related to Babuk-Bjorka.
blacklock
BlackLock (also known as Mamona) is a ransomware-as-a-service operation that emerged in late 2023 as an evolution of the...
nitrogen
Nitrogen is a data extortion group that emerged in 2023, primarily conducting data theft without encryption to pressure ...
lv
parser needs to be built
maze
Maze ransomware pioneered the double-extortion model in late 2019, becoming the first major group to combine file encryp...
tengu
Ransomware group active in data extortion.
braincipher
BrainCipher ransomware surfaced in mid-2024, initially gaining attention for a major attack against Indonesia's National...
darkvault
DarkVault is a versatile threat actor that emerged in 2024, conducting both ransomware and data extortion operations aga...
knight
Knight is a Ransomware-as-a-Service (RaaS) operation first observed in August 2023, believed to be a rebrand or evolutio...
icarus
losttrust
trigona
Trigona ransomware was active from late 2022 to 2023, targeting businesses across multiple sectors with AES encryption a...
mallox
Mallox (also known as TargetCompany, Fargo, or Tohnichi) is a ransomware-as-a-service operation assessed to be China-lin...
ryuk
Ryuk ransomware is attributed to the Russia-based Wizard Spider cybercriminal group and was one of the most damaging ran...
metaencryptor
We are a group of young people who identify themselves as specialists in the field of network security with at least 15 ...
crypto24
aka Public Data Storage <br/>Crypto24 emerged in early 2025 as a fast-growing double-extortion ransomware-as-a-service ...
termite
Termite is a ransomware group that emerged in late 2024, gaining attention for exploiting a zero-day vulnerability in Cl...
donutleaks
DonutLeaks is a data extortion group that emerged in 2022, publishing stolen data from organizations that refused to pay...
darkleakmarket
embargo
Embargo is a ransomware-as-a-service operation that emerged in mid-2024, utilizing Rust-based encryptors for both Window...
midas
Midas ransomware is a data extortion group active since late 2021 that shares significant technical similarities with th...
J
blackshrantac
aka black shrantac
krybit
securotrop
nokoyawa
Nokoyawa ransomware is a strain active from early 2022 that shares significant code and infrastructure with the Karma an...
gunra
Gunra is an emerging ransomware group first identified in April 2025. It employs a classic double-extortion model—encryp...
helldown
Helldown is a double-extortion ransomware group that emerged in late 2024, known for exploiting vulnerabilities in Zyxel...
AiLock
AiLock is a ransomware-as-a-service group that emerged in early 2025, marketing itself as AI-assisted and suspected by r...
insomnia
spook
radar
arvinclub
Arvin Club first appeared around early to mid-2021, debuting on its Tor leak site with posts dating back to May 5, 2021....
obscura
wannacry
WannaCry was a destructive ransomware worm deployed in May 2017 that infected over 200,000 computers across 150 countrie...
suncrypt
SunCrypt is a ransomware group active since 2019 that joined the Maze ransomware cartel in 2020, adopting the double-ext...
blackmatter
BlackMatter was a ransomware-as-a-service operation active from July to November 2021, widely assessed as a direct rebra...
marketo
dAn0n
dAn0n is a data-extortion actor that first appeared in April 2024. Operating primarily in a leak-focused extortion model...
frag
Frag ransomware emerged in late 2024, primarily observed exploiting Veeam Backup & Replication vulnerabilities (CVE-2024...
dragonransomware
Dragon Ransomware, is promising rapid and customizable ransomware operations for Windows systems. Key features include a...
global
Now a RaaS by BlackLock ($$$). <br/>Global Group is a newly emerged Ransomware-as-a-Service (RaaS) platform that debuted...
werewolves
Werewolves is a Russia-linked ransomware group that emerged in mid-2023, using a modified version of the LockBit 3.0 sou...
moneymessage
bravox
Ransomware group active in data extortion.
vect
daixin
Daixin Team is a ransomware and data extortion group active since mid-2022, primarily targeting the US healthcare and pu...
fulcrumsec
lamashtu
kelvinsecurity
Kelvin Security is a cybercrime group active since at least 2013, primarily known for hacktivism, data breaches, and web...
underground
Underground ransomware (also known as Underground Team) is a Russia-linked group associated with the RomCom RAT threat c...
netwalker
NetWalker (also known as Mailto) was a ransomware operation active from 2019 to January 2021, when US and Bulgarian auth...
bavacai
doppelpaymer
DoppelPaymer ransomware is attributed to the Russia-based Evil Corp cybercriminal organization and is a successor to Bit...
ShadowByt3$
flocker
sabbath
lapsus$
Lapsus$ is a data extortion group that emerged in late 2021, known for social engineering, SIM-swapping, and insider rec...
payloadbin
xinglocker
xing use a custom mountlocker exe
morpheus
ralord
leaktheanalyst
hellcat
HellCat is a ransomware-as-a-service operation that emerged in late 2024, with KELA researchers identifying core operato...
cephalus
siegedsec
secp0
Encrypted Extension: .vanhelsing, .vanlocker. Targets Windows Platform only
bjorka
Hellcome Bjorkanism <br/>Bjorka emerged as a prominent data-extortion actor and hacktivist initially active in 2022, ta...
ALP-001
leakeddata
brotherhood
trinity
mountlocker
d4rk4rmy
D4rk4rmy is a data-extortion focused threat actor that emerged in mid-2025, targeting high-profile organizations across ...
tridentlocker
datacarry
DataCarry is a newly observed ransomware and data-extortion operation, first seen in May 2025. It operates a double-exto...
mosesstaff
m3rx
madliberator
Group is also currently known as MADDLL32 and Metatron.
dunghill
Dunghill Leak is the publicly branded data leak site (DLS) operated by the Dark Angels ransomware group, established cir...
redransomware
apos
Apos ransomware surfaced in April 2024 and is best characterized as a data‑broker or leak‑only operation, rather than a ...
nefilim
According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is remov...
malekteam
azroteam
weyhro
Appears to be a Data Extortion group with no encryption.
freecivilian
onyx
atomsilo
AtomSilo emerged in September 2021 and ceased operations by year-end 2021. It functioned with a double‑extortion model, ...
sparta
cheers
Cheers is a Linux-based ransomware variant observed starting in May 2022, engineered specifically to target VMware ESXi ...
unsafe
A group which seems to recycle leak from other ransomware groups
IMNCrew
argonauts
benzona
robinhood
mindware
alphalocker
cryp70n1c0d3
LeakBazaar
groove
Groove was a short-lived ransomware group and cybercrime gang that emerged in August 2021 and became notable for its agg...
netrunner
samsam
teamxxx
icefire
leak bazaar
darkrace
DarkRace is a moderately destructive ransomware strain observed since 2024. It encrypts files and appends a randomized e...
darkside
FireEye describes DARKSIDE as a ransomware written in C and configurable to target files whether on fixed, removable dis...
darkpower
Dark Power is a ransomware group first observed in January 2023, known for targeting small to mid-sized organizations ac...
kazu
crazyhunter
aurora
0mega
0mega is a ransomware group first observed in May 2022, operating with a double extortion model: <br/>* Encrypting victi...
egregor
Egregor is a ransomware strain that appeared in September 2020, widely believed to be a rebrand or successor to the Maze...
blackwater
mogilevich
exitium
rook
Ransomware.
babuk
pay2key
cryptolocker
cryptbb
cipherforce
For those out of the loop, you may already know us as TeamPCP or Shellforce, we have been active a while publishing data...
ms13089
skira
bitpaymer
lockbit3_fs
CMDOrganization
CMD is a new kind of company that specializes in corporate system security and in identifying vulnerabilities across all...
radiant
AuditTeam
osyolorz collective
RunSomeWares
bert
BERT ransomware (also tracked as Water Pombero) first emerged in April 2025, rapidly targeting both Windows and Linux sy...
cyclops
Cyclops ransomware was rebranded as Knight around mid‑2023, emerging initially in early 2023. It operates as a Ransomwar...
xp95
chort
Chort is a relatively new data-extortion ransomware group that surfaced in late 2024, with confirmed activity beginning ...
karma
Karma is a ransomware group first observed in November 2021, operating a double-extortion model that combines data theft...
kawa4096
dataleak
silent
Unlike many other groups, Silent claims to operate with a high level of anonymity and discretion. According to their own...
arkana
minteye
cipherwolf
yanluowang
Ransomware.
VanHelsing
pandora
Pandora ransomware was obtained by vx-underground at 2022-03-14.
linkc
rancoz
raznatovic
RANSOMED.VC aka Raznatovic
nullbulge
A hacktivist group protecting artists' rights and ensuring fair compensation for their work.
lockbit
projectrelic
donex
Donex is a ransomware family that emerged in early 2022 as a rebrand of the older Muse ransomware. It uses a double-exto...
bqtlock
aka BaqiyatLock <br/>BQTLock surfaced in July 2025 and operates as a fully-fledged Ransomware-as-a-Service (RaaS) with a...
PrinzEugen
orca
redalert
ValenciaLeaks
Official twitter account: https://x.com/ValenciaLeaks72
lockdata
leaknet
<br/> <br/>In the cyber-undergrounds, we're exploring shadowed corridors of the digital world in search of inside infor...
kraken
Kraken leak blog (hellokitty) <br/>Kraken is a ransomware family first observed in August 2018 as a Ransomware-as-a-Serv...
desolator
TiMc
blacktor
killsec3
grep
scarab
secpo
cryptowall
vanirgroup
rebornvc
blackshadow
BlackShadow is a state-aligned cybercrime group reportedly linked to Iran’s cyber operations, first identified in late 2...
satanlockv2
noname
shaoleaks
lockergoga
osiris
bonacigroup
snake
mnt6
ragnarok
According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes...
cry0
pryx
locky
vendetta
nasirsecurity
hellogookie
homeland
sensayq
sekhmet
bluebox
grief
Grief, also known as Pay or Grief, is a ransomware group that emerged in May 2021 and is widely believed to be operated ...
clearwater
qiulong
bitlocker
kryptos
dharma
Dharma is a prolific ransomware family active since at least 2016, evolving from the earlier CrySiS ransomware. It opera...
trisec
ContFR
RAAS - Ransomware intégré à un fichier PDF, à faire ouvrir à vos victimes ou à insérer vous-même, Windows et Mac, ne fon...
nightsky
satanlock
Connected to GD Lockersec and Babuk-Bjorka. <br/> <br/>Group is aka SalanLock (from typo on victim pages).
lunalock
cryptnet
CryptNet is a newer Ransomware-as-a-Service (RaaS) operation first identified in April 2023. It follows a double-extorti...
arachna leak
kittykatkrew
antibrok3rs
Antibrok3rs emerged as an access broker (not a ransomware operator itself) linked to the aftermath of the 2023 MOVEit su...
prolock
PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and loc...
teslacrypt
wastedlocker
datakeeper
ransomcortex
robbinhood
hades
Hades is a ransomware group first observed in December 2020, believed by several threat intelligence firms to be operate...
hddcryptor
cerber
cryptomix
prinz eugen
lechiffre
keyholder
deathkitty
satancd
cryptoware
goznym
megacode
memedusalockerdusa
sharpboys
kyber
sicarii
maui
team underground
threatmarket
darkrypt
thanos
macaw
blackbyte-crux
Crux is a newly identified ransomware variant active since July 2025, which claims affiliation with the established Blac...
wikileaksv2
Group is connected to Qilin.
insane
ranstreet
agelocker
late.lol
Affiliates: <br/>@Mr.C <br/>@Empathy <br/>@jayze <br/>@Widow <br/>@Memory <br/> <br/>
zerolockersec
roadsweep
la_piovra
ℹ️ La Piovra Ransomware is an exercise of the company Offensive Security (also known as OffSec)
pewcrypt
astroteam
fletchen
zerotolerance
cring
erebus
global3
nozelesn
samas
triplem
slug
reynolds
ronggolawe
crosslock
CrossLock ransomware was first observed in April 2023, targeting an IT services firm in Brazil using a double‑extortion ...
blogxx
walocker
synack
Abrahams_Ax
Abrahams_Ax, first observed in November 2022, is not a Ransomware-as-a-Service (RaaS) operation but a politically motiva...
netflim
aGl0bGVyCg
This ransomware group (notably stylized as aGl0bGVyCg) has extremely limited publicly available information. No confirme...
phoenixcryptolocker
cloak.su (locker leak)
zeppelin
Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and functions as a Ransomware as a Service (...
waissbein
killada
networm
playboy
zetarink
GDLockerSec
Our team members are from different countries and we are not interested in anything else, we are only interested in doll...
yurei
hermes
Hermes is a ransomware family first observed in the wild in February 2017, believed to have been developed by a group op...
gandcrab
GandCrab was a prolific Ransomware-as-a-Service (RaaS) operation active from January 2018 to mid-2019. It quickly became...
lambda
dread
x001xs
bytesfromheaven
mydata
wiper leak
white lock
xollam
good day
Good Day is a ransomware variant within the ARCrypter family, first observed in May 2023. It gained prominence due to it...
aztroteam
moisha
ghost
aka Cring / Ghost (Cring) <br/> <br/>Beginning early 2021, Ghost actors began attacking victims whose internet facing se...
mbc
j group
miga
#MakeIsraelGreatAgain
jigsaw
Jigsaw is a ransomware family first observed in April 2016, notorious for its psychological intimidation tactics. It enc...
mario esxi
nvrmre
AKA Lemon
cooming
previous clearnet domain coomingproject.com
vandev
sugar
piratelock
root
polyvice
wiki ransomware
lokilocker
vurten
enciphered
aka xoriste
inpivx
vasalocker
w3crypto
thegreenbloodgroup
ranion
megazord
ransomedvc2
RansomedVC2 aka RebornVC aka RansomedVC (rebrand) under new leadership.
shadow
darkbit
naga
deadbydawn
zixer2
vfokx
malphas
phantom
muliaka
robbing hood
weaxor
adminlocker
AdminLocker was first observed around December 2021 and appears to be a lone operator or small group, with no clear Rans...
mamona
belsen group
aka Belesn Group. <br/>Belsen Group emerged in January 2025 as a data broker and leak-focused threat actor, not engaging...
globeimposter
GlobeImposter is a ransomware family that first appeared in mid-2017, designed to mimic the appearance and naming conven...
lcryptorx
lilith
ox thief
aptlock
Aptlock surfaced in early 2025 and is characterized by a single-extortion model combined with threats of data leakage. T...
madcat
cryptedpay
CryptedPay is a standalone ransomware strain observed around early 2025, that encrypts files using AES-256 and appends t...
zeoticus2
ranzy
monolock
mydecryptor
prometheus
Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.
0xFFF
turkish crypter
unknown
ctblocker
aka Critroni <br/>CTB‑Locker emerged in mid‑2014, introducing a new era of ransomware by leveraging elliptic curve crypt...
xelera
haron
Haron is a ransomware group that emerged in July 2021 and is believed to share operational similarities with the Avaddon...
soleenya
kirov
kuiper
Kuiper is a relatively new ransomware strain first analyzed in April 2023, notable for being written in Rust and designe...
core
Core ransomware surfaced in early 2025 as a new variant within the broader Makop family. It employs a single-extortion m...
slam
clop torrents
v is vendetta
cyberex
blackbit
BlackBit ransomware was first observed in August 2022 and is a .NET-based strain that closely mimics the design and func...
sicari
nemesis
krypt
fakersa
elpaco
Elpaco is a variant of Mimic ransomware that emerged around August 2023. Designed with significant customization and ste...
ShinySp1d3r
Likely associated with the cybercrime group BlingLibra (ShinyHunters)
toxic
lyrix
rapture
tommyleaks
mcafee
hyflock
zeoticus
darkhav0c
unsafeleak
jo of satan
onepercent
rransom
desolated
elcometa
punisher
cerberimposter
Cerber Imposer is a post-2019 rebrand of the Cerber ransomware family, resurfacing in late 2021 with updated targeting o...
lockbit4
paradise
kawa
kasseika
Kasseika is a ransomware variant first publicly reported in January 2024, identified as a new evolution of the BlackMatt...
backmydata
BackMyData is a variant of the Phobos ransomware family, first observed in early 2024. It follows a double‑extortion mod...
endurance
Endurance is a destructive ransomware variant first observed in 2023, developed and operated by the threat actor known a...
lynxr
yashma
proton
bluesky
BlueSky ransomware first emerged in July 2022 and is characterized by aggressive, high-speed file encryption using a mul...
dataf locker
DataF Locker is a ransomware variant first observed in 2024, closely tied to the Babuk ransomware lineage. It operates u...
quicklock
ransomcartel
buddyransome
jaff
Jaff is a ransomware family first discovered in May 2017, notable for its distribution via large-scale spam campaigns op...
aware
locus
arcrypter
ArcRypt (also known as ARCrypter or ChileLocker) was first identified in August 2022, originally targeting government en...
colossus
Colossus ransomware was first observed in September 2021, when ZeroFox researchers uncovered the variant attacking a U.S...
exorcist
Ransomware.
promptlock
First known AI-powered ransomware. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama ...
tuborg
nemty
Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed throug...
cryakl
also known as “Fantomas”. <br/>Cryakl first appeared in 2014, spreading primarily across Eastern Europe and Russia via p...
2023lock
2023Lock is a ransomware strain first observed in January 2024, believed to be an evolution of the Venus and Zeoticus fa...
d0glun
D0glun is a crypto-ransomware strain first observed in January 2025, believed to be derived from Babuk via an intermedia...
cs-137
Cs‑137 is a newly observed ransomware strain that first appeared in January 2025. It employs the ChaCha20 cipher for enc...
paradise2
darkangel
Dark Angels is a highly targeted ransomware and data-extortion group that emerged in spring 2022. Rather than using an a...
holyghost
HolyGhost is a ransomware group first publicly reported in July 2022, believed to be operated by a North Korean state-sp...
hotarus
Hotarus is a ransomware and data extortion group first observed in March 2021, believed to be linked to threat actors of...
mortalkombat
sundawn
makop
crysis
Crysis ransomware was first identified in early 2016 and is a long-running family that later evolved into the Dharma ran...
zeon
offwhite
arcane
Arcane first emerged in mid-2021 under the UNC2190 cluster and later rebranded as Sabbath, continuing its operations aga...
phalcon
mailto
solidbit
Ransomware, written in .NET.
farattack
superblack
eruption
Rebranded to Sabbath.
taronis
vsop
aka Onix/Onyx
ransom corp
ymir
amnesia
Amnesia ransomware was first identified in May 2017, particularly affecting enterprise cloud environments. It does not a...
babyduck
scattered lapsus$ hunters
blackfield
fsteam
New possible leak site posted to a forum on November 20th, 2022, no victims at present. Unclear if its for a ransomware ...
bidon
BIDON is a variant of the Monti ransomware family, first observed around mid‑2023. It employs a double‑extortion strateg...
radiant group
hiveleak
gazprom
telegram
ech0raix
The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom not...
diavol
Diavol is a ransomware strain first observed in June 2021, associated with the Wizard Spider threat group—best known for...
nblock
megacortex
providence
quoter
loki
rtm locker
phobos
silent ransom
mcrypt2019
crypt ransomware
.crYpt <br/>MD5: 54EFAC23D7B524D56BEDBCE887E11849 <br/> <br/>Babuk Variant
azzasec
We are AzzaSec — a decentralized PMC (Private Military Contractor), RaaS (Ransomware-as-a-Service) syndicate, and botne...
insane ransomware
Insane is a relatively obscure ransomware family first reported in late 2021, with few confirmed incidents in public thr...
himalayaa
risen
Risen, which is a fully optimized and high-speed program, is the result of our years of experience in the field of malwa...
proxima
frozen
lulzsec muslims
oceans
schoolboys
relic
skira team
ep918
thor
darkylock
Darky Lock is a commodity-style ransomware strain first identified in July 2022, derived from publicly available Babuk s...
blacksnake
BlackSnake is a Ransomware-as-a-Service (RaaS) operation that first appeared in August 2022, when its operators began re...
rustylocker
zircon
hellokitty
HelloKitty is a ransomware family first observed in November 2020, named after a string found in its binary. It operates...
qilin-securotrop
octovillan
babuk-locker
Babuk‑Locker emerged in early 2021 as a Ransomware‑as‑a‑Service (RaaS) gang targeting high‑value “big game” enterprises ...
ftcode
FTCode is a ransomware family first observed in 2013 as a PowerShell-based threat and later resurfaced in September 2019...
againstthewest
globe
Globe is a ransomware family that first appeared in August 2016, notable for its highly customizable codebase that allow...
ironchain
qlocker
login page, no posts
bober
pyrx
targetcompany
fsociety
This group is also known by their malware name, FLOCKER. <br/>FSociety is a modern Ransomware-as-a-Service (RaaS) operat...
synapse
astralocker
AstraLocker first appeared in 2021, likely as a fork of Babuk ransomware using leaked source code. It follows a single-e...
fivehands
FiveHands is a ransomware family first observed in January 2021, believed to be a successor to the HelloKitty ransomware...
gwisin
Gwisin is a targeted ransomware group first publicly reported in July 2022, believed to operate primarily within South K...
tooda
Members: <br/>Eco <br/>Ego <br/>emo <br/>elo <br/>user <br/>Dante <br/>Sevy
spectre
jsworm
JSWorm is a ransomware family that first appeared in May 2019 and is notable for undergoing multiple rebrands and evolut...
RAMP
dark shinigami
crazyhunter team
CrazyHunter is a rising ransomware threat first detected in early 2025, with particularly dangerous campaigns targeting ...
obsidian orb
ank
rabbithole
thundercrypt
lamialocker
evolution
justice_blade
chilelocker
ChileLocker first emerged in August 2022 and is considered part of the broader ARCrypter ransomware family. It employs a...
deathransom
DeathRansom is a ransomware family first seen in the wild in late 2019, initially appearing as a bluff—dropping ransom n...
invaderx
fargo
Fargo is a ransomware variant that surfaced in 2022, primarily targeting Microsoft SQL Server (MSSQL) systems. Believed ...
help_restoremydata
Help_restoremydata is a ransomware variant identified around late 2024/early 2025, notable for appending the .help_resto...
kuza
spring
lsd
vegalocker
a1project
The locker is written in C/C++/ASM. <br/>It supports all systems starting from Windows 2003, has a separate binary for E...
devman2
DevMan 2.0 is the evolved iteration of the DevMan ransomware, first documented in July 2025. It enhances the capabilitie...
xinof
C3RB3R
Cerber ransomware, active since 2016, has resurfaced occasionally using the name C3RB3R. It operates as a semi-private R...
n3tworm
key group
xleaks
darkangels
balletspistol
BalletsPistol is a Python-based ransomware strain distributed via GitHub. An investigative report from June 2025 reveals...
monte
sifrecikis
deathgrip
DeathGrip is a Ransomware-as-a-Service (RaaS) that emerged around June 2024, offering malware payloads built with leaked...
sphinx
avos
First observed in July 2021, AvosLocker operates as a Ransomware-as-a-Service (RaaS) platform employing a double-extorti...
blackberserk
Black Berserk is a relatively unsophisticated ransomware strain analyzed in late 2023. It operates under a single‑extort...
catb
CatB ransomware was first observed in late 2022, gaining attention for abusing DLL hijacking via the Microsoft Distribut...
black witch
zeta leaks
gangbang
luckbit
zero tolerance gang (ztg)
babuk-bjorka
On January 26th, Babuk's dedicated leak site (DLS) was "relaunched". Bjorka (Telegram: @bjorkanesiaaaa) is the current a...
mimic
mespinoza
darkbit01
DarkBit is a politically motivated ransomware operation active since February 2023, targeting academic and public sector...
babylockerkz
BabyLockerKZ is a variant of MedusaLocker ransomware, first observed in late 2023. It operates under a double‑extortion ...
dagonlocker
Dagon Locker is a double-extortion ransomware family that surfaced around September 2022. It represents an evolution of ...
crynox
Crynox (sometimes referred to as “Crynox Ransomware”) appears to be a generic file-locker threat that appends .crynox to...
bitransomware
BitRansomware (also known as DCryptSoft or ReadMe) surfaced in November 2020, primarily as a widespread cryptolocker tar...
nevada
darkwave
Written in python
petya
elonmusknow
zola
ransomware blog
Also known as MedusaLocker
encrypthub
ako
First observed in early January 2020 (initial victim post on January 9, 2020), Ako (also known as MedusaReborn) operates...
ra group
fusion
cryptxxx
CryptXXX is a ransomware strain that first appeared in April 2016, developed by the same group behind the Reveton and An...
mimic-guram
Mimic v.10 Ransomware-as-a-Service (RaaS). The malware is designed to target various operating systems (Windows, ESXi, N...
b0 group
B0 is a relatively obscure ransomware operation with very limited public reporting outside of leak site monitoring. It a...
freeworld
FreeWorld is a ransomware variant first observed in September 2023, and is believed to be derived from the Mimic ransomw...
tycoon
cerbersyslock
CerBerSysLock first appeared in December 2017 as a cryptoransomware imposter, leveraging Cerber-style branding to deceiv...
0apt
The group appears unreliable. Most, if not all, of its alleged victims cannot be verified and appear to be randomly sele...
izis
br0k3r
Br0k3r is not a conventional ransomware gang, but rather an Iran-linked cyber espionage and access brokerage group lever...
axxes
Axxes ransomware emerged as a rebranded version of the previously known Midas ransomware group, with roots also tracing ...
vulcan
blackhunt
Black Hunt ransomware has been active since at least mid-2021 and operates under a double-extortion model, encrypting vi...
argonauts group
Argonauts Group is a data extortion operation that surfaced around September–October 2024, primarily targeting organizat...
arkana security
Arkana Security emerged in early 2025, debuting with a high-profile data-extortion campaign against the U.S. internet pr...
abyss-data
Abyss‑Data, also known as Abyss Locker, is a ransomware operation first identified around March 2023. It conducts double...
entropy
Entropy is a ransomware first seen in 1st quarter of 2022, is being used in conjunction of Dridex infection. The ransomw...
cylance
shade
spirigatito
Payday
u-bomb
esxiargs
ESXiArgs is a ransomware campaign that emerged in February 2023, targeting VMware ESXi servers by exploiting the CVE-202...
miliphen
vaultcrypt
grinch
bluelocker
Blue Locker targets Pakistan’s vital energy sector, particularly Pakistan Petroleum
lolnek
kryptina
tssxx25
ransombay
Launched on April 24th, 2025 RansomBay is a new project operating under the DragonForce initiative
3am
3AM, also known as ThreeAM, is a relatively new ransomware family that emerged in late 2023, initially deployed as a fal...
crylock
CryLock is a ransomware variant that emerged around April 2020, evolving from the Cryakl (Fantomas) ransomware family. I...
thunder x
faust
Faust is a variant of the well-known Phobos ransomware, part of a Ransomware-as-a-Service (RaaS) ecosystem active since ...