LockBit 2.0, new RaaS program, the developers claim its "the fastest encryption software all over the world". The group also made a comparative table with several similar programs indicating the encryption speed.

Conti ransomware group is a global threat actor affecting victims mainly in North America and Western Europe. Conti Ransomware group is one of the most active ransomware operations, its distribution through a ransomware-as-a-service model. Conti ransomware group leaks the victim's data to their darknet website. Conti Ransomware uses its implementation of AES-256 that uses up to 32 individual logical threads, making it much faster than most ransomware.

Clop Ransomware group's main goal is to encrypt the files on the computers of victims and then the ransomware group requires payment for decrypting the information to get the files to work again. They also have their darknet website for publishing the victims' data leaks. Security researcher attributes the Clop Ransomware operation to the known threat actor: "TA505".

PYSA ransomware group operates as a ransomware-as-a-service (RaaS) model. PYSA stands for “Protect Your System Amigo”, The PYSA ransomware malware is a variant of the Mespinoza ransomware. It was first seen within open-source documents in December 2019, two months after Mespinoza ransomware was spotted in the wild. PYSA affiliates can customize their malware based on options provided by the RaaS platform, and deploy it as customized. PYSA usually exfiltrates data from its victims before encrypting the files to be ransomed.

Sodinokibi ransomware group also known as REvil (Ransomware Evil) operates as a ransomware-as-a-service (RaaS) model. After the group compromised his victims, they would threaten to publish the victim's sensitive data on their darknet blog named "Happy Blog", unless the ransom is paid. The ransomware malware code used by REvil is pretty similar to the ransomware code used by DarkSide - a different threat actor. REvil group claims to steal information after a successful attack on the supplier of the tech giant Apple and stole confidential schematics of their upcoming products.

Maze ransomware group is one of the most known ransomware gangs, they targeted organizations worldwide across many industries. Security researchers believed that Maze operates as an affiliated network model. MAZE was one of the first groups that made a "Double Extortion Attack" involved Allied Universal, in November 2019, the group leaks their victim's data in the darknet. On November 1, 2020, MAZE announced an official press release that they are closing their operation. is malware targeting organizations worldwide across many industries. Security researchers claim that the threat actor behind the MAZE group is "TA2101".

Hive, New ransomware group with no prior breaches, Published a leak site on the darknet in June 2021 called HiveLeaks. Files are encrypted with the ".key.hive" extension. The ransom note referring victims to an onion site with login information to "Purchase" Hive's decryption software.

Egregor ransomware group compromised hundreds of businesses globally, including Randstad and US retailer Kmart. Egregor referring to the collective energy of a group of people united with a common purpose - which makes sense that Egregor operates on ransomware as a service model. There are some speculations that Egregor's operation was based on the Maze ransomware group that was shut down. The Egregor group successfully breached Crytek and Ubisoft in October 2020. Finally, the Egregor ransomware operation was taken down after members of the group have been arrested in Ukraine.

Doppelpaymer ransomware group first appeared in 2019 when it launched attacks against organizations in critical industries. Security researchers believed that Doppelpaymer ransomware based on the BitPaymer ransomware which first appeared in 2017 hat there are some differences between them. In February 2020, the DoppelPaymer ransomware group has launched a data leak site in the darknet for all the victim's data leaks.

Vice Society ransomware appends the .v-society extension when encrypting Linux machines. Running a leak site on the darkweb, Possible relations with "HelloKitty"

Avaddon Ransomware group operates as RaaS (Ransomware As A Service). They sold their service to cybercriminal affiliates. It has been around since 2019 and shuts down its operation in June 2021. The Avaddon Ransomware group is knowns for their “Triple ransom” attacks, which means that they do not only encrypt the victim’s data, they also leak it in the darknet and finally DDOS (Distributed Denial Of Service) their victims to press them to pay the ransom.

Everest ransom group collects and analyzes information about their victims. They specialize in customer privacy data, financial information, databases, credit card information, and more. The Everest ransom group leaks the victim's data to the darknet and they announced that any victim that will not contact them will suffer from a data leak and they will not delete hist files for future usage.

NetWalker ransomware group operates by the threat actor known as "CIRCUS SPIDER". The NetWalker ransomware was discovered in 2019. The group mainly targeting the Asia Pacific region but can attack globally. The group uses common attacking tools like Mimikatz and other legitimate tools (LOLBINS) like PSTools, AnyDesk, TeamViewer, NLBrute, and more. The group knowing by targeting the healthcare sector. Finally, in January 2021, Netwalker was takedown by the authorities, the police have confiscated hundreds of thousands of dollars in ransom payments collected by the Netwalker group, and they seized servers and disrupted the infrastructure and the darknet websites of the Netwalker ransomware group.

LV ransomware group main message: "Here are companies which didn't meet consumer data protection obligations. They rejected to fix their mistakes, they rejected to protect this data in the case when they could and had to ptotect it. These companies prefered to sell their private information, their employees' and customers' personal data". Security researchers claim that the LV group is utilizing the REvil ransomware group malware. The LV group claim to have compromised the corporate network of Groupe Reorev.

Ragnar_Locker ransomware group first appeared in the wild at the end of December 2019. Ragnar_Locker’s operators usually compromise the victim’s network, steal information before finally dropping the ransomware that will encrypt all files in the victim’s machines. The group hosts a leak website in the darknet for data leak publishing of their victims. The main group's announcement on their website: "We are Team of Ragnar_Locker and we are cybersecurity enthusiast, cryptopunks, entrepreneurs and businessmen. Our main goal is to create cool project, that can show it's power in all it's glory and of course make profit..."

Darkside ransomware group has started its operation in August of 2020 with the model of RaaS (Ransomware-as-a-Service). They have become known for their operations of large ransoms scale. They have announced that they prefer not to attack hospitals, schools, non-profits, and governments, but rather big organizations that can be able to pay large ransoms. Darkside ransomware group became very famous following the cyberattack of the Colonial Pipeline and Toshiba unit. The FBI finally terminate the Darkside operation and Managed to pull money from their wallets back.

Grief ransomware group has stolen data from several organizations so far. On their Darknet website, there is a reference to GDPR in efforts to coerce a quicker payment. The Grief ransomware website has anti-scraping protection so that indexing can’t be done automatically. Some of their recent victims are Mobile County, Alabama, and Comune di Porto Sant’Elpidio.

Cuba ransomware is older ransomware that has been active for the past few years. The Cuba ransomware group recently switched to leaking the stolen data of their victims in the darknet. Cuba ransomware group targeting financial institutions, industry, technology, and logistics organizations. There is no indication that the group has any connection with the country of the same name.

Lorenz ransomware group slogan is: "Nothing personal it's strictly business". The group targets organizations worldwide with custom-made attacks. The stolen data of the Lorenz victims has been published on a ransomware data leak site like most of the other groups. Security researchers say that the Lorenz ransomware encryptor is the same as a ThunderCrypt. Usually, after the Lorenz group compromises a victim, they spread laterally to other devices until they gain domain admin access. Differently from other groups, Lorenz sells access to the victim's network along with the stolen data, also they are selling access and data for other threat actors.

Marketo group put up for sale network accesses and passwords of networks of companies that do not contact them. On the Marketo website, they posted: "We put up for sale network accesses and passwords of networks of companies that do not contact us.". The group mentioned the victims are currently under attack and the victims that the attack Finished. The group brings an evidence pack for each victim they are selling his data\access and the data leak size.

AvosLocker operates as a ransomware-as-a-service (RaaS) model. AvosLocker was first seen on Dread with a user called "avos" which has posted they are looking for affiliates and provides some features about AvosLocker. In addition, they offer: hosting a leak site, negotiating with victims.

Dark Leak Market, One of the oldest darkweb marketplaces, selling stolen data since 2019. Data in the market has been gathered from ransomware gang's data leak sites and hacking forums.

RansomEXX ransomware group targeted multiple companies starting in mid-2020. RansomEXX is also known as "Defray777" and "Ransom X". RansomEXX malware's payload runs only in-memory payload which making itself highly evasive and difficult to detect. In mid-2020, a Linux variant of RansomEXX was discovered, simpler than its predecessor, and lacks many features such as disabling security software and command and control communication. The RansomEXX malware has been used in attacks against the Texas Department of Transportation, Konica Minolta, US government contractor Tyler Technologies, Montreal's public transportation system, and Brazil's court system (STJ), among other victims.

N\A

Prometheus ransomware group, using similar TTPs of Thanos ransomware. The Prometheus group attacks with double-extortion tactics and hosts a darknet website for posting the victim's data leak, first observed in February 2021. The group is posted sales announcements on underground forums and allows threat actors to customize a sample of the malware with a wide variety of available settings.

Ragnarok ransomware group, used in targeted attacks against unpatched VPN servers like Citrix. The Ragnarok malware excludes victim’s computers that set to one of the ID of the following languages: Russia, Belarus, Russia, Turkmenistan, Ukraine, Azerbaijan, Latvia, Kazakhstan, China. They are using evasion techniques and try to disable Windows Defender, also they have several UNIX file path references in their malware strings. Their ransomware malware uses encryption methods of AES with a dynamically generated key, then bundling this key up via RSA.

The Babuk ransomware is targeting large enterprise corporations rather than individual users. Babuk has change direction and re-organized itself as Payload Bin (Payload.Bin): "we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement." The Babuk ransomware\ Payload.bin ransomware group leaks the victim's data to their darknet website.

Nephilim ransomware group targets mid to large size enterprise companies. The group also exfiltrates victims' data and leaks it to the darknet. The group mentions the active and finished attacks on their victims. The group exploits public-facing applications for initial access like Citrix gateway and exposed Remote Desktop Protocol (RDP). The group not working as ransomware-as-a-Service (RaaS) model and proceed payments via email communications.

SunCrypt ransomware group operates as a Ransomware as a Service (RaaS) model. They are using a closed affiliate program on the dark web. A new ransomware was found in-the-wild In October 2019. The new ransomware malware was written in Go and targeted Windows machines. The new version of SunCrypt ransomware is written in C/C++. The interesting part is unlike other ransomware groups that shift to Go, they shifted to C/C++. SunCrypt ransomware shared TTPs with the ransomware called QNAPCrypt (also known as eCh0raix).

Payload Bin ransomware group, formerly known as "Babuk Locker" announced that will stop encrypting companies and focus on data stealing and extortion. Payload.Bin operates as a data leak website in the darknet, the website already contains the "CD Projekt" source code that was published for anyone to use.

Xing ransomware group, the group writes on its darknet website its name with a Chinese character - comes from the Mandarin word for “star”, the group may be Chinese based on its name. Xing ransomware group uses the custom variant of Mount Locker malware to encrypt its victims' files. The team threatening their victims by leaking the unencrypted data as a way to extort targets into paying.

Mount Locker ransomware group, works as a ransomware-as-a-service (RaaS) model. The main activity of the group is encryption and data exfiltration. The Mount Locker ransomware malware is using sophisticated evasion techniques. Some security researchers claim that there is a connection between Mount Locker and Astro Locker team. Mount Locker team using known attacking tools like AdFind, Bloodhound, and CobaltStrike.

Astro team \ Astro Locker appears to be a ransomware group that operates on its own but they are using very similar TTP's (Tactics, techniques, and procedures) to the Mount Locker group. Cybersecurity researchers suspect that the Astro Locker can be a variant of Mount Locker that operates as RaaS (Ransomware As A Service) with affiliates. The Astro Locker ransomware group leaks the victim's data to their darknet website.

SynACK ransomware has been known since at least September 2017. In the latest SynAck ransomware variants, the malware uses the Process Doppelgänging technique in an attempt to bypass modern security solutions and antivirus solutions by exploiting how they interact with memory processes. The SynACK ransomware group does not use a payment portal, instead, they are using email or a BitMessage ID. The SynACK ransomware group hosts a darknet website for data leak publications of their victims.

The AKO ransomware group is part of the dangerous ransomware malware distribution called "AKO". The AKO group has been around since January 2020 and is distributed on a ransomware-as-a-service (RaaS) model. The malware using sophisticated tactics of evasion and then encrypts the victim's files using a powerful encryption algorithm. The main goal for the AKO malware is to get you to pay a ransom fee to the cybercriminals who are behind the AKO ransomware group. The AKO ransomware group leaks the victim's data to their darknet website. The Tor onion URL used by the Ako Ransomware site is the same as the one used by Ranzy Leak. The use of the same URL could indicate that both groups merged, or they are cooperating similarly to the Maze cartel.

LockBit ransomware is malware that encrypts files unless a ransom will pay, the malware formerly known as “ABCD” ransomware, seems to avoid attacking systems local to Russia or any other countries within the Commonwealth of Independent States. The LockBit ransomware group targeting valuable targets and spreads the infection on a network. The ransomware group attacks enterprise and government organizations. LockBit ransomware group working as ransomware-as-a-service (RaaS) model.

Pay2Key is ransomware that has been used by the threat actor Fox Kitten. The group seems to operate since July 2020, targetting mainly Israeli companies. Pay2Key has a darknet leak site to public stolen and sensitive information of their victims. Some of their victims: Intel - Habana Labs, IAI - Israel Aerospace Industries, Portnox - Network Security Solutions.

Sekhmet, The name given to the ransomware is from Ancient Egyptian mythology, which says Sekhmet was the warrior goddess of healing. Ancient Egyptian mythology has strong links to many Western occult traditions, so at the very least the gang behind both appears to have a naming convention in place. Sekhmet is older by a few months, but both share tactics such as leaking data from victims via a dedicated website. Sekhmet hosting a data leak site and publish victim's data if the ransom demanded is unpaid.

Team Snatch ransomware group, operating since the summer of 2018. Their malware rebooting their victim's computers into Safe Mode to disable any security protections and immediately starts encrypting files once the system loads. “Snatch Team” is an homage to the 2000 Guy Ritchie movie. Snatch ransomware activity came out towards the end of 2018 and it became more active during April 2019. The group using automated brute-force attacks to infiltrate company networks and then spreading laterally. Team Snatch has been seen in a wide range of attacks includes United States, Canada, and several European countries. Security researchers found that in all cases, the ransomware portion of the attack came several days to weeks after the initial network breach.

N3tw0rm ransomware group is linked to Iran by many security researchers especially for the fact that the group targeting only Israeli companies. Like other ransomware groups, N3tw0rm has a data leak site in the darknet. Due to the low ransom price the group requested and lack of response to negotiations, some security researchers believe that the N3tw0rm group's main goal is to be used for sowing chaos for Israeli interests and not for profit.

Noname ransomware group breaches companies and sells their data in the darknet. The group claims to steal massive data from their victims and give some proofs in their darknet website.

Ranzy Locker, Former known as ThunderX. The group hosting a data leak site in the darknet where they posting sensitive information of victims who do not pay the ransom. ThunderX was launched at the end of August 2020. Soon after launching, weaknesses were found in the code, that allowed decrypting the files that the malware encrypted. The group has fixed the code and publish a new version, then released it under the name Ranzy Locker. The Tor onion URL used by the Ranzy Leak site is the same as the one used by Ako Ransomware. The use of the same URL could indicate that both groups merged, or they are cooperating similarly to the Maze cartel.

Nemty ransomware group, also known as NEMTY PROJECT, operates on a Ransomware-as-a-Service (RaaS) model. Nemty developers released an announcement that offered two types of collaboration: affiliation or private partnership. The group was active in underground deep web forums. The Nemty group released different versions of their ransomware malware over time and they are using a very strong encryption algorithm. In November 2020, The group announced that they shutting down their public Ransomware-as-a-Service model and starting focusing on targeted attacks.