LockBit 2.0 is a new RaaS program whose developers claim it is "the fastest encryption software all over the world".
The group also published a comparison table listing the encryption speed of several similar programs.
erga.com (2023-10-02-01:08)
2135
Online
2
Conti
The Conti ransomware group is a global threat actor affecting victims mainly in North America and Western Europe. It is one of the most active ransomware operations and is distributed through a ransomware-as-a-service model. The group leaks victims' data on its darknet website. Conti uses its own implementation of AES-256 that runs up to 32 individual logical threads, making it much faster than most ransomware.
Alliance Steel (2022-06-07-19:37)
807
Offline
3
Alphav (BlackCat)
Baumschlager Hutter Partners - Business Information (2023-07-16-17:41)
550
Online
4
CL0P
The Clop ransomware group's main goal is to encrypt the files on victims' computers and then demand payment for decrypting them so the files work again. The group also runs its own darknet website for publishing victims' leaked data. Security researchers attribute the Clop ransomware operation to the known threat actor "TA505".
SMWLLC.COM (2023-09-15-00:41)
514
Online
5
Pysa (Mespinoza)
The PYSA ransomware group operates as a ransomware-as-a-service (RaaS) model. PYSA stands for "Protect Your System Amigo". The PYSA ransomware is a variant of the Mespinoza ransomware; it was first seen in open-source documents in December 2019, two months after Mespinoza ransomware was spotted in the wild. PYSA affiliates can customize their malware using the options provided by the RaaS platform and deploy the customized build. PYSA usually exfiltrates data from its victims before encrypting the files to be ransomed.
Chr Solutions (2021-12-06)
309
Offline
6
BlackBasta
Raleigh Housing Authority (2023-08-21-14:08)
301
Online
7
REvil Sodinokibi
The Sodinokibi ransomware group, also known as REvil (Ransomware Evil), operates as a ransomware-as-a-service (RaaS) model. After compromising a victim, the group threatens to publish the victim's sensitive data on its darknet blog, named "Happy Blog", unless the ransom is paid. The ransomware code used by REvil is very similar to the code used by DarkSide, a different threat actor. REvil claims to have stolen information, including confidential schematics of upcoming products, after a successful attack on a supplier of the tech giant Apple.
kusd.edu (2022-11-28-21:39)
297
Offline
8
MAZE
The Maze ransomware group is one of the best-known ransomware gangs; it targeted organizations worldwide across many industries. Security researchers believe that Maze operated as an affiliate network model. MAZE was one of the first groups to carry out a "double extortion" attack, against Allied Universal in November 2019, leaking the victim's data on the darknet. On November 1, 2020, MAZE announced in an official press release that it was closing its operation. Security researchers claim that the threat actor behind the MAZE group is "TA2101".
Club Fitness (2020-11-05)
265
Offline
9
Play News
Jacobson (2023-09-29-02:47)
221
Online
10
HiveLeaks
Hive is a new ransomware group with no prior breaches that published a leak site on the darknet in June 2021 called HiveLeaks.
Files are encrypted with the ".key.hive" extension.
The ransom note refers victims to an onion site, with login information, to "purchase" Hive's decryption software.
R C Stevens Construction (2023-01-16-22:41)
215
Offline
11
BianLian
Kramer Tree Specialists, Inc (2023-09-26-16:15)
214
Online
12
Egregor
The Egregor ransomware group compromised hundreds of businesses globally, including Randstad and the US retailer Kmart. "Egregor" refers to the collective energy of a group of people united by a common purpose, which fits the fact that Egregor operates on a ransomware-as-a-service model. There is some speculation that Egregor's operation was based on the Maze ransomware group that was shut down. The Egregor group successfully breached Crytek and Ubisoft in October 2020. Finally, the Egregor ransomware operation was taken down after members of the group were arrested in Ukraine.
Haggard & Stocking Associates Inc (2020-12-30)
206
Offline
13
8Base
C.F. Service and Supply (2023-09-29-08:48)
202
Online
14
DoppelPaymer
The DoppelPaymer ransomware group first appeared in 2019 when it launched attacks against organizations in critical industries. Security researchers believe that DoppelPaymer ransomware is based on the BitPaymer ransomware, which first appeared in 2017, although there are some differences between them. In February 2020, the DoppelPaymer ransomware group launched a data leak site on the darknet for publishing its victims' data.
Yuba County (2021-06-24)
200
Offline
15
Royal
Afg Holdings (2023-08-04-20:26)
196
Online
16
Vice Society
Vice Society ransomware appends the .v-society extension when encrypting Linux machines.
The group runs a leak site on the dark web and has possible relations with "HelloKitty".
Ssv Architects (2023-06-20-22:13)
183
Online
17
Avaddon
The Avaddon ransomware group operates as RaaS (Ransomware as a Service), selling its service to cybercriminal affiliates. It has been around since 2019 and shut down its operation in June 2021. The Avaddon ransomware group is known for its "triple ransom" attacks, meaning that it not only encrypts the victim's data but also leaks it on the darknet and finally DDoSes (Distributed Denial of Service) its victims to pressure them into paying the ransom.
M&J Evans Construction (2021-06-09)
178
Offline
18
Everest
The Everest ransom group collects and analyzes information about its victims. It specializes in customer privacy data, financial information, databases, credit card information, and more. The Everest ransom group leaks victims' data on the darknet; it has announced that any victim that does not contact them will suffer a data leak, and that it will not delete the victim's files, keeping them for future use.
Agriloja.pt Full Leak (2023-09-18-15:26)
147
Offline
19
NetWalker
The NetWalker ransomware group is operated by the threat actor known as "CIRCUS SPIDER". The NetWalker ransomware was discovered in 2019. The group mainly targets the Asia Pacific region but can attack globally. The group uses common attack tools like Mimikatz and other legitimate tools (LOLBINS) like PSTools, AnyDesk, TeamViewer, NLBrute, and more. The group is known for targeting the healthcare sector. Finally, in January 2021, NetWalker was taken down by the authorities: police confiscated hundreds of thousands of dollars in ransom payments collected by the NetWalker group, seized servers, and disrupted the infrastructure and darknet websites of the NetWalker ransomware group.
VISTEX (2021-01-26)
144
Offline
20
LV
The LV ransomware group's main message: "Here are companies which didn't meet consumer data protection obligations. They rejected to fix their mistakes, they rejected to protect this data in the case when they could and had to protect it. These companies preferred to sell their private information, their employees' and customers' personal data". Security researchers claim that the LV group is using the REvil ransomware group's malware. The LV group claims to have compromised the corporate network of Groupe Reorev.
Unitedauto.Mx Have Been Hacked Due To Multiple Network Vulnerabilities. More Than 2Tb Of Personal Data Were Stolen. (2022-12-14-09:47)
120
Offline
21
Akira
Vertical Development (2023-09-29-14:27)
109
Online
22
Ragnar Locker
The Ragnar_Locker ransomware group first appeared in the wild at the end of December 2019. Ragnar_Locker's operators usually compromise the victim's network and steal information before finally dropping the ransomware that encrypts all files on the victim's machines. The group hosts a leak website on the darknet for publishing its victims' data. The group's main announcement on its website: "We are Team of Ragnar_Locker and we are cybersecurity enthusiast, cryptopunks, entrepreneurs and businessmen. Our main goal is to create cool project, that can show it's power in all it's glory and of course make profit..."
Astre - Leaked (2023-09-30-18:59)
106
Online
23
Snatch
Fullerton India (SMFG India Credit) (2023-09-19-19:52)
101
Online
24
DarkSide
The DarkSide ransomware group started its operation in August 2020 with a RaaS (Ransomware-as-a-Service) model. It became known for its large-scale ransom operations. The group announced that it prefers not to attack hospitals, schools, non-profits, and governments, but rather big organizations that are able to pay large ransoms. DarkSide became very well known following the cyberattacks on Colonial Pipeline and a Toshiba unit. The FBI finally terminated the DarkSide operation and managed to pull money from the group's wallets back.
toshiba.fr (2021-05-13)
98
Offline
25
Karakurt
Hospice of Huntington (2023-09-22-15:21)
98
Online
26
Grief
The Grief ransomware group has stolen data from several organizations so far. On its darknet website, there is a reference to GDPR in an effort to coerce quicker payment. The Grief ransomware website has anti-scraping protection so that indexing can't be done automatically. Some of its recent victims are Mobile County, Alabama, and Comune di Porto Sant'Elpidio.
STIMM (2022-01-10)
91
Offline
27
BlackByte
HOTELES XCARET (2023-09-18-14:56)
89
Online
28
Medusa
Windak (2023-10-02-11:43)
88
Online
29
Cuba
Cuba ransomware is an older ransomware that has been active for the past few years. The Cuba ransomware group recently switched to leaking its victims' stolen data on the darknet. The group targets financial institutions, industry, technology, and logistics organizations. There is no indication that the group has any connection with the country of the same name.
goldmedalbakery (2023-08-19-17:46)
83
Online
30
Lorenz
The Lorenz ransomware group's slogan is: "Nothing personal it's strictly business". The group targets organizations worldwide with custom-made attacks. The stolen data of Lorenz victims is published on a ransomware data leak site, like most other groups do. Security researchers say that the Lorenz ransomware encryptor is the same as ThunderCrypt. Usually, after the Lorenz group compromises a victim, it spreads laterally to other devices until it gains domain admin access. Unlike other groups, Lorenz sells access to the victim's network along with the stolen data, and also sells access and data to other threat actors.
AllCare Pharmacy (2023-10-02-18:56)
74
Online
31
Marketo
The Marketo group puts up for sale network accesses and passwords for the networks of companies that do not contact them. On the Marketo website, they posted: "We put up for sale network accesses and passwords of networks of companies that do not contact us." The group lists which victims are currently under attack and which attacks are finished. The group provides an evidence pack for each victim whose data or access it is selling, along with the size of the data leak.
Vehicle Service Group (VSG) (2022-02-15-07:03)
74
Offline
32
Avos Locker
AvosLocker operates as a ransomware-as-a-service (RaaS) model. AvosLocker was first seen on Dread, where a user called "avos" posted that they were looking for affiliates and described some of AvosLocker's features. In addition, they offer hosting a leak site and negotiating with victims.
Memory Express (2021-09-26)
73
Offline
33
NoEscape
Kentie Systeemtechniek BV (2023-09-28-12:02)
66
Online
34
Dark Leak Market
Dark Leak Market is one of the oldest dark web marketplaces, selling stolen data since 2019.
Data in the market has been gathered from ransomware gangs' data leak sites and hacking forums.
Huge iCloud Nudes Leak (2022-05-25-21:28)
63
Online
35
Quantum
ChemiFlex (2022-12-09-01:33)
62
Online
36
WannaCry
N/A
TSMC (2018-01-08)
55
Offline
37
RansomHouse
Hawkins Delafield Wood (2023-09-21-08:56)
55
Online
38
RansomEXX
The RansomEXX ransomware group has targeted multiple companies starting in mid-2020. RansomEXX is also known as "Defray777" and "Ransom X". The RansomEXX payload runs only in memory, making it highly evasive and difficult to detect. In mid-2020, a Linux variant of RansomEXX was discovered; it is simpler than its predecessor and lacks many features, such as disabling security software and command-and-control communication. The RansomEXX malware has been used in attacks against the Texas Department of Transportation, Konica Minolta, US government contractor Tyler Technologies, Montreal's public transportation system, and Brazil's court system (STJ), among other victims.
DVA - DVision Architecture (2023-07-01-10:11)
53
Online
39
LostTrust
Arazoza Brothers (2023-09-28-01:10)
53
Offline
40
Rhysida
Federal University of Mato Grosso do Sul (2023-10-02-02:49)
51
Online
41
Cactus
UTC Overseas (2023-09-27-17:53)
51
Online
42
Stormous
dynamite (2023-07-24-17:09)
49
Offline
43
Prometheus
The Prometheus ransomware group uses TTPs similar to those of Thanos ransomware. The Prometheus group attacks with double-extortion tactics and hosts a darknet website for posting victims' leaked data; it was first observed in February 2021. The group has posted sales announcements on underground forums and allows threat actors to customize a sample of the malware with a wide variety of available settings.
Agrokasa Holdings (2021-07-13)
48
Offline
44
Trigona
Quest International (2023-10-01-17:19)
47
Online
45
Ragnarok
Ragnarok ransomware has been used in targeted attacks against unpatched VPN servers like Citrix. The Ragnarok malware excludes victims' computers whose language ID is set to one of the following:
Russia, Belarus, Turkmenistan, Ukraine, Azerbaijan, Latvia, Kazakhstan, China. The group uses evasion techniques and tries to disable Windows Defender; its malware strings also contain several UNIX file path references. The ransomware encrypts with AES using a dynamically generated key, then wraps this key with RSA.
DECRYPT (2021-08-26)
46
Offline
46
Ransomed
NTT Docomo - Japan 1st Mobile Operator (2023-09-25-23:43)
45
Online
47
BABUK LOCKER
The Babuk ransomware targets large enterprise corporations rather than individual users. Babuk has changed direction and reorganized itself as Payload Bin (Payload.Bin): "we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement." The Babuk / Payload.bin ransomware group leaks victims' data on its darknet website.
RAB Lighting (2021-05-14)
42
Offline
48
Nefilim
The Nefilim ransomware group targets mid- to large-size enterprise companies. The group also exfiltrates victims' data and leaks it on the darknet. The group lists both active and finished attacks on its victims. For initial access, the group exploits public-facing applications like Citrix gateways and exposed Remote Desktop Protocol (RDP). The group does not work as a ransomware-as-a-service (RaaS) model and handles payments via email communications.
Jhillburn. Part 1. (2021-07-20)
42
Offline
49
Suncrypt
The SunCrypt ransomware group operates as a Ransomware as a Service (RaaS) model, using a closed affiliate program on the dark web. A new ransomware was found in the wild in October 2019; it was written in Go and targeted Windows machines. The new version of SunCrypt ransomware is written in C/C++. Interestingly, unlike other ransomware groups that shift to Go, SunCrypt shifted to C/C++. SunCrypt ransomware shares TTPs with the ransomware called QNAPCrypt (also known as eCh0raix).
SOCOTEC (2022-06-18-17:19)
42
Offline
50
BlackMatter
Jobbers Meat Packing Co., Inc. (2021-10-31)
37
Offline
51
Spook
North Island (2021-10-19)
37
Offline
52
Qilin
SIAMESE ASSET (2023-09-27-00:44)
36
Online
53
Nokoyawa
Studio Domaine LLC (2023-08-04-13:27)
36
Online
54
Medusa Locker
Confidential Files (2023-10-02-15:33)
35
Online
55
Mallox
Kirkholm Maskiningeniører (2023-10-02-06:09)
34
Online
56
Payload.bin
The Payload Bin ransomware group, formerly known as "Babuk Locker", announced that it will stop encrypting companies and focus on data theft and extortion. Payload.Bin operates a data leak website on the darknet; the website already contains the "CD Projekt" source code, which was published for anyone to use.
The Xing ransomware group writes its name on its darknet website with a Chinese character that comes from the Mandarin word for "star"; based on its name, the group may be Chinese. The Xing ransomware group uses a custom variant of the Mount Locker malware to encrypt its victims' files. The team threatens its victims with leaking the unencrypted data as a way to extort targets into paying.
Wayne Automatic Fire Sprinklers, Inc. (2021-10-26)
23
Offline
62
Mount Locker
The Mount Locker ransomware group works as a ransomware-as-a-service (RaaS) model. The group's main activity is encryption and data exfiltration. The Mount Locker ransomware uses sophisticated evasion techniques. Some security researchers claim that there is a connection between Mount Locker and the Astro Locker team. The Mount Locker team uses known attack tools like AdFind, BloodHound, and Cobalt Strike.
Nachi America Inc. (2021-03-29)
20
Offline
63
Donut Leaks
INC RANSOMWARE... (2023-09-30-06:47)
18
Online
64
Abyss
njsba.com (2023-09-10-10:47)
17
Online
65
Astro Team
Astro Team / Astro Locker appears to be a ransomware group that operates on its own, but it uses TTPs (tactics, techniques, and procedures) very similar to those of the Mount Locker group. Cybersecurity researchers suspect that Astro Locker may be a variant of Mount Locker that operates as RaaS (Ransomware as a Service) with affiliates. The Astro Locker ransomware group leaks victims' data on its darknet website.
InTown Suites (2021-05-06)
16
Offline
66
Cyclops
Garn Mason Orthodontics was hacked. All insurance and personal data of customers was stolen (2023-10-02-15:01)
16
Online
67
VSOP NEWS
www.artisticstairs.com (2022-10-12-13:16)
14
Offline
68
INC_Ransom
Jacobsen Construction (2023-09-29-17:52)
14
Online
69
SynACK
SynACK ransomware has been known since at least September 2017. The latest SynAck ransomware variants use the Process Doppelgänging technique in an attempt to bypass modern security and antivirus solutions by exploiting how they interact with processes in memory. The SynACK ransomware group does not use a payment portal; instead, it uses email or a BitMessage ID. The SynACK ransomware group hosts a darknet website for publishing its victims' leaked data.
Maestro Digital Mine | www.maestrodigitalmine.com (2021-07-28)
13
Offline
70
Sabbath
Trigyn 2.0 (2022-01-17)
13
Offline
71
Sparta
GRUPO COPISA (2022-09-22-13:30)
13
Offline
72
Money Message
Riverside Logistics (2023-09-03-20:13)
13
Online
73
Metaencryptor
Belzona UK Ltd (2023-09-29-18:52)
13
Online
74
UnSafe
G.R. Sponaugle (2023-06-18-10:39)
11
Offline
75
Daixin Team
Columbus Regional Healthcare System (US) (2023-06-09-18:03)
10
Online
76
Darkrace
ERT (2023-06-11-09:40)
10
Offline
77
3AM
simmonsequip.com (2023-09-28-15:06)
10
Online
78
AKO
The AKO ransomware group is part of the dangerous ransomware distribution called "AKO". The AKO group has been around since January 2020 and is distributed on a ransomware-as-a-service (RaaS) model. The malware uses sophisticated evasion tactics and then encrypts the victim's files using a powerful encryption algorithm. The main goal of the AKO malware is to get the victim to pay a ransom fee to the cybercriminals behind the AKO ransomware group. The AKO ransomware group leaks victims' data on its darknet website. The Tor onion URL used by the Ako Ransomware site is the same as the one used by Ranzy Leak. The use of the same URL could indicate that both groups merged, or that they are cooperating similarly to the Maze cartel.
Hamilton-Brown (2020-07-08)
9
Offline
79
LockBit
LockBit ransomware is malware that encrypts files unless a ransom is paid. The malware, formerly known as "ABCD" ransomware, seems to avoid attacking systems located in Russia or any other country within the Commonwealth of Independent States. The LockBit ransomware group goes after valuable targets and spreads the infection across a network. The group attacks enterprise and government organizations and works as a ransomware-as-a-service (RaaS) model.
Homeland Title (2021-01-21)
9
Offline
80
CyphBit
TransTerra (2023-09-16-18:53)
8
Online
81
CryptBB
P1 Technical Services (2023-09-16-15:56)
8
Offline
82
Pay2Key
Pay2Key is ransomware that has been used by the threat actor Fox Kitten. The group appears to have operated since July 2020, targeting mainly Israeli companies. Pay2Key has a darknet leak site for publishing stolen and sensitive information of its victims. Some of its victims: Intel - Habana Labs, IAI - Israel Aerospace Industries, Portnox - Network Security Solutions.
Portnox (2020-12-28)
6
Offline
83
Sekhmet
Sekhmet: the name given to the ransomware comes from Ancient Egyptian mythology, in which Sekhmet was the warrior goddess of healing. Ancient Egyptian mythology has strong links to many Western occult traditions, so at the very least the gang behind both appears to have a naming convention in place. Sekhmet is older by a few months, but both share tactics such as leaking data from victims via a dedicated website.
Sekhmet hosts a data leak site and publishes victims' data if the demanded ransom is unpaid.
CBKLAW (2020-06-29)
6
Offline
84
Team Snatch
The Team Snatch ransomware group has been operating since the summer of 2018. Its malware reboots victims' computers into Safe Mode to disable any security protections and immediately starts encrypting files once the system loads. "Snatch Team" is an homage to the 2000 Guy Ritchie movie. Snatch ransomware activity emerged towards the end of 2018 and became more active during April 2019. The group uses automated brute-force attacks to infiltrate company networks and then spreads laterally. Team Snatch has been seen in a wide range of attacks in the United States, Canada, and several European countries. Security researchers found that in all cases, the ransomware portion of the attack came several days to weeks after the initial network breach.
The N3tw0rm ransomware group is linked to Iran by many security researchers, especially because the group targets only Israeli companies. Like other ransomware groups, N3tw0rm has a data leak site on the darknet. Due to the low ransom price the group requested and its lack of response to negotiations, some security researchers believe that the N3tw0rm group's main goal is to sow chaos for Israeli interests rather than to profit.
Eitan Medical (2021-05-19)
4
Offline
90
Noname
The Noname ransomware group breaches companies and sells their data on the darknet. The group claims to steal massive amounts of data from its victims and provides some proof on its darknet website.
crownlaboratories.com (2021-06-21)
4
Offline
91
Omega Lock
Aviacode (GeBBS) (2023-02-12-03:08)
4
Online
92
Ranzy Locker
Ranzy Locker was formerly known as ThunderX. The group hosts a data leak site on the darknet where it posts sensitive information of victims who do not pay the ransom. ThunderX was launched at the end of August 2020. Soon after launching, weaknesses were found in the code that allowed decrypting the files the malware had encrypted. The group fixed the code and published a new version, released under the name Ranzy Locker. The Tor onion URL used by the Ranzy Leak site is the same as the one used by Ako Ransomware. The use of the same URL could indicate that both groups merged, or that they are cooperating similarly to the Maze cartel.
alfortville.fr (2020-11-06)
3
Offline
93
Arvin_Club
Pasouk biological company (2023-10-02-12:57)
3
Online
94
NEMTY
The Nemty ransomware group, also known as NEMTY PROJECT, operates on a Ransomware-as-a-Service (RaaS) model. Nemty's developers released an announcement offering two types of collaboration: affiliation or private partnership. The group was active on underground deep web forums. The Nemty group released different versions of its ransomware over time, using a very strong encryption algorithm. In November 2020, the group announced that it was shutting down its public Ransomware-as-a-Service model and starting to focus on targeted attacks.