Threat Intelligence
Ransomware Groups
Know your enemy. Profiles of active ransomware groups, their tactics, and how to defend against them.
3AM (active)
3AM is a backup ransomware that hackers use when their first choice gets blocked by security software. It is written in Rust, a programming language that makes it harder for antivirus to detect.
8Base (active)
8Base calls themselves "honest penetration testers" but they're really just criminals. They go after small and medium businesses that can't afford big security teams. They attack many companies at once, sometimes 5-10 per day, and use aggressive public shaming tactics on their leak site.
Abyss Locker (active)
Abyss Locker attacks the servers that run virtual machines for businesses. By targeting these systems, they can lock up many virtual servers at once, causing massive disruption.
Agenda (active)
Agenda restarts computers into Safe Mode, where security software does not run, then encrypts all the files. They have versions for both Windows and Linux.
Akira (active)
Akira is a fast-growing ransomware group that especially targets small and medium businesses, exactly the companies that often can't afford expensive security tools. They break in through VPN vulnerabilities and stolen credentials, steal data, encrypt files, and demand payment for both.
Akira (active)
Akira is run by former Conti gang members. They break in through VPN weaknesses at schools and companies, and have a unique 1980s-style website.
Alpha Locker (active)
Alpha Locker attacks through Citrix vulnerabilities, which many companies use for remote access. They move fast once inside, encrypting everything before IT teams can respond.
ALPHV/BlackCat (inactive)
BlackCat was one of the most advanced ransomware groups until they pulled an exit scam, stealing millions from their own criminal partners and disappearing.
Arcus Media (active)
Arcus Media goes after TV stations, movie studios, and entertainment companies. They know these companies worry about bad publicity, so they pressure them with the threat of leaks.
Avaddon (inactive)
Avaddon surprisingly shut down and gave victims their decryption keys for free.
Babuk (inactive)
Babuk attacked the DC Police and then fell apart. Their code was leaked and used by others.
BianLian (active)
BianLian used to encrypt files like other ransomware, but after security researchers released a free decryption tool, they changed tactics. Now they just steal your data without encrypting anything. Their whole game is threatening to leak your sensitive files unless you pay. It's pure blackmail without the ransomware.
BianLian (active)
BianLian stopped encrypting files after their encryption was cracked. Now they just steal data and threaten to leak it, which is actually harder to defend against.
Black Basta (active)
Black Basta is one of the newest major ransomware gangs, but they've already hit hundreds of organizations. They're believed to be former members of the Conti gang that was shut down. They target big companies and critical infrastructure, often demanding millions of dollars.
Black Basta (active)
Black Basta grew from the old Conti gang and has attacked hundreds of companies. They use a malware called Qakbot to get into networks before deploying ransomware.
Black Hunt (active)
Black Hunt mainly attacks businesses in Latin America by finding computers with remote desktop exposed to the internet. They take advantage of regions with fewer security resources.
BlackByte (active)
BlackByte attacks critical infrastructure. The FBI has issued multiple warnings about them.
BlackCat (ALPHV) (disrupted)
BlackCat was one of the most dangerous ransomware gangs before law enforcement disrupted them. They were technically sophisticated, using the Rust programming language for speed and to evade detection. They pulled off major attacks on healthcare, education, and critical infrastructure before the FBI took down their servers.
BlackMatter (inactive)
BlackMatter was formed by DarkSide members but quickly shut down due to pressure.
BlackSuit (active)
BlackSuit is basically Royal ransomware with a new name. Same experienced hackers, same tactics, just rebranded. They still go after hospitals and schools, and they're still dangerous. The FBI and CISA have warned about them specifically because they keep hitting critical infrastructure.
Brain Cipher (active)
Brain Cipher attacked an entire country's data center in Indonesia, taking down government services for millions of people. They demanded $8 million but later released the decryptor for free.
Cactus (active)
Cactus ransomware is sneaky. Their main trick is that the ransomware encrypts itself before running, so antivirus can't recognize it as malicious. They get in through vulnerable VPNs (especially Fortinet) and use legitimate IT tools to move around your network. By the time you notice, they've already stolen your data.
Cactus (active)
Cactus encrypts its own code to hide from antivirus. It only reveals itself when it runs, making it very hard to detect. They break in through VPN weaknesses.
Cicada3301 (active)
Cicada3301 is written in Rust, a modern programming language that lets them attack both Windows computers and Linux servers with the same code. This makes them more dangerous because they can hit more systems.
Cloak (active)
Cloak buys access to company networks from other hackers instead of breaking in themselves. They target smaller businesses because they know these companies often cannot afford fancy security tools.
Clop (active)
Clop is the gang behind some of the biggest data theft attacks in history. In 2023, they exploited a vulnerability in MOVEit file transfer software, affecting over 2,600 organizations including major companies and government agencies. They often don't even encrypt files anymore; they just steal data and threaten to publish it unless you pay.
Conti (inactive)
Conti was a massive criminal enterprise that fell apart after internal drama. Members scattered to other groups.
CryptNet (active)
CryptNet attacks cryptocurrency companies and exchanges. They steal Bitcoin and other crypto directly while also demanding ransom, hitting victims twice.
CryptoViper (active)
CryptoViper runs a criminal business selling ransomware tools to other hackers. They give their partners most of the ransom money to attract skilled criminals.
Cuba (active)
Cuba attacks critical infrastructure. The FBI and CISA have issued multiple warnings.
Dark Power (active)
Dark Power is unusual because it is written in Nim, a programming language rarely used for malware. They target farms and food companies, threatening the food supply.
DarkSide (inactive)
DarkSide attacked Colonial Pipeline and caused gas shortages. They disappeared after too much attention.
Dharma/CrySis (active)
Dharma is one of the oldest ransomware families still in use today. It is relatively simple but effective: hackers manually break into small businesses through remote desktop and run the ransomware themselves.
Dispossessor (disrupted)
Dispossessor did not last long. The FBI and police from multiple countries worked together to shut them down just months after they started operating.
Donut Leaks (active)
Donut Leaks does not actually lock up your files; they just steal your data and threaten to post it online. This is sometimes called "extortion-only" ransomware.
DoppelPaymer (inactive)
DoppelPaymer attacked many hospitals and government agencies before rebranding and fading away.
DragonForce (active)
DragonForce is a newer ransomware gang that uses stolen tools from the famous LockBit group. They attack factories and stores, and they are known for being very aggressive during ransom negotiations.
Dunghill Leak (active)
Dunghill steals absolutely massive amounts of data from big companies, sometimes tens of terabytes. They demand some of the largest ransoms ever seen, often tens of millions of dollars.
Egregor (disrupted)
Egregor was Maze 2.0 but got shut down quickly by police raids.
Eldorado (active)
Eldorado is a newer ransomware service written in the Go programming language. They rent their ransomware to other criminals who use it to attack schools and real estate companies.
Embargo (active)
Embargo is particularly sneaky because they bring special tools that turn off security software before attacking. This makes them very hard to catch with normal antivirus programs.
Everest (active)
Everest does not just ransom companies; they also sell access to hacked networks to other criminals. This makes them dangerous because the attack might come from someone else they sold access to.
Fog (active)
Fog ransomware attacks schools by exploiting weaknesses in VPN software. They steal student records and school data, then demand money to unlock the systems.
FunkSec (active)
FunkSec is breaking new ground by using AI to help write their ransomware code. This means they can create new versions faster and potentially make them harder to detect.
GoodDay (active)
GoodDay gives victims the opposite of a good day. They run a ransomware service with a professional-looking negotiation website, targeting factories and stores.
Grief (inactive)
Grief was a renamed version of an older ransomware gang. They stole data before encrypting it and threatened to leak it publicly. Unusually, they warned victims not to hire professional negotiators or they would destroy the data.
Handala (active)
Handala is motivated by politics rather than just money. Sometimes they destroy data completely instead of ransoming it, making them a different kind of threat.
Hellcat (active)
Hellcat breaks into tech companies through the tools developers use every day, like Jira. They know that tech companies will pay to protect their source code and customer data.
Hive (disrupted)
Hive attacked hospitals and schools until the FBI shut them down. They stole $100M+ before being stopped.
Hunters International (active)
Hunters International claims to be a brand new group, but security researchers found they're actually using code from Hive, a ransomware gang the FBI took down in 2023. They're essentially Hive 2.0 with a new name. They're big on stealing data and threatening to leak it; the encryption is almost secondary to the extortion.
Hunters International (active)
When the FBI shut down Hive ransomware, someone took their code and started Hunters International. They attack hospitals and schools using the stolen tools.
IceFire (active)
IceFire started on Windows but moved to attacking Linux servers. They use vulnerabilities in IBM file transfer software that media companies commonly use.
INC Ransom (active)
INC Ransom is a newer gang that's been hitting healthcare and schools hard. They do their homework before attacking, spending time learning about their victims before striking. They use the typical playbook: steal data first, then encrypt, then demand payment or threaten to leak. They're growing fast.
INC Ransom (active)
INC Ransom attacks hospitals and healthcare systems. They disrupted Scottish healthcare services by encrypting hospital computers and demanding ransom.
Interlock (active)
Interlock goes after servers running FreeBSD, which is unusual because most ransomware only attacks Windows. They disrupted county government services by attacking these less common systems.
KillSec (active)
KillSec is a ransomware service that anyone can rent. They are known for being very aggressive and will quickly publish stolen data if victims do not pay.
LockBit (active)
LockBit is like a criminal franchise. The main group creates the ransomware "product" and recruits affiliates to deploy it against victims. Affiliates get 60-80% of the ransom, while LockBit takes a cut. This model has made them extremely prolific: they've attacked hospitals, schools, manufacturers, and businesses of all sizes.
LockBit 3.0 (active)
LockBit 3.0 is the latest version of the most prolific ransomware. They even offered money to hackers who found bugs in their code. The police tried to shut them down but they keep coming back.
Lorenz (active)
Lorenz targets companies through their VPNs. If your VPN is unpatched, you're at risk.
Lynx (active)
Lynx is a renamed version of the INC Ransom gang. They changed their name but kept attacking factories and power companies with the same techniques.
Mallox (active)
Mallox hackers look for business databases connected to the internet and try to guess the passwords. Once they get in, they steal data and lock up the entire network, demanding payment in Bitcoin.
Maze (inactive)
Maze invented the tactic of stealing data before encrypting. Many groups copied their playbook.
Medusa (active)
Medusa is a ransomware gang that runs a "name and shame" website where they post countdown timers for victims. If you don't pay before time runs out, they leak your data. They've hit schools, hospitals, and businesses. Their negotiation style is aggressive: they even charge victims extra just to extend the deadline.
Medusa (active)
Medusa attacks schools and hospitals, stealing student and patient data. They threaten victims three ways: encryption, data leaks, and denial-of-service attacks.
MedusaLocker (active)
MedusaLocker tricks employees with fake emails to get into company networks, then locks up all the files. It especially targets hospitals and schools because they often pay quickly to get patient records and student data back.
Meow (active)
Meow has a silly name but causes real damage. They use code stolen from the Conti gang to attack hospitals and factories, stealing patient records and manufacturing secrets before encrypting everything.
Money Message (active)
Money Message goes after big companies and steals their most valuable secrets: source code, trade secrets, and proprietary information. They demand millions in ransom.
Monti (active)
When the Conti ransomware gang fell apart, their code was leaked online. Monti grabbed that code and started their own operation, attacking both Windows computers and Linux servers that run virtual machines.
Morpheus (active)
Morpheus hides in the deepest parts of your computer, in the firmware that loads before Windows even starts. Even if you reinstall Windows, the ransomware can come back.
NetWalker (disrupted)
NetWalker attacked hospitals during COVID. They got shut down by international police.
Night Sky (inactive)
Night Sky jumped on the famous Log4j bug that affected millions of servers. They used this vulnerability to attack VMware servers before most companies could patch them.
Nikki (active)
Nikki ransomware is a newer gang that goes after smaller companies that might not have strong security. They get in through fake emails or old VPN software that was not updated.
Nitrogen (active)
Nitrogen tricks IT professionals by putting fake ads on search engines. When someone searches for an IT tool, they might click a fake ad and download ransomware instead.
NoEscape (active)
NoEscape is a newer ransomware gang that uses proven tactics from older groups.
Nokoyawa (active)
Nokoyawa is particularly dangerous because they use previously unknown (zero-day) Windows bugs that Microsoft has not yet patched. This means they can break into computers even if you have all your updates installed.
NoName (active)
NoName does not just encrypt your files; they also flood your servers with traffic to take them offline. This double attack makes it harder to recover and pressures victims to pay faster.
Nova (active)
Nova attacks stores and online shops, especially around big shopping days like Black Friday. They threaten to leak customer credit card numbers to pressure payment.
Obsidian (active)
Obsidian attacks law firms and accountants because they handle secret information about lots of clients. One breach can expose many companies' secrets at once.
Phobos (active)
Phobos has been around for years and specializes in attacking small businesses. They find computers with remote desktop exposed to the internet and guess passwords until they get in.
Phoenix (active)
Phoenix is made up of experienced ransomware criminals from other groups that got shut down. They know how to avoid security software because they have done this before.
Play (active)
Play ransomware is one of the most active groups targeting businesses right now. They break in, steal your data, encrypt your files, and demand payment for both; if you don't pay, they publish your data online. They're known for targeting companies with 100-1000 employees that have valuable data but may have security gaps.
Play (active)
Play attacks city governments and companies by exploiting email servers and firewalls. They caused major disruption to Oakland city services.
PYSA (active)
PYSA specializes in attacking schools. They steal student and staff data for extortion.
Qilin (active)
Qilin attacked hospital laboratories in the UK, stopping blood tests and other medical tests. This put patients at risk and showed how dangerous ransomware attacks on healthcare can be.
Quantum (active)
Quantum works incredibly fast: they can encrypt your entire network in just 4 hours.
QuantumShift (active)
QuantumShift works extremely fast. Once they get into a network, they can lock up everything in just a few hours. Speed is their main weapon; by the time you notice, it is too late.
RA Group (active)
RA Group used free ransomware code from Babuk to start their own criminal operation. They especially like attacking insurance companies and financial firms through their virtual machine servers.
Ragnar Locker (disrupted)
Ragnar Locker attacked energy companies and manufacturers until police caught them.
Ransomed.vc (inactive)
Ransomed.vc had a clever threat: pay the ransom or they would report you to privacy regulators for the data breach. They tried to use GDPR fines as extra pressure.
RansomEXX (active)
RansomEXX attacks governments and transportation systems. They can hit both Windows computers and Linux servers, making them a threat to almost any organization.
RansomHub (active)
RansomHub is the new kid on the block but they're growing fast. When BlackCat shut down, many of their hackers moved to RansomHub because it offers a better deal: affiliates keep 85% of the ransom. They've already hit hundreds of victims including major companies and seem to be taking over where other groups left off.
RansomHub (active)
When BlackCat scammed their own affiliates and shut down, those criminals joined RansomHub. Now RansomHub is one of the biggest ransomware operations.
RedAlert (inactive)
RedAlert focused on attacking Linux servers and VMware systems. They wanted to be paid in Monero, a cryptocurrency that is harder to trace than Bitcoin.
REvil (inactive)
REvil pulled off some of the biggest ransomware attacks ever until Russian police shut them down.
Rhysida (active)
Rhysida is a newer ransomware gang that's been hitting hospitals hard. They broke into a major children's hospital and threatened to sell patient data. The FBI and CISA issued emergency warnings about them because they keep targeting healthcare. They steal data before encrypting and threaten to auction it off if you don't pay.
Rhysida (active)
Rhysida attacks important institutions like hospitals and libraries. They caused chaos at the British Library by encrypting their systems and demanding millions.
Royal (inactive)
Royal was run by experienced cybercriminals who previously worked with Conti, one of the most notorious ransomware gangs. They specifically went after hospitals, schools, and city governments. The FBI warned about them multiple times because they were hitting critical services. They've since rebranded to "BlackSuit" but the same people are behind it.
SafePay (active)
SafePay uses stolen tools from the famous LockBit gang to attack banks and insurance companies. They have an ironic name since they make payments very unsafe.
Sarcoma (active)
Sarcoma attacks hospitals and drug companies by using security bugs right after they become public. They race to attack before companies can install the patches.
SatanLock (active)
SatanLock goes after small businesses and asks for smaller ransoms that companies might actually pay. They know small businesses often cannot afford expensive security tools.
Scattered Spider (active)
Scattered Spider consists of young hackers who are experts at tricking people over the phone. They call IT help desks pretending to be employees and trick them into resetting passwords.
ShadowBit (active)
ShadowBit combines ransomware attacks with political messages. They started as hacktivists but now demand money too. They mostly target companies in the Middle East and Asia.
SiegeWare (active)
SiegeWare attacks smart buildings, threatening to turn off heating, air conditioning, elevators, and security cameras. This creates real physical danger for people in the buildings.
Snatch (active)
Snatch uses a clever trick: rebooting your computer to Safe Mode so antivirus can't stop them.
Sodinokibi/REvil (inactive)
REvil was one of the most famous ransomware gangs ever. They attacked a software company called Kaseya and, through that single attack, encrypted thousands of businesses around the world at once.
Space Bears (active)
Space Bears is a repackaged version of the old Phobos ransomware with a new negotiation website. They target smaller businesses that might be easier to pressure into paying.
Spectre (active)
Spectre goes after the big servers that run lots of smaller virtual computers. By encrypting one physical server, they can lock up dozens of virtual systems at once.
STOP/Djvu (active)
STOP/Djvu hides in pirated software and game cracks. When people download illegal software to avoid paying, they often get this ransomware, which locks all their personal files.
Termite (active)
Termite attacks companies that make software used by other businesses. By hacking one software company, they can affect thousands of businesses that use that software.
TitanLock (active)
TitanLock attacks factories and industrial systems. They can not only encrypt computers but also interfere with the machines that make products, which makes them especially dangerous.
Trigona (disrupted)
Trigona hackers found weaknesses in websites and databases to break into companies. They demanded payment in Monero, a hard-to-trace cryptocurrency, making it difficult for police to follow the money.
Vice Society (active)
Vice Society specializes in attacking schools and hospitals, stealing data before encrypting it.
Vortex (active)
Vortex hackers are patient and sneaky. They break into big companies and quietly look around for weeks before locking everything up. They use the company's own tools to avoid detection.
Werewolves (active)
Werewolves breaks the unwritten rule that ransomware gangs do not attack Russia. They target Russian companies using stolen LockBit tools, which is very unusual.
Yanluowang (inactive)
Yanluowang hackers broke into companies manually rather than using automated tools. They gained attention when they claimed to have breached Cisco, one of the largest networking companies.
Zeppelin (inactive)
Zeppelin attacked American hospitals through remote desktop connections. The FBI eventually found a way to crack their encryption and released free tools to help victims recover their files.