{"type":"bundle","id":"bundle--2384b46a-bce3-aa3d-1958-814ae331c0e5","spec_version":"2.1","objects":[{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3ef040d3-1181-148b-c4d9-5e0498f2a359","created":"2026-05-27T11:58:17.908Z","modified":"2026-05-27T11:58:17.908Z","name":"0apt","description":"The group appears unreliable. Most, if not all, of its alleged victims cannot be verified and appear to be randomly selected organizations. WE HAVE DECIDED TO REMOVE ENTRIES FOR THIS GROUP","labels":["ransomware"],"first_seen":"2026-01-28"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--38363ac9-453b-31f3-bd25-9be92545e815","created":"2026-05-27T11:58:17.908Z","modified":"2026-05-27T11:58:17.908Z","name":"0mega","description":"0mega is a double-extortion ransomware group that emerged in May 2022, targeting businesses across multiple sectors worldwide by encrypting files and threatening to leak stolen data; it also pivoted to cloud-based extortion by compromising Microsoft 365 admin accounts.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4b91596d-352a-0224-cdd3-8639a2f7956c","created":"2026-05-27T11:58:17.909Z","modified":"2026-05-27T11:58:17.909Z","name":"8base","description":"The 8base Ransomware group made its first appearance in early March 2022, remaining somewhat quiet after the attacks. This group operates like other ransomware actors, engaging in double extortion. 
<BR> However, in mid-May and June 2023, the ransomware operation saw a spike in activity against organizations from various sectors, listing 131 organizations in just 3 months.<BR> The 8base data leak site was created and made available in March 2023, claiming honesty and simplicity in its discourse.<BR> VMware published a report on 8base, drawing some similarities with the ransomware group `RansomHouse`, pointing out resemblances such as the website used by 8base and the ransom notes presented in its attacks.<BR> Interestingly, the 8base Ransomware group does not have its own ransomware developed by the group. Instead, the actors took advantage of other leaked ransomware builders to customize the ransom note and present it to the victim organization as 8base's operation.<BR>Source : https://github.com/crocodyli/ThreatActors-TTPs","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5eca350f-c12c-601d-cf9a-66077046b1ff","created":"2026-05-27T11:58:17.909Z","modified":"2026-05-27T11:58:17.909Z","name":"Abrahams_Ax","description":"Abraham's Ax is an Iranian-linked hacktivist persona tied to Moses Staff that emerged in November 2022, primarily targeting Saudi Arabian government institutions for geopolitical reasons related to Saudi-Israeli normalization, using destructive wiper malware and data leak tactics rather than financial ransomware.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--0e062e4c-2ee4-7567-9d9c-fd9cd30c295d","created":"2026-05-27T11:58:17.909Z","modified":"2026-05-27T11:58:17.909Z","name":"abyss","description":"Abyss (also known as Abyss Locker) is a ransomware operation first identified in March 2023, derived from the Babuk source code, that targets Windows and Linux/VMware ESXi systems using double-extortion tactics across healthcare, manufacturing, finance, and technology sectors — predominantly in North 
America.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c2c6922d-0711-185d-0b27-446184675543","created":"2026-05-27T11:58:17.909Z","modified":"2026-05-27T11:58:17.909Z","name":"adminlocker","description":"AdminLocker is a relatively low-profile ransomware strain first observed around December 2021, encrypting victim files and demanding Bitcoin ransom via a Tor-based portal, operated by a lone actor or small closed group with no evidence of an affiliate model.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4b983b63-58a6-9ba0-a7e8-dbdef13b09ab","created":"2026-05-27T11:58:17.909Z","modified":"2026-05-27T11:58:17.909Z","name":"againstthewest","description":"AgainstTheWest (ATW) is a hacktivist group active since October 2021 that targets governments and corporations perceived as authoritarian, breaching organizations like Alibaba, Sberbank, and Gazprom using custom ransomware and wiper malware for ideological disruption rather than financial profit.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--53014dd3-3be1-4577-237a-f75624f0deed","created":"2026-05-27T11:58:17.909Z","modified":"2026-05-27T11:58:17.909Z","name":"aGl0bGVyCg","description":"\"aGl0bGVyCg\" (Base64 for \"hitler\") is a reference to the Hitler-Ransomware (2016), a German-origin proof-of-concept that displayed a Hitler image, did not actually encrypt files, and demanded a 25-euro Vodafone card payment; assessed as an amateur test project rather than a serious criminal 
operation.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--65255b3a-8665-2220-81cb-562586461774","created":"2026-05-27T11:58:17.909Z","modified":"2026-05-27T11:58:17.909Z","name":"ailock","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--714d915c-7c60-9009-595f-19a93b96f1be","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"AiLock","description":"AiLock is a ransomware operation that emerged in early 2025, marketing itself as AI-assisted ransomware using a hybrid ChaCha20/NTRUEncrypt encryption scheme and double-extortion tactics, actively recruiting affiliates and threatening regulatory reporting if ransoms are unpaid.","labels":["ransomware"],"first_seen":"2026-03-03"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8d8f469e-d2ef-36f5-3779-7449f494f738","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"akira","description":"The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackBasta, and others.<br> <br> According to some reports, Akira affiliates also work with other ransomware operations, such as Snatch and BlackByte, as an open directory of tools used by an Akira operator was identified, which also had connections to the Snatch ransomware.<br> <br> The first version of the Akira ransomware was written in C++ and appended files with the '.akira' extension, creating a ransom note named 'akira_readme.txt,' partially based on the Conti V2 source code. 
However, on June 29, 2023, a decryptor for this version was reportedly released by Avast.<br> <br> Subsequently, a version was released that fixed the decryption flaw on July 2, 2023. Since then, the new version is said to be written in Rust, this time called 'megazord.exe,' and it changes the extension to '.powerranges' for encrypted files.<br> <br> Most of Akira's initial access vectors use brute-force attempts on Cisco VPN devices (which use single-factor authentication only).<br> Additionally, exploitation of CVEs: CVE-2019-6693 and CVE-2022-40684 for initial access has been identified.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--41430b33-4cdf-f81c-31f5-ddde04b60a7f","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"ako","description":"A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1a4765bb-5718-9f9c-0719-c3d565b92a6e","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"ALP-001","description":"⚠️ The group appears unreliable. Most, if not all, of its alleged victims cannot be verified. 
WE HAVE DECIDED TO REMOVE ENTRIES FOR THIS GROUP","labels":["ransomware"],"first_seen":"2026-03-21"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--170f6430-4821-e959-32e9-7a7d847684f2","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"alphalocker","description":"AlphaLocker is a low-cost ransomware operation built on the EDA2 open-source project that sells affiliates an admin panel, ransomware executable, and decryption key generator, lowering the barrier for entry-level cybercriminals using double-extortion tactics.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--f9ef772a-5ecc-aba7-9168-9527c51dfba0","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"alphv","description":"The operators of the ALPHV/BlackCat ransomware began their activity in December 2021, making posts on Dark Web forums to promote their affiliate program, offering other actors the opportunity to engage in a 'new type of ransomware family' developed from scratch using the Rust programming language.<BR> <BR> Some clear evidence indicates that the actors behind this new ransomware are not new to cybercrime, and there were links to other affiliate programs such as DarkSide, BlackMatter, and REvil. (After several attacks against large companies, these groups faced pressure and arrests, necessitating the termination of their operations).<BR> <BR> As a security measure, the operators of ALPHV implemented the requirement for the execution of the ransomware payload by providing an 'access token,' which is supplied by the owners of the Ransomware-as-a-Service to the affiliate. 
This token is added to the victim's ransom note so that they can contact the threat actor responsible for encrypting the data.<BR> <BR> ALPHV affiliates employ double and triple extortion techniques, meaning the publication of the company's name on leak sites, threats of data leakage, and lastly, threats of DDoS attacks against the organization.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--092136e3-76e1-7ab5-8435-12b0633bcbf7","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"anubis","description":"Anubis is a ransomware-as-a-service group active since December 2024 that targets healthcare, engineering, construction, and professional services sectors, offering affiliates a flexible revenue split model and an optional destructive \"wipe mode\" alongside standard encryption.","labels":["ransomware"],"first_seen":"2025-02-25"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3963d10b-9603-d43e-652a-db2cc3efaf58","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"apos","description":"Apos is a data-broker extortion group that surfaced in April 2024, focusing on data exfiltration and threatening to publish or sell stolen information rather than encrypting files, targeting technology, healthcare, manufacturing, telecom, and government sectors across multiple countries.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--a4f94751-c69c-6e12-d640-d32e8404a4c3","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"apt73","description":"A new ransomware group is said to have emerged in mid-April 2024, under the name 'APT73.' 
It's worth noting that the group reportedly self-proclaimed as an APT, which stands for 'Advanced Persistent Threat' in the cybersecurity field.<br> <br> According to research, much of the available information about the aforementioned group came from another ransomware group known as LockBit.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b33074c8-3549-1bba-3dcd-57761dd0bac4","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"arcusmedia","description":"Arcus Media is a ransomware-as-a-service group that emerged in May 2024, employing double extortion with ChaCha20 + RSA-2048 encryption and recruiting affiliates via a referral-based vetting process, claiming 50+ victims across manufacturing, healthcare, retail, and business services globally.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--55aeafc7-78b8-790f-c835-c09f06a8d3d6","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"argonauts","description":"Argonauts is a ransomware group that emerged in September 2024, operating a double-extortion model targeting logistics, healthcare, energy, and telecom sectors, with approximately 13 claimed victims tracked via a TOR-based leak site.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--56f44dc8-e0c9-896c-9084-4287a98bd4a6","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"arkana","description":"Arkana is a ransomware group that emerged in early 2025 and gained attention by claiming an attack on U.S. 
broadband provider WideOpenWest (WOW!), operating a three-phase ransom/sale/leak extortion model primarily focused on telecom and internet service providers.","labels":["ransomware"],"first_seen":"2025-03-25"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--cf1fb65d-09fb-96ca-2744-80470c4b3955","created":"2026-05-27T11:58:17.910Z","modified":"2026-05-27T11:58:17.910Z","name":"arvinclub","description":"Arvin Club is a threat actor with hacktivist leanings that first appeared in May 2021, primarily publishing stolen data via a TOR site and Telegram rather than deploying file-encrypting ransomware, targeting government, education, and banking sectors globally including Iranian government entities.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--9b1c1e1a-a13e-5935-4db9-5fb9968da3c4","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"atomsilo","description":"AtomSilo is a double-extortion ransomware group that emerged in September 2021, exploiting the Atlassian Confluence vulnerability (CVE-2021-26084) for initial access and demanding ransoms up to $1 million, attributed to the Chinese state-linked threat actor BRONZE STARLIGHT.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--96031d7b-4cfd-112e-a123-0dfa3119ff08","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"AuditTeam","description":"AuditTeam is a small ransomware group with approximately 5 known victims, primarily targeting organizations in East and Southeast Asia across technology and manufacturing sectors, operating a data leak site consistent with double-extortion 
methodology.","labels":["ransomware"],"first_seen":"2026-04-08"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--9b89025c-e7a6-d932-b28f-6e15132a70d4","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"aurora","description":"Aurora is a ransomware group associated with a multi-purpose Go-based malware distributed by multiple criminal teams from mid-2022, also sold as an infostealer/botnet under the same name on underground forums.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--31da91c9-ef9b-aaee-78d6-f062df57ac7e","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"avaddon","description":"Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3fa55a22-ea1c-3d06-e5d9-0e519d6abd6e","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"avos","description":"Avos is the threat actor group behind AvosLocker ransomware, a RaaS operation active since June 2021 that recruited affiliates to deploy ransomware against critical infrastructure including financial services, manufacturing, and government sectors across the US and a dozen other countries.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--0c38bd99-6d8e-f015-f07e-3f8ccb76e3b9","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"avoslocker","description":"AvosLocker is the ransomware payload of the Avos RaaS group, active from July 2021 to approximately May 2023, targeting education, manufacturing, and healthcare sectors on Windows, Linux, 
and VMware ESXi environments, with the US accounting for ~72% of victims.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8bf9fd4b-e091-a1ba-a7d3-947484c1b90a","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"aware","description":"Aware is a recently emerged ransomware group that operates a Tor-based data leak site with very limited public documentation and no publicly catalogued victims, tools, or TTPs in major threat intelligence databases.","labels":["ransomware"],"first_seen":"2026-01-06"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8c2d41d7-739b-6921-a4a1-d137c8bac710","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"aztroteam","description":"AztroTeam is a ransomware group with very limited public documentation and no confirmed victims, listed as offline on ransomware tracking platforms.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--e448b35b-995e-ea43-8930-7aaba83d1a33","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"babuk","description":"Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and an old 32-bit PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--09e6edec-d137-b282-8e9b-f64e76d88652","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"babuk2","description":"Babuk Locker 2.0, also known as Bjorka or SkyWave, after failing to make any profit from selling public databases on forums, decided to impersonate Babuk Ransomware group. 
He launched a blog where he claimed multiple public breaches from BreachForums as ransomware attacks","labels":["ransomware"],"first_seen":"2025-01-27"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--0b845c75-8336-d80a-e2e4-7efa7c3eefba","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"babyduck","description":"BabyDuck is a ransomware group tracked on ransomware.live with approximately 180 claimed victims, appending the .babyduck extension to encrypted files, distinct from the better-known Babuk group.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--f08aa988-f5f1-4e2b-ebbd-0442638856e4","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"bashe","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1bf417bd-8716-2d5d-77a5-ce3259e81bde","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"beast","description":"Beast is a Ransomware-as-a-service (RaaS) product which provides functionality such as SMB scanning, file encryption, service and process starting and stopping, and geographic identification to avoid encryption in CIS countries.","labels":["ransomware"],"first_seen":"2025-07-29"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--432bba89-3b16-ac14-aadd-f7b4425e43e4","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"benzona","description":"Benzona is a financially motivated ransomware group that emerged in late 2024, targeting small to mid-sized organizations across manufacturing, healthcare, technology, and hospitality sectors using double-extortion tactics — encrypting files while exfiltrating data and threatening publication via a Tor-based leak 
site.","labels":["ransomware"],"first_seen":"2025-11-26"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--32987c4b-7a9f-b90e-7294-25fc63e7bb81","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"bert","description":"BERT is a newly emerged ransomware group first identified in mid-2025, targeting Windows and Linux platforms across healthcare, technology, and event services sectors in Asia, Europe, and the US, with ransomware derived from a Linux variant of REvil using AES encryption and multi-threaded file locking.","labels":["ransomware"],"first_seen":"2025-04-06"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1ce4b4b8-ff46-889a-0448-a06ed52cf5a7","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"bianlian","description":"BianLian ransomware operations began in late 2021. The group practices multi-pronged extortion, demanding payment for a decryptor, as well as the non-release of stolen data. The ransomware group hosts a public, TOR-based, blog to post victim identities and stolen data. 
Somewhat unique to BianLian at the time of their launch was their inclusion of an I2P mirror for their blog.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--d96a7fdd-d4b2-6248-a30b-b6e2627a670d","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"blackbasta","description":"\"Black Basta\" is a new ransomware strain discovered in April 2022 (apparently in development since at least early February 2022); given the group's ability to quickly amass new victims and the style of its negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along its affiliates.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--d623daea-d635-39f9-21b5-65be9138c4e8","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"blackbyte","description":"Ransomware. Uses a dropper written in JavaScript to deploy a .NET payload.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4683f05c-3fbe-87b7-a0c8-1b6355645fcf","created":"2026-05-27T11:58:17.911Z","modified":"2026-05-27T11:58:17.911Z","name":"blacklock","description":"BlackLock is a rebranded version of another ransomware group known as Eldorado. It has since become one of the most active extortion syndicates in 2025, heavily targeting technology, manufacturing, construction, finance, and retail sectors. 
","labels":["ransomware"],"first_seen":"2025-05-16"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--6261405c-b8d5-855c-a95d-04f327a49966","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"blackmatter","description":"Ransomware-as-a-Service \n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ed6341a7-02d5-6287-6526-bafafd251386","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"blacknevas","description":"BlackNevas is a ransomware group first observed in November 2024, believed to be derived from the Trigona ransomware family, targeting telecommunications, manufacturing, medical, and legal industries primarily in Asia-Pacific, the UK, Italy, and Lithuania using double-extortion with a dual AES/RSA encryption scheme.","labels":["ransomware"],"first_seen":"2025-08-06"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--28780a3c-d242-408c-7287-6ba3fdbba404","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"blackout","description":"Blackout is a ransomware group that first appeared in early 2024, initially claiming attacks against healthcare entities in Canada, France, and Germany before expanding to telecommunications, mining, and manufacturing sectors, operating a double-extortion model with a data leak site.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3f0eee4e-c375-595c-e2d0-6eca2cb55678","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"blackshadow","description":"BlackShadow is an Iranian-linked hack-and-leak group (linked to the Agrius APT) that targeted Israeli companies including insurance firm Shirbit and hosting provider Cyberserve, leaking medical records of 290,000 patients, using extortion as a tool of geopolitical disruption rather than purely for financial 
gain.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ee724c33-fa7f-99fb-aea1-d143e9dbe8d7","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"blackshrantac","description":"BlackShrantac is a ransomware group that emerged in late 2025, targeting organizations in manufacturing, financial services, technology, and the public sector globally, employing double-extortion combined with living-off-the-land techniques to weaponize legitimate tools and disable defenses before encrypting files.","labels":["ransomware"],"first_seen":"2025-09-17"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4e7539a8-4b0c-3f2d-98f5-a8dd282b03cf","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"blacksuit","description":"According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--7dc03a4f-ce53-f6ad-2cc4-424a06f3078f","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"blacktor","description":"Blacktor is a low-profile data breach and extortion group active around 2021 with a Tor-based leak site, claiming victims in Indonesia, Italy, Venezuela, and the US, with minimal public threat-intelligence coverage.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--733a81c7-61d0-bff1-3188-22c3519015dc","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"blackwater","description":"Blackwater is a ransomware group that first surfaced in early 2026, combining file encryption with data theft and targeting healthcare organizations, with known victims including Minidoka Memorial Hospital in 
Idaho.","labels":["ransomware"],"first_seen":"2026-04-12"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ed2cdcb1-59c2-ddee-da49-ce5b57331cd2","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"bluebox","description":"Bluebox is a data extortion group that emerged in December 2024, employing double-extortion tactics against victims primarily in France, Sweden, and the French Caribbean, and threatening to notify data protection authorities to add regulatory pressure on victims.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--376c6bd5-ab47-7dc5-f6f1-c32473e366cd","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"bluelocker","description":"Blue Locker targets Pakistan’s vital energy sector, particularly Pakistan Petroleum","labels":["ransomware"],"first_seen":"2025-08-19"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--41a37f5b-02ea-6532-8a16-9b566cb3b46a","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"bluesky","description":"BlueSky is a financially motivated ransomware group active from mid-2022 into early 2023, using multi-threaded ChaCha20/Curve25519 encryption for fast file locking on Windows hosts, with code sharing significant overlap with Conti v2/v3 and Babuk, attributed with high confidence to Russian-origin threat actors.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5f811bdb-d946-4946-66b3-1f0d22124b23","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"bonacigroup","description":"Bonaci Group is a small, short-lived ransomware group that was active in 2021 with only 3 known victims before going offline, with very little public documentation about their tactics, targets, or 
tooling.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1b92302b-b480-124c-c074-ebe33c7e3be9","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"bqtlock","description":"BQTLock is a ransomware-as-a-service operation that emerged in 2025, using AES-256/RSA-4096 encryption with Monero payment demands, linked to pro-Palestinian hacktivist networks and targeting organizations with wave-based campaigns with 48-hour ransom deadlines.","labels":["ransomware"],"first_seen":"2025-07-31"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--d777e8bc-cb23-cd44-66eb-855ded365ed0","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"braincipher","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--103031f6-2931-f0a8-af83-3455806f6c7e","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"BrainCipher","description":"Brain Cipher emerged in July 2024. Both Windows and Linux variants are available. Brain Cipher uses the leaked build of LockBit Black for its operations. The group is suspected to have exploited CVE-2023-28252 (Microsoft Windows CLFS Driver Privilege Escalation Vulnerability). The ransom demand ranges from $150,000 to $1,00,0000. Demands are to be paid in Monero (XMR) cryptocurrency. In 2025, they shifted their negotiation portal to a new server with a vanity TOR domain starting with 'brain'. 
","labels":["ransomware"],"first_seen":"2024-07-01"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5c70e269-d682-a8a8-d816-3caaa8fc8036","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"bravox","description":"BravoX is a selective ransomware-as-a-service operation that surfaced publicly in January 2026 after advertising on the RAMP underground forum, targeting primarily US-based organizations in healthcare and retail while applying strict affiliate vetting requirements including proof of access or a financial deposit.","labels":["ransomware"],"first_seen":"2026-02-11"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b49c7fc0-eee0-9b9c-3685-cb8ad0a8e288","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"brotherhood","description":"Brotherhood is a ransomware group that emerged in late 2025, targeting organizations in the US, Canada, and Australia across manufacturing, communications, and construction sectors, operating a Tor-based double-extortion leak site.","labels":["ransomware"],"first_seen":"2025-11-15"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--caaeac31-84e9-0c7f-8587-d692f03105bf","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"cactus","description":"The CACTUS ransomware is said to have emerged around March 2023. The group became known for exploiting vulnerabilities to gain initial access and maintain a presence within the organization's infrastructure.<br> <br> There is little known information about the ransomware group, except that it emerged on the mentioned date and, following encryption, a text file named 'cAcTuS.readme.txt' would be created. 
Additionally, encrypted files were altered to the '.cts1' extension, and data exfiltration and victim extortion were conducted through the use of the service known as Tox.<br>Source: https://github.com/crocodyli/ThreatActors-TTPs","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--785a0e02-62f9-0d4f-685f-3e4b9ed4371b","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"cephalus","description":"Cephalus is a ransomware group active from mid-2025 that leverages stolen RDP credentials to deploy a Go-based ransomware payload via DLL sideloading, targeting law firms, healthcare, financial services, and IT firms across the US and Japan with 19 known victims.","labels":["ransomware"],"first_seen":"2025-08-26"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5d5bddb5-7710-2d0a-960b-cf6fea9050c1","created":"2026-05-27T11:58:17.912Z","modified":"2026-05-27T11:58:17.912Z","name":"chaos","description":"Chaos is a ransomware-as-a-service operation that emerged in early 2025, likely formed by former BlackSuit/Royal members, offering cross-platform ransomware for Windows, Linux, ESXi, and NAS to affiliates recruited on the RAMP dark web forum, excluding CIS/BRICS countries and hospitals from targeting.","labels":["ransomware"],"first_seen":"2025-03-31"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--0f3b1945-3dde-7c91-cf64-090c9cf7f3b3","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"cheers","description":"Cheers is a Linux-based ransomware group that emerged in 2022, built on leaked Babuk source code and specializing in attacks against VMware ESXi servers, running a double-extortion leak site with four documented 
victims.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--a494c0ea-429e-a7fd-52a2-33b51dc02d41","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"chilelocker","description":"ChileLocker (also known as ARCrypter) first appeared in August 2022 after attacking a Chilean government agency and quickly expanded globally, appending a \".crypt\" extension to encrypted files and recruiting affiliates under a RaaS model on criminal forums.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--d5054426-1557-09c0-e415-5e60a1664efd","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"chort","description":"Chort is a double-extortion ransomware group (whose name means \"Devil\" in Russian) that emerged in October 2024, primarily targeting US education and government sectors, with notable victims including the City of Sheboygan and Kuwait's Ministry of Finance.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--58f3afdf-1cdd-0d35-3fc4-00a3bde3e19f","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"cicada3301","description":"Cicada3301 is a ransomware-as-a-service group (tracked as Repellent Scorpius by Palo Alto) that emerged in mid-2024 using Rust-based ransomware targeting Windows, Linux, and ESXi systems, suspected to be a successor of BlackCat/ALPHV and running an affiliate program with 20% commissions.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5d824c0d-4fef-54f7-22ec-4403293ce608","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"ciphbit","description":"CiphBit is a ransomware-as-a-service group active since April 2023, targeting small-to-mid-sized businesses across the UK, Europe, and North America with 38 known 
victims, employing a data-broker model with selective free leaks to pressure victims alongside standard double extortion.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--04605ec8-ef15-25d2-1031-f72939f4eb88","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"cipherforce","description":"CipherForce is a newly emerged ransomware group first detected in early 2026, operating a dark web leak site and targeting technology, business services, and logistics companies across the US, China, Vietnam, India, and UAE, with at least 6 claimed victims.","labels":["ransomware"],"first_seen":"2026-02-23"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--bf25637b-0f73-fbd8-4a9f-247c78a6a96c","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"cloak","description":"Cloak is a ransomware-as-a-service operation active since late 2022, primarily targeting small-to-medium enterprises in Europe — especially Germany — across manufacturing, healthcare, education, and government sectors, with expansion into North American and Asian targets by 2025.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--846d16de-4129-06a2-f688-acf49197125f","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"clop","description":"The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. It is worth noting that this variant was delivered as the final payload in a phishing campaign in 2019 and was exclusively financially motivated, with attacks carried out by the threat actors TA505.<br> <br> At that time, malicious actors sent phishing emails that led to a macro-enabled document that would drop a loader called 'Get2.' 
After gaining an initial foothold in the system or infrastructure, the actors began using reconnaissance, lateral movement, and exfiltration techniques to prepare for the deployment of the ransomware.<br> <br> After the execution of the ransomware, Cl0p appends the extension '.clop' to the end of files, or other types of extensions such as '.CIIp, .Cllp, and .C_L_O_P,' as well as different versions of the ransom note that were also observed after encryption. Depending on the variant, any of the ransom text files were created with names like 'ClopReadMe.txt, README_README.txt, Cl0pReadMe.txt, and READ_ME_!!!.TXT.'<br> <br> The Clop operation has shifted from delivering its final payload via phishing and has begun initiating attacks using vulnerabilities that resulted in the exploitation and infection of victims' infrastructures.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--fc3bfa42-b2dc-3820-f3f4-13b38d97f904","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"CMDOrganization","description":"CMD is a new kind of company that specializes in corporate system security and in identifying vulnerabilities across all aspects of the software used by a company. CMD operates on a global scale recognizing the critical importance of timeliness and confidentiality.","labels":["ransomware"],"first_seen":"2026-05-02"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--066151be-d8db-bc19-f536-4664341c56b9","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"coinbasecartel","description":"CoinbaseCartel specializes in data acquisition through system access and strategic partnerships. 
It focus exclusively on data exfiltration—our operations never involve system encryption or operational disruption.","labels":["ransomware"],"first_seen":"2025-09-15"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--174737f8-d467-43d1-b1cc-90c6f6d96336","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"ContFR","description":"RAAS - Ransomware intégré à un fichier PDF, à faire ouvrir à vos victimes ou à insérer vous-même, Windows et Mac, ne fonctionne pas sur Linux. Tableau de vitcimes et récupération de données possible depuis votre espace abonné. Configuration de votre ransomware à votre première connexion, puis modification possible selon votre formule.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--50c36d34-245f-bb58-2897-c71b2090dd3c","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"conti","description":"Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. 
In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1eb1230f-5f7e-7272-362f-cc2aa53191de","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"cooming","description":"CoomingProject is a ransomware group that emerged around 2021 and operated a double-extortion scheme with multiple Tor-based leak sites; six members were identified by French authorities in February 2022, after which the group's infrastructure went offline.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--e80c1c52-678d-a74d-f1f5-bd268138a336","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"crazyhunter","description":"CrazyHunter is a Go-based ransomware group that emerged in early 2025, derived from the open-source Prince encryptor, exclusively targeting Taiwanese organizations in healthcare, education, and industrial sectors using BYOVD techniques and tools like SharpGPOAbuse for lateral movement.","labels":["ransomware"],"first_seen":"2025-03-09"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--bed01a1d-6a92-f142-6b3c-bb9f4df7f0b6","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"crosslock","description":"CrossLock is a short-lived Go-based ransomware group that appeared in April 2023 and went dark by July 2023, using Curve25519 and ChaCha20 encryption and double-extortion tactics with only one known confirmed victim in the IT sector in Brazil.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c184c9d2-b95f-fdb2-bdf5-bb5eef6ebb20","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"cry0","description":"Cry0 is a ransomware-as-a-service operation that recruits 
affiliates via underground forums, using a Rust-written payload with blockchain-based (Internet Computer Protocol) negotiation infrastructure to resist law enforcement takedowns and offering affiliates a 90/10 revenue split.","labels":["ransomware"],"first_seen":"2026-01-19"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--fd3c8004-8bdf-a883-e179-3eb36d825ba7","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"crylock","description":"CryLock (originally known as Cryakl/Fantomas since 2014) is a ransomware operation run by a Russian couple who targeted roughly 400,000 victims over eight years and earned over €64 million in Bitcoin; the operators were arrested in Spain in June 2023 and extradited to Belgium.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--95487dd2-129e-227d-41df-fbc97369f1d0","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.913Z","name":"cryp70n1c0d3","description":"Cryp70n1c0d3 is a low-profile ransomware group with limited public documentation; specific targets, attack methodology, and operational model remain poorly documented in open sources.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--98c07b61-d2a1-f7ea-bfd0-f1291cf51245","created":"2026-05-27T11:58:17.913Z","modified":"2026-05-27T11:58:17.914Z","name":"cryptbb","description":"CryptBB is a ransomware group with likely Russian origins active around 2023, whose payload appends random extensions to encrypted files and whose data leak site copied 8Base's source code, listing approximately 8 victims as of September 2023.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ce17915f-34c1-e054-9301-c8f53f0b366e","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"cryptnet","description":" According to OALabs, this ransomware has 
the following features: * Files are encrypted with AES CBC using a generated 256 bit key and IV.* The generated AES keys are encrypted using a hard coded RSA key and appended to the encrypted files.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--a9a9f2bc-464e-1b93-1805-425d9db576d8","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"crypto24","description":"Crypto24 is a double-extortion ransomware-as-a-service group that surfaced on the RAMP forum in mid-2024, targeting large organizations in financial services, healthcare, manufacturing, and technology across Asia, Europe, and North America, with notable victims including CMC Group, Vietnam's second-largest ICT conglomerate.","labels":["ransomware"],"first_seen":"2025-04-08"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--95066295-6e75-92a1-d712-f908016cf6f9","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"cuba","description":"The Cuba Ransomware, also known as Colddraw Ransomware, was first identified in the threat landscape in 2019 and built a relatively small but selected list of victims. The group is also known as Fidel Ransomware, due to a characteristic marker placed at the beginning of all encrypted files. This file marker is used as an indicator for the ransomware and its decoder that the file has been encrypted.<br> <br> Despite its name and the Cuban nationalist style on its leak site, it is difficult to assert any connection or affiliation with the Republic of Cuba. 
The group has been linked to a Russian-language threat actor by Profero researchers due to some details of incorrect translation they discovered, as well as the discovery of a 404 page containing text in Russian on the threat actor's own leak site.<br> <br> According to BlackBerry, based on the analysis of the code strings used in the campaign analyzed in 2023, there were indications that the developer behind the Cuba ransomware speaks Russian.<br> <br> The ransomware operators use a double extortion approach, and following the USA, in August 2022, it was believed that the Cuba ransomware group had compromised 101 entities, demanding $145 million in ransom payments and receiving up to $60 million.<br> <br> The group used a similar set of TTPs, with only a slight change each year, as they generally consist of LOLBins (executables that are part of the operating system and can be exploited to support an attack), exploits, off-the-shelf and custom malware, as well as intrusion tools like Cobalt Strike and Metasploit.<br> <br> In 2022, the group allegedly developed a relationship with operators of the Industrial Spy market, using their platform as a means of data leakage.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--9ad08878-dc38-c1d6-baec-c3a02ad8874a","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"cyclops","description":"Cyclops emerged in May 2023 as a cross-platform RaaS operation targeting Windows, macOS, and Linux systems; it rebranded as \"Knight\" in August 2023 and its codebase was ultimately sold, with affiliates largely migrating to RansomHub.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b14eb780-88fe-d5f4-dbd3-68e91872ce25","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"d4rk4rmy","description":"D4rk4rmy is 
a ransomware and data extortion group active since at least 2025, targeting financial services, hospitality, technology, and logistics sectors, operating a RaaS model with notable claimed victims including the Monte Carlo casino resort.","labels":["ransomware"],"first_seen":"2025-07-07"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--68efd0c3-b5f0-5aaa-a296-f2ef8eeed1f5","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"dagonlocker","description":"Dagon Locker is a ransomware strain that first appeared in early 2023, evolved from the MountLocker/Quantum ransomware lineage, and uses IcedID as an initial access vector before deploying double-extortion attacks with ChaCha20+RSA-2048 encryption.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--39c74fc8-e0d2-b875-9fc9-dcb06339f7a4","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"daixin","description":"Daixin Team is a ransomware and data extortion group active since at least June 2022, exclusively targeting the US Healthcare and Public Health sector by encrypting EHR and diagnostic systems and exfiltrating patient data to pressure victims into paying ransoms.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c9b6cf75-894a-9377-168d-a01031dca163","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"dAn0n","description":"dAn0n emerged in early 2024 operating a RaaS model, rapidly claiming 13 victims in May 2024 alone, predominantly targeting US-based organizations in business services and filling the vacuum left by disruptions to LockBit and 
BlackCat/ALPHV.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--348a41fb-f810-aa70-8fdb-47a78a5f21a5","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"darkangels","description":"Dark Angels is a highly selective ransomware group active since April 2022 that targets a small number of large enterprises — including Johnson Controls — exfiltrating up to 100 TB of data per victim, and secured the largest known single ransom payment of $75 million from a Fortune 50 company in early 2024.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--e7988f2e-5edd-8280-9194-5718a80f509c","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"darkbit","description":"DarkBit is an ideologically motivated ransomware group that appeared in February 2023, primarily targeting Israeli entities — most notably the Technion Institute of Technology — with politically charged ransom notes condemning Israeli government policies, assessed to be linked to Iranian state-sponsored activity.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3cc7d554-8e93-8e81-f832-6b7dbca74988","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"darkleakmarket","description":"DarkLeakMarket is a dark web data leak marketplace active since at least 2019 that sells stolen data sourced from ransomware groups and hacking forums, with 39 known victim organizations; it operates more as a data resale market than a traditional ransomware operator.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--0e5f3777-8517-2dca-cf6f-1c5c4b74d8d4","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"darkpower","description":"Dark Power emerged in January 2023 as a ransomware group written 
in the Nim programming language, claiming 10 victims across eight countries within its first month across agriculture, education, healthcare, IT, and manufacturing sectors, demanding $10,000 ransoms payable in Monero.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--779be7fe-53d4-b7e5-8e2c-2a47566d36c0","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"darkrace","description":"DarkRace is a ransomware variant that surfaced in mid-2023 sharing strong code similarities with LockBit, employing double-extortion via a dark web leak site, but remained a minor player with fewer than 15 posted victims in its first half-year.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--92117ce1-1e98-294a-2227-04bdbaab6805","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"darkside","description":"Darkside ransomware group has started its operation in August of 2020 with the model of RaaS (Ransomware-as-a-Service). They have become known for their operations of large ransoms scale. They have announced that they prefer not to attack hospitals, schools, non-profits, and governments, but rather big organizations that can be able to pay large ransoms. Darkside ransomware group became very famous following the cyberattack of the Colonial Pipeline and Toshiba unit. 
The FBI finally terminate the Darkside operation and Managed to pull money from their wallets back.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8f4e2833-49f8-9e2b-0c41-df190a22b262","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"darkvault","description":"DarkVault is a data-exfiltration and double-extortion group first identified in late 2023, targeting medium-to-large organizations in finance, professional services, legal, and technology sectors across Europe, the UK, and North America, with a suspected connection to LockBit.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--bc81d879-15e9-dd2f-1a46-12fbb029ad03","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"datacarry","description":"DataCarry is a ransomware and data-extortion operation first observed in May 2025, operating a double-extortion model with a Tor-hosted leak portal and claiming victims across insurance, healthcare, aerospace, legal, and retail sectors in at least six countries.","labels":["ransomware"],"first_seen":"2025-05-26"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4c142cc3-8f12-ecad-762e-b5e6cecbe891","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"datakeeper","description":"DataKeeper is a ransomware-as-a-service operation dating back to at least 2018 that promoted an affiliate model called \"CrystalPartnership RaaS,\" offering a Windows-focused ransomware toolkit with hybrid RSA-4096 encryption, open dark web registration, and an innovative split-payment mechanism to build affiliate 
trust.","labels":["ransomware"],"first_seen":"2026-01-14"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--519da3de-3100-b80a-7b74-96692cf13614","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"dataleak","description":"Dataleak is a low-profile ransomware group with approximately 6 known victims including entities in Brazil; very limited public threat intelligence exists on this group's tools, TTPs, or origins.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--0455895d-397c-aeda-21ec-62c0c28f7263","created":"2026-05-27T11:58:17.914Z","modified":"2026-05-27T11:58:17.914Z","name":"desolator","description":"Desolator is a ransomware group that emerged in May 2025, targeting construction and engineering firms in Latin America and Europe and technology companies in Asia, actively recruiting pen testers, initial access brokers, and social engineers via dark web forums to build an affiliate program.","labels":["ransomware"],"first_seen":"2025-08-30"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--f0d6875f-7995-4b58-dd73-7827d90968e2","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"devman","description":"Former RansomHub and INC Ransom affiliate.","labels":["ransomware"],"first_seen":"2025-04-06"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--0231e4f6-e4da-02b8-c268-93f8d5059778","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"diavol","description":"A ransomware with potential ties to Wizard Spider.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3a983853-3434-0240-5589-81bc25f2059a","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"direwolf","description":"Dire Wolf is a sophisticated human-operated ransomware group first documented in May 2025, written in Golang using 
Curve25519/ChaCha20 encryption, targeting manufacturing and technology sectors across 13+ countries with ransoms up to $500,000, operated by a tight core team rather than a broad affiliate program.","labels":["ransomware"],"first_seen":"2025-05-22"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--2f17816c-44d3-dc39-34fb-d26651f5bcdd","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"dispossessor","description":"This is not a ransomware group but a data broker","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b4303fe6-b4f9-7ab2-f7b3-3ee95ff95d4a","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"donex","description":"DoNex is a ransomware strain that emerged in March 2024 as the latest rebrand of a lineage beginning with Muse (2022) → DarkRace (2023) → DoNex, targeting enterprises in the US and Europe using double-extortion; Avast released a free decryptor in July 2024 after discovering a cryptographic flaw.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ae985e50-457a-14cc-ec55-06fa53aefecb","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"donutleaks","description":"Donut Leaks (D0nut) is a data-extortion group active since August 2022 that developed its own ransomware encryptor, linked to attacks on Greece's DESFA gas company and Continental, believed to be an affiliate of multiple RaaS operations who pivoted to running an independent extortion platform.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--d266dda5-a328-30a9-93c7-593845fb5ab3","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"doppelpaymer","description":"Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to restore original files. 
It is recognizable by its trademark file extension added to encrypted files: .doppeled. It also creates a note file named: \".how2decrypt.txt\".\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--dfb2c571-702b-9579-8ff9-f87f6f5436f9","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"dragonforce","description":"DragonForce is a major ransomware-as-a-service operation first observed in August 2023 that launched a formal affiliate program offering 80% revenue share, then rebranded as a \"ransomware cartel\" in 2025, gaining notoriety for high-profile attacks on UK retailers Marks & Spencer, Co-op, and Harrods.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--a1ea9dd6-0043-3956-2f42-3321ac551e3f","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"dragonransomware","description":"Dragon Ransomware, is promising rapid and customizable ransomware operations for Windows systems. Key features include a compact 50KB file size, ultra-fast encryption speed, and a builder tool that allows users to personalize ransomware configurations. 
The tool will be available to the public once the team reaches 1,000 subscribers on their channel, signaling a potential rise in availability to threat actors.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--0d689d2a-8f5e-f2f0-5089-074101bbd2b5","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"dread","description":"Dread is a ransomware group that appears in tracking databases but has no publicly documented attacks or confirmed TTPs from major security vendors.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--9326499b-ee20-de02-47b3-d7ab74ee9013","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"dunghill","description":"Dunghill Leak is the data extortion site operated by the Dark Angels ransomware group, active since early 2023, targeting large enterprises across healthcare, finance, industrial, and technology sectors using a highly selective non-affiliate model, and responsible for a record-breaking $75 million ransom payment in 2024.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--f2a163aa-ae8e-fe29-9d81-49f13daf0173","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"ech0raix","description":"The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.3. 
Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--09cc0783-5ac7-9beb-0dd9-87be03253c49","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"ElDorado","description":"In September The El Dorado ransomware group have been rebrand as BlackLock ","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--9fc073e6-d2f9-8cd0-9b7d-7aa0dfb701e4","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"embargo","description":"Embargo is a Rust-based ransomware-as-a-service group that emerged in April 2024, primarily targeting US healthcare, manufacturing, and business services organizations using double extortion, assessed as a potential successor to BlackCat/ALPHV with over $34 million in ransom proceeds.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--67671a2f-53dd-910a-8b35-840edb6a0a1e","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"entropy","description":"Entropy is a ransomware first seen in 1st quarter of 2022, is being used in conjunction of Dridex infection. The ransomware uses a custom packer to pack itself which has been seen in some early dridex samples. 
\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--7b407914-93b4-7589-321a-20e9328cc148","created":"2026-05-27T11:58:17.915Z","modified":"2026-05-27T11:58:17.915Z","name":"ep918","description":"EP918 is a low-activity ransomware group listed in tracking databases with no confirmed victims and no publicly documented attacks or operational details.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b3fb2d21-e28b-a7f4-24c6-d1c033e45744","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"esxiargs","description":"ESXiArgs is a ransomware campaign that emerged in February 2023, targeting VMware ESXi servers by exploiting the CVE-2021-21974 vulnerability. It encrypts virtual machine configuration files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, .vmem) rendering VMs inaccessible. The campaign compromised thousands of unpatched servers globally, primarily affecting European organizations. A decryptor was later released by CISA and FBI.","labels":["ransomware"],"first_seen":"2023-02-03"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--61e0625d-5fb4-8107-62d6-1a4147641b42","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"everest","description":"Everest ransom group collects and analyzes information about their victims. They specialize in customer privacy data, financial information, databases, credit card information, and more. 
The Everest ransom group leaks victims' data on the darknet and has announced that any victim who does not contact them will have its data leaked, and that the group will not delete the files, keeping them for future use.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--0800acaf-14f9-bb59-7e04-4a6b5e764dae","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"exitium","description":"Exitium is a data extortion group first observed in early 2026, operating a Tor-based double extortion site and targeting victims via bulk data exfiltration followed by public naming-and-shaming, with known victims including a Brazilian agro-industrial firm and a US county appraisal district.","labels":["ransomware"],"first_seen":"2026-03-17"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8d30d455-ca80-0085-151b-836d0827b697","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"exorcist","description":"According to PCrisk, Exorcist is a ransomware-type malicious program. Systems infected with this malware experience data encryption and users receive ransom demands for decryption. During the encryption process, all compromised files are appended with an extension consisting of a random string of characters. For example, a file originally named \"1.jpg\" could appear as something similar to \"1.jpg.rnyZoV\" following encryption. After this process is complete, Exorcist ransomware changes the desktop wallpaper and drops HTML applications - \"[random-string]-decrypt.hta\" (e.g. \"rnyZoV-decrypt.hta\") - into affected folders. 
These files contain identical ransom messages.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--66440293-2434-df0a-7ea6-4d5313002b06","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"fletchen","description":"Fletchen is primarily documented as a sophisticated infostealer-as-a-service written in Rust, targeting browser credentials, cryptocurrency wallets, and financial data, used by groups including Hunters International; its developer also advertises ransomware services on underground forums.","labels":["ransomware"],"first_seen":"2026-01-03"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--dbf311a7-4b2e-9164-9f37-76eef4368c9c","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"flocker","description":"Flocker (also linked to the FSociety brand) is a ransomware-as-a-service group active since 2023–2024, targeting Windows and Linux systems via phishing, compromised RDP, and exploit kits using a double extortion model, and observed collaborating with FunkSec.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b0421654-6057-e865-9fec-dec71043ffe7","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"fog","description":"Fog, which uses the .flocked extension for encrypted files, was first observed in May 2024 in campaigns by Storm-0844, a threat actor known for distributing Akira. 
By June, Storm-0844 was deploying Fog more than Akira.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b45df01c-f1ae-a7fa-d1c5-8d82c8fc7030","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"frag","description":"Frag is a ransomware group that emerged in late 2024, exploiting a critical Veeam Backup & Replication vulnerability (CVE-2024-40711) to compromise targets in industrial sectors, with blockchain analysis linking it to a shared wallet cluster with the Akira group.","labels":["ransomware"],"first_seen":"2025-03-24"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ffadb67e-f287-a4f2-f63f-999a3c7d0804","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"freecivilian","description":"FreeCivilian is a data extortion group with suspected ties to Russian GRU military intelligence, known for targeting Ukrainian government websites — including sites offering surrender guidance to Russian troops — blending cybercrime with apparent state-aligned political objectives.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4a8325d0-0b79-5bf0-3c6e-9ed3048f5082","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"fsteam","description":"New possible leak site posted to a forum on November 20th, 2022, no victims at present. 
Unclear whether it is for a ransomware or an extortion group.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--f9024ba5-38a6-2eb9-8a95-c3f4678a9621","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"fulcrumsec","description":"FulcrumSec is a data extortion group active since approximately September 2025, specializing in high-speed exfiltration of cloud-hosted databases by exploiting unrotated API keys and misconfigured cloud permissions rather than deploying encryption, with known victims including Australian fintech youX and LexisNexis.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c6cbe9cc-da00-a1df-9720-c7603edd5452","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"funksec","description":"FunkSec is an AI-assisted ransomware-as-a-service group that launched its data leak site in December 2024 and rapidly claimed over 85 victims across government, technology, finance, and education sectors globally, demanding unusually low ransoms and using AI tooling to lower the technical bar for affiliates.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--e7b1997a-c14e-cc61-16ad-1dca5b13d15d","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"GDLockerSec","description":"Our team members are from different countries and we are not interested in anything else, we are only interested in dollars. We do not allow CIS, Cuba, North Korea and China to be targeted. Re-attacks are not allowed for target companies that have already made payments. 
We do not allow non-profit hospitals and some non-profit organizations to be targeted.","labels":["ransomware"],"first_seen":"2025-01-24"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--e53d17e7-540d-8488-a8fb-23e28c96885e","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"gdlockrsec","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--aeebad4a-796f-cc2e-15dc-4c6061b45ed9","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"genesis","description":"Genesis is an emerging ransomware group first observed in late 2025, targeting small to mid-sized US organizations across healthcare, retail, financial services, legal, and manufacturing using double-extortion tactics, focusing heavily on data exfiltration and public leaking.","labels":["ransomware"],"first_seen":"2025-10-21"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c9af3fe4-80a2-bfba-d299-408d0be6ad5a","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"ghostsec","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8001c274-3965-0c5c-5a6b-4ed94163b5dd","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"global","description":"GLOBAL GROUP is a ransomware-as-a-service operation that emerged in June 2025, reportedly launched by a known Russian-speaking threat actor, featuring AI-driven ransom negotiation and a mobile control panel for affiliates, targeting healthcare, oil and gas, industrial engineering, and automotive sectors.","labels":["ransomware"],"first_seen":"2025-06-04"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--63145a8f-b4f0-d932-4290-64a38b6a17e1","created":"2026-05-27T11:58:17.916Z","modified":"2026-05-27T11:58:17.916Z","name":"grief","description":"Grief (also known as Pay OR Grief) is the 2021 rebrand of DoppelPaymer, a ransomware family 
that encrypts user data and then demands a ransom to restore the original files. It is recognizable by its trademark file extension added to encrypted files: .doppeled. It also creates a note file named \".how2decrypt.txt\".","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--82ee927c-6149-09da-41de-a17617a8d493","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"groove","description":"Groove emerged in mid-2021 as a loose criminal collective linked to former Babuk gang members, known for publicly leaking Fortinet VPN credentials to attract affiliates and calling for attacks on US government and financial targets; the group later claimed its entire operation was a hoax to mislead security researchers.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4af78720-3a4b-1049-66d7-7fb310442625","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"gunra","description":"Gunra is a financially motivated ransomware group that emerged in April 2025, using double-extortion tactics against real estate, pharmaceuticals, and manufacturing sectors across Japan, Egypt, Panama, Italy, and Argentina, deploying separate Windows and Linux variants with a strict five-day payment deadline.","labels":["ransomware"],"first_seen":"2025-04-23"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--915320df-dd5b-3b49-a99b-c9d67d33458b","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"hades","description":"According to PCrisk, Hades Locker is an updated version of WildFire Locker ransomware that infiltrates systems and encrypts a variety of data types using AES encryption. 
Hades Locker appends the names of encrypted files with the .~HL[5_random_characters] (first 5 characters of encryption password) extension.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4da7cfb5-29a4-899d-5c6f-e069184304a7","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"handala","description":"Not a Ransomware Group","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--65e130bf-b11b-c85d-3c70-f94d1193e6a7","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"haron","description":"Haron appeared in July 2021 as a ransomware-as-a-service operation heavily borrowing from the defunct Avaddon ransomware (copying ransom notes and leak site structure) and built on the Thanos ransomware builder, targeting enterprise organizations with a six-day negotiation window.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--985f077c-d1bf-ec66-babc-9a0b7649b863","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"hellcat","description":"HellCat is a ransomware-as-a-service group that formed in Q4 2024 and quickly became notable for high-profile attacks against Schneider Electric, Telefónica, and Israel's Knesset, primarily gaining initial access via stolen Jira credentials harvested by infostealer malware, targeting critical infrastructure and government entities.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--cc75c3ab-3875-24c7-8606-37da51abf19a","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"helldown","description":"Helldown is an aggressive ransomware group first documented in August 2024, known for exploiting Zyxel firewall vulnerabilities to gain initial access and conducting large-scale data exfiltration averaging 70 
GB per victim, targeting IT services, telecommunications, manufacturing, and healthcare primarily in the US.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--e87ebe47-b784-770b-dd96-6494521eb46c","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"hellogookie","description":"HelloGookie is a rebrand of the HelloKitty ransomware group announced in April 2024, releasing previously stolen data from CD Projekt Red and Cisco; HelloKitty/HelloGookie has been active since 2020 with its highest-profile attack being the 2021 breach of CD Projekt Red.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8e5b57b7-b620-900e-13dd-84aae2390dea","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"hellokitty","description":"Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--7640da40-2982-86a6-e462-d5a80f1c608b","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"hive","description":"Hive is a strain of ransomware that was first discovered in June 2021. 
Hive was operated as a ransomware-as-a-service offering, enabling less skilled cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe.\nIn 2022 the codebase was ported from Go to Rust.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c8f85353-ff19-da55-067a-0c820d5e2e60","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"holyghost","description":"HolyGhost (tracked by Microsoft as DEV-0530) is a North Korean state-linked ransomware group active since June 2021, associated with the Andariel threat group, targeting small to mid-sized businesses in financial services, manufacturing, education, and entertainment globally.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4f60a034-ba8a-02cf-7fb2-41b94863dc74","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"hotarus","description":"Hotarus Corp is a ransomware group that came to attention in early 2021 after attacking Ecuador's Ministry of Finance and Banco Pichincha — the country's largest private bank — deploying PHP-based ransomware and claiming to have stolen tens of millions of customer records.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b673ae0c-e9b6-b218-6f78-8bcc726ca3d4","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"hunters","description":"In mid-October 2023, roughly nine months after the January 2023 FBI/Europol takedown of Hive's infrastructure, the source code of the Hive ransomware was reportedly sold, along with its website and older versions developed in Go and C (although this sale has only been reported by the actors themselves, without concrete evidence). 
The buyer of this new source code was the group Hunters International, who claimed to have fixed the bugs in the Ransomware Hive that were responsible for preventing file decryption in some cases. The group also stated that file encryption would not be their primary focus; instead, they would use data theft as a method to pressure victims during extortion attempts.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--66d58438-3aaa-9c32-15c8-3dbfd76dcb4a","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"Icarus","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--034f91e7-5371-afc7-eea9-36683d9ccee6","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"icefire","description":"IceFire is a ransomware group first observed in 2022 that expanded to Linux in early 2023 by exploiting a vulnerability in IBM Aspera Faspex (CVE-2022-47986), targeting media and entertainment organizations in Turkey, Iran, Pakistan, and the UAE using double-extortion tactics.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--7af48120-2446-4f0a-02ca-4e5788bed150","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"IMNCrew","description":"IMN Crew is a data extortion and ransomware group that emerged in late March 2025, primarily targeting financial services organizations in the US, Croatia, and Indonesia by exploiting exposed perimeter services such as firewalls and VPNs, claiming at least five victims.","labels":["ransomware"],"first_seen":"2025-05-05"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--efc8d72d-e2c5-32ef-980c-0179d67e0835","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"incransom","description":"INC Ransom is a prolific ransomware-as-a-service operation 
active since July 2023 that systematically targets healthcare, government, education, and manufacturing sectors in North America and Europe, having posted over 200 victims in 2025 alone with no sector off-limits.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8ea748b0-9b11-7e6c-c691-9083ae680887","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"insane","description":"Insane is a short-lived ransomware group that briefly surfaced in early 2024, claiming a single victim in Thailand before going quiet, with minimal documented activity or technical details available.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--75eb93fd-0de5-cc35-4658-5e9604f9ecac","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"insomnia","description":"Insomnia is a data-theft and extortion group that emerged in October 2025, targeting primarily US-based healthcare organizations — stealing patient files and threatening public exposure rather than encrypting files — and avoiding former Soviet states, consistent with Russian-speaking cybercrime norms.","labels":["ransomware"],"first_seen":"2026-02-07"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--6e749f0d-99c7-7cfc-aceb-6a549932a3ca","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"interlock","description":"Interlock is a ransomware group first observed in September 2024 that targets critical infrastructure sectors including healthcare, government, education, and technology across North America and Europe using double-extortion, with 57+ claimed victims including a major US dialysis provider exposing over two million patient 
records.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--189f4003-4be7-a199-f1fa-9891668ee3ab","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"j","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--6da43b94-4e49-4e88-5e69-af021f93c6d9","created":"2026-05-27T11:58:17.917Z","modified":"2026-05-27T11:58:17.917Z","name":"J","description":"J is an emerging ransomware group that launched its leak site in May 2025, claiming over 41 victims by late 2025 including FAI Aviation Group (Germany), operating primarily as a leak-site-centric extortion identity with limited public technical analysis.","labels":["ransomware"],"first_seen":"2025-05-02"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--752115f4-5427-e30c-2306-03d78fa1bf56","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"kairos","description":"Kairos is a data extortion group active since late 2024 that focuses solely on data theft with no encryption, primarily targeting small-to-mid-sized organizations in healthcare, manufacturing, and business services in the US, purchasing initial access from brokers and demanding Bitcoin payments.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--a6ad4d1e-4c93-fe5a-5868-168cad8fbb06","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"karakurt","description":"Karakurt is a pure data-extortion group (no encryption) assessed with high confidence to be the extortion arm of the Conti ransomware group, active from 2021, that steals data and threatens to auction or publish it unless ransoms ranging from $25,000 to $13 million are 
paid.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--6d4b9ee6-2028-b809-8198-8484e790bac1","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"karma","description":"Karma is a ransomware group first observed in mid-2021, part of a lineage tracing back through Nefilim and FiveHands, operating double-extortion attacks against enterprises in healthcare, manufacturing, and technology; the group was managed by threat actor \"farnetwork\" who ran multiple RaaS programs across related strains.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--0747f186-425c-0f47-0b2c-8a8b79ce5af2","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"kawa4096","description":"Kawa4096 is a ransomware group that emerged in June 2025, targeting multinational corporations across finance, education, and services sectors primarily in the US and Japan, using partial-encryption (25% of each file chunk) with Salsa20 and a leak site styled after Akira's retro terminal aesthetic, claiming at least 11 victims.","labels":["ransomware"],"first_seen":"2025-06-27"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--25c3a42a-a9a5-58d9-3211-d0d44f260352","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"kazu","description":"Kazu is an emerging ransomware group active since September 2025 that employs double-extortion tactics, targeting government, healthcare, and financial organizations primarily in Southeast Asia, the Middle East, and Latin America, with notable claimed breaches including Dubai's Ports, Customs and Free Zone Corporation with 1.94 TB 
exfiltrated.","labels":["ransomware"],"first_seen":"2025-11-11"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--43354805-f9df-b9cd-1f9a-cca6da64012a","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"kelvinsecurity","description":"KelvinSecurity is a financially motivated hacking group active since at least 2015, primarily engaged in stealing and selling databases from telecommunications, healthcare, and political organizations worldwide, with notable breaches including Vodafone Italia and Frost & Sullivan; the group's leader was arrested by Spanish police.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3d2d81df-73c3-5e32-3aa3-09b54b3d95ac","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"killsec","description":"KillSec originated as a hacktivist group aligned with the Anonymous movement before pivoting to ransomware operations in October 2023, officially launching a RaaS platform in June 2024 with an affiliate-friendly 88% revenue split, primarily targeting healthcare, financial services, and government sectors with over 250 documented victims as of late 2025.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8614b701-c590-34a7-19d9-4b0168c085cc","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"kittykatkrew","description":"KittyKatKrew is a newly emerged ransomware group first identified in early 2026, using both direct and double-extortion methods against US targets including the Arkansas State Crime Laboratory, operating under the alias KKK with Telegram and X/Twitter communication 
channels.","labels":["ransomware"],"first_seen":"2026-02-19"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ce1d801d-152d-b837-c0fc-85ec31d69aba","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"knight","description":"[Cyclops](group/cyclops) rebrand","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--686d22d6-95e2-c211-66a8-9498a3a3f198","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"kraken","description":"Kraken is a Russian-speaking ransomware group that emerged in February 2025, believed to have links to the HelloKitty operation, employing a RaaS model notable for a benchmarking step that measures victim machine speed to optimize encryption, and in September 2025 launched an underground criminal forum called \"The Last Haven Board.\"","labels":["ransomware"],"first_seen":"2025-02-09"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--a05f8227-e352-4183-516d-693727c3ba10","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"krybit","description":"Krybit is an emerging RaaS group that launched in late March 2026, offering affiliates an 80/20 revenue split with support for Windows, Linux, ESXi, and NAS device encryption, and became notable for a public feud with rival group 0APT in which each breached and leaked the other's operator data.","labels":["ransomware"],"first_seen":"2026-04-03"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--44989b95-59a6-1ef8-145e-1f1fd0c5e3c5","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"kryptos","description":"Kryptos is a small ransomware group first observed in October 2025, conducting simultaneous attacks across North America and Oceania on its debut day with a focus on professional, technical, and legal service sectors, with only 3 known documented 
victims.","labels":["ransomware"],"first_seen":"2025-10-08"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--126f8849-a6a6-cd9d-9742-3561e37b39e8","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"kyber","description":"Kyber is a recently identified ransomware group using sophisticated hybrid encryption (AES-256-CTR with X25519 and Kyber1024), operating Tor-based communication channels and employing double-extortion with free partial decryption offered to build negotiation trust, discovered through underground forum monitoring in 2025.","labels":["ransomware"],"first_seen":"2025-10-08"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--7cd072be-9550-f756-6ecd-4722f4e256b4","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"la_piovra","description":"ℹ️ La Piovra Ransomware is a training exercise run by the company Offensive Security (also known as OffSec), not a real-world threat actor.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--196b099f-b491-89de-c12d-cb7d58b36f1a","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"lamashtu","description":"Lamashtu is an extortion group that first appeared in April 2026, claiming attacks against organizations in France, Romania, and Thailand across energy, pharmaceutical, and film sectors; it has not yet been confirmed as operating actual file-encrypting ransomware rather than pure data-theft extortion.","labels":["ransomware"],"first_seen":"2026-04-13"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c1580987-7701-5389-a22c-a07ed7bea924","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"lapsus$","description":"Lapsus$ is an internationally composed data extortion group most active from mid-2021 through 2022, executing high-profile breaches against Microsoft, Nvidia, Samsung, Okta, and Uber by stealing source code and threatening leaks 
rather than encrypting files; several members — predominantly teenagers — were arrested in the UK.","labels":["ransomware"],"first_seen":"2026-03-01"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--efcedba5-7797-7abe-9c0a-8a654d72aefe","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"LeakBazaar","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--2cf7c9b9-43fe-55f2-df8f-e10fbf262a47","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"leaktheanalyst","description":"LeakTheAnalyst is a data-theft extortion group that operates a dark web leak site with approximately 20 claimed victims, notable for a 2017 operation targeting a Mandiant security researcher; the group focuses on stealing and publishing sensitive corporate data rather than deploying file-encrypting ransomware.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--e3677635-d58f-f95e-3ad5-15835ec8225c","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"lilith","description":"Lilith is a C/C++-based double-extortion ransomware that emerged in July 2022, targeting 64-bit Windows systems and sharing code with the Babuk ransomware family, with its first confirmed victim being a large South American construction firm.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--75c4db47-870e-bbde-373b-bdc389e4e39a","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"linkc","description":"Linkc is a ransomware group first observed in February 2025, operating a Tor-based data leak site and targeting US-based AI, cloud, aerospace, and manufacturing companies — including H2O.ai — demanding ransoms as high as $15 million using double-extortion 
tactics.","labels":["ransomware"],"first_seen":"2025-02-19"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--9499dbf4-3729-2337-f3ad-e8e5afbf7c73","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"lockbit","description":"LockBit is one of the most prolific ransomware groups in history, operating as a full RaaS platform that at its peak accounted for an estimated 44% of all ransomware incidents globally in 2023, targeting virtually every sector worldwide through an affiliate model where developers maintain infrastructure and affiliates conduct intrusions.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c8b46dd2-b64c-1072-7d6e-7f4e68d473c0","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"lockbit2","description":"LockBit 2.0 is the second major iteration of the LockBit RaaS platform, launched in mid-2021, introducing automated domain-wide encryption via Active Directory Group Policy and claiming the fastest encryption speed among ransomware families, accounting for 46% of ransomware breach events in early 2022.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b018e2e5-a7a7-8768-61c1-26d8ec6aafe1","created":"2026-05-27T11:58:17.918Z","modified":"2026-05-27T11:58:17.918Z","name":"lockbit3","description":"LockBit, also recognized as LockBit Black or Lockbit 3.0, is one of the largest Ransomware Groups in the world and has orchestrated extensive cyberattacks across various industries, impacting thousands of organizations globally with its relentless and adaptive strategies.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--aae4e1fc-a852-026c-fbdd-a337a27737e5","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"lockbit3_fs","description":"LockBit 3.0 (\"LockBit Black\"), active since 
June 2022, is the third iteration of the LockBit RaaS platform incorporating code from BlackMatter ransomware, featuring modular encrypted payloads that evade analysis and targeting Windows and VMware ESXi environments across all sectors globally.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3fb6eaab-2668-c353-6d04-eef1784c4632","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"lockbit5","description":"LockBit 5.0 (\"ChuongDong\") emerged in September 2025 as the group's resurgence following the February 2024 law enforcement takedown, introducing cross-platform payloads targeting Windows, Linux, and VMware ESXi with enhanced evasion capabilities and continuing the RaaS affiliate model of its predecessors.","labels":["ransomware"],"first_seen":"2025-12-04"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--13df9705-4f70-e80f-70e9-c0f96fd1fbea","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"lockdata","description":"LockData Auction is a dark web marketplace that emerged around May 2021 operating an invite-only stolen data auction portal, representing a shift toward pure data-theft extortion with auctions for stolen corporate data starting from $50,000, rather than a traditional ransomware encryptor operation.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8e80f9ae-f21f-6940-edfc-71b07ea9ee24","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"Loki","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--a90c9cbf-6890-484b-6682-08df6f81b123","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"lolnek","description":"Lolnek (also known as Lolkek/GlobeImposter) is a commodity ransomware strain primarily targeting small and medium-sized 
businesses with relatively low ransom demands, associated with the TZW ransomware family, and unsophisticated compared to major RaaS operations with no formal affiliate program.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--538d9e5a-b0ff-369b-8b56-51fb2d5b20ab","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"lorenz","description":"Tesorion describes Lorenz as a ransomware with design and implementation flaws, making decryption impossible even with the tools provided by the attackers. A free decryptor for 2021 versions was made available via the NoMoreRansom initiative. A new version of the malware was discovered in March 2022, for which a free decryptor was again provided, while the ransomware operators are not able to provide tools to decrypt affected files.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--d0f92c67-0184-6325-dd85-0a56d9d5ca10","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"losttrust","description":"LostTrust is a double-extortion ransomware operation that emerged in March 2023 and publicized over 50 victims within days of launching its leak site in September 2023, believed to be a rebrand of the MetaEncryptor gang, primarily targeting manufacturing, professional services, construction, and education sectors with 71% of known victims in the US.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ee1d3758-486e-140f-c454-142a135dff6d","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"lunalock","description":"LunaLock emerged in September 2025 targeting creative and digital platforms, notably breaching an illustrator marketplace and a Mexican ISP, and is notable for threatening to submit stolen artwork to AI companies for training if the ransom is not 
paid.","labels":["ransomware"],"first_seen":"2025-09-02"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--626cf6d4-f7ea-4f20-b105-43c5ee35f352","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"lv","description":"LV ransomware group's main message: \"Here are companies which didn't meet consumer data protection obligations. They rejected to fix their mistakes, they rejected to protect this data in the case when they could and had to protect it. These companies preferred to sell their private information, their employees' and customers' personal data\". Security researchers claim that the LV group is utilizing the REvil ransomware group malware. The LV group claims to have compromised the corporate network of Groupe Reorev.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--7c180e3e-3bee-93dd-e4c2-8a4999b4cc36","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"lynx","description":"Lynx is a ransomware-as-a-service operation that emerged in mid-2024 as a rebrand of INC Ransomware (whose source code was sold for $300,000 on the RAMP forum), claiming ~300 victims across manufacturing, business services, technology, and transportation with an 80/20 profit split for affiliates.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5ffb7426-a40a-1038-4dfa-f89148dbbdc5","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"m3rx","description":"M3rx is a small ransomware group first observed in 2025, using AES-CTR/AES-GCM encryption and targeting organizations in England, the US, Australia, Germany, Italy, and Switzerland, with around eight claimed victims including a Sydney-based property 
firm.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--504fbd43-409b-1434-92f7-4263312add70","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"madcat","description":"MadCat is a suspected fraudulent ransomware operation that surfaced briefly in late 2023, apparently linked to scammers targeting other criminals on the dark web with fake stolen passport offers; its leak site appeared dead shortly after announcement, casting doubt on whether it ever operated as a genuine ransomware group.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4cc2b4f1-ef7e-ce00-9588-66caa0c86df1","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"madliberator","description":"MadLiberator is a ransomware group that emerged in mid-2024, known for erratic behavior including randomized ransom demands and unpredictable encryption patterns, targeting government entities including the Italian Ministry of Culture and using a data leak site to post exfiltrated files.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--96f6f0ec-8ec0-ead5-05ac-acec7c1cc5f3","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"malas","description":"Malas is a lesser-documented ransomware group that maintains an active dark web presence; detailed information about its targets, victims, or operational model is limited in public reporting.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--e065804a-1cb0-6fd2-9334-e4e7a6a5a8c7","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"malekteam","description":"Malek Team is an Iranian-linked threat actor that emerged on October 8, 2023 (the day after the Hamas attack on Israel), believed to be tied to Iranian military 
intelligence, primarily targeting Israeli organizations using data exfiltration and extortion, with notable attacks on Ziv Medical Center and Ono Academic College.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c4270197-8ba9-c1b7-7241-46a306342a51","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"mallox","description":"This ransomware uses a combination of different crypto algorithms (ChaCha20, AES-128, Curve25519). The activity of this malware dates to mid-June 2021. The extension of the encrypted files is set to the name of the compromised company: .<target_company>","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--297b4687-414d-1253-6a97-18ba615d9010","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"mamona","description":"Mamona was a short-lived ransomware rebrand attempted by the operator behind BlackLock RaaS in March 2025 that failed before reverting; as a standalone strain it operates entirely offline with no C2 communication, uses custom encryption, and targets Windows systems.","labels":["ransomware"],"first_seen":"2025-03-12"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--31c1484c-3f7c-2f13-9b6b-14d7543adcc4","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"marketo","description":"Marketo, launched in April 2021, is a data-theft extortion marketplace that steals and sells data to third parties or back to victims without encrypting files, applying aggressive pressure by emailing victims' competitors with sample data packs.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--0d0e4387-4f1d-4aa9-486c-f2ada9c4c57f","created":"2026-05-27T11:58:17.919Z","modified":"2026-05-27T11:58:17.919Z","name":"maze","description":"Maze ransomware group is one of the most known ransomware 
gangs; it targeted organizations worldwide across many industries. Security researchers believed that Maze operated on an affiliate network model. MAZE was one of the first groups to carry out a 'Double Extortion Attack': in November 2019, in the attack involving Allied Universal, the group leaked its victim's data in the darknet. On November 1, 2020, MAZE announced in an official press release that it was closing its operation. Security researchers claim that the threat actor behind the MAZE group is 'TA2101'.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--6b34aac7-5fa8-f22f-4f29-008ad3ca9b69","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"mbc","description":"MBC is a very obscure ransomware group with minimal public documentation and no significant threat intelligence reports available from mainstream security vendors.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--823e2914-31cf-f346-861d-254b6919a7f8","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"medusa","description":"Medusa is a ransomware-as-a-service operation active since June 2021 that has targeted over 300 victims across critical infrastructure sectors including healthcare, education, legal, and manufacturing using double-extortion, with attacks surging 42% between 2023 and 2024 and a formal CISA advisory issued in early 2025.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8e0867d9-406e-46cd-c27a-0279430015a0","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"medusalocker","description":"Medusa is a DDoS bot written in .NET 2.0. 
In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--404cdd7b-c109-c432-f8cc-2443b45bcfe9","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"meow","description":"Meow emerged in 2022 (resurfacing aggressively in 2024), initially operating as a RaaS using the Conti v2 codebase before transitioning to a data-extortion-only model — selling stolen data rather than encrypting files — with a heavy focus on US healthcare and medical research organizations.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ed52f828-633b-cb69-585c-a941e0b72363","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"metaencryptor","description":"MetaEncryptor is a ransomware group first observed in mid-2023, targeting medium-to-large enterprises in legal, technology, logistics, manufacturing, and finance sectors primarily in the UK, Europe, and Southeast Asia, using AES-256/RSA-2048 encryption and double extortion.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3a9023d5-efaf-19c2-ef7d-8f82da962a6a","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"midas","description":"This malware, written in C#, is a variant of the Thanos ransomware family; it emerged in October 2021 and is obfuscated using SmartAssembly. In 2022, ThreatLabz analysed a case in which Midas ransomware was slowly deployed over a two-month period (ZScaler). 
This ransomware also features its own data leak site as part of its double extortion strategy.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b63fa583-c0e2-6770-dae7-2f761ef4cfe9","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"mindware","description":"Ransomware, potential rebranding of win.sfile.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--6f7cbc07-035d-cdbd-1ce3-b16fab53a3e8","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"minteye","description":"MintEye is a ransomware group with concentrated activity in North America, targeting professional services, construction, engineering, architecture, and logistics sectors, with victims documented in the US and Chile; limited public technical analysis is available.","labels":["ransomware"],"first_seen":"2025-12-12"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--7bb574c7-1fcd-8536-553d-ccd11611072c","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"mnt6","description":"MNT6 is a lower-profile ransomware group claiming victims across legal, manufacturing, construction, healthcare, and logistics sectors in the US, Canada, New Zealand, and Spain, with notable claimed targets including Silfab Solar; some victim listings have been flagged as potentially unverified.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--9a9287d0-275b-7764-3b79-23cb6a7882b6","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"mogilevich","description":"Mogilevich appeared in February 2024, rapidly claiming high-profile breaches of Epic Games, DJI, Shein, and Kick.com, but was quickly exposed as a fraud — the group's operator admitted they were \"professional fraudsters\" who sold fake breach data and access to a 
non-existent RaaS panel.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--6c6a5b04-31f3-d14c-0bdc-ecda544b198c","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"moneymessage","description":"Money Message emerged in March 2023 targeting Windows and Linux systems across banking, transportation, and professional services sectors, demanding ransoms in the millions and publishing stolen data on their blog if unpaid, with most known victims based in the US.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--51f6725e-83e7-4f04-ae12-ac94c1b8a04d","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"monti","description":"Monti is a ransomware group first observed in June 2022 that initially copied nearly all of Conti's leaked source code, pivoting to target government, legal, and healthcare entities, later releasing a new Linux variant in 2023 with significantly less Conti code similarity, and experimenting with an affiliate model.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c1a1e4aa-1037-bae1-586d-8d1fd01b472e","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"morpheus","description":"Morpheus emerged in late 2024 as a semi-private RaaS operation whose affiliates share identical payloads with the HellCat ransomware group, targeting pharmaceutical, manufacturing, legal, and Italian ESXi environments with ransom demands reaching up to 32 BTC (~$3M USD).","labels":["ransomware"],"first_seen":"2025-01-07"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--eacb09af-b23b-9176-4f47-16efab76fe91","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"mosesstaff","description":"Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in 
October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--93f8545a-dc70-befb-2b61-a1d194895ebf","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"mountlocker","description":"MountLocker operated as a ransomware-as-a-service from July 2020, using a standard developer/affiliate revenue split and leveraging compromised RDP credentials for initial access, propagating laterally via Windows Active Directory APIs and targeting over 2,600 file extensions.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3bbda6e1-8782-0635-2bdf-21da51957929","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"ms13089","description":"MS13089 is a newly emerged ransomware group (first observed December 2025) that named itself after a 2013 Microsoft Security Bulletin, claiming a handful of victims including a law firm, operating primarily as a double-extortion actor.","labels":["ransomware"],"first_seen":"2025-12-18"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--83effb15-1c56-0d3d-111f-69ff85b21a28","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"mydecryptor","description":"MyDecryptor is a low-profile ransomware group with minimal public documentation, appearing on ransomware tracking platforms but not the subject of major threat intelligence reporting, suggesting it is a small or relatively inactive operation.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--79eb0fe7-a261-1266-2125-844251547fea","created":"2026-05-27T11:58:17.920Z","modified":"2026-05-27T11:58:17.920Z","name":"n3tworm","description":"N3tw0rm ransomware group is linked to Iran by many security researchers especially for the fact that the 
group targets only Israeli companies. Like other ransomware groups, N3tw0rm has a data leak site in the darknet. Due to the low ransom price the group requested and its lack of response to negotiations, some security researchers believe that the N3tw0rm group's main goal is to sow chaos for Israeli interests rather than to make a profit.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5c081f83-047e-4d06-25f4-ab06c601ca2e","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"nasirsecurity","description":"Nasir Security is a pro-Iranian threat actor that emerged around October 2025, primarily targeting energy sector organizations in the Middle East (UAE, Oman, Saudi Arabia, Iraq) and Israeli IT supply chain firms, using spear-phishing, BEC, and exploitation of public-facing applications.","labels":["ransomware"],"first_seen":"2025-10-11"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--482b45e5-4fdb-1644-cc75-ff0d8b19df93","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"nefilim","description":"According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is the removal of the RaaS component, which was switched to email communications for payments. Uses AES-128, which is then protected with RSA-2048.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--840bfa3c-6d86-e795-ac8a-8a1efffad5e6","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"nemty","description":"Nemty is a ransomware that was discovered in September 2019. 
Fortinet states that they found it being distributed in similar ways to Sodinokibi and also noted artifacts they had seen before in GandCrab.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--48455108-5975-c1db-796e-fa2c173b3b39","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"netrunner","description":"NetRunner is a ransomware group active from at least 2025 targeting diverse sectors including healthcare, telecommunications, manufacturing, and agriculture across Japan, Italy, the US, and Jordan, notably demanding a $100M ransom from Nippon Medical School Musashi Kosugi Hospital.","labels":["ransomware"],"first_seen":"2026-04-03"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--60cec870-e2ae-3412-f2fb-f30cef1d1f48","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"netwalker","description":"The NetWalker ransomware group is operated by the threat actor known as \"CIRCUS SPIDER\". The NetWalker ransomware was discovered in 2019. The group mainly targets the Asia Pacific region but can attack globally. The group uses common attack tools like Mimikatz and other legitimate tools (LOLBINS) like PSTools, AnyDesk, TeamViewer, NLBrute, and more. The group is known for targeting the healthcare sector. 
Finally, in January 2021, NetWalker was taken down by the authorities: police confiscated hundreds of thousands of dollars in ransom payments collected by the NetWalker group, seized servers, and disrupted the infrastructure and the darknet websites of the NetWalker ransomware group.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--00e51906-df65-1a7e-e922-446590f487cf","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"nevada","description":"Nevada Ransomware is a RaaS operation written in Rust that emerged on the RAMP dark web forum in late 2022, offering affiliates favorable revenue splits (85/15 or 90/10) and conducting opportunistic mass attacks against a wide range of industries worldwide.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--19d0c892-9cb6-2d9d-3f4c-3c6c631b03cd","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"nightsky","description":"Night Sky is a China-nexus ransomware group (attributed to the \"Emperor Dragonfly\" cluster) that emerged in late 2021, gaining notoriety in early 2022 by exploiting the Log4Shell vulnerability (CVE-2021-44228) to target corporate networks across healthcare, finance, government, and manufacturing using multi-extortion tactics.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--dc7873d2-1097-f85c-6a7a-4b613a63428c","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"nightspire","description":"NightSpire is a ransomware group that first emerged in March 2025 and rapidly claimed over 250 victims across retail, manufacturing, healthcare, finance, and education sectors in the US, France, India, Taiwan, and Japan, using aggressive double-extortion with ransom deadlines as short as two 
days.","labels":["ransomware"],"first_seen":"2025-03-12"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--9159e7f1-70d8-ac61-900d-a4485a05f8fa","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"nitrogen","description":"Nitrogen began as a malware loader in 2023 used to deliver BlackCat/ALPHV ransomware, then evolved into a fully independent ransomware operator by mid-2024, operating its own strain derived from leaked Conti 2 builder code and conducting double-extortion attacks primarily linked to Eastern European infrastructure.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--fbe5481c-778f-904a-aa9c-b39da4d88d3a","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"noescape","description":"NoEscape was a RaaS operation active from May to December 2023 believed to be a rebrand of the defunct Avaddon ransomware, targeting professional services, manufacturing, and healthcare with triple-extortion capabilities (encryption, data theft, and optional DDoS), before abruptly shutting down in an apparent exit scam.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ac5a11fd-acf0-fbbf-fdeb-9e735594ddb1","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"nokoyawa","description":"Nokoyawa is a double-extortion ransomware group that launched a RaaS program in 2022 (operated by threat actor \"farnetwork\"), primarily targeting businesses in South America across healthcare, financial services, government, and manufacturing, gaining significant attention in 2023 for exploiting a Windows CLFS zero-day 
(CVE-2023-28252).","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--014b5f09-a295-b8c2-500a-4c872d91fbf0","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"noname","description":"NoName (also known as CosmicBeetle) is a ransomware group active since at least 2020 targeting small and medium-sized businesses globally using its custom ScRansom tool, exploiting vulnerabilities like EternalBlue and ZeroLogon, and becoming a RansomHub affiliate to access that platform's RaaS infrastructure.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--19e05df6-b2e5-fb94-f3ee-7eed2c02d340","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"nova","description":"Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims' files and uses double-extortion tactics to pressure organizations into paying for decryption and data non-disclosure.","labels":["ransomware"],"first_seen":"2025-04-28"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--61d4945b-6a7f-3916-c5fd-aca44848cf91","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"obscura","description":"Obscura is a ransomware strain observed in 2025, written in Go and specifically targeting Windows domain controllers via the SYSVOL/NETLOGON share, using Curve25519 + XChaCha20 encryption with double-extortion tactics and a 10-day payment deadline.","labels":["ransomware"],"first_seen":"2025-09-05"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--6515b784-7841-fb11-4d41-7e9590ee6847","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"onepercent","description":"OnePercent Group is a cybercriminal operation active since at least November 2020 that targeted US organizations using phishing with IcedID trojans, Cobalt Strike, and double-extortion, 
threatening a \"one percent leak\" of data before escalating to a full dump or sale to REvil; the FBI issued a formal flash advisory in August 2021.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1c548326-4189-feef-d17a-23c6a2da7b2b","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"onyx","description":"Onyx is a ransomware group first observed in April 2022, based on the Chaos ransomware builder, that is notably destructive — files larger than 2MB are overwritten with random data rather than encrypted, making recovery impossible even after ransom payment — claiming approximately 13 victims across six countries.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--e0c92460-8fdc-da85-36bd-9cc86b0fce0a","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"orca","description":"Orca is a ransomware group that emerged in September 2024, identified as a variant of the Zeppelin malware family, targeting organizations in manufacturing and logistics across Taiwan, Tunisia, Austria, and France, claiming to avoid hospitals, government institutions, and non-profits.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--a9256178-86e8-799c-c5be-05aee17f9b70","created":"2026-05-27T11:58:17.921Z","modified":"2026-05-27T11:58:17.921Z","name":"orion","description":"Orion is a ransomware operation first observed in October 2025 that listed 13 alleged victims on a dark web leak site across financial services, manufacturing, and healthcare, though analysts determined its victim list was recycled from prior LockBit and BlackCat disclosures rather than fresh 
compromises.","labels":["ransomware"],"first_seen":"2026-01-14"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--d14b6c9e-eebd-d0d6-db62-dccd34678ab8","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"osiris","description":"Osiris is a ransomware-as-a-service operation first observed in November 2025 that uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint detection tools before deploying hybrid ECC + AES-128-CTR encryption; Symantec researchers linked its operators to former INC ransomware affiliates.","labels":["ransomware"],"first_seen":"2025-12-18"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5a7b2e91-9d9e-b13c-bcfc-daa0bda8bf6a","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"pandora","description":"Pandora ransomware was obtained by vx-underground on 2022-03-14.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1362780c-d2b8-868a-6baa-bf083729b95f","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"pay2key","description":"Pay2Key is ransomware that has been used by the threat actor Fox Kitten. The group appears to have operated since July 2020, targeting mainly Israeli companies. Pay2Key has a darknet leak site to publish stolen and sensitive information about their victims. 
Some of their victims: Intel - Habana Labs, IAI - Israel Aerospace Industries, Portnox - Network Security Solutions.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c30cd100-687c-5026-7789-3d8b5be70edb","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"Payday","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--239f59ed-55e7-37c7-7147-cf55ad0c1b03","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"payload","description":"Payload is a ransomware group that emerged in early 2026, using Babuk-derived source code targeting both Windows and ESXi systems with cross-platform double-extortion attacks against healthcare, energy, real estate, and agriculture sectors, claiming 12 victims across seven countries within hours of launching its leak site.","labels":["ransomware"],"first_seen":"2026-02-17"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--612c898a-9c92-011d-8185-4d2dd4df329a","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"payloadbin","description":"PayloadBIN is a ransomware strain deployed in 2021 by Evil Corp as a rebranding of their WastedLocker/Hades/Phoenix lineage, specifically designed to evade US Treasury OFAC sanctions by impersonating the unrelated Babuk gang's rebrand rather than operating as an independent group.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--24fbd48e-0644-7b26-597c-8bf577026bc3","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"payoutsking","description":"PayoutsKing is an active ransomware group observed through at least 2026 that has claimed attacks against a wide range of industries internationally — including Del Monte Foods and V. 
FRAAS — across the US, UK, Germany, and Ireland using standard double-extortion tactics.","labels":["ransomware"],"first_seen":"2025-07-07"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--97cfbe87-531a-be0c-6bac-7b21d616cb42","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"pear","description":"Pure Extraction And Ransom (PEAR) Team is the community of highly responsible and strictly disciplined members. We are a private team and have nothing common with any other threat actors. We've been monitoring this field for a long-long time. So, we understand all the processes and know well how it all works.","labels":["ransomware"],"first_seen":"2025-08-05"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--aba4cc9b-8af8-2df5-d4ef-aade764d6a77","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"play","description":"Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to other ransomwares, involving attacks such as Phishing, Exposed Services to the Internet, and Valid Account compromises.<br> <br> On April 19, 2023, the security company Symantec published two new tools developed by the Play group. These tools allow the malicious actor to enumerate and exfiltrate data from the internal network. The post mentions the following: 'Play threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Service. 
The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the information in .CSV files that are compressed into a .ZIP file for later manual exfiltration by threat actors.'Source: https://github.com/crocodyli/ThreatActors-TTPs","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--a78ae4b4-d2e8-c1e7-b6ef-20f163cc194f","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"playboy","description":"PlayBoy Locker is a ransomware-as-a-service operation that emerged in September 2024, targeting Windows, NAS, and ESXi systems across multiple sectors on an 85/15 affiliate revenue split; its source code was reportedly sold underground by late 2024.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c89f06d6-5f12-51c0-753a-837d021304de","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"PrinzEugen","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--30abf099-2030-c6ea-357b-6119b69a2739","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"projectrelic","description":"Project Relic emerged in mid-2022 as a Golang-based ransomware targeting Windows and Linux hosts, operating with a TOR-based data leak site and using double-extortion tactics, with operators dwelling in networks for days or weeks before encrypting.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--97b69380-edd2-b3df-c529-8b3481d1c2ad","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"prolock","description":"PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. 
According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1809f7cd-0c75-acf3-4f56-d8c19782b99c","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"prometheus","description":"Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--d4bc8a1e-7246-327c-6add-49dd820afacf","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"promptlock","description":"First known AI-powered ransomware. 
The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly","labels":["ransomware"],"first_seen":"2025-08-26"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3c2f0dbc-ec25-27af-004a-815d7058c995","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"pysa","description":"Mespinosa is a ransomware which encrypts file using an asymmetric encryption and adds .pysa as file extension. According to dissectingmalware the extension \"pysa\" is probably derived from the Zanzibari Coin with the same name.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--cc96d116-5a10-e943-a435-60cfe67fbd5c","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"qilin","description":"Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. 
Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--13c55631-37db-5121-5a1b-61d9a7a1c06a","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"qiulong","description":"Qiulong is a ransomware group that emerged around April 2024 primarily targeting Brazilian organizations using double extortion and unique tactics such as publishing identity documents of victims' family members to pressure payment.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8be4b20f-9e7c-f1fc-8510-ff929f125182","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"qlocker","description":"QLocker was a financially motivated ransomware operation active in 2021 that exclusively targeted QNAP NAS devices exposed to the internet, exploiting a hard-coded credentials vulnerability to compress files into password-protected 7-Zip archives and demanding roughly $400 per victim, netting approximately $350,000 in a single month.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8fb7cf7a-4699-5c95-da6a-d4cca750efb6","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"quantum","description":"Quantum ransomware, active from mid-2021 through 2022, was a rebrand of the MountLocker/AstroLocker/XingLocker lineage that operated as RaaS, known for extremely fast attack timelines (under four hours from initial access to encryption) and ransom demands ranging from $150,000 to multi-million 
dollars.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--cd3c59ee-daba-a12e-1e85-068bd687eb23","created":"2026-05-27T11:58:17.922Z","modified":"2026-05-27T11:58:17.922Z","name":"rabbithole","description":"RabbitHole is a low-profile ransomware group with limited publicly available threat intelligence, not appearing prominently in major threat intelligence reports, suggesting it operates at a small scale or under limited visibility.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ff2e963f-f6d0-c33a-ae94-a7f823b6e2bf","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"radar","description":"Radar (also known as Dispossessor), active since August 2023 and led by an actor called \"Brain,\" was a RaaS group targeting small-to-mid-sized businesses across healthcare, education, finance, and transportation in over 14 countries; it was dismantled by an FBI-led international operation in August 2024 that seized 24 servers and 9 criminal domains.","labels":["ransomware"],"first_seen":"2025-09-10"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--f7252b3b-6612-4954-aa44-ed7b6195a67e","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"radiant","description":"Radiant is a financially motivated ransomware group that emerged in September 2025, conducting double- and single-extortion attacks without affiliates, drawing widespread condemnation after attacking UK childcare provider Kido International and publishing photographs, names, and home addresses of over 8,000 children.","labels":["ransomware"],"first_seen":"2025-10-12"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--157da442-0198-d5ba-ee93-880d5d69582a","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ragnarlocker","description":"Ragnar Locker was an elite ransomware group active 
from December 2019 to October 2023 that targeted large enterprises and critical infrastructure — including Capcom and Campari — claiming at least 168 victims before being taken down by a Europol-led international law enforcement operation in October 2023.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ac3160b0-a933-ac03-d7fb-269baf8443e6","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ragnarok","description":"According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1bad0f96-e122-00a2-efb1-742109c29562","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ralord","description":"RALord is a ransomware group identified in March 2025 operating within the NOVA RaaS platform, targeting healthcare, education, hospitality, and IT sectors across multiple continents, using a Rust-based payload with an 85/15 affiliate revenue split; it later rebranded as \"Nova.\"","labels":["ransomware"],"first_seen":"2025-03-26"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--f7d9f5a9-0479-d632-8a55-34fdf3f28a19","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ramp","description":"RAMP (Russian Anonymous Marketplace) was a Russian-speaking dark web forum founded in 2021 that served as a central marketplace and recruitment hub for ransomware operators, affiliates, and initial access brokers — not a ransomware group itself but the backbone of the RaaS ecosystem; it was seized by 
the FBI in January 2026.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--138f6dd1-3b2a-f60d-2e0b-9da946882665","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"rancoz","description":"Rancoz is a Windows-targeting ransomware strain first observed in November 2022 that appends the \".rec_rans\" extension to encrypted files, considered a Vice Society copycat, deployed against a small number of organizations using double extortion and linked to the same developer as the \"Buddy\" ransomware.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5343b5d5-f613-6d43-b462-7a6b7ea9291c","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ranion","description":"Ranion is a ransomware-as-a-service operation first observed in April 2017 that offers a low-barrier, pay-upfront model where affiliates keep 100% of ransom payments, with packages ranging from $150 to $1,900, making it a popular entry point for less experienced attackers.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--30c31737-05a3-5f25-414a-c57e1ce3510f","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ransombay","description":"Launched on April 24th, 2025 RansomBay is a new project operating under the DragonForce initiative","labels":["ransomware"],"first_seen":"2025-05-13"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ff211935-7f9f-2145-d657-0f47d17c0301","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ransomcartel","description":"Ransom Cartel is a ransomware-as-a-service operation that surfaced in December 2021, assessed by Palo Alto Unit 42 to share source code and technical overlap with the defunct REvil group, suggesting its operators had prior access to REvil's codebase, conducting 
double-extortion attacks against corporate networks.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--dd6349b5-19db-96d0-9bea-342172cb9a48","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ransomcortex","description":"RansomCortex emerged in July 2024 with a narrow focus on healthcare facilities, claiming four victims within days of its first appearance including hospitals in Brazil and Canada, operating as a relatively small and niche group.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3285ae74-aadc-8635-98ba-5884ed6be8ac","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ransomed","description":"RansomedVC was a short-lived extortion group active from August to November 2023 that claimed high-profile victims including Sony, innovating by threatening GDPR regulatory fines as an additional extortion lever; it briefly operated as a RaaS before shutting down in an apparent exit scam following reported arrests of six members.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8e1790bf-4a52-7d17-962a-eea2f3e3384c","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ransomexx","description":"RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. 
It shares commonalities with Defray777.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4d5c1d72-7294-a736-f8b1-8490fc201cda","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ransomhouse","description":"RansomHouse is a double-extortion RaaS operation active since late 2021, attributed to the threat actor \"Jolly Scorpius,\" targeting over 120 organizations across healthcare, finance, transportation, and government, recently upgrading to a multi-layered dual-key encryption architecture.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--d05812eb-0841-0c6e-0000-b05bed20f131","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ransomhub","description":"The group emerged in mid-February 2024 and has already listed several organizations as alleged victims of their attacks, resulting from extortion through encryption and data leaks.<br> <br> The announcement of the sale of the new Ransomware-as-a-Service (RaaS) by RansomHub was published on one of the Russian-origin forums used by cybercrime to advertise malicious services, known as RAMP4U (or RAMP). A user with the nickname and persona of 'koley' announced the affiliate program on February 2, 2024.<br> <br> In the new RaaS announcement, it was mentioned that the money laundering operation of the paid ransoms is the responsibility of the affiliate. This means that all communication and sending of the decryptor to the victim are done through chat. The split of this RaaS would be 90% of the value for the affiliate and 10% for the developer, who in this case would be the persona of Koley.<br> <br> Furthermore, according to the publication, the ransomware payload is written in Golang language, uses the asymmetric algorithm based on x25519, and encryption algorithms AES256, ChaCha20, and xChaCha20, standing out for its speed. 
The encryption is obfuscated using AST.<br> <br> The payload would support network propagation and encryption of data both in secure and local mode. According to Koley, the ransomware is designed to operate on platforms such as Windows, Linux, and ESXi, as well as other architectures such as ARM and MIPS.<br> <br> As pointed out by the panel and already highlighted by the intelligence team, Koley stated that the panel uses a .onion domain, allowing the affiliate to organize and manage targets and chat rooms, view access logs, automatically respond when offline, and create private blog pages.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--57cecd81-7599-6c73-6d07-c9226f8127c0","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ranstreet","description":"Ranstreet is a low-profile ransomware group with very limited public documentation, appearing in ransomware tracking lists but without major vendor research reports or significant attributed attacks.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--9ecc8fae-6852-1695-fde8-0d11b573345f","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"ranzy","description":"Ranzy Locker, formerly known as ThunderX. The group hosts a data leak site on the darknet where it posts sensitive information of victims who do not pay the ransom. ThunderX was launched at the end of August 2020. Soon after launch, weaknesses were found in the code that allowed decrypting the files the malware encrypted. The group fixed the code and published a new version, releasing it under the name Ranzy Locker. The Tor onion URL used by the Ranzy Leak site is the same as the one used by Ako Ransomware. 
The use of the same URL could indicate that both groups merged, or they are cooperating similarly to the Maze cartel.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--f69850fe-2fde-1e84-9cab-39596284ffee","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"raworld","description":"RA Group, also known as RA World, first surfaced in April 2023, utilizing a custom variant of the Babuk ransomware.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--00c97770-caef-86e4-6c1e-0f10ee5aa137","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"raznatovic","description":"RANSOMED.VC aka Raznatovic","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--8451a903-baac-0318-ca34-d7a2a8297e74","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"rebornvc","description":"RebornVC is a rebrand of RansomedVC re-emerging in July 2025 under new leadership, using data auctions, direct extortion, and double extortion techniques with ransom demands ranging from $10,000 to $1,000,000, with confirmed victims in the US and Brazil.","labels":["ransomware"],"first_seen":"2025-07-08"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--dc0b8302-6234-a3f5-a074-56285aff0708","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"redalert","description":"RedAlert (also called N13V) is a ransomware group first observed in July 2022 that targets both Windows and Linux VMware ESXi servers, encrypting virtual machine files using the NTRUEncrypt algorithm and accepting only Monero for payment, conducting double-extortion attacks against corporate 
networks.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4ec9d95c-c0a1-9c94-7029-4fcd2d18d318","created":"2026-05-27T11:58:17.923Z","modified":"2026-05-27T11:58:17.923Z","name":"redransomware","description":"Red Ransomware (Red CryptoApp) emerged in early 2024, debuting its \"Wall of Shame\" data leak site with 11 victims across IT, legal, hospitality, manufacturing, and education sectors predominantly in the US, using phishing and vulnerability exploitation with double-extortion tactics.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--2d617771-94b3-faa0-8fdf-d5a2fd0fb7d5","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"revil","description":"The Sodinokibi ransomware group, also known as REvil (Ransomware Evil), operates under a ransomware-as-a-service (RaaS) model. After compromising its victims, the group would threaten to publish the victim's sensitive data on its darknet blog named 'Happy Blog' unless the ransom was paid. The ransomware code used by REvil is very similar to the ransomware code used by DarkSide, a different threat actor. 
The REvil group claimed to have stolen information after a successful attack on a supplier of the tech giant Apple, including confidential schematics of upcoming products.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--607f125f-c57b-c160-8047-a1522c77ed17","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"reynolds","description":"Reynolds is a ransomware family first identified in early 2026, notable for embedding BYOVD (Bring Your Own Vulnerable Driver) defense evasion by exploiting CVE-2025-68947 to terminate security software before encrypting files, initially attributed to Black Basta and considered attractive to RaaS affiliates.","labels":["ransomware"],"first_seen":"2026-02-11"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4b6bdc08-0712-a39a-9c90-7271e832fee0","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"rhysida","description":"Rhysida is a ransomware-as-a-service (RAAS) group that emerged in May 2023. 
The group utilizes a namesake ransomware through phishing attacks and Cobalt Strike to breach the targets' networks and deploy their payloads.<br> <br> The group threatens to publicly distribute exfiltrated data if the ransom is not paid, and it's worth mentioning that Rhysida is still in the early stages of development.<br> <br> The ransomware leaves PDF notes in the affected folders, instructing victims to contact the group through its portal, and payment is made via Bitcoin.<br> <br> After encryption, the ransomware appends the extension '.ryshida' to encrypted files.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5815755f-c6ef-accd-7514-018cc1204a28","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"robinhood","description":"RobbinHood is a ransomware group first observed in April–May 2019, responsible for high-profile attacks on US cities including Baltimore, Maryland — demanding 13 BTC and causing months of disruption to city services — believed to operate as a limited closed-circle model rather than a broad public affiliate program.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--2c2b7608-0bad-0b14-e742-ca55683d0548","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"rook","description":"According to PCrisk, Rook is ransomware (an updated variant of Babuk) that prevents victims from accessing/opening files by encrypting them. It also modifies filenames and creates a text file/ransom note (HowToRestoreYourFiles.txt). Rook renames files by appending the .Rook extension. 
For example, it renames 1.jpg to 1.jpg.Rook, 2.jpg to 2.jpg.Rook.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--aa43038a-fb63-14a3-b24c-02613eb13eb4","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"royal","description":"According to Trendmicro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of Conti Team One.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c3647036-f259-3a3c-522d-d3a089dbae02","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"rransom","description":"RRansom is a low-profile ransomware group whose dark web leak site has been listed as offline in tracking directories, with very limited public threat intelligence available about its targets, tactics, or scale of operations.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5a188f5b-d2f9-4414-830e-94354ba2e3c2","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"RunSomeWares","description":"RunSomeWares is an emerging ransomware group that surfaced in February 2025 with initial victims across supply-chain services, financial services, accounting, and manufacturing, with unclear deployment of an encryptor vs. 
pure data-theft extortion.","labels":["ransomware"],"first_seen":"2025-02-27"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--9894ff89-e368-03dd-c06d-6c7a169292e2","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"sabbath","description":"Sabbath (also known as 54BB47h, operated by UNC2190) is a ransomware group active from mid-2021 that emerged as a rebrand of the Arcane ransomware, targeting critical infrastructure in the US and Canada — particularly hospitals, schools, and natural resources — using double extortion, backup destruction, and affiliate recruitment on Russian-language dark web forums.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--26c85499-0542-3349-7d63-e219ff64de41","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"safepay","description":"SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all operations internally, claiming over 300 victims worldwide by mid-2025 with a high-profile early attack against UK telematics firm Microlise stealing 1.2 TB of data.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--9c53df83-6749-8cb9-9d4c-095d8ed9b994","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"sarcoma","description":"Sarcoma is a ransomware group that debuted in October 2024, immediately ranking among the top three most active groups globally and surpassing 116 documented victims by mid-2025, targeting mid-market companies across manufacturing, retail, healthcare, legal, and business services with roughly 50% of victims in the United 
States.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--22e43212-3638-63b5-e7b0-f71383c135c9","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"satanlockv2","description":"SatanLock is a short-lived ransomware group that first appeared in April 2025 and abruptly shut down in July 2025 after claiming attacks against roughly 67 organizations — though over 65% of listed victims were duplicates from other groups — leaking all stolen data publicly upon shutdown.","labels":["ransomware"],"first_seen":"2025-07-04"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--efcc66f7-6a9f-ac8f-84d6-78960375a343","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"secp0","description":"Encrypted Extension: .vanhelsing, .vanlocker. Targets Windows Platform only","labels":["ransomware"],"first_seen":"2025-03-14"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--86c049e7-035e-0570-5b22-0f309c602f91","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"securotrop","description":"Securotrop is a ransomware group established in early 2025 that operates within the Qilin affiliate network while maintaining an independent public identity, focusing exclusively on commercial targets and deliberately avoiding healthcare and government entities, with approximately 32 documented victims.","labels":["ransomware"],"first_seen":"2025-07-22"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5bdf7b96-208f-6ac8-0150-868af87955cf","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"SenSayQ","description":"SenSayQ is an emerging ransomware actor that appeared in mid-2024 using a leaked LockBit 3.0 builder for double-extortion attacks; Group-IB links it operationally to the Brain Cipher group and its siblings EstateRansomware and \"Noname,\" suggesting a shared 
operator.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--0bb09d80-600e-ec3e-b9d7-793a6f859bed","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"shadow","description":"Shadow is a low-profile ransomware group tracked on ransomware monitoring platforms with limited public documentation; specific attribution details regarding its targets, origin, or scale remain sparse in published threat intelligence reports.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1f591e15-ce57-785b-3b87-652cf6bc7fb5","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"ShadowByt3$","description":"ShadowByt3$ is a ransomware-as-a-service group first observed in October 2025, using multi-method extortion and communicating via Telegram and Tox, with a very small confirmed victim list suggesting it remains in early-stage operation.","labels":["ransomware"],"first_seen":"2026-02-25"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1cb19879-6b65-639b-6516-a212b209b066","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"shaoleaks","description":"SHAOleaks is a low-profile data leak and extortion group with minimal public documentation, operating a leak site but lacking detailed analysis by major threat intelligence firms, suggesting a very limited or short-lived operation.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--af253360-0010-441a-9548-ac9ba51f1f90","created":"2026-05-27T11:58:17.924Z","modified":"2026-05-27T11:58:17.924Z","name":"shinyhunters","description":"ShinyHunters is a financially motivated data-theft and extortion group active since 2020, responsible for high-profile breaches including Ticketmaster (via Snowflake) and PowerSchool; by 2025 they launched a RaaS offering called \"shinysp1d3r,\" 
and in August 2025 French authorities arrested four members.","labels":["ransomware"],"first_seen":"2025-10-03"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--bcb3971a-51ed-1bd1-082f-1d67492c591c","created":"2026-05-27T11:58:17.925Z","modified":"2026-05-27T11:58:17.925Z","name":"shinysp1d3r","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1883d8bf-1c1d-966c-307c-86c7cefb5e03","created":"2026-05-27T11:58:17.925Z","modified":"2026-05-27T11:58:17.925Z","name":"ShinySp1d3r","description":"Likely associated with the cybercrime group BlingLibra (ShinyHunters)","labels":["ransomware"],"first_seen":"2025-11-15"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--1edbf39f-6ce3-69b9-0059-95ef300e5c66","created":"2026-05-27T11:58:17.925Z","modified":"2026-05-27T11:58:17.925Z","name":"sicarii","description":"Sicarii is a pro-Israeli/Jewish-branded ransomware-as-a-service operation that emerged in late 2025, explicitly targeting Arab and Muslim-majority organizations while avoiding Israeli systems, exploiting exposed RDP services and Fortinet devices, with its admin later instructing operators to migrate to the BQTLock platform.","labels":["ransomware"],"first_seen":"2025-12-30"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--abc59a28-a819-f549-d681-6667831ace93","created":"2026-05-27T11:58:17.925Z","modified":"2026-05-27T11:58:17.925Z","name":"siegedsec","description":"Not a ransomware group but a hacktivist group that appeared coincidentally days before Russia’s invasion of Ukraine","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5a9b9fc8-e986-cc2f-c943-9778b39f965e","created":"2026-05-27T11:58:17.925Z","modified":"2026-05-27T11:58:17.925Z","name":"silent","description":"Unlike many other groups, Silent claims to operate with a high level of anonymity and discretion. 
According to their own statement, they avoid public negotiations and encrypt minimal data. Instead, their focus is on stealing valuable confidential corporate information — and either selling it to competitors, on the dark web, or publishing it selectively.","labels":["ransomware"],"first_seen":"2025-04-23"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b38be3fc-63d1-b467-2d12-0161a75ece83","created":"2026-05-27T11:58:17.925Z","modified":"2026-05-27T11:58:17.925Z","name":"SilentRansomGroup","description":"a former Conti team","labels":["ransomware"],"first_seen":"2025-05-06"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--38b4a803-2782-ceb9-83ae-b72b2b6a04dc","created":"2026-05-27T11:58:17.925Z","modified":"2026-05-27T11:58:17.925Z","name":"sinobi","description":"Sinobi is a private vetted-affiliate RaaS group that emerged in mid-2025, believed to be a rebrand of the Lynx/INC ransomware lineage, claiming 176 victims by end of 2025 through double-extortion attacks primarily against mid-market US organizations via compromised SonicWall VPN credentials.","labels":["ransomware"],"first_seen":"2025-07-05"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--a05dc3e6-81f3-1660-adf1-e65dace0c3cf","created":"2026-05-27T11:58:17.925Z","modified":"2026-05-27T11:58:17.926Z","name":"skira","description":"Skira is a small ransomware group that emerged around late 2024, claiming responsibility for the breach of Carruth Compliance Consulting that exposed SSNs, W-2s, and financial records of employees across 36 US school districts, with five total claimed victims across the US, Turkey, and India.","labels":["ransomware"],"first_seen":"2025-03-06"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--cd03861f-0ff8-922a-279f-1eab771f91f6","created":"2026-05-27T11:58:17.926Z","modified":"2026-05-27T11:58:17.926Z","name":"slug","description":"Slug is a very obscure ransomware or extortion group with only a single documented 
victim (AerCap, the aircraft leasing company) recorded on ransomware tracking platforms; no detailed threat intelligence reports exist for this group.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--6cd512a8-19ae-26ee-1999-2ea2a4970172","created":"2026-05-27T11:58:17.926Z","modified":"2026-05-27T11:58:17.926Z","name":"snatch","description":"Snatch is ransomware that infects victims by rebooting the PC into Safe Mode. Most existing security protections do not run in Safe Mode, so the malware can act without the expected countermeasures and encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--79d36bda-433a-506d-e5c1-15433b58509d","created":"2026-05-27T11:58:17.926Z","modified":"2026-05-27T11:58:17.926Z","name":"solidbit","description":"Ransomware, written in .NET.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--484aab2f-2cd0-f77b-3c30-f91521ba9a76","created":"2026-05-27T11:58:17.926Z","modified":"2026-05-27T11:58:17.926Z","name":"sorry","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--31fe71dd-4151-1b59-1a27-e651eabb16c2","created":"2026-05-27T11:58:17.926Z","modified":"2026-05-27T11:58:17.926Z","name":"spacebears","description":"Space Bears is a double-extortion ransomware group that emerged in April 2024, distinguished by a professional \"corporate\" aesthetic on its leak site, leveraging Phobos RaaS infrastructure and targeting small-to-medium organizations in manufacturing, technology, and healthcare across the US and 
Europe.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--754eb644-cac7-a905-defa-2b3da7e94f4a","created":"2026-05-27T11:58:17.926Z","modified":"2026-05-27T11:58:17.926Z","name":"sparta","description":"Sparta is a short-lived ransomware group first observed in September 2022 that conducted double-extortion attacks primarily targeting organizations in Spain before ceasing activity, gaining initial access via phishing and exploitation of unpatched systems.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5e5fe409-577f-2f74-456f-db47d3e7438c","created":"2026-05-27T11:58:17.926Z","modified":"2026-05-27T11:58:17.926Z","name":"spook","description":"Spook ransomware operated briefly in September–October 2021 as a rebrand of the Prometheus ransomware group (built on the Thanos builder), conducting double-extortion attacks against global targets with a concentration in manufacturing and unusually publishing all victim names regardless of ransom payment.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--7a52d4ab-b639-23e2-7230-d80f979a8737","created":"2026-05-27T11:58:17.926Z","modified":"2026-05-27T11:58:17.926Z","name":"stormous","description":"Stormous is an Arabic-speaking, pro-Russian ransomware and hacktivist group active since at least 2022, known for politically motivated attacks across 15+ countries, collaborating with GhostSec on the GhostLocker 2.0 RaaS platform and inheriting GhostSec's RaaS operations in mid-2024.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--cc767fb1-c6ef-c232-caf9-dd1f6e853d85","created":"2026-05-27T11:58:17.926Z","modified":"2026-05-27T11:58:17.926Z","name":"sugar","description":"Ransomware, written in 
Delphi.\n","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--2f95b8f0-5fd5-0452-351f-f69c007053dd","created":"2026-05-27T11:58:17.926Z","modified":"2026-05-27T11:58:17.926Z","name":"suncrypt","description":"SunCrypt is a RaaS operation first observed in October 2019, notable for pioneering triple extortion (encryption, data publication threats, and DDoS attacks on non-paying victims), operating a closed small affiliate program and partnering with TrickBot for initial access.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5073dcb6-33fd-1639-ecc8-fe74d9f10f07","created":"2026-05-27T11:58:17.926Z","modified":"2026-05-27T11:58:17.926Z","name":"synack","description":"SynAck is a sophisticated ransomware operation first spotted in 2017, known for using hybrid ECIES encryption and the Doppelganging process injection technique to evade detection; in August 2021 the group rebranded as El_Cometa, transitioning to a full RaaS model and releasing master decryption keys for prior victims.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--14ae401f-14aa-6f4d-5399-c1380957b949","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"teamxxx","description":"TeamXXX is an emerging ransomware group that launched its leak site in June 2025, claiming victims across healthcare, agriculture, hospitality, financial services, and shipping sectors in the US, UK, Norway, Ireland, and Europe within its first months.","labels":["ransomware"],"first_seen":"2025-06-10"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--aa033bda-2a7c-6092-d9d8-1213bfdfc717","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"tengu","description":"Tengu is a RaaS operation first observed in October 2025, following a double-extortion model and using Living Off The Land 
Binaries (LOLBins) to blend malicious activity with normal admin traffic, primarily targeting consumer goods, real estate, automotive, healthcare, and IT sectors.","labels":["ransomware"],"first_seen":"2025-10-23"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--03897489-a16c-7de3-bda9-b2fd445b4407","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"termite","description":"Termite is a ransomware group first identified in late 2024 using a modified version of Babuk ransomware code; its most notable attack was the November 2024 breach of supply-chain software firm Blue Yonder, claiming 680 GB of exfiltrated data and disrupting major customers including Starbucks.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--72ddece7-e069-27ab-4199-9c1f69025ffa","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"thegentlemen","description":"The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1,570 linked victims.","labels":["ransomware"],"first_seen":"2025-09-09"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--e2269767-5154-91a1-377e-b86311197620","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"thegreenbloodgroup","description":"The Green Blood Group is an emerging ransomware operation first identified in early 2026 whose Go-based Windows payload uses ChaCha8 encryption and aggressively destroys backup and recovery options, targeting organizations in India, Senegal, Egypt, Colombia, and 
Belgium.","labels":["ransomware"],"first_seen":"2026-01-29"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--d5fd5fbe-4f52-b083-6e79-1b7308968dab","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"threeam","description":"A new ransomware family identified by the name '3AM' or 'ThreeAM' in September 2023. The ransomware operation was observed by the Symantec team in an incident where a ransomware affiliate attempted to deploy another ransomware, LockBit, on the target network and then switched to 3AM when LockBit was reportedly blocked.<BR> The operation has been active since mid-August 2023, judging by the first victim publication on its Tor-based website.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--a7a41576-0d1e-835f-9299-159735d41ea3","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"TiMc","description":"TiMc is a ransomware group that emerged in early 2026, claiming high-impact attacks against Spanish IT services leader Seidor (1 TB+ data) and oncology organization Oncologica (100 GB+), targeting Business Services, Healthcare, and IT sectors with a focus on Spanish-speaking and European targets.","labels":["ransomware"],"first_seen":"2026-04-09"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--40a7e9ac-b062-95d6-ccc4-de8b5790aa4c","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"titan","description":"Founded 4 April 2026","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--5253e68b-1f07-a0c5-26e2-709ecf75d80f","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"toufan","description":"Pro-Palestinian 
Group","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--95e6e7e9-cba3-d790-1188-1d396fc58135","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"tridentlocker","description":"TridentLocker is a newly emerged ransomware group (surfaced mid-2025) targeting organizations managing high volumes of regulated or third-party data — including government services, telecom, and engineering firms — across the US, Canada, UK, and Asia using double-extortion tactics.","labels":["ransomware"],"first_seen":"2025-11-29"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--424d0958-988d-08fb-93a1-c089a1014626","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"trigona","description":"According to PCrisk, Trigona is ransomware that encrypts files and appends the ._locked extension to filenames. Also, it drops the how_to_decrypt.hta file that opens a ransom note. An example of how Trigona renames files: it renames 1.jpg to 1.jpg._locked, 2.png to 2.png._locked, and so forth. It embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--934a11e6-0268-2e86-2b4b-4d1f881ae8da","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"trinity","description":"Trinity ransomware was first discovered in May 2024, believed to be a rebrand of the Venus/2023Lock variants, using ChaCha20 encryption and double-extortion via a Tor leak site; the US HHS flagged it as a specific threat to the healthcare sector after confirmed attacks on healthcare 
organizations.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--6b5d9f62-4712-2e15-a96f-63aaeee03ecb","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"trisec","description":"Trisec is a Tunisian-origin ransomware group that emerged in February 2024, claiming affiliation with the Tunisian government and operating as both a financially motivated and state-sponsored mercenary group, exclusively recruiting Tunisian members and reporting nine victims in the first half of 2024.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--681fb544-fa65-bfbe-b217-48b9c2b30918","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"u-bomb","description":"U-Bomb is a low-profile ransomware operation discovered in March 2023 that arrives via phishing emails and uses third-party offensive frameworks (BRC4, Sliver, Cobalt Strike) for lateral movement before deploying its encryptor, likely becoming inactive in the second half of 2023.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--be74175c-b763-7f1d-fec6-4c16999dac2e","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"underground","description":"Underground ransomware is deployed by the Russia-based RomCom group (Storm-0978) and has victimized companies across multiple industries since July 2023 by exploiting CVE-2023-36884, encrypting files without changing extensions and deleting Volume Shadow Copies and Windows event logs in double-extortion campaigns.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b23a6a84-39c0-dde5-5158-93e7c90c1e32","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"unknown","description":"\"Unknown\" is a catch-all tracking label used on ransomware 
monitoring platforms for attacks where the responsible threat actor has not been positively attributed to a known named group, serving as a placeholder for unattributed incidents.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--629e3fc9-48fb-5ca5-5eb9-f2cc1cd81570","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"unsafe","description":"A group which appears to recycle leaks from other ransomware groups.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--29a00e57-117f-4211-e912-518b06f2c2e7","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"ValenciaLeaks","description":"ValenciaLeaks is a data-extortion group that surfaced in August–September 2024, focused on exfiltrating large volumes of data and publishing it on a dedicated leak site, with documented victims including the City of Pleasanton, CA (283 GB exfiltrated) and pharmaceutical firm Duo Pharma Biotech.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--3eedcc5d-ecae-04ea-3c60-ac0fd76d5220","created":"2026-05-27T11:58:17.928Z","modified":"2026-05-27T11:58:17.928Z","name":"vanhelsing","description":null,"labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--f3bcdbb3-595f-a2e4-9946-6502fa90a716","created":"2026-05-27T11:58:17.929Z","modified":"2026-05-27T11:58:17.929Z","name":"VanHelsing","description":"VanHelsing is a multi-platform RaaS operation that launched on March 7, 2025, requiring a $5,000 affiliate deposit and splitting ransoms 80/20, supporting Windows, Linux, BSD, ARM, and ESXi targets, reaching at least five victims across the US, France, Italy, and Australia within its first two 
months.","labels":["ransomware"],"first_seen":"2025-03-17"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--24e44039-6c69-a28b-4969-f36ffe60fa36","created":"2026-05-27T11:58:17.931Z","modified":"2026-05-27T11:58:17.931Z","name":"vanirgroup","description":"VanirGroup is an Eastern European ransomware group composed of former affiliates from Karakurt, LockBit, and Knight ransomware that emerged in mid-2024, before German law enforcement (Karlsruhe Public Prosecutor's Office) seized its leak site.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b6481c1b-c211-0703-b4df-0a0fc8bf5cad","created":"2026-05-27T11:58:17.931Z","modified":"2026-05-27T11:58:17.931Z","name":"vect","description":"VECT is a RaaS group that launched its affiliate program in December 2025 with a five-tier revenue-sharing model and a formal partnership with BreachForums; its VECT 2.0 payload contains a critical encryption flaw that irreversibly destroys files larger than 128 KB rather than encrypting them.","labels":["ransomware"],"first_seen":"2026-01-06"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--df5132aa-044e-960e-746f-e824c4a9b7f4","created":"2026-05-27T11:58:17.932Z","modified":"2026-05-27T11:58:17.932Z","name":"vendetta","description":"Ransomware, which appears to be a rebranding of win.cuba.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--2f112840-9d27-f291-169a-a8936d16d0db","created":"2026-05-27T11:58:17.932Z","modified":"2026-05-27T11:58:17.932Z","name":"vfokx","description":"VFOKX is a low-profile ransomware group tracked on ransomware monitoring platforms with very limited public documentation and no detailed analysis or named victims published by major threat intelligence 
vendors.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c31fcd81-3508-3d43-3175-4459d3011957","created":"2026-05-27T11:58:17.932Z","modified":"2026-05-27T11:58:17.932Z","name":"vicesociety","description":"Vice Society ransomware appends the .v-society extension when encrypting Linux machines. The group runs a leak site on the dark web and has possible relations with \"HelloKitty\".","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--cbb12d83-5e75-cc2f-5767-047477cc999d","created":"2026-05-27T11:58:17.932Z","modified":"2026-05-27T11:58:17.932Z","name":"walocker","description":"WALocker is an emerging ransomware group that came to attention in 2025, targeting organizations in Southeast Asia and government entities, with a notable attack breaching Myanmar's Union Civil Service Board and exposing data on approximately 200,000 government officials.","labels":["ransomware"],"first_seen":"2025-06-10"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--2760e23f-10c8-6e21-c356-f13d60d3a6f1","created":"2026-05-27T11:58:17.932Z","modified":"2026-05-27T11:58:17.932Z","name":"wannacry","description":"WannaCry ransomware is a cyber attack that spreads by exploiting vulnerabilities in the Windows operating system. At its peak in May 2017, WannaCry became a global threat. Cybercriminals used the ransomware to hold an organization's data hostage and extort money in the form of cryptocurrency. WannaCry spreads using EternalBlue, an exploit leaked from the National Security Agency (NSA). EternalBlue enables attackers to use a zero-day vulnerability to gain access to a system. 
It targets Windows computers that use a legacy version of the Server Message Block (SMB) protocol.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--2341a4d5-a6b4-62de-ab7d-7657226f2e19","created":"2026-05-27T11:58:17.933Z","modified":"2026-05-27T11:58:17.933Z","name":"warlock","description":"The Warlock ransomware and operator(s) are believed to be attributed to Storm-2603, a China-based threat actor who is also known to have deployed LockBit ransomware. There's also a crossover between victims with Black Basta. Both are RaaS and have a long list of known and unknown affiliates. Having said that, this is possibly an affiliate (likely a cybergroup) of both of those groups. The Alliance & Association would technically be Encryptor Sharing, but this is realistically more of an \"Old Affiliate\" that created their own ransomware encryptor and operation.","labels":["ransomware"],"first_seen":"2025-06-10"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c626a1d5-1496-ffbb-56a4-983bc4d08984","created":"2026-05-27T11:58:17.933Z","modified":"2026-05-27T11:58:17.933Z","name":"werewolves","description":"WereWolves is a Russian-speaking ransomware group that emerged in May 2023, using a modified LockBit 3 (Black) encryptor, operating an unusual public website that actively recruits new members and offers a bug-bounty program with rewards up to $1 million, with at least 26 victims across Russia, the US, and Europe.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--080443c2-ac70-4c94-bd73-b7b70ee07b12","created":"2026-05-27T11:58:17.933Z","modified":"2026-05-27T11:58:17.933Z","name":"weyhro","description":"Weyhro is a data-extortion group (relying on data theft and leak threats without file encryption) that launched a Tor leak site in March 2025, focusing on manufacturing, financial services, and real estate sectors with victims in the US, Italy, 
and Canada.","labels":["ransomware"],"first_seen":"2025-03-06"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--b4ea9433-d6c4-5a6d-2110-2ee80e0760d8","created":"2026-05-27T11:58:17.933Z","modified":"2026-05-27T11:58:17.933Z","name":"worldleaks","description":"World Leaks emerged in January 2025 as a rebrand of the Hunters International ransomware operation, shifting its focus from file encryption to solely stealing sensitive data and threatening to leak it unless a ransom is paid","labels":["ransomware"],"first_seen":"2025-05-16"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--4d382387-de07-d8a7-9c2f-fc342552b525","created":"2026-05-27T11:58:17.933Z","modified":"2026-05-27T11:58:17.933Z","name":"x001xs","description":"X001xs is a low-profile ransomware group tracked on monitoring platforms with minimal public documentation, employing standard double-extortion tactics with no detailed technical analysis published by major vendors.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--c684c45d-94b5-fb08-431b-4a9592237d41","created":"2026-05-27T11:58:17.933Z","modified":"2026-05-27T11:58:17.933Z","name":"xinglocker","description":"XingLocker is a ransomware group that emerged in May 2021 as part of a franchise-style RaaS model built on a customized MountLocker payload, using IcedID for initial access and Windows Active Directory APIs for worm-style lateral movement across networks.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--108578f6-656a-56e4-1e48-47b4363b08fb","created":"2026-05-27T11:58:17.933Z","modified":"2026-05-27T11:58:17.933Z","name":"xinof","description":"XINOF (also known as Fonix/FonixCrypter) is a RaaS operation that began in June 2020 with no upfront affiliate cost and four methods of encryption per file; the operators shut down the service and released the master decryption key in January 2021, allowing 
free decryption for all victims.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--389aee81-0541-4df7-9425-b6f6fa50cae8","created":"2026-05-27T11:58:17.933Z","modified":"2026-05-27T11:58:17.933Z","name":"xp95","description":"XP95 is a cyber-extortion group that emerged in March 2026, using a pure data-theft-and-extortion model with a Windows XP/95-themed leak site, with notable targets including Statistics South Africa (154 GB exfiltrated) and the Gauteng Provincial Government.","labels":["ransomware"],"first_seen":"2026-03-17"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--7c446097-355b-34de-d3ca-6b3cdcd6850f","created":"2026-05-27T11:58:17.933Z","modified":"2026-05-27T11:58:17.933Z","name":"yanluowang","description":"According to PCrisk, Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates the README.txt file containing a ransom note. It appends the .yanluowang extension to filenames. Cybercriminals behind Yanluowang are targeting enterprise entities and organizations in the financial sector. Files encrypted by Yanluowang can be decrypted with this tool (it is possible to decrypt all files if the original file is larger than 3GB. 
If the original file is smaller than 3GB, then only smaller files can be decrypted).","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--24f4bf9f-13d5-401b-19b3-1bbc6a1358c8","created":"2026-05-27T11:58:17.933Z","modified":"2026-05-27T11:58:17.933Z","name":"yurei","description":"Yurei is a ransomware group first observed in September 2025 whose payload is a minimally modified fork of the open-source Prince-Ransomware, using ChaCha20 encryption and propagating across SMB shares, primarily targeting food manufacturing, transportation, and IT sectors in Sri Lanka and Nigeria.","labels":["ransomware"],"first_seen":"2025-09-05"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--ce16a735-854b-378c-3322-80faf1ffdddf","created":"2026-05-27T11:58:17.933Z","modified":"2026-05-27T11:58:17.933Z","name":"zeon","description":"Zeon was the precursor identity used by the group that rebranded as Royal in September 2022, composed primarily of former Conti \"Team One\" members, deliberately avoiding the RaaS model and keeping its code and infrastructure private.","labels":["ransomware"],"first_seen":null},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--fa4d8d0e-2bfa-9753-5f7a-da854e339da2","created":"2026-05-27T11:58:17.934Z","modified":"2026-05-27T11:58:17.934Z","name":"zerolockersec","description":"ZeroLockerSec is a small ransomware group with very limited public documentation that became inactive by Q2 2025 with no recorded leak posts, suggesting a brief operational period before going dormant.","labels":["ransomware"],"first_seen":"2025-04-28"},{"type":"threat-actor","spec_version":"2.1","id":"threat-actor--33753c7b-cf2c-d7ac-e4d6-690e56e7f320","created":"2026-05-27T11:58:17.934Z","modified":"2026-05-27T11:58:17.934Z","name":"zerotolerance","description":"ZeroTolerance is a low-profile ransomware group tracked on monitoring platforms with no detailed threat actor profiles, technical analysis, 
or named victim reports published by major threat intelligence vendors.","labels":["ransomware"],"first_seen":null}]}