Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Nvrmre
Bonacigroup
Bonaci Group is a small, short-lived ransomware group that was active in 2021 and had only 3 known victims before going offline; very little public documentation exists about its tactics, targets, or tooling.
Cerberimposter
Lockergoga
Dagonlocker
Dagon Locker is a ransomware strain that first appeared in early 2023, evolved from the MountLocker/Quantum ransomware lineage, and uses IcedID as an initial access vector before deploying double-extortion attacks with ChaCha20+RSA-2048 encryption.
D0Glun
Desolated
Ms13 089
Faust
Termite
Termite is a ransomware group first identified in late 2024 using a modified version of Babuk ransomware code; its most notable attack was the November 2024 breach of supply-chain software firm Blue Yonder, claiming 680 GB of exfiltrated data and disrupting major customers including Starbucks.
Mad Liberator
Run Some Wares
Metaencryptor
MetaEncryptor is a ransomware group first observed in mid-2023, targeting medium-to-large enterprises in legal, technology, logistics, manufacturing, and finance sectors primarily in the UK, Europe, and Southeast Asia, using AES-256/RSA-2048 encryption and double extortion.
Avos
Avos is the threat actor group behind AvosLocker ransomware, a RaaS operation active since June 2021 that recruited affiliates to deploy ransomware against critical infrastructure including financial services, manufacturing, and government sectors across the US and a dozen other countries.
Unsafe
A group that appears to recycle leaks from other ransomware groups.
Mespinoza
Contfr
RaaS - Ransomware embedded in a PDF file, to be opened by your victims or inserted by you, Windows and Mac, does not work on Linux. Victim dashboard and data recovery available from your subscriber area. Configure your ransomware at your first login, then modify it later depending on your plan.
Mogilevich
Mogilevich appeared in February 2024, rapidly claiming high-profile breaches of Epic Games, DJI, Shein, and Kick.com, but was quickly exposed as a fraud — the group's operator admitted they were "professional fraudsters" who sold fake breach data and access to a non-existent RaaS panel.
Cryptedpay
Freecivilian
FreeCivilian is a data extortion group with suspected ties to Russian GRU military intelligence, known for targeting Ukrainian government websites — including sites offering surrender guidance to Russian troops — blending cybercrime with apparent state-aligned political objectives.
Blackmatter
Ransomware-as-a-Service
Clop Torrents
Bjorka
Mamona
Mamona was a short-lived ransomware rebrand attempted by the operator behind BlackLock RaaS in March 2025 that failed before reverting; as a standalone strain it operates entirely offline with no C2 communication, uses custom encryption, and targets Windows systems.