Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Proxima
Spook
Spook ransomware operated briefly in September–October 2021 as a rebrand of the Prometheus ransomware group (built on the Thanos builder), conducting double-extortion attacks against global targets with a concentration in manufacturing and unusually publishing all victim names regardless of ransom payment.
Qiulong
Qiulong is a ransomware group that emerged around April 2024 primarily targeting Brazilian organizations using double extortion and unique tactics such as publishing identity documents of victims' family members to pressure payment.
Blackbasta
"Black Basta" is a new ransomware strain discovered in April 2022 that appears to have been in development since at least early February 2022. Given the group's ability to quickly amass new victims and the style of its negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along its affiliates.
Ransomedvc2
Lockbit4
Zeoticus
Punisher
Inc Ransom
Freeworld
Tycoon
Siegedsec
Not a ransomware group but a hacktivist group that appeared, coincidentally, days before Russia’s invasion of Ukraine.
Yurei
Yurei is a ransomware group first observed in September 2025 whose payload is a minimally modified fork of the open-source Prince-Ransomware, using ChaCha20 encryption and propagating across SMB shares, primarily targeting food manufacturing, transportation, and IT sectors in Sri Lanka and Nigeria.
Bluebox
Bluebox is a data extortion group that emerged in December 2024, employing double-extortion tactics against victims primarily in France, Sweden, and the French Caribbean, and threatening to notify data protection authorities to add regulatory pressure on victims.
Aptlock
Sinobi
Sinobi is a private vetted-affiliate RaaS group that emerged in mid-2025, believed to be a rebrand of the Lynx/INC ransomware lineage, claiming 176 victims by end of 2025 through double-extortion attacks primarily against mid-market US organizations via compromised SonicWall VPN credentials.
Darkwave
Datakeeper
DataKeeper is a ransomware-as-a-service operation dating back to at least 2018 that promoted an affiliate model called "CrystalPartnership RaaS," offering a Windows-focused ransomware toolkit with hybrid RSA-4096 encryption, open dark web registration, and an innovative split-payment mechanism to build affiliate trust.
Lokilocker
Donex
DoNex is a ransomware strain that emerged in March 2024 as the latest rebrand of a lineage beginning with Muse (2022) → DarkRace (2023) → DoNex, targeting enterprises in the US and Europe using double-extortion; Avast released a free decryptor in July 2024 after discovering a cryptographic flaw.
Losttrust
LostTrust is a double-extortion ransomware operation that emerged in March 2023 and publicized over 50 victims within days of launching its leak site in September 2023, believed to be a rebrand of the MetaEncryptor gang, primarily targeting manufacturing, professional services, construction, and education sectors with 71% of known victims in the US.
Kraken
Kraken is a Russian-speaking ransomware group that emerged in February 2025, believed to have links to the HelloKitty operation, employing a RaaS model notable for a benchmarking step that measures victim machine speed to optimize encryption; in September 2025 it launched an underground criminal forum called "The Last Haven Board."
Lorenz
Tesorion describes Lorenz as a ransomware with design and implementation flaws that make decryption impossible with the tools provided by the attackers. A free decryptor for 2021 versions was made available via the NoMoreRansom initiative. A new version of the malware was discovered in March 2022, for which a free decryptor was again provided, while the ransomware operators are not able to provide tools to decrypt affected files.