Ransomware Groups

Track active ransomware operations, dark web infrastructure, and associated threat actors

660 Ransomware Groups

Hive

Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by ransomware-as-a-service providers, enabling novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe. In 2022 the ransomware switched from GoLang to Rust.

3 sites · 2023

Cryakl

Fargo

Fakersa

Noname

NoName (also known as CosmicBeetle) is a ransomware group active since at least 2020 targeting small and medium-sized businesses globally using its custom ScRansom tool, exploiting vulnerabilities like EternalBlue and ZeroLogon, and becoming a RansomHub affiliate to access that platform's RaaS infrastructure.

5 sites · 2024

Skira Team

1 site · 2025

Mydecryptor

MyDecryptor is a low-profile ransomware group with minimal public documentation, appearing on ransomware tracking platforms but not the subject of major threat intelligence reporting, suggesting it is a small or relatively inactive operation.

1 site · 2021

Bidon

Xelera

Dataf Locker

1 site · 2024

Thundercrypt

Bitransomware

1 site · 2024

La Piovra

3 sites · 2024

Minteye

MintEye is a ransomware group with concentrated activity in North America, targeting professional services, construction, engineering, architecture, and logistics sectors, with victims documented in the US and Chile; limited public technical analysis is available.

2 sites · 2025

Chort

Chort is a double-extortion ransomware group (whose name means "Devil" in Russian) that emerged in October 2024, primarily targeting US education and government sectors, with notable victims including the City of Sheboygan and Kuwait's Ministry of Finance.

1 site · 2024

Kuiper

Jaff

1 site · 1 actor · 2024
TA505, Graceful Spider, Gold Evergreen

Zero Tolerance Gang (Ztg)

1 site · 2024

Darkrace

DarkRace is a ransomware variant that surfaced in mid-2023 and shares strong code similarities with LockBit. It employs double extortion via a dark web leak site, but remained a minor player with fewer than 15 posted victims in its first half-year.

1 site · 2023

Lockbit3

LockBit, also recognized as LockBit Black or LockBit 3.0, is one of the largest ransomware groups in the world and has orchestrated extensive cyberattacks across various industries, impacting thousands of organizations globally with its relentless and adaptive strategies.

41 sites · 2022

Deathgrip

Direwolf

Dire Wolf is a sophisticated human-operated ransomware group first documented in May 2025, written in Golang using Curve25519/ChaCha20 encryption, targeting manufacturing and technology sectors across 13+ countries with ransoms up to $500,000, operated by a tight core team rather than a broad affiliate program.

3 sites · 2026

Ymir

Payoutsking

PayoutsKing is an active ransomware group observed through at least 2026 that has claimed attacks against a wide range of industries internationally — including Del Monte Foods and V. FRAAS — across the US, UK, Germany, and Ireland using standard double-extortion tactics.

3 sites · 2025
Showing 241 - 264 of 660