Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Fivehands
Cloak
Cloak is a ransomware-as-a-service operation active since late 2022, primarily targeting small-to-medium enterprises in Europe — especially Germany — across manufacturing, healthcare, education, and government sectors, with expansion into North American and Asian targets by 2025.
Chilelocker
ChileLocker (also known as ARCrypter) first appeared in August 2022 after attacking a Chilean government agency and quickly expanded globally, appending a ".crypt" extension to encrypted files and recruiting affiliates under a RaaS model on criminal forums.
Offwhite
Blackshadow
BlackShadow is an Iranian-linked hack-and-leak group (linked to the Agrius APT) that targeted Israeli companies including insurance firm Shirbit and hosting provider Cyberserve, leaking medical records of 290,000 patients, using extortion as a tool of geopolitical disruption rather than purely for financial gain.
Ransomed
RansomedVC was a short-lived extortion group active from August to November 2023 that claimed high-profile victims including Sony, innovating by threatening GDPR regulatory fines as an additional extortion lever; it briefly operated as a RaaS before shutting down in an apparent exit scam following reported arrests of six members.
Linkc
Linkc is a ransomware group first observed in February 2025, operating a Tor-based data leak site and targeting US-based AI, cloud, aerospace, and manufacturing companies — including H2O.ai — demanding ransoms as high as $15 million using double-extortion tactics.
Everest
The Everest ransom group collects and analyzes information about its victims. It specializes in customer privacy data, financial information, databases, credit card information, and more. The group leaks victims' data to the darknet, and it has announced that any victim who does not contact it will suffer a data leak and that it will not delete the victim's files, keeping them for future use.
Qlocker
QLocker was a financially motivated ransomware operation active in 2021 that exclusively targeted QNAP NAS devices exposed to the internet, exploiting a hard-coded credentials vulnerability to compress files into password-protected 7-Zip archives and demanding roughly $400 per victim, netting approximately $350,000 in a single month.
Proton
Blackfield
Lockdata
LockData Auction is a dark web marketplace that emerged around May 2021 operating an invite-only stolen data auction portal, representing a shift toward pure data-theft extortion with auctions for stolen corporate data starting from $50,000, rather than a traditional ransomware encryptor operation.
Darkbit01
Grief
Doppelpaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark file extension it adds to encrypted files: .doppeled. It also creates a note file named ".how2decrypt.txt".
Wikileaksv2
Fusion
Mario Esxi
Bert
BERT is a newly emerged ransomware group first identified in mid-2025, targeting Windows and Linux platforms across healthcare, technology, and event services sectors in Asia, Europe, and the US, with ransomware derived from a Linux variant of REvil using AES encryption and multi-threaded file locking.
Karma
Karma is a ransomware group first observed in mid-2021, part of a lineage tracing back through Nefilim and FiveHands, operating double-extortion attacks against enterprises in healthcare, manufacturing, and technology; the group was managed by threat actor "farnetwork" who ran multiple RaaS programs across related strains.
Rransom
RRansom is a low-profile ransomware group whose dark web leak site has been listed as offline in tracking directories, with very limited public threat intelligence available about its targets, tactics, or scale of operations.
Ox Thief
Lockbit
LockBit is one of the most prolific ransomware groups in history, operating as a full RaaS platform that at its peak accounted for an estimated 44% of all ransomware incidents globally in 2023, targeting virtually every sector worldwide through an affiliate model where developers maintain infrastructure and affiliates conduct intrusions.
Kuza
Lilith
Lilith is a C/C++-based double-extortion ransomware that emerged in July 2022, targeting 64-bit Windows systems and sharing code with the Babuk ransomware family, with its first confirmed victim being a large South American construction firm.