Ransomware Groups

This is not a ransomware group but a data broker

"Unknown" is a catch-all tracking label used on ransomware monitoring platforms for attacks where the responsible threat actor has not been positively attributed to a known named group, serving as a placeholder for unattributed incidents.

RANSOMED.VC aka Raznatovic

RansomCortex emerged in July 2024 with a narrow focus on healthcare facilities, claiming four victims within days of its first appearance including hospitals in Brazil and Canada, operating as a relatively small and niche group.

Lolnek (also known as Lolkek/GlobeImposter) is a commodity ransomware strain primarily targeting small and medium-sized businesses with relatively low ransom demands, associated with the TZW ransomware family, and unsophisticated compared to major RaaS operations with no formal affiliate program.

Pure Extraction And Ransom (PEAR) Team is the community of highly responsible and strictly disciplined members. We are a private team and have nothing common with any other threat actors. We've been monitoring this field for a long-long time. So, we understand all the processes and know well how it all works.

The 8base Ransomware group made its first appearance in early March 2022, remaining somewhat quiet after the attacks. This group operates like other ransomware actors, engaging in double extortion. <BR> However, in mid-May and June 2023, the ransomware operation saw a spike in activity against organizations from various sectors, listing 131 organizations in just 3 months.<BR> The 8base data leak site was created and made available in March 2023, claiming honesty and simplicity in its discourse.<BR> VMware published a report on 8base, drawing some similarities with the ransomware group `RansomHouse`, pointing out resemblances such as the website used by 8base and the ransom notes presented in its attacks.<BR> Interestingly, the 8base Ransomware group does not have its own ransomware developed by the group. Instead, the actors took advantage of other leaked ransomware builders to customize the ransom note and present it to the victim organization as 8base's operation.<BR>Source : https://github.com/crocodyli/ThreatActors-TTPs

BabyDuck is a ransomware group tracked on ransomware.live with approximately 180 claimed victims, appending the .babyduck extension to encrypted files, distinct from the better-known Babuk group.

According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of the RaaS component, which was switched to email communications for payments. Uses AES-128, which is then protected RSA2048.

BQTLock is a ransomware-as-a-service operation that emerged in 2025, using AES-256/RSA-4096 encryption with Monero payment demands, linked to pro-Palestinian hacktivist networks and targeting organizations with wave-based campaigns with 48-hour ransom deadlines.

World Leaks emerged in January 2025 as a rebrand of the Hunters International ransomware operation, shifting its focus from file encryption to solely stealing sensitive data and threatening to leak it unless a ransom is paid