Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Devman2
Synapse
Pay2Key
Pay2Key is ransomware that has been used by the threat actor Fox Kitten. The group appears to have been operating since July 2020, targeting mainly Israeli companies. Pay2Key has a darknet leak site used to publish stolen and sensitive information from its victims. Some of its victims: Intel - Habana Labs, IAI - Israel Aerospace Industries, Portnox - Network Security Solutions.
Eraleign (Apt73)
Arkana Security
Payload
Payload is a ransomware group that emerged in early 2026, using Babuk-derived source code targeting both Windows and ESXi systems with cross-platform double-extortion attacks against healthcare, energy, real estate, and agriculture sectors, claiming 12 victims across seven countries within hours of launching its leak site.
Darkside
The Darkside ransomware group started its operation in August 2020 under the RaaS (Ransomware-as-a-Service) model. The group became known for operations involving large ransoms. It announced that it prefers not to attack hospitals, schools, non-profits, and governments, but rather big organizations that are able to pay large ransoms. Darkside became very famous following the cyberattacks on Colonial Pipeline and a Toshiba unit. The FBI finally terminated the Darkside operation and managed to pull money back from the group's wallets.
Knight
[Cyclops](group/cyclops) rebrand
Medusa
Medusa is a ransomware-as-a-service operation active since June 2021 that has targeted over 300 victims across critical infrastructure sectors including healthcare, education, legal, and manufacturing using double-extortion, with attacks surging 42% between 2023 and 2024 and a formal CISA advisory issued in early 2025.
Slug
Slug is a very obscure ransomware or extortion group with only a single documented victim (AerCap, the aircraft leasing company) recorded on ransomware tracking platforms; no detailed threat intelligence reports exist for this group.
Apos
Apos is a data-broker extortion group that surfaced in April 2024, focusing on data exfiltration and threatening to publish or sell stolen information rather than encrypting files, targeting technology, healthcare, manufacturing, telecom, and government sectors across multiple countries.
Shadowbyt3$
ShadowByt3$ is a ransomware-as-a-service group first observed in October 2025, using multi-method extortion and communicating via Telegram and Tox, with a very small confirmed victim list suggesting it remains in early-stage operation.
Sifrecikis
Abyss Data
Targetcompany
Luckbit
Osyolorz Collective
Reynolds
Reynolds is a ransomware family first identified in early 2026, notable for embedding BYOVD (Bring Your Own Vulnerable Driver) defense evasion by exploiting CVE-2025-68947 to terminate security software before encrypting files, initially attributed to Black Basta and considered attractive to RaaS affiliates.
Tooda
Benzona
Benzona is a financially motivated ransomware group that emerged in late 2024, targeting small to mid-sized organizations across manufacturing, healthcare, technology, and hospitality sectors using double-extortion tactics — encrypting files while exfiltrating data and threatening publication via a Tor-based leak site.
Black Witch
Cipherforce
CipherForce is a newly emerged ransomware group first detected in early 2026, operating a dark web leak site and targeting technology, business services, and logistics companies across the US, China, Vietnam, India, and UAE, with at least 6 claimed victims.