Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Snatch
Snatch is a ransomware family that infects victims by rebooting the PC into Safe Mode. Most existing security protections do not run in Safe Mode, so the malware can act without the expected countermeasures and encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.
Kelvin Security
Blackberserk
Meow
Meow emerged in 2022 (resurfacing aggressively in 2024), initially operating as a RaaS using the Conti v2 codebase before transitioning to a data-extortion-only model — selling stolen data rather than encrypting files — with a heavy focus on US healthcare and medical research organizations.
Ra Group
Mailto
Kryptina
Taronis
Daixin
Daixin Team is a ransomware and data extortion group active since at least June 2022, exclusively targeting the US Healthcare and Public Health sector by encrypting EHR and diagnostic systems and exfiltrating patient data to pressure victims into paying ransoms.
Royal
According to Trend Micro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who were formerly part of Conti Team One.
Rabbit Hole
Insane Ransomware
Hades
According to PCrisk, Hades Locker is an updated version of the WildFire Locker ransomware that infiltrates systems and encrypts a variety of data types using AES encryption. Hades Locker appends the extension .~HL[5_random_characters] (the first 5 characters of the encryption password) to the names of encrypted files.
Ciphbit
CiphBit is a ransomware-as-a-service group active since April 2023, targeting small-to-mid-sized businesses across the UK, Europe, and North America with 38 known victims, employing a data-broker model with selective free leaks to pressure victims alongside standard double extortion.
Hunters
In mid-October 2023, just a few days before the Europol operation, the source code of the Hive ransomware was sold, along with its website and older versions developed in Golang and C (although this purchase has only been reported by the actors themselves, without concrete evidence). The buyer of the source code was the group Hunters International, who claimed to have fixed the bugs in Hive that in some cases prevented file decryption. The group also stated that file encryption would not be their primary focus; instead, they would rely on data theft to pressure victims during extortion attempts.
Elpaco
Lapsus$
Lapsus$ is an internationally composed data extortion group most active from mid-2021 through 2022, executing high-profile breaches against Microsoft, Nvidia, Samsung, Okta, and Uber by stealing source code and threatening leaks rather than encrypting files; several members — predominantly teenagers — were arrested in the UK.
Avoslocker
AvosLocker is the ransomware payload of the Avos RaaS group, active from July 2021 to approximately May 2023, targeting education, manufacturing, and healthcare sectors on Windows, Linux, and VMware ESXi environments, with the US accounting for ~72% of victims.
Wiper Leak
Blackbyte
Ransomware that uses a dropper written in JavaScript to deploy a .NET payload.
Ransomexx
RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.
White Lock
Safepay
SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all operations internally, claiming over 300 victims worldwide by mid-2025; an early high-profile attack against UK telematics firm Microlise stole 1.2 TB of data.
Chaos
Chaos is a ransomware-as-a-service operation that emerged in early 2025, likely formed by former BlackSuit/Royal members, offering cross-platform ransomware for Windows, Linux, ESXi, and NAS to affiliates recruited on the RAMP dark web forum, excluding CIS/BRICS countries and hospitals from targeting.