Ransomware Groups

Track active ransomware operations, dark web infrastructure, and associated threat actors

661 Ransomware Groups

Buddyransome

Insomnia

Insomnia is a data-theft and extortion group that emerged in October 2025, targeting primarily US-based healthcare organizations — stealing patient files and threatening public exposure rather than encrypting files — and avoiding former Soviet states, consistent with Russian-speaking cybercrime norms.

2 sites · 2026

Miga

1 site · 2025

Cylance

Phantom

Hotarus

Hotarus Corp is a ransomware group that came to attention in early 2021 after attacking Ecuador's Ministry of Finance and Banco Pichincha — the country's largest private bank — deploying PHP-based ransomware and claiming to have stolen tens of millions of customer records.

1 site · 2021

Zola

Nokoyawa

Nokoyawa is a double-extortion ransomware group that launched a RaaS program in 2022 (operated by threat actor "farnetwork"), primarily targeting businesses in South America across healthcare, financial services, government, and manufacturing, gaining significant attention in 2023 for exploiting a Windows CLFS zero-day (CVE-2023-28252).

11 sites · 2021

Ranzy

Ranzy Locker, formerly known as ThunderX. The group hosts a data leak site on the darknet where it posts sensitive information of victims who do not pay the ransom. ThunderX was launched at the end of August 2020. Soon after launch, weaknesses were found in the code that allowed decrypting the files the malware had encrypted. The group fixed the code, published a new version, and released it under the name Ranzy Locker. The Tor onion URL used by the Ranzy leak site is the same as the one used by Ako ransomware. The use of the same URL could indicate that both groups merged, or that they are cooperating in a way similar to the Maze cartel.

1 site · 2021

Akira

The Akira ransomware group is said to have emerged in March 2023, and there is much speculation about its ties to the former CONTI ransomware group.

It is worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackBasta, and others.

According to some reports, Akira affiliates also work with other ransomware operations, such as Snatch and BlackByte: an open directory of tools used by an Akira operator was identified that also had connections to the Snatch ransomware.

The first version of the Akira ransomware was written in C++, appended the '.akira' extension to files, and created a ransom note named 'akira_readme.txt'; it was partially based on the Conti V2 source code. On June 29, 2023, a decryptor for this version was reportedly released by Avast.

A version that fixed the decryption flaw was subsequently released on July 2, 2023. Since then, the new version is said to be written in Rust, this time named 'megazord.exe', and it changes the extension of encrypted files to '.powerranges'.

Most of Akira's initial access vectors use brute-force attempts against Cisco VPN devices that use single-factor authentication only. Additionally, exploitation of CVE-2019-6693 and CVE-2022-40684 for initial access has been identified.

Source: https://github.com/crocodyli/ThreatActors-TTPs

2 sites · 2 actors · 2026
Storm-1567 · Unknown

Ransomhub

The group emerged in mid-February 2024 and has already listed several organizations as alleged victims of its attacks, extorting them through encryption and data leaks.

The announcement of the sale of the new Ransomware-as-a-Service (RaaS) by RansomHub was published on RAMP4U (or RAMP), a Russian-origin forum used by cybercriminals to advertise malicious services. A user with the nickname and persona 'koley' announced the affiliate program on February 2, 2024.

The RaaS announcement stated that laundering the paid ransoms is the responsibility of the affiliate, meaning that all communication with the victim, including sending the decryptor, is done through the chat. The split of this RaaS would be 90% of the value for the affiliate and 10% for the developer, who in this case would be the persona Koley.

Furthermore, according to the publication, the ransomware payload is written in Golang, uses an asymmetric algorithm based on x25519 together with the encryption algorithms AES256, ChaCha20, and xChaCha20, and stands out for its speed. The encryption is obfuscated using AST.

The payload would support network propagation and encryption of data in both secure and local mode. According to Koley, the ransomware is designed to operate on platforms such as Windows, Linux, and ESXi, as well as on other architectures such as ARM and MIPS.

As shown by the panel and already highlighted by the intelligence team, Koley stated that the panel uses a .onion domain, allowing the affiliate to organize and manage targets and chat rooms, view access logs, respond automatically when offline, and create private blog pages.

Source: https://github.com/crocodyli/ThreatActors-TTPs

10 sites · 2 actors · 2024
Indrik Spider · INDRIK SPIDER

Toxic

1 site · 2025

Monolock

1 site · 2026

Sugar

Ransomware, written in Delphi.

2 sites · 2025

Cryp70N1C0D3

Cryp70n1c0d3 is a low-profile ransomware group with limited public documentation; specific targets, attack methodology, and operational model remain poorly documented in open sources.

1 site · 2026

Pandora

Pandora ransomware was obtained by vx-underground on 2022-03-14.

2 sites · 3 actors · 2022
Bronze Starlight · APT27 · +1

Darkangel

1 site · 2021

Mcafee

Xollam

Makop

Trisec

Trisec is a Tunisian-origin ransomware group that emerged in February 2024, claiming affiliation with the Tunisian government and operating as both a financially motivated and state-sponsored mercenary group, exclusively recruiting Tunisian members and reporting nine victims in the first half of 2024.

3 sites · 2024

Arcus Media

1 site · 2025

Delta

Robbing Hood

1 site · 2025