Ransomware Groups

Track active ransomware operations, dark web infrastructure, and associated threat actors

661 Ransomware Groups

Miliphen

Root

Kairos

Kairos is a data extortion group active since late 2024 that focuses solely on data theft with no encryption, primarily targeting small-to-mid-sized organizations in healthcare, manufacturing, and business services in the US, purchasing initial access from brokers and demanding Bitcoin payments.

12 sites · 2025

Piratelock

Interlock

Interlock is a ransomware group first observed in September 2024 that targets critical infrastructure sectors including healthcare, government, education, and technology across North America and Europe using double-extortion, with 57+ claimed victims including a major US dialysis provider exposing over two million patient records.

11 sites · 2024

Ransombay

Launched on April 24th, 2025, RansomBay is a new project operating under the DragonForce initiative.

4 sites · 2025

Dataleak

Dataleak is a low-profile ransomware group with approximately 6 known victims including entities in Brazil; very limited public threat intelligence exists on this group's tools, TTPs, or origins.

1 site · 2023

Nightspire

NightSpire is a ransomware group that first emerged in March 2025 and rapidly claimed over 250 victims across retail, manufacturing, healthcare, finance, and education sectors in the US, France, India, Taiwan, and Japan, using aggressive double-extortion with ransom deadlines as short as two days.

7 sites · 2025

Killsec

KillSec originated as a hacktivist group aligned with the Anonymous movement before pivoting to ransomware operations in October 2023, officially launching a RaaS platform in June 2024 with an affiliate-friendly 88% revenue split, primarily targeting healthcare, financial services, and government sectors with over 250 documented victims as of late 2025.

2 sites · 2024

Nemesis

1 site · 2025

Polyvice

Globeimposter

1 actor
TA505, Graceful Spider, Gold Evergreen

Exitium

Exitium is a data extortion group first observed in early 2026, operating a Tor-based double extortion site and targeting victims via bulk data exfiltration followed by public naming-and-shaming, with known victims including a Brazilian agro-industrial firm and a US county appraisal district.

1 site · 2026

Enciphered

Wiki Ransomware

Fsociety

1 site · 2025

Kittykatkrew

KittyKatKrew is a newly emerged ransomware group first identified in early 2026, using both direct and double-extortion methods against US targets including the Arkansas State Crime Laboratory, operating under the alias KKK with Telegram and X/Twitter communication channels.

2 sites · 2026

Megacortex

Walocker

WALocker is an emerging ransomware group that came to attention in 2025, targeting organizations in Southeast Asia and government entities, with a notable attack breaching Myanmar's Union Civil Service Board and exposing data on approximately 200,000 government officials.

2 sites · 2026

Mindware

Ransomware, potential rebranding of win.sfile.

1 site · 2025

Loki

1 site · 2026

Trigona

According to PCrisk, Trigona is ransomware that encrypts files and appends the ._locked extension to filenames. It also drops the how_to_decrypt.hta file, which opens a ransom note. An example of how Trigona renames files: it renames 1.jpg to 1.jpg._locked, 2.png to 2.png._locked, and so forth. It embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files.

8 sites · 1 actor · 2023
Trigona operator

Br0K3R

1 site · 2025

Bianlian

BianLian ransomware operations began in late 2021. The group practices multi-pronged extortion, demanding payment both for a decryptor and for the non-release of stolen data. The group hosts a public, Tor-based blog to post victim identities and stolen data. Somewhat unique to BianLian at the time of their launch was their inclusion of an I2P mirror for their blog.

4 sites · 2025
Showing 433 - 456 of 661