Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Cooming
CoomingProject is a ransomware group that emerged around 2021 and operated a double-extortion scheme with multiple Tor-based leak sites; six members were identified by French authorities in February 2022, after which the group's infrastructure went offline.
Hellcat
HellCat is a ransomware-as-a-service group that formed in Q4 2024 and targets critical infrastructure and government entities; it quickly became notable for high-profile attacks against Schneider Electric, Telefónica, and Israel's Knesset, primarily gaining initial access via stolen Jira credentials harvested by infostealer malware.
Adminlocker
AdminLocker is a relatively low-profile ransomware strain first observed around December 2021, encrypting victim files and demanding Bitcoin ransom via a Tor-based portal, operated by a lone actor or small closed group with no evidence of an affiliate model.
Colossus
Tommyleaks
Turkish Crypter
Catb
Astralocker
0Mega
0mega is a double-extortion ransomware group that emerged in May 2022, targeting businesses across multiple sectors worldwide by encrypting files and threatening to leak stolen data; it also pivoted to cloud-based extortion by compromising Microsoft 365 admin accounts.
Blackbyte Crux
Zixer2
Satanlock
Exorcist
According to PCrisk, Exorcist is a ransomware-type malicious program. Systems infected with this malware experience data encryption and users receive ransom demands for decryption. During the encryption process, all compromised files are appended with an extension consisting of a random string of characters. For example, a file originally named "1.jpg" could appear as something similar to "1.jpg.rnyZoV" following encryption. After this process is complete, Exorcist ransomware changes the desktop wallpaper and drops HTML applications - "[random-string]-decrypt.hta" (e.g. "rnyZoV-decrypt.hta") - into affected folders. These files contain identical ransom messages.
Quantum
Quantum ransomware, active from mid-2021 through 2022, was a rebrand of the MountLocker/AstroLocker/XingLocker lineage that operated as RaaS, known for extremely fast attack timelines (under four hours from initial access to encryption) and ransom demands ranging from $150,000 to multiple millions of dollars.
Vfokx
VFOKX is a low-profile ransomware group tracked on ransomware monitoring platforms with very limited public documentation and no detailed analysis or named victims published by major threat intelligence vendors.
Ransom Corp
Desolator
Desolator is a ransomware group that emerged in May 2025, targeting construction and engineering firms in Latin America and Europe and technology companies in Asia, actively recruiting pen testers, initial access brokers, and social engineers via dark web forums to build an affiliate program.
Yashma
Megazord
Xinglocker
XingLocker is a ransomware group that emerged in May 2021 as part of a franchise-style RaaS model built on a customized MountLocker payload, using IcedID for initial access and Windows Active Directory APIs for worm-style lateral movement across networks.
Jsworm
Gazprom
Teamxxx
TeamXXX is an emerging ransomware group that launched its leak site in June 2025, claiming victims across healthcare, agriculture, hospitality, financial services, and shipping sectors in the US, UK, Norway, Ireland, and Europe within its first months.
Revil
The Sodinokibi ransomware group, also known as REvil (Ransomware Evil), operates under a ransomware-as-a-service (RaaS) model. After the group compromises its victims, it threatens to publish their sensitive data on its darknet blog, named 'Happy Blog', unless the ransom is paid. The ransomware code used by REvil is pretty similar to the code used by DarkSide, a different threat actor. The REvil group claims to have stolen information, including confidential schematics of upcoming products, after a successful attack on the supplier of the tech giant Apple.