Ransomware Groups

Track active ransomware operations, dark web infrastructure, and associated threat actors

661 Ransomware Groups

Deadbydawn

Zeon

Zeon was the precursor identity used by the group that rebranded as Royal in September 2022, composed primarily of former Conti "Team One" members, deliberately avoiding the RaaS model and keeping its code and infrastructure private.

1 site · 2021

Osiris

Osiris is a ransomware-as-a-service operation first observed in November 2025 that uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint detection tools before deploying hybrid ECC + AES-128-CTR encryption; Symantec researchers linked its operators to former INC ransomware affiliates.

2 sites · 1 actor · 2026
__[ Interesting malware not linked to an actor yet ]_

Soleenya

1 site · 2025

U Bomb

1 site · 2024

Black Nevas

1 site · 2026

Crosslock

CrossLock is a short-lived Go-based ransomware group that appeared in April 2023 and went dark by July 2023, using Curve25519 and ChaCha20 encryption and double-extortion tactics with only one known confirmed victim in the IT sector in Brazil.

1 site · 2023

Deathransom

1 actor
UNC2447

Warlock

The Warlock ransomware and its operator(s) are believed to be attributed to Storm-2603, a China-based threat actor that is also known to have deployed LockBit ransomware. There is also a crossover of victims with Black Basta. LockBit and Black Basta are both RaaS operations with a long list of known and unknown affiliates, so Warlock is possibly an affiliate (likely a cybergroup) of both of those groups. The Alliance & Association would technically be Encryptor Sharing, but this is realistically more of an "Old Affiliate" that created its own ransomware encryptor and operation.

9 sites · 1 actor · 2025
Warlock operator

Scarab

Core

Alphv

The operators of the ALPHV/BlackCat ransomware began their activity in December 2021, making posts on Dark Web forums to promote their affiliate program, offering other actors the opportunity to engage in a 'new type of ransomware family' developed from scratch using the Rust programming language.

Some clear evidence indicates that the actors behind this new ransomware are not new to cybercrime, and there were links to other affiliate programs such as DarkSide, BlackMatter, and REvil. (After several attacks against large companies, these groups faced pressure and arrests, necessitating the termination of their operations).

As a security measure, the operators of ALPHV implemented the requirement for the execution of the ransomware payload by providing an 'access token,' which is supplied by the owners of the Ransomware-as-a-Service to the affiliate. This token is added to the victim's ransom note so that they can contact the threat actor responsible for encrypting the data.

ALPHV affiliates employ double and triple extortion techniques, meaning the publication of the company's name on leak sites, threats of data leakage, and lastly, threats of DDoS attacks against the organization.

Source: https://github.com/crocodyli/ThreatActors-TTPs

10 sites · 2022

Ransomhouse

RansomHouse is a double-extortion RaaS operation active since late 2021, attributed to the threat actor "Jolly Scorpius," targeting over 120 organizations across healthcare, finance, transportation, and government, recently upgrading to a multi-layered dual-key encryption architecture.

11 sites · 2022

Crylock

CryLock (originally known as Cryakl/Fantomas since 2014) is a ransomware operation run by a Russian couple who targeted roughly 400,000 victims over eight years and earned over €64 million in Bitcoin; the operators were arrested in Spain in June 2023 and extradited to Belgium.

1 site · 2021

Red Ransomware

2 sites · 2024

Xp95

XP95 is a cyber-extortion group that emerged in March 2026, using a pure data-theft-and-extortion model with a Windows XP/95-themed leak site, with notable targets including Statistics South Africa (154 GB exfiltrated) and the Gauteng Provincial Government.

1 site · 2026

Secp0

Encrypted Extension: .vanhelsing, .vanlocker. Targets Windows Platform only

8 sites · 2025

Bravox

BravoX is a selective ransomware-as-a-service operation that surfaced publicly in January 2026 after advertising on the RAMP underground forum, targeting primarily US-based organizations in healthcare and retail while applying strict affiliate vetting requirements including proof of access or a financial deposit.

2 sites · 2026

Crysis

Ramp

RAMP (Russian Anonymous Marketplace) was a Russian-speaking dark web forum founded in 2021 that served as a central marketplace and recruitment hub for ransomware operators, affiliates, and initial access brokers — not a ransomware group itself but the backbone of the RaaS ecosystem; it was seized by the FBI in January 2026.

4 sites · 2021

Kyber

Kyber is a recently identified ransomware group using sophisticated hybrid encryption (AES-256-CTR with X25519 and Kyber1024), operating Tor-based communication channels and employing double-extortion with free partial decryption offered to build negotiation trust, discovered through underground forum monitoring in 2025.

3 sites · 2026

Brain Cipher

10 sites · 2024

Team Underground

4 sites · 2023

Entropy

Entropy is ransomware first seen in the first quarter of 2022 that is being used in conjunction with Dridex infections. The ransomware packs itself with a custom packer that has also been seen in some early Dridex samples.

1 site · 2022