Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Atomsilo
AtomSilo is a double-extortion ransomware group that emerged in September 2021, exploiting the Atlassian Confluence vulnerability (CVE-2021-26084) for initial access and demanding ransoms up to $1 million, attributed to the Chinese state-linked threat actor BRONZE STARLIGHT.
Nevada
Nevada Ransomware is a RaaS operation written in Rust that emerged on the RAMP dark web forum in late 2022, offering affiliates favorable revenue splits (85/15 or 90/10) and conducting opportunistic mass attacks against a wide range of industries worldwide.
Funksec
FunkSec is an AI-assisted ransomware-as-a-service group that launched its data leak site in December 2024 and rapidly claimed over 85 victims across government, technology, finance, and education sectors globally, demanding unusually low ransoms and using AI tooling to lower the technical bar for affiliates.
Maze
The Maze ransomware group is one of the best-known ransomware gangs; it targeted organizations worldwide across many industries. Security researchers believed that Maze operates on an affiliate network model. MAZE was one of the first groups to carry out a 'Double Extortion Attack': in an attack involving Allied Universal in November 2019, the group leaked its victim's data on the darknet. On November 1, 2020, MAZE announced in an official press release that it was closing its operation. Security researchers claim that the threat actor behind the MAZE group is 'TA2101'.
Ragnarok
According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets by filtering on the system's Language ID. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Files are encrypted with AES using a dynamically generated key, and that key is then wrapped with RSA.
Vanhelsing
VanHelsing is a multi-platform RaaS operation that launched on March 7, 2025, requiring a $5,000 affiliate deposit and splitting ransoms 80/20, supporting Windows, Linux, BSD, ARM, and ESXi targets, reaching at least five victims across the US, France, Italy, and Australia within its first two months.
Devman
Former RansomHub and INC Ransom affiliate.
Spring
Babuk Bjorka
Fog
Fog, which uses the .flocked extension for encrypted files, was first observed in May in campaigns by Storm-0844, a threat actor known for distributing Akira. By June, Storm-0844 was deploying Fog more than Akira.
Hermes
Netwalker
The NetWalker ransomware group is operated by the threat actor known as "CIRCUS SPIDER". The NetWalker ransomware was discovered in 2019. The group mainly targets the Asia Pacific region but can attack globally. It uses common attack tools like Mimikatz and other legitimate tools (LOLBINS) like PSTools, AnyDesk, TeamViewer, NLBrute, and more. The group is known for targeting the healthcare sector. Finally, in January 2021, NetWalker was taken down by the authorities: the police confiscated hundreds of thousands of dollars in ransom payments collected by the NetWalker group, seized servers, and disrupted the infrastructure and darknet websites of the NetWalker ransomware group.
Lamialocker
Risen
Darkylock
Kryptos
Kryptos is a small ransomware group first observed in October 2025, conducting simultaneous attacks across North America and Oceania on its debut day with a focus on professional, technical, and legal service sectors, with only 3 known documented victims.
Lyrix
Blacktor
Blacktor is a low-profile data breach and extortion group active around 2021 with a Tor-based leak site, claiming victims in Indonesia, Italy, Venezuela, and the US, with minimal public threat-intelligence coverage.
Encrypthub
Aztroteam
AztroTeam is a ransomware group with very limited public documentation and no confirmed victims, listed as offline on ransomware tracking platforms.
J Group
Global
GLOBAL GROUP is a ransomware-as-a-service operation that emerged in June 2025, reportedly launched by a known Russian-speaking threat actor, featuring AI-driven ransom negotiation and a mobile control panel for affiliates, targeting healthcare, oil and gas, industrial engineering, and automotive sectors.