Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Locky
Crypt Ransomware
Rook
According to PCrisk, Rook is ransomware derived from the leaked Babuk source code. It encrypts victims' files so they can no longer be opened, appends the .Rook extension to each encrypted file (1.jpg becomes 1.jpg.Rook, 2.jpg becomes 2.jpg.Rook) and drops a ransom note named HowToRestoreYourFiles.txt.
The Green Blood Group
Hellogookie
HelloGookie is a rebrand of the HelloKitty ransomware group announced in April 2024, releasing previously stolen data from CD Projekt Red and Cisco; HelloKitty/HelloGookie has been active since 2020 with its highest-profile attack being the 2021 breach of CD Projekt Red.
3Am
Help Restoremydata
Dragonforce
DragonForce is a major ransomware-as-a-service operation first observed in August 2023 that launched a formal affiliate program offering 80% revenue share, then rebranded as a "ransomware cartel" in 2025, gaining notoriety for high-profile attacks on UK retailers Marks & Spencer, Co-op, and Harrods.
Silent Ransom
aGl0bGVyCg
"aGl0bGVyCg" is the unpadded Base64 encoding of "hitler" followed by a newline (as produced by piping the word through a Base64 encoder), a reference to the Hitler-Ransomware of 2016, a German-origin proof of concept that displayed a Hitler image and demanded a 25-euro Vodafone card as payment. It did not actually encrypt files (it only stripped file extensions) and is assessed as an amateur test project rather than a serious criminal operation.
Weyhro
Weyhro is a data-extortion group (relying on data theft and leak threats without file encryption) that launched a Tor leak site in March 2025, focusing on manufacturing, financial services, and real estate sectors with victims in the US, Italy, and Canada.
Clop
The ransomware known as Cl0p is a variant of the earlier CryptoMix strain. It was first observed in 2019 as the final payload of a purely financially motivated phishing campaign attributed to the threat actor TA505.

In that campaign, phishing emails led to a macro-enabled document that dropped a loader called Get2. After gaining an initial foothold, the actors carried out reconnaissance, lateral movement and data exfiltration before deploying the ransomware.

On execution, Cl0p appends the extension .clop to encrypted files; other observed variants use .CIIp (capital i's), .Cllp (lowercase L's) or .C_L_O_P. The ransom note name also varies by variant and has been seen as ClopReadMe.txt, README_README.txt, Cl0pReadMe.txt and READ_ME_!!!.TXT. Because the lookalike extensions differ only in letter case, file-extension detections for this family should match case-sensitively.

The Clop operation has since moved away from phishing as its delivery mechanism and now initiates attacks by exploiting vulnerabilities in internet-facing applications, most notably managed file-transfer products, to compromise victims' infrastructure.

Source: https://github.com/crocodyli/ThreatActors-TTPs
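The Rook and Cl0p entries above both describe on-disk artifacts (an appended encryption extension and a dropped ransom note) that a responder can sweep for. The following script is an added example, not code from this page or from the cited repository: it scans a directory tree for those artifacts using only the extensions and note names stated above, matches extensions case-sensitively so Cl0p's lookalike variants are not confused, and recovers the pre-encryption filename. The sample tree it builds in a temporary directory is constructed for the demonstration and is not real victim data.

```python
"""Added example: sweep a directory tree for the file-system artifacts the
Rook and Cl0p entries describe (appended extensions and ransom-note names)."""
import os
import shutil
import tempfile

# Indicators as stated on this page. Matching is case-sensitive on purpose:
# Cl0p's ".CIIp" (capital I's) and ".Cllp" (lowercase L's) are distinct
# lookalike variants, and ".rook" is not Rook's extension.
INDICATORS = {
    "Rook": {
        "extensions": (".Rook",),
        "notes": ("HowToRestoreYourFiles.txt",),
    },
    "Cl0p": {
        "extensions": (".clop", ".CIIp", ".Cllp", ".C_L_O_P"),
        "notes": ("ClopReadMe.txt", "README_README.txt",
                  "Cl0pReadMe.txt", "READ_ME_!!!.TXT"),
    },
}


def classify(filename):
    """Map a bare filename to (family, kind), kind being "note" or
    "encrypted"; return None when it matches no indicator."""
    for family, ind in INDICATORS.items():
        if filename in ind["notes"]:
            return family, "note"
        for ext in ind["extensions"]:
            # Require something before the extension so a file literally
            # named ".Rook" is not reported as an encrypted file.
            if filename.endswith(ext) and len(filename) > len(ext):
                return family, "encrypted"
    return None


def original_name(filename):
    """Recover the pre-encryption name, e.g. "1.jpg.Rook" -> "1.jpg".
    Names that are not encrypted-file hits are returned unchanged."""
    hit = classify(filename)
    if hit is None or hit[1] != "encrypted":
        return filename
    for ext in INDICATORS[hit[0]]["extensions"]:
        if filename.endswith(ext):
            return filename[: -len(ext)]
    return filename


def scan_tree(root):
    """Walk root and return {family: {"encrypted": [...], "notes": [...]}}
    with paths relative to root, sorted for stable output."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit is None:
                continue
            family, kind = hit
            key = "notes" if kind == "note" else "encrypted"
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.setdefault(family, {"encrypted": [], "notes": []})[key].append(rel)
    for buckets in found.values():
        for paths in buckets.values():
            paths.sort()
    return found


def build_sample_tree():
    """Constructed sample tree (not real victim data) mixing Rook and Cl0p
    artifacts with benign files and near-misses. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="rw-scan-")
    names = [
        "docs/1.jpg.Rook", "docs/2.jpg.Rook", "docs/HowToRestoreYourFiles.txt",
        "share/q4.xlsx.CIIp", "share/budget.docx.C_L_O_P",
        "share/ClopReadMe.txt", "share/READ_ME_!!!.TXT",
        "share/notes.txt",        # benign file
        "share/photo.jpg.rook",   # wrong case: not Rook's extension
        "share/.Rook",            # bare extension with no original name
    ]
    for rel in names:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for family, buckets in scan_tree(sample_root).items():
            print(family, "encrypted:", buckets["encrypted"], "notes:", buckets["notes"])
            for rel in buckets["encrypted"]:
                print("   original name:", original_name(os.path.basename(rel)))
    finally:
        shutil.rmtree(sample_root)
```

Point scan_tree at a mounted image or a share to triage a real incident; the case-sensitive match and the bare-extension guard are the two checks that keep a sweep like this from producing false positives on lookalike or oddly named files.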
Genesis
Genesis is an emerging ransomware group first observed in late 2025, targeting small to mid-sized US organizations across healthcare, retail, financial services, legal, and manufacturing using double-extortion tactics, focusing heavily on data exfiltration and public leaking.
Zeppelin
Holyghost
HolyGhost (tracked by Microsoft as DEV-0530) is a North Korean state-linked ransomware group active since June 2021, associated with the Andariel threat group, targeting small to mid-sized businesses in financial services, manufacturing, education, and entertainment globally.
Coinbase Cartel
Ranion
Ranion is a ransomware-as-a-service operation first observed in April 2017 that offers a low-barrier, pay-upfront model where affiliates keep 100% of ransom payments, with packages ranging from $150 to $1,900, making it a popular entry point for less experienced attackers.
Xinof
XINOF (also known as Fonix/FonixCrypter) is a RaaS operation that began in June 2020 with no upfront affiliate cost and four methods of encryption per file; the operators shut down the service and released the master decryption key in January 2021, allowing free decryption for all victims.
Lulzsec Muslims
Cephalus
Cephalus is a ransomware group active from mid-2025 that leverages stolen RDP credentials to deploy a Go-based ransomware payload via DLL sideloading, targeting law firms, healthcare, financial services, and IT firms across the US and Japan with 19 known victims.