Ransomware Groups

Track active ransomware operations, dark web infrastructure, and associated threat actors

662 Ransomware Groups

Backmydata

Radar

Radar (also known as Dispossessor), active since August 2023 and led by an actor called "Brain," was a RaaS group targeting small-to-mid-sized businesses across healthcare, education, finance, and transportation in over 14 countries; it was dismantled by an FBI-led international operation in August 2024 that seized 24 servers and 9 criminal domains.

3 sites · 2026

Schoolboys

1 site · 2024

Vanir Group

1 site · 2026

Tridentlocker

TridentLocker is a newly emerged ransomware group (surfaced mid-2025) targeting organizations managing high volumes of regulated or third-party data — including government services, telecom, and engineering firms — across the US, Canada, UK, and Asia using double-extortion tactics.

2 sites · 2026

Azzasec

1 site · 2025

Babylockerkz

Prolock

PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.

1 site · 1 actor · 2021
Mallard Spider

B0 Group

1 site · 2025

Yanluowang

According to PCrisk, Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates the README.txt file containing a ransom note. It appends the .yanluowang extension to filenames. Cybercriminals behind Yanluowang are targeting enterprise entities and organizations in the financial sector. Files encrypted by Yanluowang can be decrypted with this tool (it is possible to decrypt all files if the original file is larger than 3GB. If the original file is smaller than 3GB, then only smaller files can be decrypted).

1 site · 2022

Shinyhunters

ShinyHunters is a financially motivated data-theft and extortion group active since 2020, responsible for high-profile breaches including Ticketmaster (via Snowflake) and PowerSchool; by 2025 they launched a RaaS offering called "shinysp1d3r," and in August 2025 French authorities arrested four members.

6 sites · 2026

Gangbang

Mountlocker

MountLocker operated as a ransomware-as-a-service from July 2020, using a standard developer/affiliate revenue split and leveraging compromised RDP credentials for initial access, propagating laterally via Windows Active Directory APIs and targeting over 2,600 file extensions.

1 site

Spectre

W3Crypto

1 site · 2025

Mimic

2 actors
Unknown · Trigona operator

Mydata

5 sites · 2024

Morpheus

Morpheus emerged in late 2024 as a semi-private RaaS operation whose affiliates share identical payloads with the HellCat ransomware group, targeting pharmaceutical, manufacturing, legal, and Italian ESXi environments with ransom demands reaching up to 32 BTC (~$3M USD).

1 site · 2026

El Dorado

6 sites · 2025

Black Suit

10 sites · 2024

Silent

Unlike many other groups, Silent claims to operate with a high level of anonymity and discretion. According to their own statement, they avoid public negotiations and encrypt minimal data. Instead, their focus is on stealing valuable confidential corporate information — and either selling it to competitors, on the dark web, or publishing it selectively.

3 sites · 2025

Embargo

Embargo is a Rust-based ransomware-as-a-service group that emerged in April 2024, primarily targeting US healthcare, manufacturing, and business services organizations using double extortion, assessed as a potential successor to BlackCat/ALPHV with over $34 million in ransom proceeds.

10 sites · 1 actor · 2024
Storm-0501

Cicada3301

Cicada3301 is a ransomware-as-a-service group (tracked as Repellent Scorpius by Palo Alto) that emerged in mid-2024 using Rust-based ransomware targeting Windows, Linux, and ESXi systems, suspected to be a successor of BlackCat/ALPHV and running an affiliate program with 20% commissions.

10 sites · 2025

Anubis

Anubis is a ransomware-as-a-service group active since December 2024 that targets healthcare, engineering, construction, and professional services sectors, offering affiliates a flexible revenue split model and an optional destructive "wipe mode" alongside standard encryption.

1 site · 1 actor · 2026
[ Interesting malware not linked to an actor yet ]