Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Abrahams_Ax
Abraham's Ax is an Iranian-linked hacktivist persona tied to Moses Staff that emerged in November 2022, primarily targeting Saudi Arabian government institutions for geopolitical reasons related to Saudi-Israeli normalization, using destructive wiper malware and data leak tactics rather than financial ransomware.
abyss
Abyss (also known as Abyss Locker) is a ransomware operation first identified in March 2023, derived from the Babuk source code, that targets Windows and Linux/VMware ESXi systems using double-extortion tactics across healthcare, manufacturing, finance, and technology sectors — predominantly in North America.
againstthewest
AgainstTheWest (ATW) is a hacktivist group active since October 2021 that targets governments and corporations perceived as authoritarian, breaching organizations like Alibaba, Sberbank, and Gazprom using custom ransomware and wiper malware for ideological disruption rather than financial profit.
alphalocker
AlphaLocker is a low-cost ransomware operation built on the EDA2 open-source project that sells affiliates an admin panel, ransomware executable, and decryption key generator, lowering the barrier for entry-level cybercriminals using double-extortion tactics.
apt73
A new ransomware group is said to have emerged in mid-April 2024 under the name 'APT73.' It is worth noting that the group reportedly self-proclaimed as an APT, which stands for 'Advanced Persistent Threat' in the cybersecurity field. According to research, much of the available information about this group came from another ransomware group known as LockBit. Source: https://github.com/crocodyli/ThreatActors-TTPs
arcusmedia
Arcus Media is a ransomware-as-a-service group that emerged in May 2024, employing double extortion with ChaCha20 + RSA-2048 encryption and recruiting affiliates via a referral-based vetting process, claiming 50+ victims across manufacturing, healthcare, retail, and business services globally.
argonauts
Argonauts is a ransomware group that emerged in September 2024, operating a double-extortion model targeting logistics, healthcare, energy, and telecom sectors, with approximately 13 claimed victims tracked via a TOR-based leak site.
arkana
Arkana is a ransomware group that emerged in early 2025 and gained attention by claiming an attack on U.S. broadband provider WideOpenWest (WOW!), operating a three-phase ransom/sale/leak extortion model primarily focused on telecom and internet service providers.
babuk
Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and an old 32-bit PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.
babuk2
Babuk Locker 2.0, also known as Bjorka or SkyWave, is an actor who, after failing to make any profit from selling public databases on forums, decided to impersonate the Babuk ransomware group. He launched a blog where he presented multiple public breaches from BreachForums as ransomware attacks.
blacklock
BlackLock is a rebranded version of another ransomware group known as Eldorado. It has since become one of the most active extortion syndicates in 2025, heavily targeting technology, manufacturing, construction, finance, and retail sectors.
blacknevas
BlackNevas is a ransomware group first observed in November 2024, believed to be derived from the Trigona ransomware family, targeting telecommunications, manufacturing, medical, and legal industries primarily in Asia-Pacific, the UK, Italy, and Lithuania using double-extortion with a dual AES/RSA encryption scheme.
blacksuit
According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.
bluelocker
Blue Locker targets Pakistan's vital energy sector, particularly Pakistan Petroleum.
BrainCipher
Brain Cipher emerged in July 2024. Both Windows and Linux variants are available. Brain Cipher uses the leaked build of LockBit Black for its operations. The group is suspected to have exploited CVE-2023-28252 (Microsoft Windows CLFS Driver Privilege Escalation Vulnerability). Ransom demands range from $150,000 to $1,000,000 and are to be paid in Monero (XMR) cryptocurrency. In 2025, the group moved its negotiation portal to a new server with a vanity TOR domain starting with 'brain'.
coinbasecartel
CoinbaseCartel specializes in data acquisition through system access and strategic partnerships. It focuses exclusively on data exfiltration; by the group's own description, its operations never involve system encryption or operational disruption.
crazyhunter
CrazyHunter is a Go-based ransomware group that emerged in early 2025, derived from the open-source Prince encryptor, exclusively targeting Taiwanese organizations in healthcare, education, and industrial sectors using BYOVD techniques and tools like SharpGPOAbuse for lateral movement.
darkangels
Dark Angels is a highly selective ransomware group active since April 2022 that targets a small number of large enterprises — including Johnson Controls — exfiltrating up to 100 TB of data per victim, and secured the largest known single ransom payment of $75 million from a Fortune 50 company in early 2024.
darkbit
DarkBit is an ideologically motivated ransomware group that appeared in February 2023, primarily targeting Israeli entities — most notably the Technion Institute of Technology — with politically charged ransom notes condemning Israeli government policies, assessed to be linked to Iranian state-sponsored activity.
darkleakmarket
DarkLeakMarket is a dark web data leak marketplace active since at least 2019 that sells stolen data sourced from ransomware groups and hacking forums, with 39 known victim organizations; it operates more as a data resale market than a traditional ransomware operator.
darkpower
Dark Power emerged in January 2023 as a ransomware group written in the Nim programming language, claiming 10 victims across eight countries within its first month across agriculture, education, healthcare, IT, and manufacturing sectors, demanding $10,000 ransoms payable in Monero.
dragonransomware
Dragon Ransomware is promising rapid and customizable ransomware operations for Windows systems. Key features include a compact 50KB file size, ultra-fast encryption speed, and a builder tool that allows users to personalize ransomware configurations. The tool will be made available to the public once the team reaches 1,000 subscribers on its channel, signaling a potential rise in availability to threat actors.
dread
Dread is a ransomware group that appears in tracking databases but has no publicly documented attacks or confirmed TTPs from major security vendors.
ElDorado
In September, the El Dorado ransomware group rebranded as BlackLock.