Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
flocker
Flocker (also linked to the FSociety brand) is a ransomware-as-a-service group active since 2023–2024 that targets Windows and Linux systems via phishing, compromised RDP, and exploit kits, operates a double-extortion model, and has been observed collaborating with FunkSec.
GDLockerSec
Our team members are from different countries and we are not interested in anything else, we are only interested in dollars. We do not allow CIS, Cuba, North Korea and China to be targeted. Re-attacks are not allowed for target companies that have already made payments. We do not allow non-profit hospitals and some non-profit organizations to be targeted.
IMNCrew
IMN Crew is a data extortion and ransomware group that emerged in late March 2025, primarily targeting financial services organizations in the US, Croatia, and Indonesia by exploiting exposed perimeter services such as firewalls and VPNs, claiming at least five victims.
incransom
INC Ransom is a prolific ransomware-as-a-service operation active since July 2023 that systematically targets healthcare, government, education, and manufacturing sectors in North America and Europe, having posted over 200 victims in 2025 alone with no sector off-limits.
insane
Insane is a short-lived ransomware group that briefly surfaced in early 2024, claiming a single victim in Thailand before going quiet, with minimal documented activity or technical details available.
J
J is an emerging ransomware group that launched its leak site in May 2025, claiming over 41 victims by late 2025 including FAI Aviation Group (Germany), operating primarily as a leak-site-centric extortion identity with limited public technical analysis.
kawa4096
Kawa4096 is a ransomware group that emerged in June 2025, targeting multinational corporations across finance, education, and services sectors primarily in the US and Japan, using partial-encryption (25% of each file chunk) with Salsa20 and a leak site styled after Akira's retro terminal aesthetic, claiming at least 11 victims.
kelvinsecurity
KelvinSecurity is a financially motivated hacking group active since at least 2015, primarily engaged in stealing and selling databases from telecommunications, healthcare, and political organizations worldwide, with notable breaches including Vodafone Italia and Frost & Sullivan; the group's leader was arrested by Spanish police.
la_piovra
La Piovra Ransomware is an exercise created by the company Offensive Security (also known as OffSec).
leaktheanalyst
LeakTheAnalyst is a data-theft extortion group that operates a dark web leak site with approximately 20 claimed victims, notable for a 2017 operation targeting a Mandiant security researcher; the group focuses on stealing and publishing sensitive corporate data rather than deploying file-encrypting ransomware.
lockbit2
LockBit 2.0 is the second major iteration of the LockBit RaaS platform, launched in mid-2021, introducing automated domain-wide encryption via Active Directory Group Policy and claiming the fastest encryption speed among ransomware families, accounting for 46% of ransomware breach events in early 2022.
lockbit3_fs
LockBit 3.0 ("LockBit Black"), active since June 2022, is the third iteration of the LockBit RaaS platform incorporating code from BlackMatter ransomware, featuring modular encrypted payloads that evade analysis and targeting Windows and VMware ESXi environments across all sectors globally.
madcat
MadCat is a suspected fraudulent ransomware operation that surfaced briefly in late 2023, apparently linked to scammers targeting other criminals on the dark web with fake stolen passport offers; its leak site appeared dead shortly after announcement, casting doubt on whether it ever operated as a genuine ransomware group.
madliberator
MadLiberator is a ransomware group that emerged in mid-2024, known for erratic behavior including randomized ransom demands and unpredictable encryption patterns, targeting government entities including the Italian Ministry of Culture and using a data leak site to post exfiltrated files.
malekteam
Malek Team is an Iranian-linked threat actor that emerged on October 8, 2023 (the day after the Hamas attack on Israel), believed to be tied to Iranian military intelligence, primarily targeting Israeli organizations using data exfiltration and extortion, with notable attacks on Ziv Medical Center and Ono Academic College.
marketo
Marketo, launched in April 2021, is a data-theft extortion marketplace that steals and sells data to third parties or back to victims without encrypting files, applying aggressive pressure by emailing victims' competitors with sample data packs.
medusalocker
Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.
moneymessage
Money Message emerged in March 2023 targeting Windows and Linux systems across banking, transportation, and professional services sectors, demanding ransoms in the millions and publishing stolen data on their blog if unpaid, with most known victims based in the US.
mosesstaff
Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data.
ms13089
MS13089 is a newly emerged ransomware group (first observed December 2025) that named itself after a 2013 Microsoft Security Bulletin, claiming a handful of victims including a law firm, operating primarily as a double-extortion actor.
nasirsecurity
Nasir Security is a pro-Iranian threat actor that emerged around October 2025, primarily targeting energy sector organizations in the Middle East (UAE, Oman, Saudi Arabia, Iraq) and Israeli IT supply chain firms, using spear-phishing, BEC, and exploitation of public-facing applications.
onyx
Onyx is a ransomware group first observed in April 2022, based on the Chaos ransomware builder, that is notably destructive — files larger than 2MB are overwritten with random data rather than encrypted, making recovery impossible even after ransom payment — claiming approximately 13 victims across six countries.
projectrelic
Project Relic emerged in mid-2022 as a Golang-based ransomware targeting Windows and Linux hosts, operating with a TOR-based data leak site and using double-extortion tactics, with operators dwelling in networks for days or weeks before encrypting.
promptlock
PromptLock is the first known AI-powered ransomware. The malware runs the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly.