Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
rabbithole
RabbitHole is a low-profile ransomware group with limited publicly available threat intelligence, not appearing prominently in major threat intelligence reports, suggesting it operates at a small scale or under limited visibility.
radiant
Radiant is a financially motivated ransomware group that emerged in September 2025, conducting double- and single-extortion attacks without affiliates, drawing widespread condemnation after attacking UK childcare provider Kido International and publishing photographs, names, and home addresses of over 8,000 children.
ranstreet
Ranstreet is a low-profile ransomware group with very limited public documentation, appearing in ransomware tracking lists but without major vendor research reports or significant attributed attacks.
raworld
RA Group, also known as RA World, first surfaced in April 2023, utilizing a custom variant of the Babuk ransomware.
rebornvc
RebornVC is a rebrand of RansomedVC re-emerging in July 2025 under new leadership, using data auctions, direct extortion, and double extortion techniques with ransom demands ranging from $10,000 to $1,000,000, with confirmed victims in the US and Brazil.
redransomware
Red Ransomware (Red CryptoApp) emerged in early 2024, debuting its "Wall of Shame" data leak site with 11 victims across IT, legal, hospitality, manufacturing, and education sectors predominantly in the US, using phishing and vulnerability exploitation with double-extortion tactics.
RunSomeWares
RunSomeWares is an emerging ransomware group that surfaced in February 2025 with initial victims across supply-chain services, financial services, accounting, and manufacturing, with unclear deployment of an encryptor vs. pure data-theft extortion.
satanlockv2
SatanLock is a short-lived ransomware group that first appeared in April 2025 and abruptly shut down in July 2025 after claiming attacks against roughly 67 organizations — though over 65% of listed victims were duplicates from other groups — leaking all stolen data publicly upon shutdown.
shaoleaks
SHAOleaks is a low-profile data leak and extortion group with minimal public documentation, operating a leak site but lacking detailed analysis by major threat intelligence firms, suggesting a very limited or short-lived operation.
ShinySp1d3r
Likely associated with the cybercrime group BlingLibra (ShinyHunters)
sicarii
Sicarii is a pro-Israeli/Jewish-branded ransomware-as-a-service operation that emerged in late 2025, explicitly targeting Arab and Muslim-majority organizations while avoiding Israeli systems, exploiting exposed RDP services and Fortinet devices, with its admin later instructing operators to migrate to the BQTLock platform.
SilentRansomGroup
A former Conti team.
skira
Skira is a small ransomware group that emerged around late 2024, claiming responsibility for the breach of Carruth Compliance Consulting that exposed SSNs, W-2s, and financial records of employees across 36 US school districts, with five total claimed victims across the US, Turkey, and India.
spacebears
Space Bears is a double-extortion ransomware group that emerged in April 2024, distinguished by a professional "corporate" aesthetic on its leak site, leveraging Phobos RaaS infrastructure and targeting small-to-medium organizations in manufacturing, technology, and healthcare across the US and Europe.
thegentlemen
The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1,570 linked victims.
thegreenbloodgroup
The Green Blood Group is an emerging ransomware operation first identified in early 2026 whose Go-based Windows payload uses ChaCha8 encryption and aggressively destroys backup and recovery options, targeting organizations in India, Senegal, Egypt, Colombia, and Belgium.
threeam
A new ransomware family identified by the name '3AM' or 'ThreeAM' in September 2023. The ransomware operation was observed by the Symantec team, in which a ransomware affiliate attempted to deploy another ransomware, LockBit, on the target network and then switched to 3AM when LockBit was reportedly blocked. The ransomware operation, according to the publication on its Tor-based website, has been operating since mid-August 2023, the date of its first victim publication.
Source: https://github.com/crocodyli/ThreatActors-TTPs
u-bomb
U-Bomb is a low-profile ransomware operation discovered in March 2023 that arrives via phishing emails and uses third-party offensive frameworks (BRC4, Sliver, Cobalt Strike) for lateral movement before deploying its encryptor, likely becoming inactive in the second half of 2023.
underground
Underground ransomware is deployed by the Russia-based RomCom group (Storm-0978) and has victimized companies across multiple industries since July 2023 by exploiting CVE-2023-36884, encrypting files without changing extensions and deleting Volume Shadow Copies and Windows event logs in double-extortion campaigns.
ValenciaLeaks
ValenciaLeaks is a data-extortion group that surfaced in August–September 2024, focused on exfiltrating large volumes of data and publishing it on a dedicated leak site, with documented victims including the City of Pleasanton, CA (283 GB exfiltrated) and pharmaceutical firm Duo Pharma Biotech.
vanirgroup
VanirGroup is an Eastern European ransomware group composed of former affiliates from Karakurt, LockBit, and Knight ransomware that emerged in mid-2024, before German law enforcement (Karlsruhe Public Prosecutor's Office) seized its leak site.
vendetta
Ransomware, which appears to be a rebranding of win.cuba.
wannacry
WannaCry ransomware is a cyber attack that spreads by exploiting vulnerabilities in the Windows operating system. At its peak in May 2017, WannaCry became a global threat. Cybercriminals used the ransomware to hold an organization's data hostage and extort money in the form of cryptocurrency. WannaCry spreads using EternalBlue, an exploit leaked from the National Security Agency (NSA). EternalBlue enables attackers to use a zero-day vulnerability to gain access to a system. It targets Windows computers that use a legacy version of the Server Message Block (SMB) protocol.
x001xs
X001xs is a low-profile ransomware group tracked on monitoring platforms with minimal public documentation, employing standard double-extortion tactics with no detailed technical analysis published by major vendors.