Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
ZeroTolerance
ZeroTolerance is a low-profile ransomware group tracked on monitoring platforms with no detailed threat actor profiles, technical analysis, or named victim reports published by major threat intelligence vendors.
NetRunner
NetRunner is a ransomware group active from at least 2025 targeting diverse sectors including healthcare, telecommunications, manufacturing, and agriculture across Japan, Italy, the US, and Jordan, notably demanding a $100M ransom from Nippon Medical School Musashi Kosugi Hospital.
Threatmarket
Krybit
Krybit is an emerging RaaS group that launched in late March 2026, offering affiliates an 80/20 revenue split with support for Windows, Linux, ESXi, and NAS device encryption, and became notable for a public feud with rival group 0APT in which each breached and leaked the other's operator data.
Leak Bazaar
Audit Team
Blackwater
Blackwater is a ransomware group that first surfaced in early 2026, combining file encryption with data theft and targeting healthcare organizations, with known victims including Minidoka Memorial Hospital in Idaho.
Lamashtu
Lamashtu is an extortion group that first appeared in April 2026, claiming attacks against organizations in France, Romania, and Thailand across energy, pharmaceutical, and film sectors; it has not yet been confirmed as operating actual file-encrypting ransomware rather than pure data-theft extortion.
Nblock
Zetarink
TiMc
TiMc is a ransomware group that emerged in early 2026, claiming high-impact attacks against Spanish IT services leader Seidor (1 TB+ data) and oncology organization Oncologica (100 GB+), targeting Business Services, Healthcare, and IT sectors with a focus on Spanish-speaking and European targets.
ALP-001
⚠️ The group appears unreliable. Most, if not all, of its alleged victims cannot be verified. We have decided to remove entries for this group.
Prinz Eugen
Aurora
Aurora is a ransomware group associated with a multi-purpose Go-based malware distributed by multiple criminal teams from mid-2022, also sold as an infostealer/botnet under the same name on underground forums.
Wa
Antefrigus
Gr33Nbl00D
M3Rx
M3rx is a small ransomware group first observed in 2025, using AES-CTR/AES-GCM encryption and targeting organizations in England, the US, Australia, Germany, Italy, and Switzerland, with around eight claimed victims including a Sydney-based property firm.
MNT6
MNT6 is a lower-profile ransomware group claiming victims across legal, manufacturing, construction, healthcare, and logistics sectors in the US, Canada, New Zealand, and Spain, with notable claimed targets including Silfab Solar; some victim listings have been flagged as potentially unverified.
AuditTeam
AuditTeam is a small ransomware group with approximately 5 known victims, primarily targeting organizations in East and Southeast Asia across technology and manufacturing sectors, operating a data leak site consistent with double-extortion methodology.
CMDOrganization
CMD is a new kind of company that specializes in corporate system security and in identifying vulnerabilities across all aspects of the software used by a company. CMD operates on a global scale, recognizing the critical importance of timeliness and confidentiality.
ESXiArgs
ESXiArgs is a ransomware campaign that emerged in February 2023, targeting VMware ESXi servers by exploiting the CVE-2021-21974 vulnerability. It encrypts virtual machine configuration files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, .vmem), rendering VMs inaccessible. The campaign compromised thousands of unpatched servers globally, primarily affecting European organizations. A decryptor was later released by CISA and the FBI.