Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Ailock
AiLock is a ransomware operation that emerged in early 2025, marketing itself as AI-assisted ransomware using a hybrid ChaCha20/NTRUEncrypt encryption scheme and double-extortion tactics, actively recruiting affiliates and threatening regulatory reporting if ransoms are unpaid.
Darkhav0C
Ako
A Windows ransomware that runs certain tasks to prepare the target system for file encryption. MedusaLocker avoids executable files, probably so that the targeted system remains usable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.
Naga
Cryptbb
CryptBB is a ransomware group with likely Russian origins active around 2023, whose payload appends random extensions to encrypted files and whose data leak site copied 8Base's source code, listing approximately 8 victims as of September 2023.
The Gentlemen
Datacarry
DataCarry is a ransomware and data-extortion operation first observed in May 2025, operating a double-extortion model with a Tor-hosted leak portal and claiming victims across insurance, healthcare, aerospace, legal, and retail sectors in at least six countries.
Mount Locker
Bytesfromheaven
Leaknet
Sarcoma
Sarcoma is a ransomware group that debuted in October 2024, immediately ranking among the top three most active groups globally and surpassing 116 documented victims by mid-2025, targeting mid-market companies across manufacturing, retail, healthcare, legal, and business services with roughly 50% of victims in the United States.
Obscura
Obscura is a ransomware strain observed in 2025, written in Go and specifically targeting Windows domain controllers via the SYSVOL/NETLOGON share, using Curve25519 + XChaCha20 encryption with double-extortion tactics and a 10-day payment deadline.
A1Project
Alp 001
Sphinx
Werewolves
WereWolves is a Russian-speaking ransomware group that emerged in May 2023, using a modified LockBit 3 (Black) encryptor, operating an unusual public website that actively recruits new members and offers a bug-bounty program with rewards up to $1 million, with at least 26 victims across Russia, the US, and Europe.
Blackhunt
Hellokitty
Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.
Dharma
Lsd
Dunghill
Dunghill Leak is the data extortion site operated by the Dark Angels ransomware group, active since early 2023, targeting large enterprises across healthcare, finance, industrial, and technology sectors using a highly selective non-affiliate model, and responsible for a record-breaking $75 million ransom payment in 2024.
Nova
Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims’ files and uses double-extortion tactics to pressure organizations into paying for decryption and data non-disclosure.