Ransomware Groups

Track active ransomware operations, dark web infrastructure, and associated threat actors

661 Ransomware Groups

Good Day

1 site, 2024

Ep918

EP918 is a low-activity ransomware group listed in tracking databases with no confirmed victims and no publicly documented attacks or operational details.

1 site, 2021

Vurten

Malas

Malas is a lesser-documented ransomware group that maintains an active dark web presence; detailed information about its targets, victims, or operational model is limited in public reporting.

1 site, 2026

Cryptxxx

1 site, 2024

Rhysida

Rhysida is a ransomware-as-a-service (RaaS) group that emerged in May 2023. The group uses its namesake ransomware, gaining access to targets' networks through phishing and Cobalt Strike before deploying the payload.

The group threatens to publicly release exfiltrated data if the ransom is not paid. It is worth noting that Rhysida is still in the early stages of development.

The ransomware drops PDF ransom notes in the affected folders, instructing victims to contact the group through its portal; payment is made in Bitcoin.

After encryption, the ransomware appends the extension '.ryshida' to encrypted files.

Source: https://github.com/crocodyli/ThreatActors-TTPs

5 sites, 2026

Clearwater

1 site, 2026

Abrahams Ax

1 site, 2024

Blackshrantac

BlackShrantac is a ransomware group that emerged in late 2025, targeting organizations in manufacturing, financial services, technology, and the public sector globally. It combines double extortion with living-off-the-land techniques, abusing legitimate tools to disable defenses before encrypting files.

3 sites, 2026

Cuba

The Cuba ransomware, also known as ColdDraw, was first identified in the threat landscape in 2019 and built a relatively small but selective list of victims. The group is also known as Fidel ransomware because of a characteristic marker placed at the beginning of every encrypted file. This file marker signals to the ransomware and its decryptor that the file has already been encrypted.

Despite its name and the Cuban nationalist styling of its leak site, it is difficult to assert any connection or affiliation with the Republic of Cuba. Profero researchers linked the group to a Russian-speaking threat actor based on mistranslations they discovered, as well as a 404 page containing Russian text on the threat actor's own leak site.

According to BlackBerry, analysis of code strings from a campaign examined in 2023 indicated that the developer behind the Cuba ransomware speaks Russian.

The operators use a double extortion approach. According to US reporting, as of August 2022 the Cuba ransomware group was believed to have compromised 101 entities, demanding $145 million in ransom payments and receiving up to $60 million.

The group's TTPs have changed only slightly from year to year, generally consisting of LOLBins (executables that ship with the operating system and can be abused to support an attack), exploits, off-the-shelf and custom malware, and intrusion tools such as Cobalt Strike and Metasploit.

In 2022, the group allegedly developed a relationship with the operators of the Industrial Spy market, using that platform as a channel for leaking data.

Source: https://github.com/crocodyli/ThreatActors-TTPs

4 sites, 1 actor, 2022
Tropical Scorpius, RomCom

Ech0Raix

The QNAPCrypt ransomware works similarly to other ransomware, encrypting all files and delivering a ransom note. However, there are several important differences:

1. The ransom note is delivered solely as a text file, with no message displayed on screen; this is natural, because the target is a server rather than an endpoint.
2. Every victim is given a different, unique Bitcoin wallet, which could help the attackers avoid being traced.
3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control (C&C) server before encrypting files.

2 sites, 2023

Shadow

Shadow is a low-profile ransomware group tracked on ransomware monitoring platforms with limited public documentation; specific attribution details regarding its targets, origin, or scale remain sparse in published threat intelligence reports.

1 site, 2023

Mimic Guram

Nitrogen

Nitrogen began as a malware loader in 2023 used to deliver BlackCat/ALPHV ransomware, then evolved into a fully independent ransomware operator by mid-2024, operating its own strain derived from leaked Conti 2 builder code and conducting double-extortion attacks primarily linked to Eastern European infrastructure.

11 sites, 2024

Rancoz

Rancoz is a Windows-targeting ransomware strain first observed in November 2022 that appends the ".rec_rans" extension to encrypted files. It is considered a Vice Society copycat, has been deployed against a small number of organizations using double extortion, and is linked to the same developer as the "Buddy" ransomware.

1 site, 2023

Nasir Security

2 sites, 2026

Orca

Orca is a ransomware group that emerged in September 2024 and is identified as a variant of the Zeppelin malware family. It targets organizations in manufacturing and logistics across Taiwan, Tunisia, Austria, and France, and claims to avoid hospitals, government institutions, and non-profits.

1 site, 2026

Petya

2 sites, 2025

Malek Team

2 sites, 2024

Nullbulge

5 sites, 2024

Trinity

Trinity ransomware was first discovered in May 2024 and is believed to be a rebrand of the Venus/2023Lock variants. It uses ChaCha20 encryption and practices double extortion via a Tor leak site; the US HHS flagged it as a specific threat to the healthcare sector after confirmed attacks on healthcare organizations.

1 site, 2025

Key Group

Homeland

1 site, 2026

Cerbersyslock

Showing 97 - 120 of 661