Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Space Bears
Gunra
Gunra is a financially motivated ransomware group that emerged in April 2025, using double-extortion tactics against real estate, pharmaceuticals, and manufacturing sectors across Japan, Egypt, Panama, Italy, and Argentina, deploying separate Windows and Linux variants with a strict five-day payment deadline.
Suncrypt
SunCrypt is a RaaS operation first observed in October 2019, notable for pioneering triple extortion (encryption, data publication threats, and DDoS attacks on non-paying victims), operating a small, closed affiliate program and partnering with TrickBot for initial access.
Jo Of Satan
Arvinclub
Arvin Club is a threat actor with hacktivist leanings that first appeared in May 2021, primarily publishing stolen data via a TOR site and Telegram rather than deploying file-encrypting ransomware, targeting government, education, and banking sectors globally including Iranian government entities.
Playboy
PlayBoy Locker is a ransomware-as-a-service operation that emerged in September 2024, targeting Windows, NAS, and ESXi systems across multiple sectors on an 85/15 affiliate revenue split; its source code was reportedly sold underground by late 2024.
Zircon
Weaxor
Telegram
Bluesky
BlueSky is a financially motivated ransomware group active from mid-2022 into early 2023, using multi-threaded ChaCha20/Curve25519 encryption for fast file locking on Windows hosts. Its code overlaps significantly with Conti v2/v3 and Babuk, and it is attributed with high confidence to Russian-origin threat actors.
Malphas
Ghost
Evolution
Toufan
Pro-Palestinian Group
Cryptnet
According to OALabs, this ransomware has the following features:
* Files are encrypted with AES CBC using a generated 256-bit key and IV.
* The generated AES keys are encrypted using a hard-coded RSA key and appended to the encrypted files.
Diavol
A ransomware with potential ties to Wizard Spider.
Noescape
NoEscape was a RaaS operation active from May to December 2023 believed to be a rebrand of the defunct Avaddon ransomware, targeting professional services, manufacturing, and healthcare with triple-extortion capabilities (encryption, data theft, and optional DDoS), before abruptly shutting down in an apparent exit scam.
Ragnarlocker
Ragnar Locker was an elite ransomware group active from December 2019 to October 2023 that targeted large enterprises and critical infrastructure — including Capcom and Campari — claiming at least 168 victims before being taken down by a Europol-led international law enforcement operation in October 2023.
Doppelpaymer
Doppelpaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark file extension it adds to encrypted files, .doppeled, and by the note file it creates, named ".how2decrypt.txt".
Frozen
Mcrypt2019
Kawa
Cry0
Cry0 is a ransomware-as-a-service operation that recruits affiliates via underground forums, using a Rust-written payload with blockchain-based (Internet Computer Protocol) negotiation infrastructure to resist law enforcement takedowns and offering affiliates a 90/10 revenue split.