Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Vect
VECT is a RaaS group that launched its affiliate program in December 2025 with a five-tier revenue-sharing model and a formal partnership with BreachForums; its VECT 2.0 payload contains a critical encryption flaw that irreversibly destroys files larger than 128 KB rather than encrypting them.
Lockbit5
LockBit 5.0 ("ChuongDong") emerged in September 2025 as the group's resurgence following the February 2024 law enforcement takedown, introducing cross-platform payloads targeting Windows, Linux, and VMware ESXi with enhanced evasion capabilities and continuing the RaaS affiliate model of its predecessors.
Relic
Mortalkombat
Fletchen
Fletchen is primarily documented as a sophisticated infostealer-as-a-service written in Rust, targeting browser credentials, cryptocurrency wallets, and financial data, used by groups including Hunters International; its developer also advertises ransomware services on underground forums.
Donutleaks
Donut Leaks (D0nut) is a data-extortion group active since August 2022 that developed its own ransomware encryptor, linked to attacks on Greece's DESFA gas company and Continental, believed to be an affiliate of multiple RaaS operations who pivoted to running an independent extortion platform.
Mallox
This ransomware uses a combination of different crypto algorithms (ChaCha20, AES-128, Curve25519). The activity of this malware is dated to mid-June 2021. The extension of the encrypted files is set to the name of the compromised company: .<target_company>
Quicklock
Lynx
Lynx is a ransomware-as-a-service operation that emerged in mid-2024 as a rebrand of INC Ransomware (whose source code was sold for $300,000 on the RAMP forum), claiming ~300 victims across manufacturing, business services, technology, and transportation with an 80/20 profit split for affiliates.
Cyberex
Grinch
Inpivx
Superblack
Dark Power
Crazyhunter Team
Balletspistol
Phobos
Lynxr
Pysa
Mespinosa is a ransomware that encrypts files using asymmetric encryption and adds .pysa as the file extension. According to dissectingmalware, the extension "pysa" is probably derived from the Zanzibari Coin with the same name.
Fulcrumsec
FulcrumSec is a data extortion group active since approximately September 2025, specializing in high-speed exfiltration of cloud-hosted databases by exploiting unrotated API keys and misconfigured cloud permissions rather than deploying encryption, with known victims including Australian fintech youX and LexisNexis.
Cheers
Cheers is a Linux-based ransomware group that emerged in 2022, built on leaked Babuk source code and specializing in attacks against VMware ESXi servers, running a double-extortion leak site with four documented victims.
Avaddon
Avaddon is ransomware targeting Windows systems, often spread via malicious spam. The first known attack in which Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.
Solidbit
Ransomware, written in .NET.
Prometheus
Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.