Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Stormous
Stormous is an Arabic-speaking, pro-Russian ransomware and hacktivist group active since at least 2022, known for politically motivated attacks across 15+ countries, collaborating with GhostSec on the GhostLocker 2.0 RaaS platform and inheriting GhostSec's RaaS operations in mid-2024.
Vsop
Eruption
Arcrypter
Redalert
RedAlert (also called N13V) is a ransomware group first observed in July 2022 that targets both Windows and Linux VMware ESXi servers, encrypting virtual machine files using the NTRUEncrypt algorithm and accepting only Monero for payment, conducting double-extortion attacks against corporate networks.
Imn Crew
Blacksnake
Quoter
Tengu
Tengu is a RaaS operation first observed in October 2025, following a double-extortion model and using Living Off The Land Binaries (LOLBins) to blend malicious activity with normal admin traffic, primarily targeting consumer goods, real estate, automotive, healthcare, and IT sectors.
Cs 137
Axxes
Brotherhood
Brotherhood is a ransomware group that emerged in late 2025, targeting organizations in the US, Canada, and Australia across manufacturing, communications, and construction sectors, operating a Tor-based double-extortion leak site.
Blackout
Blackout is a ransomware group that first appeared in early 2024, initially claiming attacks against healthcare entities in Canada, France, and Germany before expanding to telecommunications, mining, and manufacturing sectors, operating a double-extortion model with a data leak site.
Onepercent
OnePercent Group is a cybercriminal operation active since at least November 2020 that targeted US organizations using phishing with IcedID trojans, Cobalt Strike, and double-extortion, threatening a "one percent leak" of data before escalating to a full dump or sale to REvil; the FBI issued a formal flash advisory in August 2021.
Rapture
Qilin
Qilin ransomware was first observed in July 2022. It is written in Golang and supports multiple encryption modes, all of which are controlled by the operator. Qilin actors practice double extortion, demanding payment for a decryptor as well as for the non-release of stolen data.
Muliaka
Crypto24
Crypto24 is a double-extortion ransomware-as-a-service group that surfaced on the RAMP forum in mid-2024, targeting large organizations in financial services, healthcare, manufacturing, and technology across Asia, Europe, and North America, with notable victims including CMC Group, Vietnam's second-largest ICT conglomerate.
Locus
Cactus
The CACTUS ransomware is said to have emerged around March 2023. The group became known for exploiting vulnerabilities to gain initial access and maintain a presence within the organization's infrastructure. There is little known information about the ransomware group, except that it emerged on the mentioned date and, following encryption, a text file named 'cAcTuS.readme.txt' would be created. Additionally, encrypted files were altered to the '.cts1' extension, and data exfiltration and victim extortion were conducted through the use of the service known as Tox. Source: https://github.com/crocodyli/ThreatActors-TTPs
Cyclops
Cyclops emerged in May 2023 as a cross-platform RaaS operation targeting Windows, macOS, and Linux systems; it rebranded as "Knight" in August 2023 and its codebase was ultimately sold, with affiliates largely migrating to RansomHub.
Money Message
Lv
The LV ransomware group's main message: "Here are companies which didn't meet consumer data protection obligations. They rejected to fix their mistakes, they rejected to protect this data in the case when they could and had to protect it. These companies preferred to sell their private information, their employees' and customers' personal data". Security researchers claim that the LV group is utilizing the REvil ransomware group's malware. The LV group claims to have compromised the corporate network of Groupe Reorev.
Dan0N
dAn0n emerged in early 2024 operating a RaaS model, rapidly claiming 13 victims in May 2024 alone, predominantly targeting US-based organizations in business services and filling the vacuum left by disruptions to LockBit and BlackCat/ALPHV.