Ransomware Groups
Track active ransomware operations, dark web infrastructure, and associated threat actors
Zeta Leaks
Zerolockersec
ZeroLockerSec is a small ransomware group with very limited public documentation that became inactive by Q2 2025 with no recorded leak posts, suggesting a brief operational period before going dormant.
Babuk Locker
Orion
Orion is a ransomware operation first observed in October 2025 that listed 13 alleged victims on a dark web leak site across financial services, manufacturing, and healthcare, though analysts determined its victim list was recycled from prior LockBit and BlackCat disclosures rather than fresh compromises.
Midas
Midas is written in C# and is a variant of the Thanos ransomware family; it emerged in October 2021 and is obfuscated with SmartAssembly. In 2022, ThreatLabz analysed an incident in which Midas ransomware was deployed slowly over a two-month period (Zscaler). The ransomware also operates its own data leak site as part of its double-extortion strategy.
Arcane
Nemty
Nemty is a ransomware family that was discovered in September 2019. Fortinet states that it found Nemty being distributed in ways similar to Sodinokibi, and also noted artifacts it had seen before in GandCrab.
Octovillan
Providence
Himalayaa
N3Tworm
The N3tw0rm ransomware group is linked to Iran by many security researchers, especially because the group targets only Israeli companies. Like other ransomware groups, N3tw0rm operates a data leak site on the darknet. Given the low ransom prices the group requested and its lack of response to negotiations, some security researchers believe that N3tw0rm's main goal is to sow chaos against Israeli interests rather than to make a profit.
Play
Initially observed in June 2022, the Play ransomware (a.k.a. PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its initial access methods are similar to those of other ransomware families, including phishing, services exposed to the Internet, and compromised valid accounts.
On April 19, 2023, the security company Symantec published details of two new tools developed by the Play group. These tools allow the threat actor to enumerate and exfiltrate data from the internal network. The post states: 'Play threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Service. The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the information in .CSV files that are compressed into a .ZIP file for later manual exfiltration by threat actors.'
Source: https://github.com/crocodyli/ThreatActors-TTPs
Krypt
Groove
Groove emerged in mid-2021 as a loose criminal collective linked to former Babuk gang members, known for publicly leaking Fortinet VPN credentials to attract affiliates and calling for attacks on US government and financial targets; the group later claimed its entire operation was a hoax to mislead security researchers.
Synack
SynAck is a sophisticated ransomware operation first spotted in 2017, known for using hybrid ECIES encryption and the Doppelganging process injection technique to evade detection; in August 2021 the group rebranded as El_Cometa, transitioning to a full RaaS model and releasing master decryption keys for prior victims.
Jigsaw
Sensayq
SenSayQ is an emerging ransomware actor that appeared in mid-2024 using a leaked LockBit 3.0 builder for double-extortion attacks; Group-IB links it operationally to the Brain Cipher group and its siblings EstateRansomware and "Noname," suggesting a shared operator.
Haron
Haron appeared in July 2021 as a ransomware-as-a-service operation heavily borrowing from the defunct Avaddon ransomware (copying ransom notes and leak site structure) and built on the Thanos ransomware builder, targeting enterprise organizations with a six-day negotiation window.
Rtm Locker
Grep
Waissbein
Fsteam
A possible new leak site was posted to a forum on November 20th, 2022; no victims are listed at present. It is unclear whether it belongs to a ransomware or an extortion group.
Ralord
RALord is a ransomware group identified in March 2025 operating within the NOVA RaaS platform, targeting healthcare, education, hospitality, and IT sectors across multiple continents, using a Rust-based payload with an 85/15 affiliate revenue split; it later rebranded as "Nova."