Ransomware Intelligence & Incident Response
Search ransomware groups, view attack tactics mapped to MITRE ATT&CK, analyze IOCs, and access recovery guidance for your incident response team.
Active Groups: 13 | IOCs Tracked: 32 | MITRE Tactics: 36 | Groups Profiled: 15
MITRE ATT&CK Insights
Attack framework intelligence mapped across tactics and threat groups
Data Encrypted for Impact (T1486)
Phishing (T1566)
Command and Scripting Interpreter (T1059)
Exploit Public-Facing Application (T1190)
Valid Accounts (T1078)
Active Ransomware Groups
Currently tracked threat actors with recent activity
LockBit is a Ransomware-as-a-Service (RaaS) operation that has been one of the most prolific ransomware groups globally. Known for its fast encryption speed and double extortion tactics, LockBit operates an affiliate program and maintains a leak site for publishing stolen data.
BlackCat/ALPHV is a sophisticated Ransomware-as-a-Service operation written in Rust, making it cross-platform capable. Known for triple extortion tactics including data encryption, data theft threats, and DDoS attacks.
Cl0p is a ransomware operation known for exploiting zero-day vulnerabilities in file transfer solutions like MOVEit, GoAnywhere, and Accellion FTA. They focus heavily on data theft and extortion without always deploying encryption.
Black Basta emerged in 2022 and is believed to be comprised of former Conti ransomware members. They use QakBot and other malware for initial access and are known for rapid encryption.
Royal ransomware is operated by experienced threat actors, potentially former Conti members. They use callback phishing and target critical infrastructure.
Akira is a ransomware operation that emerged in March 2023 with a retro 1980s-themed leak site. The group primarily targets small to medium businesses and has been linked to the now-defunct Conti ransomware gang. They employ double extortion tactics and have shown rapid growth.
Play ransomware (also known as PlayCrypt) emerged in mid-2022 and has targeted numerous organizations including critical infrastructure. The group is known for exploiting ProxyNotShell vulnerabilities and other Exchange Server flaws.
Rhysida is a ransomware group that emerged in May 2023 and has quickly become a significant threat, particularly to the healthcare and education sectors. They operate a leak site and use double extortion tactics.
BianLian is a ransomware group written in Go that shifted from encryption-based attacks to pure data extortion in early 2023 after a decryptor was released. They focus on exfiltrating data and threatening publication.
Medusa is a ransomware group that operates both as standalone attacks and through an affiliate RaaS model. They are known for their aggressive negotiation tactics and have a leak site called 'Medusa Blog'.
8Base is a ransomware group that rose to prominence in mid-2023 (its earliest activity dates to 2022) and rapidly became one of the most active threat actors. They use a modified version of Phobos ransomware and target small to medium businesses.
Cactus ransomware is known for its unique self-encryption technique to evade detection. The ransomware encrypts itself to avoid antivirus detection and exploits VPN appliance vulnerabilities for initial access.
INC Ransom is a ransomware operation that emerged in mid-2023, known for exploiting Citrix NetScaler vulnerabilities (Citrix Bleed) and targeting healthcare organizations. They operate a leak site and use double extortion.
Isolate Affected Systems
Disconnect compromised systems from the network immediately: disable the switch port or VLAN, use EDR network containment, or pull the cable and disable Wi-Fi. Do not power off or reboot: volatile memory may hold running processes, network connections, and in some cases encryption keys that are lost on shutdown.
Activate Incident Response Team
Notify your IR team, management, and relevant stakeholders. Consider engaging external IR support.
Preserve Evidence
Capture memory first, then create forensic disk images of affected systems; hash every image and record who handled it and when. Preserve the ransom note, logs from firewalls, VPN appliances, and identity providers, and document all observations with timestamps.
Block Known IOCs
Update firewall, DNS, proxy, and EDR blocklists with known indicators of compromise (IP addresses, domains, file hashes). Match the same indicators against retained logs so that blocking and scoping use one list.
Assess Scope of Compromise
Identify all affected systems, accounts, and data. Determine the initial access vector if possible, and check for evidence of data exfiltration, since most groups listed above extort on stolen data as well as encryption.
Secure Backups
Take backups offline or confirm they are immutable, and ensure backup servers and credentials are not reachable from compromised networks. Verify backup integrity, confirm the latest clean copy predates the intrusion rather than the encryption, and test restores on isolated hosts before reconnecting anything.
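The steps above are easier to act on with one script that takes the IOC list, checks it against retained logs, reports which hosts touched an indicator (scope), and emits block rules. The following is an added example and not code from the original page: the IOC feed and log lines are constructed (RFC 5737 addresses, .example domains), the key=value log format is assumed, and the iptables and dnsmasq rule syntax is one way to express the blocks; adapt the output to your own perimeter and DNS tooling.

```python
"""Match an IOC list against log lines, list affected hosts, and emit block rules.

Added example, not part of the original page. IOC values, log lines and the
key=value log format are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC feed in the "defanged" form many sharing platforms use.
RAW_IOCS = [
    ("ip", "203[.]0[.]113[.]45"),
    ("ip", "198.51.100.7"),
    ("ip", "not-an-ip"),  # malformed entry: must be rejected, not turned into a rule
    ("domain", "update-checker[.]example"),
    ("domain", "cdn.payload.example"),
    ("sha256", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"),
]

# Constructed firewall / DNS / EDR log lines: timestamp followed by key=value fields.
LOG_LINES = [
    "2024-05-02T10:14:03Z src=10.0.0.21 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-02T10:14:09Z src=10.0.0.21 dns=update-checker.example action=allow",
    "2024-05-02T10:15:40Z src=10.0.0.33 dst=198.51.100.7 dport=445 action=allow",
    "2024-05-02T10:16:00Z src=10.0.0.44 dst=192.0.2.10 dport=80 action=allow",
    "2024-05-02T10:17:12Z src=10.0.0.33 file=C:\\Users\\Public\\x.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

# Which log field carries each IOC type (assumed log schema).
FIELD_FOR_TYPE = {"ip": "dst", "domain": "dns", "sha256": "sha256"}
KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    host: str
    ioc_type: str
    value: str


def refang(value: str) -> str:
    """Undo common defanging: 203[.]0[.]113[.]45 -> 203.0.113.45, hxxp -> http."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def is_valid(ioc_type: str, value: str) -> bool:
    """Reject entries that would produce broken or overly broad rules."""
    if ioc_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if ioc_type == "domain":
        return re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value) is not None
    if ioc_type == "sha256":
        return re.fullmatch(r"[0-9a-f]{64}", value) is not None
    return False


def normalize_iocs(raw):
    """Refang, lower-case and validate; returns ({type: set(values)}, rejected entries)."""
    iocs = {t: set() for t in FIELD_FOR_TYPE}
    rejected = []
    for ioc_type, value in raw:
        v = refang(value.strip()).lower()
        if is_valid(ioc_type, v):
            iocs[ioc_type].add(v)
        else:
            rejected.append((ioc_type, value))
    return iocs, rejected


def parse_line(line: str):
    """Split a constructed log line into (timestamp, {field: value})."""
    ts, _, rest = line.partition(" ")
    return ts, dict(KV.findall(rest))


def match_iocs(lines, iocs):
    """Return one Hit per log field whose value is a known indicator."""
    hits = []
    for line in lines:
        ts, fields = parse_line(line)
        host = fields.get("src", "?")
        for ioc_type, field in FIELD_FOR_TYPE.items():
            v = fields.get(field, "").lower()
            if v and v in iocs[ioc_type]:
                hits.append(Hit(ts, host, ioc_type, v))
    return hits


def affected_hosts(hits):
    """Scope: every source host that contacted or executed an indicator."""
    return sorted({h.host for h in hits})


def block_rules(iocs):
    """iptables egress drops for IPs and dnsmasq sinkhole entries for domains.
    Hashes are not emitted here; they belong in the EDR hash blocklist."""
    rules = [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(iocs["ip"])]
    rules += [f"address=/{d}/0.0.0.0" for d in sorted(iocs["domain"])]
    return rules


if __name__ == "__main__":
    iocs, rejected = normalize_iocs(RAW_IOCS)
    hits = match_iocs(LOG_LINES, iocs)
    print("rejected IOC entries:", rejected)
    for h in hits:
        print(f"{h.timestamp} {h.host} matched {h.ioc_type} {h.value}")
    print("affected hosts:", affected_hosts(hits))
    print("\n".join(block_rules(iocs)))
```

Validation before rule generation matters: a malformed indicator silently becomes an invalid or overly broad firewall rule, and a hash in the wrong case never matches. Hashes deliberately produce no network rule, since they are only useful in the EDR or file-integrity layer.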
Important
Do not pay the ransom without consulting legal counsel and law enforcement. Payment does not guarantee data recovery and may fund criminal operations. Report incidents to FBI IC3, CISA, or your local authorities.
