Ransomware Groups

| Group Name | Group Link | Activity Status | Last Known Activity Date | Description | Screenshot |
|---|---|---|---|---|---|
| abrahams_ax | https://www.ransomlook.io/group/abrahams_ax | offline | 2024-02-09 | N/A | Screenshot |
| adminlocker | https://www.ransomlook.io/group/adminlocker | offline | Never | N/A | No Screenshot Available |
| agl0bgvycg | https://www.ransomlook.io/group/agl0bgvycg | offline | 2024-06-27 | N/A | Screenshot |
| ako | https://www.ransomlook.io/group/ako | offline | 2021-05-01 | N/A | No Screenshot Available |
| aztroteam | https://www.ransomlook.io/group/aztroteam | offline | 2021-05-01 | N/A | No Screenshot Available |
| avos | https://www.ransomlook.io/group/avos | offline | 2021-05-01 | N/A | No Screenshot Available |
| 24rc | https://www.ransomlook.io/market/24rc | offline | 2024-11-20 | N/A | No Screenshot Available |
| mega | https://www.ransomlook.io/market/mega | offline | 2024-11-20 | N/A | No Screenshot Available |
| рамп | https://www.ransomlook.io/market/рамп | offline | 2024-11-20 | N/A | No Screenshot Available |
| xleet | https://www.ransomlook.io/market/xleet | offline | 2024-11-20 | N/A | No Screenshot Available |
| matanga | https://www.ransomlook.io/market/matanga | offline | 2024-11-20 | N/A | No Screenshot Available |
| winxxx | https://www.ransomlook.io/market/winxxx | offline | 2024-11-20 | N/A | No Screenshot Available |
| 0mega | https://www.ransomware.live/group/0mega | online | None | | Screenshot |
| whm market | https://www.ransomlook.io/market/whm%20market | offline | 2024-03-08 | N/A | No Screenshot Available |
| weedcat | https://www.ransomlook.io/market/weedcat | offline | 2024-11-20 | N/A | No Screenshot Available |
| wayaway | https://www.ransomlook.io/market/wayaway | offline | 2024-11-20 | N/A | No Screenshot Available |
| volna | https://www.ransomlook.io/market/volna | offline | 2024-11-20 | N/A | No Screenshot Available |
| vice city | https://www.ransomlook.io/market/vice%20city | offline | 2023-08-27 | N/A | No Screenshot Available |
| unicc | https://www.ransomlook.io/market/unicc | offline | 2024-11-20 | N/A | No Screenshot Available |
| ultimate shop | https://www.ransomlook.io/market/ultimate%20shop | offline | 2024-11-20 | N/A | No Screenshot Available |
| tornet | https://www.ransomlook.io/market/tornet | offline | 2024-11-20 | N/A | No Screenshot Available |
| dread | https://www.ransomware.live/group/dread | online | None | | Screenshot |
| dragonforce | https://www.ransomware.live/group/dragonforce | online | None | | Screenshot |
| aGl0bGVyCg | https://www.ransomware.live/group/aGl0bGVyCg | offline | None | | No Screenshot Available |
| crosslock | https://www.ransomware.live/group/crosslock | offline | None | | No Screenshot Available |
| cyclops | https://www.ransomware.live/group/cyclops | offline | None | | No Screenshot Available |
| darkleakmarket | https://www.ransomware.live/group/darkleakmarket | online | None | | Screenshot |
| avoslocker | https://www.ransomware.live/group/avoslocker | offline | None | | No Screenshot Available |
| cuba | https://www.ransomware.live/group/cuba | offline | None | The Cuba ransomware, also known as Colddraw ransomware, was first identified in the threat landscape in 2019 and built a relatively small but selected list of victims. The group is also known as Fidel ransomware, due to a characteristic marker placed at the beginning of every encrypted file; this marker tells the ransomware and its decryptor that the file has already been encrypted. Despite its name and the Cuban nationalist style of its leak site, it is difficult to assert any connection or affiliation with the Republic of Cuba. Profero researchers linked the group to a Russian-speaking threat actor based on translation mistakes they discovered and on a 404 page containing Russian text on the actor's own leak site. According to BlackBerry, code strings from the campaign analysed in 2023 indicated that the developer behind the Cuba ransomware speaks Russian. The operators use a double extortion approach; according to the US, in August 2022 the group was believed to have compromised 101 entities, demanding $145 million in ransom payments and receiving up to $60 million. The group uses a similar set of TTPs each year, with only slight changes: LOLBins (executables that are part of the operating system and can be abused to support an attack), exploits, off-the-shelf and custom malware, and intrusion tools such as Cobalt Strike and Metasploit. In 2022, the group allegedly developed a relationship with operators of the Industrial Spy market, using that platform to leak stolen data. Source: https://github.com/crocodyli/ThreatActors-TTPs | No Screenshot Available |
| doppelpaymer | https://www.ransomware.live/group/doppelpaymer | offline | None | Doppelpaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark extension it appends to encrypted files: .doppeled. It also creates a note file named: | No Screenshot Available |
| diavol | https://www.ransomware.live/group/diavol | offline | None | A ransomware with potential ties to Wizard Spider. | No Screenshot Available |
| donutleaks | https://www.ransomware.live/group/donutleaks | online | None | | Screenshot |
| hellcat | https://www.ransomware.live/group/hellcat | offline | None | | No Screenshot Available |
| karakurt | https://www.ransomware.live/group/karakurt | offline | None | | No Screenshot Available |
| kairos | https://www.ransomware.live/group/kairos | online | None | | Screenshot |
| lolnek | https://www.ransomware.live/group/lolnek | offline | None | | No Screenshot Available |
| solidbit | https://www.ransomware.live/group/solidbit | offline | None | Ransomware written in .NET. | No Screenshot Available |
| ransomexx | https://www.ransomware.live/group/ransomexx | online | None | RansomExx is a ransomware family that has targeted multiple companies since mid-2020. It shares commonalities with Defray777. | Screenshot |
| zerotolerance | https://www.ransomware.live/group/zerotolerance | offline | None | | No Screenshot Available |
| zeon | https://www.ransomware.live/group/zeon | offline | None | | No Screenshot Available |