yanluowang |
https://www.ransomware.live/group/yanluowang |
offline |
None |
According to PCrisk, Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates a README.txt file containing a ransom note. It appends the .yanluowang extension to filenames. The cybercriminals behind Yanluowang target enterprises and organizations in the financial sector. Files encrypted by Yanluowang can be decrypted with this tool, which needs one original (unencrypted) file together with its encrypted copy as a reference: if that original file is larger than 3 GB, all files can be decrypted; if it is smaller than 3 GB, only files smaller than it can be decrypted. |
No Screenshot Available
|
xinof |
https://www.ransomware.live/group/xinof |
offline |
None |
|
No Screenshot Available
|
xinglocker |
https://www.ransomware.live/group/xinglocker |
offline |
None |
|
No Screenshot Available
|
x001xs |
https://www.ransomware.live/group/x001xs |
online |
None |
|
|
wannacry |
https://www.ransomware.live/group/wannacry |
offline |
None |
WannaCry is ransomware that spreads by exploiting a vulnerability in the Windows operating system. At its peak in May 2017 it became a global threat: criminals used it to hold organizations' data hostage and extort payment in cryptocurrency. WannaCry spreads using EternalBlue, an exploit leaked from the National Security Agency (NSA). EternalBlue targets Windows computers that expose a legacy version of the Server Message Block protocol (SMBv1). The underlying flaw was not a zero-day at the time of the outbreak: Microsoft had patched it in March 2017 (MS17-010), so the hosts hit were those still unpatched and reachable over SMBv1. |
No Screenshot Available
|
werewolves |
https://www.ransomware.live/group/werewolves |
online |
None |
|
|
vfokx |
https://www.ransomware.live/group/vfokx |
offline |
None |
|
No Screenshot Available
|
vendetta |
https://www.ransomware.live/group/vendetta |
offline |
None |
Ransomware that appears to be a rebranding of Cuba ransomware (tracked as win.cuba). |
No Screenshot Available
|
vanirgroup |
https://www.ransomware.live/group/vanirgroup |
online |
None |
|
|
ValenciaLeaks |
https://www.ransomware.live/group/ValenciaLeaks |
offline |
None |
|
No Screenshot Available
|
unsafe |
https://www.ransomware.live/group/unsafe |
offline |
None |
A group that appears to recycle leaks from other ransomware groups. |
No Screenshot Available
|
unknown |
https://www.ransomware.live/group/unknown |
offline |
None |
|
No Screenshot Available
|
underground |
https://www.ransomware.live/group/underground |
online |
None |
|
|
u-bomb |
https://www.ransomware.live/group/u-bomb |
offline |
None |
|
No Screenshot Available
|
vicesociety |
https://www.ransomware.live/group/vicesociety |
offline |
None |
Vice Society ransomware appends the .v-society extension when encrypting Linux machines. It runs a leak site on the dark web. Possible relations with |
No Screenshot Available
|
trisec |
https://www.ransomware.live/group/trisec |
offline |
None |
|
No Screenshot Available
|
trinity |
https://www.ransomware.live/group/trinity |
online |
None |
|
|
trigona |
https://www.ransomware.live/group/trigona |
offline |
None |
According to PCrisk, Trigona is ransomware that encrypts files and appends the ._locked extension to filenames. It also drops the how_to_decrypt.hta file, which opens a ransom note. An example of how Trigona renames files: it renames 1.jpg to 1.jpg._locked, 2.png to 2.png._locked, and so forth. It embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files. |
No Screenshot Available
|
toufan |
https://www.ransomware.live/group/toufan |
online |
None |
Pro-Palestinian Group |
|
termite |
https://www.ransomware.live/group/termite |
online |
None |
|
|
threeam |
https://www.ransomware.live/group/threeam |
offline |
None |
A new ransomware family identified by the name '3AM' or 'ThreeAM' in September 2023. The operation was observed by the Symantec team, which reported that a ransomware affiliate attempted to deploy another ransomware, LockBit, on the target network and then switched to 3AM when LockBit was blocked. Judging by the first victim published on its Tor-based website, the operation has been active since mid-August 2023. Source: https://github.com/crocodyli/ThreatActors-TTPs |
No Screenshot Available
|
suncrypt |
https://www.ransomware.live/group/suncrypt |
offline |
None |
|
No Screenshot Available
|
sugar |
https://www.ransomware.live/group/sugar |
offline |
None |
Ransomware, written in Delphi.
|
No Screenshot Available
|
synack |
https://www.ransomware.live/group/synack |
offline |
None |
|
No Screenshot Available
|
stormous |
https://www.ransomware.live/group/stormous |
offline |
None |
|
No Screenshot Available
|
sparta |
https://www.ransomware.live/group/sparta |
offline |
None |
|
No Screenshot Available
|
spook |
https://www.ransomware.live/group/spook |
offline |
None |
|
No Screenshot Available
|
spacebears |
https://www.ransomware.live/group/spacebears |
online |
None |
|
|
slug |
https://www.ransomware.live/group/slug |
offline |
None |
|
No Screenshot Available
|
shaoleaks |
https://www.ransomware.live/group/shaoleaks |
offline |
None |
|
No Screenshot Available
|
siegedsec |
https://www.ransomware.live/group/siegedsec |
offline |
None |
Not a ransomware group but a hacktivist group that appeared coincidentally days before Russia’s invasion of Ukraine |
No Screenshot Available
|
shadow |
https://www.ransomware.live/group/shadow |
offline |
None |
|
No Screenshot Available
|
SenSayQ |
https://www.ransomware.live/group/SenSayQ |
offline |
None |
|
No Screenshot Available
|
sarcoma |
https://www.ransomware.live/group/sarcoma |
online |
None |
|
|
snatch |
https://www.ransomware.live/group/snatch |
online |
None |
Snatch is ransomware that reboots the infected PC into Safe Mode before encrypting. Most security protections do not run in Safe Mode, so the malware can act without the expected countermeasures and encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.
|
|
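The Safe Mode trick described for Snatch above leaves a recognisable trail in process-creation telemetry. The following detection logic is an added example, not code from ransomware.live or from any vendor: it runs over a handful of constructed process-creation events and rates each host. The specific command lines it looks for (a `bcdedit ... safeboot minimal|network` change, a service registered under the `SafeBoot\Minimal` or `SafeBoot\Network` registry keys so it still starts in Safe Mode, and a forced reboot) are assumptions about how the technique is generally staged, not details taken from this page; the host names and commands in `EVENTS` are made up for the demo.

```python
"""Rate hosts for Safe Mode reboot staging, the technique in the Snatch entry above.

Added example; EVENTS is constructed telemetry and the command-line patterns are
assumptions about how Safe Mode staging is usually done, not facts from the page.
"""
import re
import shlex

# Constructed process-creation events: (host, parent_image, command_line).
EVENTS = [
    ("ws01", r"C:\Windows\explorer.exe",
     r'"C:\Windows\System32\bcdedit.exe" /set {current} safeboot minimal'),
    ("ws01", r"C:\Users\bob\update.exe",
     r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupSvc /ve /t REG_SZ /d Service /f"),
    ("ws01", r"C:\Users\bob\update.exe", r"shutdown /r /f /t 0"),
    ("ws02", r"C:\Windows\System32\cmd.exe", r"bcdedit /enum"),          # read-only, benign
    ("ws03", r"C:\Windows\System32\svchost.exe", r"msiexec /i setup.msi /qn"),
]

SAFEBOOT_BCD = re.compile(r"safeboot\s+(minimal|network)", re.I)
SAFEBOOT_REG = re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.I)


def _image_name(cmd):
    """Return the bare executable name from a Windows command line (quotes stripped)."""
    if not cmd.strip():
        return ""
    first = shlex.split(cmd, posix=False)[0].strip('"').lower()
    return first.rsplit("\\", 1)[-1]


def classify_event(cmd):
    """Map one command line to a technique tag, or None if it is uninteresting."""
    exe = _image_name(cmd)
    if exe in ("bcdedit", "bcdedit.exe"):
        if re.search(r"/set\b", cmd, re.I) and SAFEBOOT_BCD.search(cmd):
            return "bcd_safeboot_set"            # boots into Safe Mode next restart
        if re.search(r"/deletevalue\b", cmd, re.I) and re.search(r"safeboot", cmd, re.I):
            return "bcd_safeboot_cleared"        # cleanup after the fact
        return None                              # /enum and other read-only use
    if exe in ("reg", "reg.exe") and re.search(r"\badd\b", cmd, re.I) and SAFEBOOT_REG.search(cmd):
        return "safeboot_service_registered"     # payload allowed to run in Safe Mode
    if exe in ("shutdown", "shutdown.exe") and re.search(r"\s/r\b", cmd, re.I):
        return "forced_reboot"
    return None


def assess(events):
    """Group technique tags per host and rate the evidence: high / medium / low."""
    by_host = {}
    for host, _parent, cmd in events:
        tag = classify_event(cmd)
        if tag:
            by_host.setdefault(host, []).append(tag)
    verdicts = {}
    for host, tags in by_host.items():
        staged = "bcd_safeboot_set" in tags
        followed = "safeboot_service_registered" in tags or "forced_reboot" in tags
        if staged and followed:
            verdicts[host] = "high"      # boot changed AND persistence or reboot seen
        elif staged or "safeboot_service_registered" in tags:
            verdicts[host] = "medium"    # one half of the chain; a reboot alone is noise
        elif "bcd_safeboot_cleared" in tags:
            verdicts[host] = "low"       # someone undoing a Safe Mode flag is still worth a look
    return verdicts


if __name__ == "__main__":
    for host, rating in assess(EVENTS).items():
        print(f"{host}: {rating}")
```

A forced reboot on its own is never flagged, and `bcdedit /enum` is deliberately ignored, so the rule keys on the boot-configuration change rather than on the reboot itself; in a real deployment the same three tags would be correlated within a short time window per host.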
safepay |
https://www.ransomware.live/group/safepay |
offline |
None |
|
No Screenshot Available
|
sabbath |
https://www.ransomware.live/group/sabbath |
offline |
None |
|
No Screenshot Available
|
rransom |
https://www.ransomware.live/group/rransom |
offline |
None |
|
No Screenshot Available
|
rook |
https://www.ransomware.live/group/rook |
offline |
None |
According to PCrisk, Rook is ransomware (an updated variant of Babuk) that prevents victims from accessing/opening files by encrypting them. It also modifies filenames and creates a text file/ransom note (HowToRestoreYourFiles.txt). Rook renames files by appending the .Rook extension. For example, it renames 1.jpg to 1.jpg.Rook, 2.jpg to 2.jpg.Rook. |
No Screenshot Available
|
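Several entries on this page (Yanluowang, Trigona, Rook, Vice Society) give the appended file extension and, where known, the ransom-note filename. Those strings are the cheapest triage indicators an incident responder has, so here is a directory-tree scanner built on exactly that table. This is an added example, not code from ransomware.live: the indicator table is copied from the descriptions above, the sample tree it scans is constructed in a temporary directory, and the scoring rule (a family is "confirmed" on a distinctive ransom note or on at least five renamed files, "suspect" on fewer) is an assumption chosen for the demo. README.txt is treated as a weak indicator because benign copies are everywhere.

```python
"""Scan a directory tree for the extensions and ransom-note names listed on this page.

Added example, not from ransomware.live. INDICATORS is copied from the group
descriptions; the sample tree is constructed; the thresholds are assumptions.
"""
import os
import tempfile
from collections import Counter

# Indicators taken from the Yanluowang, Trigona, Rook and Vice Society entries above.
# generic_note marks a note name that is common on clean systems (README.txt).
INDICATORS = {
    "yanluowang":  {"extensions": (".yanluowang",), "notes": ("README.txt",), "generic_note": True},
    "trigona":     {"extensions": ("._locked",),    "notes": ("how_to_decrypt.hta",)},
    "rook":        {"extensions": (".Rook",),       "notes": ("HowToRestoreYourFiles.txt",)},
    "vicesociety": {"extensions": (".v-society",),  "notes": ()},
}


def classify(filename):
    """Return (family, 'encrypted'|'note') for a matching filename, else None.

    Extensions are matched case-sensitively (the families append a fixed string);
    note names case-insensitively, since filesystem case handling varies (assumption).
    """
    for family, ind in INDICATORS.items():
        for ext in ind["extensions"]:
            if filename.endswith(ext):
                return family, "encrypted"
        for note in ind["notes"]:
            if filename.lower() == note.lower():
                return family, "note"
    return None


def scan_tree(root):
    """Walk root and return {family: Counter({'encrypted': n, 'note': m})}."""
    hits = {}
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            res = classify(name)
            if res:
                family, kind = res
                hits.setdefault(family, Counter())[kind] += 1
    return hits


def verdict(hits, min_encrypted=5):
    """Rate each family: 'confirmed' on a distinctive note or >= min_encrypted renamed
    files, 'suspect' on a few renamed files. A generic note alone is not evidence."""
    out = {}
    for fam, c in hits.items():
        generic = INDICATORS[fam].get("generic_note", False)
        strong_note = c["note"] > 0 and (not generic or c["encrypted"] > 0)
        if strong_note or c["encrypted"] >= min_encrypted:
            out[fam] = "confirmed"
        elif c["encrypted"] > 0:
            out[fam] = "suspect"
    return out


def build_sample_tree():
    """Constructed sample: a Trigona-style hit, one stray .Rook file, a benign README.txt."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for i in range(1, 7):                                   # 1.jpg._locked ... 6.jpg._locked
        open(os.path.join(docs, f"{i}.jpg._locked"), "wb").close()
    open(os.path.join(docs, "how_to_decrypt.hta"), "wb").close()
    open(os.path.join(root, "old.bak.Rook"), "wb").close()  # single stray hit
    open(os.path.join(root, "README.txt"), "wb").close()    # benign, generic name
    open(os.path.join(root, "notes.txt"), "wb").close()     # benign
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = scan_tree(root)
    for fam, c in hits.items():
        print(f"{fam}: {dict(c)}")
    print(verdict(hits))
```

On the sample tree Trigona is confirmed (six renamed files plus its note), Rook is only suspect (one file, no note), and Yanluowang does not appear at all because a lone README.txt with no .yanluowang files carries no weight.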
revil |
https://www.ransomware.live/group/revil |
offline |
None |
The Sodinokibi ransomware group, also known as REvil (Ransomware Evil), operates a ransomware-as-a-service (RaaS) model. After compromising a victim, the group would threaten to publish the victim's sensitive data on its darknet blog, 'Happy Blog', unless the ransom was paid. The ransomware code used by REvil closely resembles that used by DarkSide, a different threat actor. REvil claimed to have stolen confidential schematics of upcoming Apple products after a successful attack on one of the tech giant's suppliers. |
No Screenshot Available
|