robinhood |
https://www.ransomware.live/group/robinhood |
online |
None |
|
|
redransomware |
https://www.ransomware.live/group/redransomware |
offline |
None |
|
No Screenshot Available
|
redalert |
https://www.ransomware.live/group/redalert |
offline |
None |
|
No Screenshot Available
|
raznatovic |
https://www.ransomware.live/group/raznatovic |
offline |
None |
RANSOMED.VC aka Raznatovic |
No Screenshot Available
|
royal |
https://www.ransomware.live/group/royal |
offline |
None |
According to Trendmicro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of Conti Team One. |
No Screenshot Available
|
raworld |
https://www.ransomware.live/group/raworld |
online |
None |
RA Group, also known as RA World, first surfaced in April 2023, utilizing a custom variant of the Babuk ransomware. |
|
rhysida |
https://www.ransomware.live/group/rhysida |
online |
None |
Rhysida is a ransomware-as-a-service (RaaS) group that emerged in May 2023. The group utilizes a namesake ransomware through phishing attacks and Cobalt Strike to breach the targets' networks and deploy their payloads. The group threatens to publicly distribute exfiltrated data if the ransom is not paid, and it's worth mentioning that Rhysida is still in the early stages of development. The ransomware leaves PDF notes in the affected folders, instructing victims to contact the group through its portal, and payment is made via Bitcoin. After encryption, the ransomware appends the extension '.ryshida' to encrypted files. Source: https://github.com/crocodyli/ThreatActors-TTPs |
|
ranstreet |
https://www.ransomware.live/group/ranstreet |
offline |
None |
|
No Screenshot Available
|
ranzy |
https://www.ransomware.live/group/ranzy |
offline |
None |
Ranzy Locker was formerly known as ThunderX. The group hosts a data leak site on the darknet where it posts sensitive information of victims who do not pay the ransom. ThunderX was launched at the end of August 2020. Soon after launch, weaknesses were found in the code that allowed decrypting the files the malware had encrypted. The group fixed the code, published a new version and released it under the name Ranzy Locker. The Tor onion URL used by the Ranzy Leak site is the same as the one used by Ako Ransomware. The use of the same URL could indicate that both groups merged, or that they are cooperating similarly to the Maze cartel.
|
No Screenshot Available
|
ransomcortex |
https://www.ransomware.live/group/ransomcortex |
offline |
None |
|
No Screenshot Available
|
ransomed |
https://www.ransomware.live/group/ransomed |
offline |
None |
|
No Screenshot Available
|
ransomcartel |
https://www.ransomware.live/group/ransomcartel |
offline |
None |
|
No Screenshot Available
|
ramp |
https://www.ransomware.live/group/ramp |
online |
None |
|
|
ranion |
https://www.ransomware.live/group/ranion |
online |
None |
|
|
rancoz |
https://www.ransomware.live/group/rancoz |
offline |
None |
|
No Screenshot Available
|
ransomhouse |
https://www.ransomware.live/group/ransomhouse |
online |
None |
|
|
ragnarok |
https://www.ransomware.live/group/ragnarok |
offline |
None |
According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets by filtering on the system's Language ID. It also tries to disable Windows Defender and has a number of UNIX file path references in its strings. The encryption method is AES with a dynamically generated key, which is then wrapped using RSA.
|
No Screenshot Available
|
rabbithole |
https://www.ransomware.live/group/rabbithole |
offline |
None |
|
No Screenshot Available
|
ragnarlocker |
https://www.ransomware.live/group/ragnarlocker |
online |
None |
|
|
qlocker |
https://www.ransomware.live/group/qlocker |
offline |
None |
|
No Screenshot Available
|
qiulong |
https://www.ransomware.live/group/qiulong |
offline |
None |
|
No Screenshot Available
|
quantum |
https://www.ransomware.live/group/quantum |
offline |
None |
|
No Screenshot Available
|
prometheus |
https://www.ransomware.live/group/prometheus |
offline |
None |
Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.
|
No Screenshot Available
|
pysa |
https://www.ransomware.live/group/pysa |
offline |
None |
Mespinosa is ransomware that encrypts files using asymmetric encryption and adds .pysa as the file extension. According to dissectingmalware the extension |
No Screenshot Available
|
prolock |
https://www.ransomware.live/group/prolock |
offline |
None |
PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop. |
No Screenshot Available
|
projectrelic |
https://www.ransomware.live/group/projectrelic |
offline |
None |
|
No Screenshot Available
|
playboy |
https://www.ransomware.live/group/playboy |
offline |
None |
|
No Screenshot Available
|
ransomhub |
https://www.ransomware.live/group/ransomhub |
online |
None |
The group emerged in mid-February 2024 and has already listed several organizations as alleged victims of their attacks, resulting from extortion through encryption and data leaks. The announcement of the sale of the new Ransomware-as-a-Service (RaaS) by RansomHub was published on one of the Russian-origin forums used by cybercriminals to advertise malicious services, known as RAMP4U (or RAMP). A user with the nickname and persona of 'koley' announced the affiliate program on February 2, 2024. In the new RaaS announcement, it was mentioned that laundering the paid ransoms is the responsibility of the affiliate. This means that all communication and the sending of the decryptor to the victim are done through chat. The split of this RaaS would be 90% of the value for the affiliate and 10% for the developer, who in this case would be the persona of Koley. Furthermore, according to the publication, the ransomware payload is written in Golang, uses an asymmetric algorithm based on x25519, and the encryption algorithms AES256, ChaCha20, and xChaCha20, standing out for its speed. The encryption is obfuscated using AST. The payload would support network propagation and encryption of data both in secure and local mode. According to Koley, the ransomware is designed to operate on platforms such as Windows, Linux, and ESXi, as well as other architectures such as ARM and MIPS. As pointed out by the panel and already highlighted by the intelligence team, Koley stated that the panel uses a .onion domain, allowing the affiliate to organize and manage targets and chat rooms, view access logs, automatically respond when offline, and create private blog pages. Source: https://github.com/crocodyli/ThreatActors-TTPs |
|
payloadbin |
https://www.ransomware.live/group/payloadbin |
offline |
None |
|
No Screenshot Available
|
pay2key |
https://www.ransomware.live/group/pay2key |
offline |
None |
Pay2Key is ransomware that has been used by the threat actor Fox Kitten. The group seems to have operated since July 2020, targeting mainly Israeli companies. Pay2Key has a darknet leak site to publish stolen and sensitive information of their victims. Some of their victims: Intel - Habana Labs, IAI - Israel Aerospace Industries, Portnox - Network Security Solutions.
|
No Screenshot Available
|
qilin |
https://www.ransomware.live/group/qilin |
online |
None |
Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data. |
|
pandora |
https://www.ransomware.live/group/pandora |
offline |
None |
Pandora ransomware was obtained by vx-underground on 2022-03-14.
|
No Screenshot Available
|
onyx |
https://www.ransomware.live/group/onyx |
offline |
None |
|
No Screenshot Available
|
orca |
https://www.ransomware.live/group/orca |
online |
None |
|
|
onepercent |
https://www.ransomware.live/group/onepercent |
offline |
None |
|
No Screenshot Available
|
noname |
https://www.ransomware.live/group/noname |
offline |
None |
|
No Screenshot Available
|
nokoyawa |
https://www.ransomware.live/group/nokoyawa |
offline |
None |
|
No Screenshot Available
|
nitrogen |
https://www.ransomware.live/group/nitrogen |
online |
None |
|
|
nevada |
https://www.ransomware.live/group/nevada |
offline |
None |
|
No Screenshot Available
|
nightsky |
https://www.ransomware.live/group/nightsky |
offline |
None |
|
No Screenshot Available
|