netwalker |
https://www.ransomware.live/group/netwalker |
offline |
None |
NetWalker ransomware group operates by the threat actor known as |
No Screenshot Available
|
play |
https://www.ransomware.live/group/play |
online |
None |
Initially observed in June 2022, the Play ransomware (a.k.a. PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its initial access methods are similar to those of other ransomware families: phishing, services exposed to the Internet, and compromised valid accounts. On April 19, 2023, the security company Symantec published research describing two new tools developed by the Play group. These tools allow the malicious actor to enumerate and exfiltrate data from the internal network. The post mentions the following: 'Play threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Service. The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the information in .CSV files that are compressed into a .ZIP file for later manual exfiltration by threat actors.' Source: https://github.com/crocodyli/ThreatActors-TTPs |
|
nemty |
https://www.ransomware.live/group/nemty |
offline |
None |
Nemty is a ransomware that was discovered in September 2019. Fortinet states that it was distributed in similar ways to Sodinokibi, and also noted artifacts they had seen before in GandCrab.
|
No Screenshot Available
|
n3tworm |
https://www.ransomware.live/group/n3tworm |
offline |
None |
The N3tw0rm ransomware group is linked to Iran by many security researchers, particularly because the group targets only Israeli companies. Like other ransomware groups, N3tw0rm has a data leak site on the darknet. Because of the low ransom prices the group requested and its lack of response to negotiations, some security researchers believe that the N3tw0rm group's main goal is to sow chaos against Israeli interests rather than to make a profit.
|
No Screenshot Available
|
nefilim |
https://www.ransomware.live/group/nefilim |
offline |
None |
According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. One difference is the removal of the RaaS component, which was replaced by email communication for payments. It uses AES-128 for file encryption; the AES key is then protected with RSA-2048.
|
No Screenshot Available
|
noescape |
https://www.ransomware.live/group/noescape |
offline |
None |
|
No Screenshot Available
|
mount-locker |
https://www.ransomware.live/group/mount-locker |
offline |
None |
|
No Screenshot Available
|
mydecryptor |
https://www.ransomware.live/group/mydecryptor |
offline |
None |
|
No Screenshot Available
|
mosesstaff |
https://www.ransomware.live/group/mosesstaff |
online |
None |
Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data. |
|
monti |
https://www.ransomware.live/group/monti |
online |
None |
|
|
mindware |
https://www.ransomware.live/group/mindware |
offline |
None |
Ransomware, potential rebranding of win.sfile.
|
No Screenshot Available
|
midas |
https://www.ransomware.live/group/midas |
offline |
None |
This malware, written in C#, is a variant of the Thanos ransomware family. It emerged in October 2021 and is obfuscated using SmartAssembly. In 2022, ThreatLabz (Zscaler) analysed an incident in which Midas ransomware was slowly deployed over a two-month period. This ransomware also operates its own data leak site as part of its double extortion strategy.
|
No Screenshot Available
|
moneymessage |
https://www.ransomware.live/group/moneymessage |
online |
None |
|
|
mogilevich |
https://www.ransomware.live/group/mogilevich |
offline |
None |
|
No Screenshot Available
|
medusalocker |
https://www.ransomware.live/group/medusalocker |
online |
None |
Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.
|
|
metaencryptor |
https://www.ransomware.live/group/metaencryptor |
offline |
None |
|
No Screenshot Available
|
mbc |
https://www.ransomware.live/group/mbc |
offline |
None |
|
No Screenshot Available
|
marketo |
https://www.ransomware.live/group/marketo |
offline |
None |
|
No Screenshot Available
|
maze |
https://www.ransomware.live/group/maze |
offline |
None |
The Maze ransomware group is one of the best-known ransomware gangs; it targeted organizations worldwide across many industries. Security researchers believe that Maze operated under an affiliate network model. MAZE was one of the first groups to carry out a 'Double Extortion Attack': in November 2019, in the incident involving Allied Universal, the group leaked its victim's data on the darknet. On November 1, 2020, MAZE announced in an official press release that it was closing its operation. Security researchers claim that the threat actor behind the MAZE group is 'TA2101'. |
No Screenshot Available
|
malekteam |
https://www.ransomware.live/group/malekteam |
online |
None |
|
|
mallox |
https://www.ransomware.live/group/mallox |
online |
None |
This ransomware uses a combination of different crypto algorithms (ChaCha20, AES-128, Curve25519). The activity of this malware dates back to mid-June 2021. The extension of the encrypted files is set to the name of the compromised company: .<target_company> |
|
meow |
https://www.ransomware.live/group/meow |
offline |
None |
|
No Screenshot Available
|
malas |
https://www.ransomware.live/group/malas |
online |
None |
|
|
medusa |
https://www.ransomware.live/group/medusa |
online |
None |
|
|
madliberator |
https://www.ransomware.live/group/madliberator |
offline |
None |
|
No Screenshot Available
|
madcat |
https://www.ransomware.live/group/madcat |
offline |
None |
|
No Screenshot Available
|
lv |
https://www.ransomware.live/group/lv |
offline |
None |
LV ransomware group main message: |
No Screenshot Available
|
losttrust |
https://www.ransomware.live/group/losttrust |
offline |
None |
|
No Screenshot Available
|
lynx |
https://www.ransomware.live/group/lynx |
online |
None |
|
|
lorenz |
https://www.ransomware.live/group/lorenz |
offline |
None |
Tesorion describes Lorenz as a ransomware with design and implementation flaws that make decryption impossible even with the tools provided by the attackers. A free decryptor for the 2021 versions was made available via the NoMoreRansom initiative. A new version of the malware was discovered in March 2022, for which a free decryptor was again provided, while the ransomware operators themselves are unable to provide tools to decrypt affected files.
|
No Screenshot Available
|
lockdata |
https://www.ransomware.live/group/lockdata |
offline |
None |
|
No Screenshot Available
|
lockbit3_fs |
https://www.ransomware.live/group/lockbit3_fs |
offline |
None |
|
No Screenshot Available
|
lockbit |
https://www.ransomware.live/group/lockbit |
offline |
None |
|
No Screenshot Available
|
lilith |
https://www.ransomware.live/group/lilith |
offline |
None |
|
No Screenshot Available
|
leaktheanalyst |
https://www.ransomware.live/group/leaktheanalyst |
offline |
None |
|
No Screenshot Available
|
la_piovra |
https://www.ransomware.live/group/la_piovra |
offline |
None |
ℹ️ La Piovra Ransomware is an exercise by the company Offensive Security (also known as OffSec) |
No Screenshot Available
|
knight |
https://www.ransomware.live/group/knight |
offline |
None |
[Cyclops](group/cyclops) rebrand |
No Screenshot Available
|
killsec |
https://www.ransomware.live/group/killsec |
online |
None |
|
|
kelvinsecurity |
https://www.ransomware.live/group/kelvinsecurity |
online |
None |
|
|
insane |
https://www.ransomware.live/group/insane |
offline |
None |
|
No Screenshot Available
|