karma |
https://www.ransomware.live/group/karma |
offline |
None |
|
No Screenshot Available
|
interlock |
https://www.ransomware.live/group/interlock |
offline |
None |
|
No Screenshot Available
|
icefire |
https://www.ransomware.live/group/icefire |
offline |
None |
|
No Screenshot Available
|
lockbit2 |
https://www.ransomware.live/group/lockbit2 |
offline |
None |
|
No Screenshot Available
|
holyghost |
https://www.ransomware.live/group/holyghost |
offline |
None |
|
No Screenshot Available
|
hotarus |
https://www.ransomware.live/group/hotarus |
offline |
None |
|
No Screenshot Available
|
hive |
https://www.ransomware.live/group/hive |
offline |
None |
Hive is a strain of ransomware first discovered in June 2021. It was built for Ransomware-as-a-Service operation, enabling novice cybercriminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe. In 2022 the codebase switched from Go (Golang) to Rust.
|
No Screenshot Available
|
incransom |
https://www.ransomware.live/group/incransom |
online |
None |
|
|
hellogookie |
https://www.ransomware.live/group/hellogookie |
offline |
None |
|
No Screenshot Available
|
hellokitty |
https://www.ransomware.live/group/hellokitty |
offline |
None |
Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The family takes its name from the mutex it creates, HelloKittyMutex. Samples appear to evolve quickly and frequently, with different versions using the .crypted or .kitty file extension for encrypted files. Some newer samples use a Golang packer that ensures the final ransomware code is only ever loaded in memory, most likely to evade detection by security solutions.
|
No Screenshot Available
|
haron |
https://www.ransomware.live/group/haron |
offline |
None |
|
No Screenshot Available
|
helldown |
https://www.ransomware.live/group/helldown |
offline |
None |
|
No Screenshot Available
|
hunters |
https://www.ransomware.live/group/hunters |
online |
None |
In mid-October 2023, just a few days before the Europol operation, the source code of the Hive ransomware was sold, along with its website and older versions developed in Golang and C (although this purchase has only been reported by the actors themselves, without concrete evidence). The buyer was the group Hunters International, who claimed to have fixed the bugs in Hive that prevented file decryption in some cases. The group also stated that file encryption would not be their primary focus; instead, they would rely on data theft to pressure victims during extortion attempts. |
|
hades |
https://www.ransomware.live/group/hades |
offline |
None |
According to PCrisk, Hades Locker is an updated version of the WildFire Locker ransomware; it infiltrates systems and encrypts a variety of data types using AES encryption. Hades Locker appends the .~HL[5_random_characters] extension to encrypted file names, where the five characters are the first five characters of the encryption password. |
No Screenshot Available
|
handala |
https://www.ransomware.live/group/handala |
online |
None |
Not a Ransomware Group |
|
groove |
https://www.ransomware.live/group/groove |
offline |
None |
|
No Screenshot Available
|
grief |
https://www.ransomware.live/group/grief |
offline |
None |
Doppelpaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark .doppeled extension it adds to encrypted files. It also creates a note file named: |
No Screenshot Available
|
freecivilian |
https://www.ransomware.live/group/freecivilian |
offline |
None |
|
No Screenshot Available
|
fsteam |
https://www.ransomware.live/group/fsteam |
offline |
None |
New possible leak site posted to a forum on November 20th, 2022; no victims at present. Unclear whether it belongs to a ransomware or an extortion group. |
No Screenshot Available
|
fog |
https://www.ransomware.live/group/fog |
online |
None |
Fog, which uses the .flocked extension for encrypted files, was first observed in May in campaigns by Storm-0844, a threat actor known for distributing Akira. By June, Storm-0844 was deploying Fog more than Akira. |
|
exorcist |
https://www.ransomware.live/group/exorcist |
offline |
None |
According to PCrisk, Exorcist is a ransomware-type malicious program. Systems infected with this malware have their data encrypted, and users receive ransom demands for decryption. During the encryption process, every compromised file is appended with an extension consisting of a random string of characters. For example, a file originally named |
No Screenshot Available
|
flocker |
https://www.ransomware.live/group/flocker |
online |
None |
|
|
ep918 |
https://www.ransomware.live/group/ep918 |
offline |
None |
|
No Screenshot Available
|
everest |
https://www.ransomware.live/group/everest |
online |
None |
The Everest ransom group collects and analyzes information about its victims. It specializes in customer privacy data, financial information, databases, credit card information, and more. The group leaks victims' data to the darknet and has announced that any victim who does not contact them will suffer a data leak, and that it will not delete their files, keeping them for future use. |
|
entropy |
https://www.ransomware.live/group/entropy |
offline |
None |
Entropy is a ransomware family first seen in the first quarter of 2022 and used in conjunction with Dridex infections. It packs itself with a custom packer that has also been seen in some early Dridex samples.
|
No Screenshot Available
|
embargo |
https://www.ransomware.live/group/embargo |
online |
None |
|
|
ech0raix |
https://www.ransomware.live/group/ech0raix |
offline |
None |
The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:
1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.
2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.
3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption. |
No Screenshot Available
|
dunghill |
https://www.ransomware.live/group/dunghill |
online |
None |
|
|
donex |
https://www.ransomware.live/group/donex |
offline |
None |
|
No Screenshot Available
|
ElDorado |
https://www.ransomware.live/group/ElDorado |
online |
None |
In September, the El Dorado ransomware group rebranded as BlackLock.
|
dataleak |
https://www.ransomware.live/group/dataleak |
offline |
None |
|
No Screenshot Available
|
darkvault |
https://www.ransomware.live/group/darkvault |
online |
None |
|
|
darkrace |
https://www.ransomware.live/group/darkrace |
offline |
None |
|
No Screenshot Available
|
darkbit |
https://www.ransomware.live/group/darkbit |
offline |
None |
|
No Screenshot Available
|
darkside |
https://www.ransomware.live/group/darkside |
offline |
None |
The Darkside ransomware group started operating in August 2020 under the RaaS (Ransomware-as-a-Service) model. It became known for large-scale ransom operations. The group announced that it preferred not to attack hospitals, schools, non-profits, and governments, but rather large organizations able to pay large ransoms. Darkside became widely known following the cyberattacks on Colonial Pipeline and a Toshiba unit. The FBI eventually shut down the Darkside operation and managed to recover funds from the group's wallets. |
No Screenshot Available
|
darkpower |
https://www.ransomware.live/group/darkpower |
offline |
None |
|
No Screenshot Available
|
darkangels |
https://www.ransomware.live/group/darkangels |
offline |
None |
|
No Screenshot Available
|
dAn0n |
https://www.ransomware.live/group/dAn0n |
offline |
None |
|
No Screenshot Available
|
dispossessor |
https://www.ransomware.live/group/dispossessor |
offline |
None |
This is not a ransomware group but a data broker. |
No Screenshot Available
|
daixin |
https://www.ransomware.live/group/daixin |
online |
None |
|
|