Ransomware Groups

| Group Name | Group Link | Activity Status | Last Known Activity Date | Description | Screenshot |
|---|---|---|---|---|---|
| dagonlocker | https://www.ransomware.live/group/dagonlocker | offline | None | | No Screenshot Available |
| cryptnet | https://www.ransomware.live/group/cryptnet | offline | None | According to OALabs, this ransomware has the following features: files are encrypted with AES-CBC using a generated 256-bit key and IV; the generated AES keys are encrypted with a hard-coded RSA key and appended to the encrypted files. | No Screenshot Available |
| cryptbb | https://www.ransomware.live/group/cryptbb | offline | None | | No Screenshot Available |
| cryp70n1c0d3 | https://www.ransomware.live/group/cryp70n1c0d3 | offline | None | | No Screenshot Available |
| crylock | https://www.ransomware.live/group/crylock | offline | None | | No Screenshot Available |
| cooming | https://www.ransomware.live/group/cooming | offline | None | | No Screenshot Available |
| ContFR | https://www.ransomware.live/group/ContFR | online | None | | Screenshot |
| cloak | https://www.ransomware.live/group/cloak | online | None | | Screenshot |
| lockbit3 | https://www.ransomware.live/group/lockbit3 | online | None | LockBit, also known as LockBit Black or LockBit 3.0, is one of the largest ransomware groups in the world and has orchestrated extensive cyberattacks across many industries, impacting thousands of organizations globally with its relentless and adaptive strategies. | Screenshot |
| conti | https://www.ransomware.live/group/conti | offline | None | Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and is thought to be led by a Russia-based cybercrime group that operates under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang. | No Screenshot Available |
| chilelocker | https://www.ransomware.live/group/chilelocker | offline | None | | No Screenshot Available |
| ciphbit | https://www.ransomware.live/group/ciphbit | offline | None | | No Screenshot Available |
| chort | https://www.ransomware.live/group/chort | online | None | | Screenshot |
| cicada3301 | https://www.ransomware.live/group/cicada3301 | offline | None | | No Screenshot Available |
| cheers | https://www.ransomware.live/group/cheers | offline | None | | No Screenshot Available |
| cactus | https://www.ransomware.live/group/cactus | online | None | The CACTUS ransomware is said to have emerged around March 2023. The group became known for exploiting vulnerabilities to gain initial access and maintain a presence within the organization's infrastructure. Little is known about the group beyond its emergence on that date and that, following encryption, a text file named 'cAcTuS.readme.txt' is created. Additionally, encrypted files are renamed with the '.cts1' extension, and data exfiltration and victim extortion are conducted through the service known as Tox. Source: https://github.com/crocodyli/ThreatActors-TTPs | Screenshot |
| clop | https://www.ransomware.live/group/clop | online | None | The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. This variant was delivered as the final payload in a phishing campaign in 2019 and was exclusively financially motivated, with attacks carried out by the threat actor TA505. At that time, malicious actors sent phishing emails leading to a macro-enabled document that dropped a loader called 'Get2'. After gaining an initial foothold in the system or infrastructure, the actors used reconnaissance, lateral movement, and exfiltration techniques to prepare for deployment of the ransomware. After execution, Cl0p appends the extension '.clop' to files, or other extensions such as '.CIIp', '.Cllp', and '.C_L_O_P'; different versions of the ransom note were also observed after encryption. Depending on the variant, the ransom text files were created with names such as 'ClopReadMe.txt', 'README_README.txt', 'Cl0pReadMe.txt', and 'READ_ME_!!!.TXT'. The Clop operation has shifted from delivering its final payload via phishing to initiating attacks through vulnerabilities, resulting in the exploitation and infection of victims' infrastructures. Source: https://github.com/crocodyli/ThreatActors-TTPs | Screenshot |
| bluesky | https://www.ransomware.live/group/bluesky | offline | None | | No Screenshot Available |
| blackshadow | https://www.ransomware.live/group/blackshadow | offline | None | | No Screenshot Available |
| bonacigroup | https://www.ransomware.live/group/bonacigroup | offline | None | | No Screenshot Available |
| blackout | https://www.ransomware.live/group/blackout | online | None | | Screenshot |
| BrainCipher | https://www.ransomware.live/group/BrainCipher | offline | None | | No Screenshot Available |
| blacktor | https://www.ransomware.live/group/blacktor | offline | None | | No Screenshot Available |
| blacksuit | https://www.ransomware.live/group/blacksuit | online | None | According to Trend Micro, this ransomware has significant code overlap with Royal ransomware. | Screenshot |
| babyduck | https://www.ransomware.live/group/babyduck | offline | None | | No Screenshot Available |
| babuk | https://www.ransomware.live/group/babuk | offline | None | Babuk ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and an old 32-bit PE executable were also observed over time. It uses an elliptic-curve algorithm (Montgomery algorithm) to build the encryption keys. | No Screenshot Available |
| blackmatter | https://www.ransomware.live/group/blackmatter | offline | None | Ransomware-as-a-Service | No Screenshot Available |
| aztroteam | https://www.ransomware.live/group/aztroteam | offline | None | | No Screenshot Available |
| avos | https://www.ransomware.live/group/avos | offline | None | | No Screenshot Available |
| arvinclub | https://www.ransomware.live/group/arvinclub | offline | None | | No Screenshot Available |
| atomsilo | https://www.ransomware.live/group/atomsilo | offline | None | | No Screenshot Available |
| arcusmedia | https://www.ransomware.live/group/arcusmedia | online | None | | Screenshot |
| avaddon | https://www.ransomware.live/group/avaddon | offline | None | Avaddon is a ransomware malware targeting Windows systems, often spread via malicious spam. The first known attack distributing Avaddon ransomware was in February 2020. Avaddon encrypts files using the extension .avdn and uses a Tor payment site for the ransom payment. | No Screenshot Available |
| blackbyte | https://www.ransomware.live/group/blackbyte | online | None | Ransomware. Uses a dropper written in JavaScript to deploy a .NET payload. | Screenshot |
| apt73 | https://www.ransomware.live/group/apt73 | online | None | A new ransomware group is said to have emerged in mid-April 2024 under the name 'APT73'. The group reportedly self-proclaimed as an APT, which stands for 'Advanced Persistent Threat' in the cybersecurity field. According to research, much of the available information about the group came from another ransomware group known as LockBit. Source: https://github.com/crocodyli/ThreatActors-TTPs | Screenshot |
| apos | https://www.ransomware.live/group/apos | online | None | | Screenshot |
| alphalocker | https://www.ransomware.live/group/alphalocker | offline | None | | No Screenshot Available |
| ako | https://www.ransomware.live/group/ako | offline | None | A Windows ransomware that runs certain tasks to prepare the target system for file encryption. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet. | No Screenshot Available |
| torch | https://www.ransomlook.io/market/torch | offline | 2024-11-20 | N/A | No Screenshot Available |
| tor2door | https://www.ransomlook.io/market/tor2door | offline | 2021-05-01 | N/A | No Screenshot Available |