Russian-speaking ransomware-as-a-service operation that emerged in 2022 as a Phobos affiliate, deploying a modified Phobos encryptor with double-extortion tactics. Targeted small and medium-sized bus…
Ransomware-as-a-service operation active since March 2023, characterized by an unusually retro 1980s-terminal-styled leak site. CISA estimated $42M+ in extracted ransoms across 250+ organizations wit…
Russian-speaking ransomware-as-a-service operation, first observed November 2021, notable as the first prominent ransomware family written in Rust. Operated the affiliate program responsible for the…
DPRK state-sponsored intrusion set publicly attributed to the Reconnaissance General Bureau's 3rd Bureau (Andariel). Treated by MITRE as a sub-cluster of Lazarus Group; conducts both espionage agains…
Russian-speaking closed-affiliate ransomware operation widely assessed as a Conti spinoff that began encrypting victims in April 2022, days before the Conti brand wound down following the February 20…
Russian-speaking ransomware-as-a-service operation operating under the Royal brand from September 2022 to June 2023, then rebranding as BlackSuit. Confirmed as a direct continuation by FBI/CISA in jo…
Russian-speaking double-extortion crew historically aligned with TA505/FIN11. Specialized in mass exploitation of managed-file-transfer software zero-days: Accellion FTA (2020), GoAnywhere MFT (early…
Russian-speaking ransomware operation that ran the dominant double-extortion brand of 2020-2022. After the group publicly declared support for the Russian invasion of Ukraine in February 2022, an ins…
Russian-speaking ransomware-as-a-service operation active from August 2020 to May 2021, when an affiliate's compromise of Colonial Pipeline triggered the fuel-supply crisis on the U.S. East Coast and…
Russian cybercrime syndicate publicly attributed by the U.S. Treasury OFAC in December 2019, which sanctioned founder Maksim Yakubets. Operators of the Dridex banking trojan, the BitPaymer and Wasted…
Long-running financially-motivated crew historically tied to the Carbanak intrusion set. Initially targeted point-of-sale systems in the U.S. hospitality and retail sectors (300+ companies, 1,000+ lo…
Pro-Palestine hacktivist persona operated by the Iranian MOIS-affiliated **Void Manticore** cluster — see the parent actor entry for the full attribution chain. Named for the Naji al-Ali cartoon char…
Russian-speaking ransomware-as-a-service operation active from mid-2021 through January 2023. Best known publicly for the May 2022 compromise of the Costa Rican government — which prompted Costa Rica…
Russian-speaking ransomware-as-a-service operation active since mid-2023, notable for sustained targeting of UK NHS trusts and U.S. healthcare providers. Major UK incidents: **NHS Dumfries and Gallow…
DPRK state-sponsored umbrella set associated with the Reconnaissance General Bureau. Mixes financially-motivated operations (including major cryptocurrency exchange thefts and SWIFT-network bank intr…
Russian-speaking ransomware-as-a-service operation that by mid-2023 was the most prolific ransomware brand on public leak-site tracking by victim count. Disrupted in February 2024 by Operation Cronos…
Iranian state-affiliated intrusion set publicly attributed by FBI, CISA, and DC3 in joint advisory AA24-241A as connected to the Government of Iran and operating partly through an Iranian IT-services…
Closed-group ransomware operation (no public affiliate program) active since mid-2022, named for the '.play' extension appended to encrypted files. Heavy exploitation of FortiOS SSL-VPN flaws and Mic…
Russian-speaking ransomware-as-a-service operation tracked by vendors as Qilin (and earlier as Agenda). Best known publicly for the 3 June 2024 compromise of Synnovis — the pathology-services provide…
Russian-speaking ransomware-as-a-service operation announced via RAMP forum on 2 February 2024 by a user 'koley', widely assessed as the primary destination for displaced ALPHV/BlackCat and LockBit a…
Russian ransomware-as-a-service operation derived from GandCrab in April 2019. Conducted the 2021 Kaseya VSA supply-chain compromise (~1,500 downstream victims via 60 MSPs), the JBS Foods $11M ransom…
Russian military-intelligence (GRU Unit 74455) intrusion set responsible for some of the most destructive cyberattacks publicly attributed to a nation-state: the 2015 and 2016 Ukrainian power-grid ou…