Russian-speaking ransomware-as-a-service operation that emerged in 2022 as a Phobos affiliate, deploying a modified Phobos encryptor with double-extortion tactics. Targeted small and medium-sized bus…
Ransomware-as-a-service operation active since March 2023, characterized by an unusually retro 1980s-terminal-styled leak site. CISA estimated $42M+ in extracted ransoms across 250+ organizations wit…
Russian-speaking ransomware-as-a-service operation, first observed November 2021, notable as the first prominent ransomware family written in Rust. Operated the affiliate program responsible for the…
Russian-speaking closed-affiliate ransomware operation widely assessed as a Conti spinoff that began encrypting victims in April 2022, days before the Conti brand wound down following the February 20…
Russian-speaking ransomware-as-a-service operation operating under the Royal brand from September 2022 to June 2023, then rebranding as BlackSuit. Confirmed as a direct continuation by FBI/CISA in jo…
Russian-speaking ransomware operation that ran the dominant double-extortion brand of 2020-2022. After the group publicly declared support for the Russian invasion of Ukraine in February 2022, an ins…
Russian-speaking ransomware-as-a-service operation active from August 2020 to May 2021, when an affiliate's compromise of Colonial Pipeline triggered the fuel-supply crisis on the U.S. East Coast and…
Russian-speaking ransomware-as-a-service operation active from mid-2021 through January 2023. Best known publicly for the May 2022 compromise of the Costa Rican government — which prompted Costa Rica…
Russian-speaking ransomware-as-a-service operation active since mid-2023, notable for sustained targeting of UK NHS trusts and U.S. healthcare providers. Major UK incidents: **NHS Dumfries and Gallow…
Russian-speaking ransomware-as-a-service operation that by mid-2023 was the most prolific ransomware brand on public leak-site tracking by victim count. Disrupted in February 2024 by Operation Cronos…
Closed-group ransomware operation (no public affiliate program) active since mid-2022, named for the '.play' extension appended to encrypted files. Heavy exploitation of FortiOS SSL-VPN flaws and Mic…
Russian-speaking ransomware-as-a-service operation tracked by vendors as Qilin (and earlier as Agenda). Best known publicly for the 3 June 2024 compromise of Synnovis — the pathology-services provide…
Russian-speaking ransomware-as-a-service operation announced via the RAMP forum on 2 February 2024 by a user 'koley', widely assessed as the primary destination for displaced ALPHV/BlackCat and LockBit a…
Russian ransomware-as-a-service operation derived from GandCrab in April 2019. Conducted the 2021 Kaseya VSA supply-chain compromise (~1,500 downstream victims via 60 MSPs), the JBS Foods $11M ransom…