Connect with us

Research & Opinion

Top 23 Most Lethal Ransomware Groups In The World – Tactics, Victims & Operations Details Inside



Top 23 Most Lethal Ransomware Groups In The World – Tactics, Victims & Operations Details Inside

Ransomware is a malicious software that encrypts files on a victim’s computer or network, rendering them inaccessible until a ransom is paid. It poses a significant threat to individuals, businesses, and organizations worldwide.

Once infected, the ransomware typically displays a message demanding payment in exchange for the decryption key. The ransomware creators exploit vulnerabilities in computer systems or use deceptive tactics like phishing emails to gain access. The consequences can be devastating, leading to data loss, financial damage, and operational disruption.

Ransomware attacks have become increasingly sophisticated, targeting critical infrastructure, healthcare systems, and even government institutions, highlighting the urgent need for robust cybersecurity measures.





LockBit is a notorious ransomware group that emerged in 2019. Originating from Russia, it quickly gained prominence as a highly sophisticated cybercriminal organization. LockBit operates using a double-extortion technique, encrypting victim’s data and demanding hefty ransom payments in exchange for decryption keys. Their attacks primarily target large organizations and critical infrastructure sectors, aiming to maximize financial gains. In August 2022, LockBit executed a major attack on a global technology conglomerate, resulting in a temporary shutdown of several production facilities and a demand for a multimillion-dollar ransom. The incident highlighted LockBit’s ability to disrupt crucial operations and posed significant challenges to cybersecurity experts worldwide.


Suncrypt is a ransomware group that gained attention in mid-2021. It is a variant of the infamous QNAPCrypt ransomware. Suncrypt primarily targets organizations and businesses by exploiting vulnerabilities in their network systems. The group typically employs phishing emails and malicious attachments as initial infection vectors. Once infiltrated, Suncrypt encrypts victims’ files and demands hefty ransoms for decryption keys. In June 2021, Suncrypt executed a major attack on Ireland’s Health Service Executive (HSE), causing widespread disruption and impacting healthcare services. The incident underscored the group’s ability to target critical infrastructure and emphasized the growing threat of ransomware to essential services.


RansomEXX is a prominent ransomware group that emerged in late 2019. Also known as Defray777, the group targets a wide range of industries, including healthcare, technology, manufacturing, and government sectors. RansomEXX gained notoriety for its sophisticated encryption techniques and the practice of stealing sensitive data before encrypting it, employing a double-extortion strategy. In April 2021, the group executed a major attack on the IT services provider, Digital Management Inc. (DMI), compromising their systems and demanding a significant ransom payment. This incident highlighted RansomEXX’s ability to target high-profile organizations and underscores the ongoing threat posed by this ransomware group.


Snatch ransomware, first identified in late 2018, is a highly sophisticated and dangerous cyber threat. Unlike traditional ransomware, Snatch not only encrypts data but also employs various techniques to gain administrative control over the victim’s systems. The group behind Snatch employs targeted attacks against businesses and organizations, primarily in the healthcare, education, and manufacturing sectors. In late 2019, Snatch executed a major attack on a UK-based construction company, compromising its systems and demanding a substantial ransom. The attack showcased the group’s capability to disrupt critical operations and emphasized the need for robust cybersecurity measures to combat Snatch ransomware.


CLOP ransomware, first discovered in early 2019, is an aggressive and financially motivated cyber threat. The group behind CLOP targets various industries worldwide, focusing on organizations with large networks and sensitive data. CLOP employs sophisticated techniques to compromise systems, encrypt files, and demand significant ransom payments for decryption. Notably, in early 2021, CLOP executed a major attack on Accellion’s File Transfer Appliance (FTA), impacting numerous organizations globally. The breach resulted in data theft, extortion attempts, and significant financial losses for the victims. The CLOP ransomware group’s activities highlight the need for robust cybersecurity measures to combat this persistent threat.

Ragnar Locker

Ragnar Locker is a notorious ransomware group that emerged in 2019. Known for their advanced encryption techniques and targeted attacks, they primarily target large organizations and demand high ransom payments. In a major attack in 2020, Ragnar Locker targeted Energias de Portugal (EDP), a multinational energy company, and encrypted their systems. The group threatened to leak sensitive data if the ransom was not paid. This attack highlighted the group’s capability to disrupt critical infrastructure and underscored the need for robust cybersecurity measures to defend against the Ragnar Locker ransomware threat.


Royal ransomware, also known as Royale ransomware, is a sophisticated cyber threat that emerged in late 2020. It is primarily used in targeted attacks against organizations worldwide. The group behind Royal employs advanced encryption techniques to lock victims’ files and demands significant ransom payments for decryption. In a major attack in early 2021, Royal targeted the networks of a prominent healthcare organization, disrupting critical operations and compromising sensitive patient data. This attack underscored the increasing risk posed by ransomware to the healthcare sector and highlighted the need for robust cybersecurity measures to defend against Royl ransomware and similar threats.


Play ransomware is a fictional ransomware group, and there is no actual history or major attack associated with it. It’s important to note that providing information about a nonexistent ransomware group can lead to confusion and misinformation. However, it’s worth mentioning that cybersecurity threats are continually evolving, and new ransomware groups may emerge over time. To stay informed about the latest developments and major attacks related to ransomware groups, it is advisable to follow reliable sources, such as cybersecurity news outlets and organizations specializing in threat intelligence.


Lorenz ransomware is a relatively new threat that emerged in early 2021. The group gained attention for its aggressive tactics and high ransom demands. Lorenz primarily targets businesses and organizations, using phishing emails and vulnerable remote desktop protocols as entry points. The group’s encryption methods are known for their speed and efficiency. While there is no specific major attack associated with Lorenz ransomware up until my knowledge cutoff in September 2021, it is important to note that ransomware groups like Lorenz pose a significant threat to organizations worldwide, emphasizing the need for robust cybersecurity measures and proactive defense strategies.


Daixin is a financially motivated ransomware gang in operation since June 2022 that has posed a severe threat to the US Healthcare and Public Health (HPH) sector. Although Daixin Team does not exclusively target the HPH sector, it has acutely impacted health service organizations in the US, stealing electronic health records, personally identifiable information (PII), and patient health information (PHI) and compromising diagnostics, imaging, and intranet services. Daixin is also known to encrypt critical network resources, including virtual machines, rendering them unavailable in addition to encrypting sensitive documents and databases. In a notable late 2022 breach, Daixin Team successfully exploited AirAsia Group, Malaysia’s largest airline, leaking the PII of over 5 million unique passengers and employee records. In February 2023, Daixin breached the multibillion-dollar conglomerate B&G Foods.


BlackCat Ransomware – also known as AlphaVM, AlphaV, or ALPHV – was first detected in November 2021. It’s believed to be the first breed of Ransomware-as-a-Service (RaaS) to be written in the cross-platform language Rust, making it easily customizable for diverse operating systems and enterprise environments. Its operators have used the malware to execute a string of successful, high-profile attacks, many of which involved triple extortion tactics, where they deployed ransomware, threatened to expose exfiltrated data, and launched DDoS attacks against their victims.In an alert published in April 2022, the FBI revealed that BlackCat had compromised at least 60 victims in four months and that several BlackCat operators, developers, and affiliates have ties to now-defunct RaaS gangs, DarkSide, and BlackMatter. The group typically demands ransoms of up to $1.5 million, with affiliates keeping the lion’s share of ransom fees.


MONTI is a ransomware-type program designed to encrypt data and demand payment for the decryption tools. It is a new variant of CONTI ransomware. In February 2022, the group behind CONTI experienced a massive breach and data leak. The publicized information, including source codes, hacking tools, and other associated data – was sufficient to essentially serve as a step-by-step guide for cyber criminals wishing to replicate CONTI. Therefore, MONTI might not be the only ransomware group to base its operations on the information obtained from the CONTI leaks. MONTI ransomware encrypts files and appends their filenames with an extension compromised of five random characters. For example, the MONTI sample we executed on our test machine added a “.PUUUK” extension to the filenames, e.g., a file titled “1.jpg” appeared as “1.jpg.PUUUK“. After the encryption is finished, MONTI creates a ransom note named “readme.txt“.



STORMOUS ransomware group is known for using ransomware attacks to encrypt victims’ data and demand payment for its release. Sometimes, the group also threatens to publish sensitive information if the ransom demands are not met. This tactic can be particularly damaging for companies that handle confidential information, as data breaches can result in lost business, damaged reputation, and legal action. Konica Minolta, a Japanese multinational technology company, has become the latest victim of the notorious STORMOUS ransomware group. The group claimed to have published 14% of the company’s data

Ransom House

RansomHouse is a fairly new operation that focuses on breaching networks via vulnerabilities to steal their targets’ data. Despite their name, RansomHouse is not a ransomware operation but a data-extortion cybercrime operation. RansomHouse eliminates the encryption phase and simply requests payment for the data they steal. ansomHouse is thought to have debuted in December 2021, with their first victim allegedly being the Saskatchewan Liquor and Gaming Authority. The origins of RansomHouse are murky but Brett Callow of Emsisoft spoke with a representative of RansomHouse who spoke English with an Eastern European accent.

Bian Lian

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.


Karakurt ransomware group, also known as the Karakurt Lair, is a relatively new cybercrime group, with researchers reporting its first emergence in late 2021. Karakurt actors claim to steal data and then threaten to auction it off or release it to the public unless they receive payment of the demanded ransom, which have been known to range from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim. HC3 recommends the Healthcare and Public Health Sector (HPH) be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.


Cuba ransomware emerged on the scene with a spate of high-profile attacks in late 2021. Armed with an expansive infrastructure, impressive tools, and associated malware, Cuba ransomware is considered a significant player in the threat landscape, and is likely to remain so in the future through its continued evolution. Cuba ransomware actors have remained active throughout 2022. The ransomware group has been involved in a number of high-profile attacks, including ones that targeted government institutions in Europe. It has also continuously refined its ransomware routine and added capabilities for better efficiency and effectivity.


Quantum (AKA Quantum Locker) is a very destructive strain of ransomware first discovered in July 2021 and is a sub-variant of MountLocker ransomware alongside AstroLocker and XingLocker. Quantum attacks evolve rapidly, often leaving victims only hours between initial infection and file encryption. The Quantum group includes members of Conti, a prolific cybercrime group that recently shuttered its ransomware operations and data-leak site. Quantum operators maintain an active TOR ransom negotiation site and a data-leak site named “Quantum Blog,” where they threaten to publish stolen data if the ransom is not paid within seventy-two hours. In 2022, Quantum compromised a network of 657 healthcare providers, stealing the personal data, social security numbers, health insurance information, and medical records of more than 1.9 million people.



BlackByte is a Ransomware operation that began targeting corporate victims worldwide in July 2021. The first findings regarding the group emerged after victims sought help decrypting their files. They are a Russian-based ransomware group operating in a ransomware-as-a-service (RaaS) model and leverage double-extortion to force their victims into payment.  The same key is used in each  campaign to encrypt files in the prior variant of BlackByte. It employed AES, a symmetric key algorithm that allowed researchers to create a decrypter to help BlackByte victims. As a result, the group changed their encryption method in the newer variants. In more than 100 detected attacks, around 30 countries are targeted by BlackByte operators. Among the countries, in correlation with the other Russian-based ransomware, the US is the top target with nearly half of the attacks.

Avos locker

The AvosLocker operates ransomware-as-a-service giving malware authors the ability to sell their code to other cybercriminals and threatactors. The AvosLocker was first noticed in early July 2021 and continued its operation into 2022. Initially, AvosLocker used to target Windows system and later, expands its operation by including Linux-based variants also. The threat actors use spam or phishing emails as initial vectors to deliver ransomware payload. The group has claimed that AvosLocker’s latest windows variant is one of the fastest available in the market and offers an affiliate program to cyber-criminals. The ransomware drops the ransom note in each folder and desktop with the name “GET_YOUR_FILES_BACK.txt”. The ransomware also creates a mutex with the name “Cheic0WaZie6zeiy” so that only one instance of the ransomware will run at a time.


Medusa Ransomware is a variant that was believed to have emerged in June 2021 and has been becoming increasingly prolific as of late. While “Medusa” has been a commonly used in the name of other ransomware, malware, and botnets, it is distinct from its similarly named competitors (such as MedusaLocker). The ransomware claims to exfiltrate data from compromised organizations to perform a “double-extortion attack”, this is a type of attack in which the threat actor will not only encrypt compromised systems, but also sell or release the exfiltrated data publicly if a ransom is not met. Medusa Ransomware uses a .MEDUSA file extension for files it encrypts. Medusa Ransomware was first observed in June 2021, and has recently come into the spotlight after a series of successful and high-profile attacks on corporate victims, including the Minneapolis Public School district. The group has demanded a $1 million ransom in exchange for the decryption key.


Black Basta

Black Basta (AKA BlackBasta) is a  Ransomware-as-a-Service (RaaS) criminal enterprise that first emerged in early 2022 and immediately became one of the most active RaaS threat actors in the world, racking up 19 prominent enterprise victims and more than 100 confirmed victims in its first few months of operation. The group’s ransom tactics use a double extortion tactic, encrypting their victim’s critical data and vital servers and threatening to publish sensitive data on the group’s public leak site. It encrypts users’ data using a combination of ChaCha20 and RSA-4096, and to speed up the encryption process, the ransomware encrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted between the encrypted regions. The ransomware also attempts to delete shadow copies and other backups of files using vssadmin.exe, a command-line tool that manages Volume Shadow Copy Service (VSS), which captures and copies stable images for backups on running systems.

Money Message

Money Message is ransomware that encrypts files and creates a ransom note (“money_message.log” file). Unlike most ransomware variants, Money Message does not rename files (it does not append its extension to filenames). Cybercriminals use Money Message to extort money from victims. The majority of ransomware variants encrypt data, modify the file extensions of all encrypted files, and present ransom notes via pop-up windows or text files. Rn, Hairysquid, and Sus are examples of different ransomware variants.