Ransomware is on the rise across all industries. Here are the criminal operations cybersecurity professionals must be aware of.

Ransomware-as-a-service (RaaS) models, double extortion tactics, and increasing adoption of AI characterize the evolving ransomware threat landscape. Law enforcement takedowns of groups such as LockBit have contributed to making the ransomware marketplace more fragmented, with emergent players attempting to muscle in on the action. Attackers range from nation-state actors to RaaS operations, lone operators, and data theft extortion groups.

The following non-exhaustive list is a rundown of the main currently active threat groups, selected for inclusion based on their impact or innovative features.

Akira

History: Akira is a sophisticated RaaS operation that emerged in early 2023 and remains active.

How it works: Groups deploying Akira often exploit missing authentication controls on corporate VPN appliances, exposed RDP (remote desktop protocol) services, and compromised credentials to break into corporate systems.

Targeted victims: The key targets are small to midsize businesses across North America, Europe, and Australia. Affected industries include manufacturing, professional and legal services, education, telecommunications, technology, and pharmaceuticals, according to Palo Alto Networks’ Unit 42 intelligence unit.

Attribution: Circumstantial evidence suggests Russian origins and links with the defunct Conti ransomware, but attribution remains unclear. “The [threat] actor gained attention due to the ‘retro aesthetic’ applied to their DLS (data leak site) and messaging,” Shobhit Gautam, staff solutions architect for EMEA at bug bounty platform HackerOne, says.

Black Basta

History: Black Basta appeared on the ransomware scene in early 2022 and is believed to be a spin-off from Conti, a group notorious for attacking major organizations.
How it works: Black Basta usually deploys malware through exploitation of known vulnerabilities and social engineering campaigns. “Employees in the target environment are email bombed and then contacted by the group pretending to be the organization’s help desk,” according to Christiaan Beek, senior director of threat analytics at Rapid7.

Targeted victims: More than 500 organizations globally have been affected by Black Basta, according to an analysis by cloud security firm Qualys.

Attribution: Security researchers speculate Black Basta may be associated with the FIN7 cybercrime group, because malware samples share custom modules for evading endpoint detection and response systems.

BlackCat (ALPHV)

History: BlackCat, also known by the aliases ALPHV or Noberus, emerged in November 2021. It is said to be made up of former members of the now-defunct Darkside group, which infamously targeted the Colonial Pipeline.

How it works: The malware used by BlackCat targets Windows and Linux systems. BlackCat is known for using a triple-extortion strategy, which involves demanding a ransom for file decryption, for a pledge not to disclose stolen data, and for refraining from distributed denial-of-service (DDoS) attacks.

Targeted victims: The BlackCat (ALPHV) ransomware group has been responsible for several high-profile attacks, most notably on Caesars Entertainment (September 2023) and on UnitedHealth Group subsidiary Change Healthcare (February 2024).

Attribution: The BlackCat group has gone dark, possibly in response to law enforcement action and the impact of the Change Healthcare attack. Its principals, likely experienced cybercriminals, have become the target of US prosecution.

BlackLock

History: BlackLock (aka El Dorado) has shown explosive growth since emerging in March 2024. Threat intel firm ReliaQuest predicts it may overtake RansomHub as the most active ransomware group this year.
How it works: The group stands apart by developing its own custom malware — a hallmark of top-tier groups like “Play” and “Qilin,” according to ReliaQuest. Its malware targets Windows, VMware ESXi (virtualized servers), and Linux environments. Attackers typically encrypt data while also exfiltrating sensitive information, threatening to publish it if the extortion demands are not met.

Targeted victims: BlackLock has targeted a wide variety of victims, including US-based real estate, manufacturing, and healthcare organizations.

Attribution: BlackLock is highly active on the RAMP forum, a Russian-language platform focused on ransomware, actively recruiting for various roles, including initial access brokers, who sell access to partially compromised networks to its affiliates. There is no definitive attribution for the makeup of the BlackLock ransomware group.

Cl0p

History: The Cl0p ransomware has a complex history dating back to 2019. Its widespread use over the past six years is primarily associated with Russian-speaking cybercrime groups, chiefly TA505 and FIN11.

How it works: Cl0p exploits zero-day vulnerabilities to target its prey. The Cl0p group tends to avoid using conventional payloads but still relies on a leak site to extort payment from victims. “We’ve seen the group use high-profile platform vulnerabilities with minimal downtime to exfiltrate data, such as exploiting a vulnerability in Cleo file transfer software,” according to Rapid7’s Beek.

Targeted victims: Cl0p has targeted major organizations worldwide. Most notoriously, Cl0p conducted a massive campaign exploiting the MOVEit vulnerability, affecting thousands of organizations in 2023.

Attribution: The Cl0p ransomware is attributed to several (mostly Russian-speaking) cybercriminal groups.

FunkSec

History: FunkSec is a new RaaS group that emerged in late 2024, claiming more than 85 victims in December alone.
How it works: FunkSec uses AI in its malware development, demands low ransoms, and has “questionable credibility regarding their data leaks,” according to Rapid7’s Beek.

Targeted victims: FunkSec has claimed a large number of victims, but researchers caution that some of the leaks may be rehashed or recycled from earlier breaches.

Attribution: FunkSec operates as a RaaS model, likely with Russian-speaking affiliates.

LockBit

History: LockBit is a cybercrime group operating through a ransomware-as-a-service model it was instrumental in pioneering. Despite being disrupted in 2024, LockBit has shown signs of a comeback. The malware operation remains notorious for its efficient encryption and double extortion tactics.

How it works: LockBit, despite a major takedown operation by law enforcement last year, continues to use the ever more powerful RaaS model as well as double extortion, also known as “lock and leak.” “LockBit continues to list victims, recruit affiliates, and try to reclaim its reputation on dark web forums,” Luke Donovan, head of threat intelligence at Searchlight Cyber, tells CSO.

Targeted victims: LockBit targeted thousands of victims worldwide in its heyday, including government services, private sector companies, and critical infrastructure providers.

Attribution: LockBit’s use of Russian-language forums and its targeting patterns have led some analysts to believe the group is based in Russia. Russian national Dmitry Yuryevich Khoroshev, named by Western law enforcement agencies last year as the developer and administrator of LockBit, faces a US indictment alongside asset freezes and travel bans. Two Russian nationals were indicted for deploying LockBit ransomware against targeted organizations.

Lynx

History: Lynx shares 48% of its source code with the earlier INC ransomware, which points to a plausible rebranding or evolution of the same threat actor.

How it works: Lynx also operates a RaaS and employs double extortion tactics.
After infiltrating a system, the ransomware can steal sensitive information and encrypt the victim’s data, effectively locking them out. To make recovery more difficult, it adds the ‘.lynx’ extension to encrypted files and deletes backup files such as shadow copies.

Targeted victims: Since emerging, the ransomware has actively targeted several US and UK industries, including retail, real estate, architecture, financial services, and environmental services. The group behind Lynx attacked multiple facilities across the US between July 2024 and November 2024, including victims associated with energy, oil, and gas, according to Palo Alto Networks’ Unit 42 threat intel group. “According to a statement Lynx released in July 2024, they claim to be ‘ethical’ with regards to choosing victims,” Rapid7’s Beek adds.

Attribution: Lynx operates as a RaaS model, meaning it is likely used by multiple cybercriminals rather than a single entity.

Medusa

History: Medusa is a ransomware-as-a-service operation that debuted in 2022.

How it works: The group typically breaks into systems by exploiting vulnerabilities in public-facing assets, through phishing emails, or via initial access brokers.

Targeted victims: Cybercriminals behind Medusa have targeted healthcare, education, manufacturing, and retail organizations in the US, Europe, and India.

Attribution: Activity on Russian-language cybercrime forums related to Medusa suggests the core group and many of its affiliates may be from Russia or neighbouring countries, but this remains unconfirmed.

Play

History: Play is a ransomware threat that emerged in June 2022. The group intensified its activities following the disruption of other major threat actors.

How it works: Attackers typically encrypt systems after exfiltrating sensitive data. Play keeps a fairly low profile on the dark web aside from its leak site, not advertising itself on dark web forums.
“It has even claimed not to be an RaaS gang at all, saying it maintains a ‘closed group to guarantee the secrecy of deals,’ in spite of evidence to the contrary,” Searchlight Cyber’s Donovan explains.

Targeted victims: The group has targeted various sectors, including healthcare, telecommunications, finance, and government services.

Attribution: Play may have connections to North Korean state-aligned APT groups. In October 2024, security researchers at Palo Alto Networks’ Unit 42 published evidence of a deployment of Play ransomware by a threat actor backed by North Korea, specifically APT45. “The link between this threat actor and Play is unclear, but demonstrates the potential for crossover between state-sponsored cyber activity and ostensibly independent cybercrime networks,” Donovan says.

Qilin

History: Qilin, also known as Agenda, is a Russia-based RaaS group that has been operating since May 2022.

How it works: The group targets Windows and Linux systems, including VMware ESXi servers, using ransomware variants written in Golang and Rust. Qilin follows a double extortion model — encrypting victims’ files and threatening to leak stolen data if the ransom is not paid.

Targeted victims: Qilin recruits affiliates on underground forums and prohibits attacks on organizations in Commonwealth of Independent States (CIS) countries bordering present-day Russia.

Attribution: The makeup of Qilin remains unknown, but a Russian-speaking organized cybercrime operation is strongly suspected.

RansomHub

History: RansomHub emerged in February 2024 and quickly became a major cyber threat. The group, initially known as Cyclops and later Knight, rebranded and expanded its operations by recruiting affiliates from other disrupted ransomware groups such as LockBit and ALPHV/BlackCat.

How it works: Once inside a network, RansomHub affiliates exfiltrate data and deploy encryption tools, often utilizing legitimate administrative utilities to facilitate their malicious activities.
RansomHub operates an “affiliate-friendly” RaaS model, initially offering a fixed 10% fee for affiliates that carry out attacks using its ransomware, along with the option to collect ransom payments directly from victims before paying the core group. “These elements make it an attractive option for affiliates that are looking for a guaranteed return, where other RaaS operations have been unreliable in paying out in the past,” Searchlight Cyber’s Donovan says.

Targeted victims: RansomHub has been linked to more than 210 victims across various critical sectors, including healthcare, finance, government services, and critical infrastructure in Europe and North America, according to Rapid7.

Attribution: Attribution remains unconfirmed, but circumstantial evidence points toward an organized Russian-speaking cybercrime operation with ties to other established ransomware threat actors.
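The Lynx entry above describes two behaviours a defender can watch for in endpoint telemetry: a burst of files renamed to the ‘.lynx’ extension and the deletion of shadow copies. The following Python sketch is an added example, not code from the article or from any of the vendors quoted in it; the Sysmon-style events are constructed here, and the shadow-copy deletion command-line patterns are common ones analysts map to ATT&CK T1490 rather than strings taken from the article.

```python
import re
from collections import Counter

# Command-line patterns commonly mapped to shadow-copy deletion (ATT&CK T1490).
# Well-known detection patterns, not strings quoted from the article.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I),
]
ENCRYPTED_EXT = ".lynx"   # extension the article says Lynx appends to encrypted files
RENAME_THRESHOLD = 5      # renames to .lynx from one process before an alert fires


def detect(events):
    """Scan Sysmon-style events (dicts) in order; return a list of (alert, detail)."""
    alerts = []
    renames_per_pid = Counter()
    for ev in events:
        if ev["type"] == "process":
            if any(p.search(ev["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
                alerts.append(("shadow_copy_deletion", ev["cmdline"]))
        elif ev["type"] == "file_rename":
            if ev["target"].lower().endswith(ENCRYPTED_EXT):
                renames_per_pid[ev["pid"]] += 1
                # Alert once per process, when its rename burst crosses the threshold.
                if renames_per_pid[ev["pid"]] == RENAME_THRESHOLD:
                    alerts.append(("mass_lynx_rename", f"pid {ev['pid']}"))
    return alerts


# Constructed sample telemetry: benign activity first, then a Lynx-like sequence.
SAMPLE_EVENTS = [
    {"type": "file_rename", "pid": 900, "target": r"C:\Users\a\report.docx"},
    {"type": "process", "pid": 912, "cmdline": "vssadmin list shadows"},
] + [
    {"type": "file_rename", "pid": 4120, "target": rf"C:\Share\doc{i}.xlsx.lynx"}
    for i in range(5)
] + [
    {"type": "process", "pid": 4120, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
]

if __name__ == "__main__":
    for alert, detail in detect(SAMPLE_EVENTS):
        print(f"{alert}: {detail}")
```

Running the block on the sample prints one mass-rename alert for pid 4120 followed by one shadow-copy deletion alert; the benign `vssadmin list shadows` and the `.docx` rename produce nothing.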