> ransomware group tracker

Live profiles of active ransomware operations. Tracking TTPs, targets, victim counts, and law enforcement actions across the ransomware ecosystem.

6 groups tracked · 6 active · 4 RaaS · 6400+ known victims

Active · RaaS · since 2022-07

Qilin (aka Agenda)

High-volume RaaS operation that surpassed 1,000 leak site victims. Collaborates with initial access brokers for stolen VPN credentials. Known for targeting healthcare, manufacturing, and education sectors.

TTPs

initial access: Stolen VPN credentials via IABs · Phishing · Exploiting public-facing applications
execution: PowerShell · Cobalt Strike
lateral movement: PsExec · RDP · WMI
exfiltration: RClone · Custom C2
impact: Double extortion · Data encryption · Shadow copy deletion
targets: Healthcare · Manufacturing · Education · Government
known victims: 1000+
last activity: 2026-03

Active · RaaS · since 2023-03

Akira (aka GOLD SAHARA)

Dominant RaaS group accounting for 22% of observed incidents in early 2026. Targets small to mid-size businesses across multiple sectors. Known for exploiting VPN vulnerabilities and Cisco ASA flaws.

TTPs

initial access: VPN exploitation (Cisco ASA/AnyConnect) · Compromised credentials
execution: PowerShell · Batch scripts
lateral movement: RDP · SMB · PsExec
exfiltration: WinSCP · RClone · FileZilla
impact: Double extortion · Linux/VMware ESXi encryption · Shadow copy deletion
targets: Manufacturing · Professional services · Technology · Healthcare
known victims: 350+
est. revenue: $42M+ (2024)
last activity: 2026-03

Resurgent · RaaS · since 2019-09

LockBit (aka LockBit 3.0 / LockBit Green)

Taken down by Operation Cronos in February 2024 but resurfaced in September 2025. Has stated intent to target critical infrastructure including nuclear and power facilities. Historically the most prolific ransomware operation.

TTPs

initial access: Exploiting public-facing apps · Phishing · RDP brute force · IABs
execution: PowerShell · Cobalt Strike · Metasploit
lateral movement: PsExec · RDP · Mimikatz · BloodHound
exfiltration: StealBit (custom) · RClone · Mega.nz
impact: Triple extortion · Self-spreading encryption · Shadow copy deletion · ESXi targeting
targets: Critical infrastructure · Healthcare · Finance · Government · Manufacturing
known victims: 2000+
est. revenue: $120M+ (pre-takedown)
last activity: 2026-02

Law Enforcement Actions

  • Operation Cronos takedown (Feb 2024)
  • Multiple affiliate arrests (2024)
  • Leader 'LockBitSupp' identified as Dmitry Khoroshev (May 2024)

Active · RaaS · since 2019-02

Clop (aka Cl0p / TA505)

Specializes in mass exploitation of file-transfer software zero-days. Responsible for MOVEit (2023), GoAnywhere (2023), and Cleo (2024) campaigns affecting thousands of organizations. Prefers data theft over encryption.

TTPs

initial access: Zero-day exploitation of file transfer tools · Supply chain compromise
execution: Web shells · Custom malware
lateral movement: Minimal — focuses on data theft from initial foothold
exfiltration: Direct download from compromised file transfer systems
impact: Data theft and extortion · Mass victim campaigns · Leak site pressure
targets: Finance · Healthcare · Government · Any org using targeted file transfer software
known victims: 2500+
est. revenue: $100M+ (MOVEit campaign alone)
last activity: 2026-01

Law Enforcement Actions

  • Multiple arrests in Ukraine (2021)

Active · Closed group · since 2022-06

Play (aka PlayCrypt)

Closed ransomware group (not RaaS) targeting government agencies, police networks, and critical infrastructure primarily in Latin America and Europe. Uses custom encryption and double-extortion tactics.

TTPs

initial access: Exploiting VPN/RDP flaws · FortiOS vulnerabilities · Microsoft Exchange exploits
execution: Custom tools · PowerShell
lateral movement: Cobalt Strike · SystemBC · PsExec
exfiltration: WinRAR archives · WinSCP
impact: Double extortion · Custom encryption (.play extension) · Intermittent encryption
targets: Government · Law enforcement · Critical infrastructure · Telecom
known victims: 400+
last activity: 2026-03

Active · RaaS Cartel · since 2023-08

DragonForce

Operates on a ransomware cartel model, absorbing smaller groups like BlackLock/Mamona. Offers white-label ransomware infrastructure to affiliates. Growing rapidly in 2026.

TTPs

initial access: Phishing · Compromised credentials · Exploiting public-facing apps
execution: PowerShell · Custom loaders
lateral movement: RDP · PsExec · AnyDesk
exfiltration: RClone · Custom tools
impact: Double extortion · Cartel-model operations
targets: Manufacturing · Retail · Professional services
known victims: 150+
last activity: 2026-03