> ransomware group tracker

Live profiles of active ransomware operations. Tracking TTPs, targets, victim counts, and law enforcement actions across the ransomware ecosystem.

30 groups tracked · 26 active · 19 RaaS · 16,449+ known victims
Active RaaS since 2022-07

Qilin (aka Agenda)

Dominant RaaS operation and the most active ransomware group of 2026 for the third consecutive quarter, responsible for nearly 20% of global ransomware activity. Posted 338 victims in Q1 2026, outpacing the bottom 50 ransomware groups combined, and continued at pace into May 2026. Recent May 2026 victims include AppDirect (US, posted 2026-05-11), Keller Williams Real Estate – Exton (US), International Customer Care Services, Pangolin Editions, Lindabury (US legal services), The Gravity Group (2026-05-12), Sysco (US food distribution giant, 2026-05-05), Seagate Capital Construction (US, 2026-05-05), Ahorramas (Spanish consumer services, 2026-05-05), Standard-Examiner (US news, 2026-05-02), and LSM Lee (Singapore, 2026-05-02). Top targeted sectors year-to-date: Manufacturing (276), Business Services (219), Technology (166), Healthcare (158), Financial Services (115); the United States is by far the most targeted country (~803 victims). Absorbed many former RansomHub affiliates after that group collapsed in April 2025.

Deploys an EDR-killing DLL (msimg32.dll) capable of disabling 300+ security drivers via BYOVD; the technique has since also been seen in Warlock ransomware. KELA assessed Qilin as the single most active operation for January-May 2026, accounting for roughly 17% of all publicly claimed ransomware attacks worldwide; ransomware.live tracked 1,863 Qilin leak-site victims by May 26, 2026, with new posts almost daily through the late-May window. A Qilin-attributed intrusion at Covenant Health was confirmed in May 2026 to have exposed personal data on nearly 480,000 individuals. Late-May 2026 victims include Semgrep (US, posted 2026-05-22), Ridge Law Firm (US, attack estimated 2026-05-12), and Gestordes (attack estimated 2026-05-03).

Activity continued into early June 2026 (2026-06-02 leak-site victims include Clinica Maitenes and Nova Medical Products); ransomware.live/RansomLook tracking put Qilin at roughly 1,883 total leak-site victims by early June 2026, with cumulative sector impact led by Manufacturing (~291), Business Services (~245), and Healthcare (~168). In June 2026 a Qilin affiliate was tied to active exploitation of a critical Check Point VPN zero-day, CVE-2026-50751 (CVSS 9.3), an IKEv1 authentication-bypass flaw in Remote Access/Mobile Access VPN that lets unauthenticated attackers establish a VPN session without a valid password. Exploitation ran quietly from May 7, 2026 and accelerated in early June before CISA added the bug to its Known Exploited Vulnerabilities catalog on June 9, 2026 with a June 11 federal patch deadline. Check Point also disclosed a secondary flaw, CVE-2026-50752 (an IKEv1 certificate-validation issue enabling MITM on site-to-site VPN), found during the same investigation. Because exploitation predates the patch by roughly a month, patching alone is not remediation: VPN session logs and any accounts, credentials or persistence established through affected gateways since early May should be reviewed.

Qilin kept up a high leak-site tempo into mid-June 2026, claiming 15 victims across nine countries between June 2-5 (healthcare, hospitality, manufacturing, consumer services and critical infrastructure), including Nova Medical Products (US), Clinica Maitenes (Chile), JNP ENG (South Korea), MarketJoy (US), Eat Salad (Brazil) and MEISA-Sines (Portugal, energy), and posted roughly five more on June 9; 18 victims across manufacturing and energy were claimed in a single 24-hour period around 2026-06-11. Mid-June claims include Q Link Wireless (US telecom provider, 2026-06-16) and BTX Global Logistics (US, 2026-06-17); late-June claims include Lam Soon (Singapore food & beverage, 2026-06-29), Metal Sur Famin (Peru, manufacturing, 2026-06-29), Hemmersbach GmbH & Co. KG (Germany, IT services, 2026-06-30), and Chamco (Canada, manufacturing, 2026-06-30). Analysts expect Qilin to close Q2 2026 as the single most active ransomware operation globally, extending an unbroken run as the #1 group since Q2 2025 (a twelfth consecutive month).

TTPs

initial access Stolen VPN credentials via IABs · Check Point VPN zero-day (CVE-2026-50751, IKEv1 auth bypass) · Phishing · Exploiting public-facing applications
execution PowerShell · Cobalt Strike · Malicious DLL sideloading (msimg32.dll)
lateral movement PsExec · RDP · WMI
exfiltration RClone · Custom C2
impact Double extortion · Data encryption · Shadow copy deletion · EDR killer targeting 300+ drivers
targets Healthcare · Manufacturing · Education · Government · Financial services · Transportation
known victims 2000+
last activity 2026-06
Active RaaS since 2023-03

Akira (aka GOLD SAHARA)

Prolific RaaS group with over 1,500 total victims since 2023 and $245M+ in collected ransoms. Q1 2026 victim count was 176, down 22% from 226 in Q4 2025, reflecting the declining yield of the late-2025 SonicWall SSL-VPN campaign as more organisations patched. Still drives an estimated 40% of cyber-insurance claims year-to-date, and SonicWall devices remain present in ~86% of Akira-related incidents. Average ransom demand is now ~$1.2M. Can move from initial access to full network encryption in under four hours, with documented sub-hour smash-and-grab cases.

A new SonicWall firewall-bypass vulnerability (CVE-2026-0204) continues to be weaponized in the same playbook. GreyNoise telemetry recorded a sharp SonicWall SonicOS API scanning surge between May 9-18, 2026, with a May 12 peak of ~597,000 sessions in 24 hours (roughly 46x the prior 30-day baseline), interpreted as Akira affiliates aggressively re-enumerating exposed appliances ahead of the next exploit wave. The campaign's original root cause remains SonicWall CVE-2024-40766 (improper access control in SonicOS), still being re-exploited on unpatched or credential-reused Gen5/6/7 appliances alongside the newer CVE-2026-0204 bypass. Because the playbook reuses local credentials harvested from appliances before they were patched, a firmware update alone does not close it: local user passwords on affected appliances need to be rotated as well.

In April 2026 Qilin overtook Akira as the single most active group of the month; Akira held second place at roughly its March activity level. Akira kept posting through late May 2026 (US construction, legal, woodworking and marine SMBs on 2026-05-27 and 2026-05-29) and remained the second most active ransomware operation globally through the end of June 2026, behind only Qilin. Leo International (US) was claimed as a victim on June 23, 2026, a leak-site post on June 12, 2026 confirmed the continued high operational tempo, and a claim against Advanced Business Systems, Inc. (US office-solutions provider) posted 2026-06-30 threatened to leak roughly 31GB of data.
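The GreyNoise figure above (a one-day peak at ~46x a 30-day baseline) is the kind of signal a firewall or honeypot log pipeline can raise on its own. The following is an added example, not code from this tracker or from GreyNoise: a rolling-baseline surge detector over a constructed daily series of SonicOS API hits shaped like the May 2026 wave. It uses the median of the preceding window as the baseline; the `baseline="mean"` option is there to show why a mean baseline is the wrong choice once the first days of a wave are inside the window.

```python
"""Flag scanning surges against a rolling baseline.

Added example; not the tracker's or GreyNoise's code.  The daily session
counts are constructed to mimic the shape of the May 2026 SonicOS API surge
(a quiet month, then a spike ~46x baseline); they are not real telemetry."""
from statistics import mean, median

BASELINE_FNS = {"median": median, "mean": mean}


def detect_surges(daily_counts, window=30, factor=10.0, min_baseline=1.0,
                  baseline="median"):
    """Return [(day_index, count, ratio)] for days whose count is at least
    `factor` times the baseline statistic of the preceding `window` days.

    Median rather than mean: once the first ramp days of a wave sit inside
    the window, a mean baseline is dragged upward and understates every
    later ratio (in the sample series it drops the day after the peak
    below threshold; the median keeps it).  `min_baseline` floors the
    divisor so a silent prior window (all zeros) does not yield infinite
    ratios.
    """
    stat = BASELINE_FNS[baseline]
    surges = []
    for i in range(window, len(daily_counts)):
        base = max(stat(daily_counts[i - window:i]), min_baseline)
        ratio = daily_counts[i] / base
        if ratio >= factor:
            surges.append((i, daily_counts[i], round(ratio, 1)))
    return surges


# Constructed series: 30 quiet days of ~13,000 sessions/day, then a ramp that
# peaks at 597,000 (46x the median baseline) on day 33 before decaying.
BASELINE_DAYS = [12_800, 13_100, 12_950, 13_300, 12_700] * 6
SURGE_DAYS = [40_000, 120_000, 300_000, 597_000, 250_000, 90_000, 14_000]
SAMPLE_SERIES = BASELINE_DAYS + SURGE_DAYS

if __name__ == "__main__":
    for day, count, ratio in detect_surges(SAMPLE_SERIES):
        print(f"day {day}: {count:,} sessions, {ratio}x baseline")
```

Feed it one integer per day (sessions, unique source IPs, or requests to the SonicOS API path) and tune `factor` to the noise of the appliance; a ratio threshold alone will also fire on legitimate vulnerability-scanner runs, so the alert is a prompt to check source ASNs and requested paths, not a verdict.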

TTPs

initial access VPN exploitation (Cisco ASA/AnyConnect, SonicWall SMA100/SSL-VPN) · Compromised credentials
execution PowerShell · Batch scripts
lateral movement RDP · SMB · PsExec
exfiltration WinSCP · RClone · FileZilla
impact Double extortion · Linux/VMware ESXi encryption · Shadow copy deletion
targets Manufacturing · Professional services · Technology · Healthcare · Retail · Financial services
known victims 1520+
est. revenue $245M+ (lifetime)
last activity 2026-06

Law Enforcement Actions

  • Latvian national Deniss Zolotarjovs — who operated across Conti, Karakurt, Royal and Akira ransomware brands — sentenced to 102 months (8.5 years) in US prison (May 2026)
Resurgent RaaS since 2019-09

LockBit (variants: LockBit 3.0 / LockBit Green / LockBit 5.0)

Taken down by Operation Cronos in February 2024 but launched LockBit 5.0 in September 2025 with more modular encryption and improved defense evasion. Has posted 200+ victims on its new leak site since December 2025, targeting Windows, Linux, and ESXi across the Americas, Europe, and Asia. Together with Qilin, Akira, and The Gentlemen it claimed 41% of all Q1 2026 victims, posting 163 victims in Q1 2026 for fourth place globally. In late 2025 LockBit formalized a cartel alliance with Qilin and DragonForce, pooling affiliate pipelines, attack infrastructure, and target intelligence, and inviting additional e-crime actors to join. LockBit 5.0's cumulative victim count reached roughly 311 by around 2026-06-20, an ~87% jump month-over-month, while its geographic mix shifted away from the US (down to ~21% of victims in Q1 2026, from ~23% previously) toward Italy (~8.6%), Brazil (~8.6%), and Turkey (~5.1%), consistent with continued affiliate avoidance of US targets under sustained law-enforcement pressure. Activity continued into June 2026.

Separately, on 2026-06-24 Europol and Microsoft's coordinated 'Operation Endgame' action dismantled 326 servers and seized 142 domains tied to the SocGholish, Amadey, and StealC infostealer/loader infrastructure that has historically fed initial access to LockBit and other ransomware operations. This is a disruption to the broader access-broker ecosystem LockBit affiliates draw on, not a LockBit-specific takedown.

TTPs

initial access Exploiting public-facing apps · Phishing · RDP brute force · IABs
execution PowerShell · Cobalt Strike · Metasploit
lateral movement PsExec · RDP · Mimikatz (credential dumping) · BloodHound (AD attack-path discovery)
exfiltration StealBit (custom) · RClone · Mega.nz
impact Triple extortion · Self-spreading encryption · Shadow copy deletion · ESXi targeting
targets Critical infrastructure · Healthcare · Finance · Government · Manufacturing
known victims 2230+
est. revenue $120M+ (pre-takedown)
last activity 2026-06

Law Enforcement Actions

  • Operation Cronos takedown (Feb 2024)
  • Multiple affiliate arrests (2024)
  • Leader 'LockBitSupp' identified as Dmitry Khoroshev (May 2024)
Active RaaS since 2019-02

Clop (aka Cl0p / TA505)

Specializes in mass exploitation of file-transfer and ERP software zero-days. Responsible for MOVEit (2023), GoAnywhere (2023), Cleo (2024), and the Oracle E-Business Suite campaign of late 2025/early 2026 (CVE-2025-61882). Has publicly named 100+ alleged Oracle EBS victims on its leak site, including Harvard University, Wits University, Envoy Air, The Washington Post, Schneider Electric, Emerson, Logitech, Cox Enterprises, Pan American Silver, LKQ Corporation, Copeland, Humana, Bechtel Corporation, Fruit of the Loom, Abbott, University of Phoenix, and Entrust; analysts likewise estimate that 100+ organisations were ultimately impacted. Approximately 40% of victims are in technology and 30% in manufacturing; 80% are US-based.

Clop's leak site published a fresh wave of ~29 newly named victims around 2026-06-26, including Michelin, Canon, Mazda, Estée Lauder, and Broadcom (Mazda has publicly disputed any data leakage or operational impact); 77 victim datasets had already been posted via torrent/magnet links by that point, with roughly 18 of the 29 new names US-based. Separately, a new and distinct Oracle EBS flaw, CVE-2026-46817 (CVSS 9.8, unauthenticated RCE via the File Transmission component of the Oracle Payments module, patched in Oracle's May 2026 Critical Patch Update), was confirmed under active exploitation as of 2026-06-30, with Shadowserver tracking 450+ exposed EBS instances online (nearly 200 in the US). Exploitation of CVE-2026-46817 has not yet been formally attributed to Clop or any named group, though the targeting pattern is consistent with Clop's historic Oracle EBS/PeopleSoft playbook and is being watched closely. Since Clop's EBS intrusions are data-theft operations with minimal lateral movement, an internet-exposed EBS instance that was unpatched during either window should be checked for web shells and bulk data access, not just patched.

TTPs

initial access Zero-day exploitation of file-transfer and ERP software (MOVEit, GoAnywhere, Cleo, Oracle EBS) · Supply chain compromise
execution Web shells · Custom malware
lateral movement Minimal — focuses on data theft from initial foothold
exfiltration Direct download from compromised file transfer systems
impact Data theft and extortion · Mass victim campaigns · Leak site pressure
targets Finance · Healthcare · Government · Any org exposing the targeted file-transfer or ERP software to the internet
known victims 2730+
est. revenue $100M+ (MOVEit campaign alone)
last activity 2026-06

Law Enforcement Actions

  • Multiple arrests in Ukraine (2021)
Active Closed group since 2022-06

Play (aka PlayCrypt)

Closed ransomware group (not RaaS) targeting government agencies, police networks, and critical infrastructure primarily in Latin America and Europe. Uses custom encryption and double-extortion tactics. Posting cadence slowed notably in the second half of June 2026, with tracker snapshots showing no new confirmed leak-site victim after roughly 2026-06-17 — a possible lull rather than a confirmed disruption; no law-enforcement action or status change has been reported.

TTPs

initial access Exploiting VPN/RDP flaws · FortiOS vulnerabilities · Microsoft Exchange exploits
execution Custom tools · PowerShell
lateral movement Cobalt Strike · SystemBC · PsExec
exfiltration WinRAR archives · WinSCP
impact Double extortion · Custom encryption (.play extension) · Intermittent encryption
targets Government · Law enforcement · Critical infrastructure · Telecom
known victims 1224+
last activity 2026-06
Active RaaS Cartel since 2023-08

DragonForce

Operating as a ransomware cartel model, absorbing smaller groups like BlackLock/Mamona and spawning sub-brands like Devman. Offers white-label ransomware infrastructure to affiliates. Notably behind the Marks & Spencer attack (April 2025, ~£300M financial impact, online store offline for 46 days), deployed via Scattered Spider affiliates, along with Co-op and Harrods. DragonForce has logged 579 confirmed victims since founding, up from 363 at the end of January 2026, roughly 216 new victims in under six months; in May 2026 it claimed over half of all Dutch ransomware victims that month, reflecting an active affiliate-recruitment push.

Continues targeting retail, manufacturing, and pharma into May 2026, with the cartel now threatening 365+ companies on its leak site. An April 27, 2026 leak-site burst included MassDevelopment (US state agency), FAT Brands, IBS Website Solutions, and several mid-market US firms. May 2026 victims include Cult Wines (UK fine wine retailer, posted 2026-05-04); May 25, 2026 saw another concentrated burst with Saver NV (Dutch waste-management operator), Veg-Fresh Farms (US agriculture), Alliance Adjustment Group (US public insurance adjusting, PA/NJ), and Xchange Technology Rentals (Germany, IT/AV equipment rental). On 2026-05-27 DragonForce ran one of its largest single-day bursts of the year, roughly 19 leak-site victims concentrated in US and Dutch real estate and healthcare, and continued into June 2026 (2026-06-01 victims include Taos Mountain Casino and Synex International), keeping it among the most active cartels globally. Late-June 2026 claims include STNI Co., Ltd. (South Korea, virtual-technology company, attack estimated 2026-06-28, posted 2026-06-29) and Agroprime (Chile, agribusiness SaaS, posted 2026-06-29).

In June 2026 Symantec and Security Affairs reported DragonForce operators deploying Backdoor.Turn, a custom Go-based implant that routes C2 traffic through legitimate Microsoft Teams relay infrastructure: it obtains an anonymous Teams visitor token via Microsoft's Skype-backed identity services and tunnels a QUIC session through a legitimate TURN relay, disguising attacker traffic as routine enterprise Teams communications. Because the relay endpoints are genuine Microsoft infrastructure, blocking by destination is not practical; the detection angle is Teams relay/QUIC sessions originating from server roles or hosts that do not run the Teams client, or from a process other than Teams.

TTPs

initial access Phishing · Compromised credentials · Exploiting public-facing apps · Scattered Spider-style social engineering
execution PowerShell · Custom loaders · Backdoor.Turn (Go-based C2 via Microsoft Teams relay, QUIC tunneling)
lateral movement RDP · PsExec · AnyDesk
exfiltration RClone · Custom tools
impact Double extortion · Cartel-model operations · C2 concealment in Microsoft Teams relay traffic
targets Manufacturing · Retail · Professional services · Pharmaceutical · Hospitality
known victims 579+
last activity 2026-06
Reduced activity RaaS since 2022-06

Medusa (listed alias: MedusaLocker; note that MedusaLocker is a separate ransomware family that predates the Medusa RaaS and is commonly confused with it)

Prolific RaaS operation linked to Storm-1175 and Lazarus Group deployments. Weaponizes zero-day and N-day vulnerabilities for high-velocity attacks, often moving from initial access to ransomware deployment within 24 hours. Has exploited 16+ vulnerabilities across major enterprise software, including (most recently) CVE-2026-1731 in BeyondTrust Remote Support / Privileged Remote Access, CVE-2026-23760 in SmarterMail (exploited a week before public disclosure), and CVE-2025-10035 in GoAnywhere MFT (also pre-disclosure). Heaviest impact in healthcare, education, professional services, and finance across Australia, the UK, and the US. The Medusa leak site recorded no new victims after February 14, 2026 — 100+ days without a public claim as of late June 2026, suggesting the group has suspended public operations or transitioned fully to private negotiations. Storm-1175 and Lazarus Group continue to deploy Medusa payloads in isolated incidents independently of the core group's leak-site activity.

TTPs

initial access Zero-day exploitation (BeyondTrust CVE-2026-1731, Citrix NetScaler, TrueConf, SmarterMail, GoAnywhere MFT) · N-day vulnerability exploitation · Phishing
execution PowerShell · Cobalt Strike · Custom loaders
lateral movement RDP · PsExec · WMI
exfiltration RClone · Custom tools
impact Double extortion · Data encryption · Critical service disruption
targets Healthcare · Education · Professional services · Finance · Critical infrastructure
known victims 545+
last activity 2026-02
Active RaaS since 2025-03

NightSpire

Originally a closed group handling all operations in-house, NightSpire announced a RaaS affiliate program in April 2026 and began publicly recruiting affiliates. Go-based ransomware payload uses hybrid encryption for speed. Primarily targets SMBs with less mature security across 30+ countries. Posted 74 victims on its data leak site in Q1 2026 and another 15 in April 2026, reaching 259+ claimed victims by May 1, 2026 across 28 industries. Continued at pace into June 2026, reaching 283 claimed victims by June 12, 2026. Top sectors: Manufacturing (35), Business Services (25), Healthcare (22), Technology (21), Consumer Services (13). Top countries: United States (71), France (11), Spain (10), India (10), Turkey (9). Ransom demands range from $150K to $2M. Late-June 2026 victims include Grupo Riquelme (Paraguayan conglomerate, posted 2026-06-25, attack estimated 2026-06-13, alleging theft of financial/banking data, customer databases, and HR/ERP data) and Artistic Smiles (US consumer-services business, posted 2026-06-19).

TTPs

initial access Exploiting public-facing applications · Compromised credentials
execution Custom Go-based ransomware · PowerShell
lateral movement RDP · PsExec
exfiltration Custom exfiltration tools
impact Double extortion · Data encryption · Large-scale data exfiltration (up to 350GB)
targets Manufacturing · Technology · Healthcare · Construction · Business services · Telecom
known victims 283+
last activity 2026-06
Active Hacktivist since 2024-01

Handala (aka Handala Hack)

Iranian-linked hacktivist group affiliated with MOIS. Primarily targets Israeli organizations but expanded targeting after Operation Epic Fury in February 2026. Claimed 23 victims in March 2026 alone. Operations focus on disruption and influence rather than financial gain. Around 2026-06-24/25 an IRGC-linked Telegram channel publicly confirmed, for the first time, that Yahya Hosseini Panjaki (aka Yahya Hamidi) — Iran's deputy intelligence minister for Israel affairs, killed in an Israeli strike on 2026-02-28 — had served as Handala's commander, formally confirming the group as a MOIS front rather than an independent hacktivist collective. Handala also made several disputed claims in June 2026, including breach of FBI drone footage tied to World Cup security (no verifiable evidence presented, per SITE Intelligence Group), a breach of California Water Service exposing billing PII (~2026-06-11; technical assessment found the compromised systems do not control water treatment/distribution, contrary to the group's framing), and responsibility for a Tel Aviv car bombing (~2026-06-04) claiming the victim was a senior Mossad official — a claim sourced only to Iranian state media and not corroborated by Israeli authorities.

TTPs

initial access Exploiting public-facing applications · Supply chain compromise · Phishing
execution Custom malware · Web shells
lateral movement RDP · Credential dumping
exfiltration Custom tools · Direct data theft
impact Data destruction · Data theft and leak · Propaganda operations
targets Technology · Government · Defense · Critical infrastructure · Energy · Healthcare
known victims 142+
last activity 2026-06
Active Closed group since 2024-10

SafePay

Emerged in late 2024, scaling aggressively through 2025-2026 with former Black Basta members among its ranks. Operates classic double extortion, stealing data, encrypting systems, and publishing victims on Tor-based leak sites. Uses modified LockBit source code and runs ~24-hour encryption timelines. Over 90% of victims are small or mid-sized businesses; top sectors are Business Services (62), Manufacturing (61), Technology (48), Consumer Services (39), and Education (38). By country: United States 198 victims, Germany 94, United Kingdom 30, Canada 29, Australia 15.

Surpassed 483 claimed victims by May 25, 2026 and roughly 490 by June 2, 2026, remaining one of the most active groups globally. An April 2026 listing of Malaysian crane maker Favelle Favco included a claimed 237GB / ~140,000-file dump exposing Australian employee IDs and internal records. May 2026 victims include Energy Action (Australian energy management firm), Boots Transport (Canada, 2026-05-04), Maiadouro.pt (Portugal), Hokuyo 2006 Co. (Japan), and Dahlgrens Cement AB (Sweden). June 2026 activity included 6 new leak-site victims on 2026-06-02 across transportation/logistics and professional services in Germany and Italy, and a German victim (hellmold-plank.de) posted around 2026-06-27, keeping SafePay among the most active operations through the end of June.

TTPs

initial access Compromised credentials · Exploiting public-facing applications · IABs
execution Custom loaders · PowerShell
lateral movement RDP · PsExec · SMB
exfiltration RClone · Custom tools
impact Double extortion · Data encryption · Leak site pressure
targets Manufacturing · Professional services · Technology · Healthcare · Finance
known victims 500+
last activity 2026-06
Defunct RaaS since 2022-04

Black Basta (deployment cluster tracked by Microsoft as Storm-1811)

Formerly one of the top-tier RaaS operations until its collapse in early 2025. Members have migrated to successor groups including SafePay. The group's alleged leader Oleg Nefedov was placed on EUROPOL Most Wanted and INTERPOL Red Notice lists. Note on naming: Microsoft tracks the cluster that deployed Black Basta through Quick Assist social engineering as Storm-1811; 'Vanilla Tempest', which some trackers attach to Black Basta, is Microsoft's name for the Vice Society operator and is not a Black Basta alias.

TTPs

initial access Phishing (QakBot, DarkGate) · Exploiting public-facing applications · IABs
execution PowerShell · Cobalt Strike · SystemBC
lateral movement PsExec · RDP · Mimikatz · Impacket
exfiltration RClone · WinSCP
impact Double extortion · Data encryption · ESXi targeting
targets Healthcare · Finance · Manufacturing · Government · Technology
known victims 500+
est. revenue $100M+ (lifetime)
last activity 2025-12

Law Enforcement Actions

  • LE raids on two suspects in Ukraine and Germany (Jan 2026)
  • Leader Oleg Nefedov placed on EUROPOL Most Wanted and INTERPOL Red Notice (Jan 2026)
  • Conti 'loader' developer Oleksii Oleksiyovych Lytvynenko (Ukrainian, extradited from Ireland) pleaded guilty 2026-06-10 to wire-fraud conspiracy tied to Conti operations that extorted $150M+ from 1,000+ victims; sentencing set for 2026-09-10 as part of DOJ's Operation Riptide (Black Basta is a Conti-lineage successor brand)
Active RaaS since 2025-06

The Gentlemen

Fast-scaling RaaS that emerged mid-2025 and climbed to the #2 spot by victim count in early 2026. Founded by a threat actor known as Hastalamuerte, an experienced Qilin affiliate who left after a dispute over a ~$48K unpaid commission, which explains the group's rapid operational capability and sophistication. Public leak-site count exceeded 365 by late April 2026; ReliaQuest documented a jump from 35 victims in Q4 2025 to 182 in Q1 2026, and the group added another ~82 victims in April 2026 alone. Check Point Research mapped an underlying SystemBC C2 botnet of 1,570+ likely corporate victims, well beyond what the group publicly claims, and Bitdefender now assesses the actual victim count likely exceeds 1,500. FBI issued an official warning on March 15, 2026. Top targeted sectors: Manufacturing, Technology, Healthcare, Financial Services, and Transportation/Logistics; top geographies: US, Thailand, France, Brazil, India.

MAJOR EVENT (May 2026): The group's own backend infrastructure was compromised. On May 4, 2026, a Breached forum post titled 'The Gentlemen - hacked data for sale' offered the full dataset for $10K in BTC; by May 8 the seller posted a free MediaFire download link. The breach is linked to a compromise of hosting provider 4VPS, which operated parts of the gang's infrastructure. Leaked data included internal chats, affiliate operations, ransom-negotiation correspondence, attack methods, and organizational structure, revealing a small but professional syndicate of ~9 core operators. Leaked negotiations show the group threatening to release data tied to companies under NDAs with Sony and Barclays. The Gentlemen publicly claimed no critical data was exposed. A May 2026 KELA analysis of the leaked backend ranked The Gentlemen second only to Qilin for January-May 2026, with 332 publicly claimed victims (~10% of global ransomware claims for the year), and found the gang had studied the Black Basta chat leak as a playbook for phishing, credential reuse, and internal reconnaissance. KELA's May 13, 2026 cut put The Gentlemen second behind Qilin in the Jan 1-May 13 window, during which all ransomware groups together posted 3,349 claimed victims globally (a ~14.5% rise vs the same period in 2025). Despite the backend leak the group stayed fully operational: on 2026-05-16 a newer BreachForums instance announced The Gentlemen as an official forum partner (granting advertising plus infrastructure and operational support), and the gang kept posting at a high tempo into June 2026, with 4 victims on 2026-05-29 and 14 on 2026-06-01, heavily weighted to healthcare and retail across North America and Asia.

NOTABLE (June 2026): On June 18, 2026 ESET published detailed analysis of the group's mature, operator-maintained EDR-killer toolset, branded 'GentleKiller', confirming The Gentlemen curates multiple EDR killers for adaptive defense evasion and has distinguished itself through this capability since early 2026. GentleKiller ships in 8+ distinct variants, each impersonating a different legitimate product (including spoofed Kaspersky, Valorant anti-cheat, Javelin, and WatchDog binaries) while abusing a different vulnerable/malicious kernel driver via BYOVD, together targeting 400+ processes across 48 security products from vendors including Microsoft Defender, CrowdStrike, SentinelOne, Sophos, and Bitdefender; the suite also incorporates third-party/leaked tools such as HexKiller, ThrottleBlood, and HavocKiller. A separate Expel investigation of an April 2026 incident found the group had used a genuine zero-day driver exploit not present on public vulnerable-driver blocklists, which means hash-based driver blocklisting alone cannot be relied on against this group. A Microsoft Security Blog report on May 28, 2026 dissected a self-propagating variant of the Go encryptor.

On 2026-06-10 a Gentlemen-attributed attack on Mackay Sugar, Australia's second-largest raw sugar producer, forced a physical shutdown of its Farleigh and Racecourse mills during peak crushing season by crippling IT-side scheduling and historian databases without directly manipulating PLCs or variable-speed drives; the group formally claimed the attack on its leak site on 2026-06-15. By mid-June 2026 The Gentlemen's leak site listed 483 victims across 66 countries, ranking it the #2 most active ransomware operation globally by victim count. The group offers affiliates a 90% revenue share, well above the 70–80% standard at competing RaaS operations, which has driven accelerated recruitment of experienced operators throughout 2026.
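The EDR-killer passages on this page (Qilin's msimg32.dll loader disabling 300+ drivers, GentleKiller's product-impersonating variants, and the Expel finding of a driver on no public blocklist) point at the same detection problem: a hash blocklist catches the known drivers and nothing else. The following is an added example, not code from the tracker, ESET, Expel or any vendor, that runs three independent checks over constructed Sysmon-shaped events (driver-load with hash and signer, process-terminate): a blocklist match, a behavioural rule (driver load followed within a short window by several security-agent terminations on the same host), and a signer rule (consumer anti-cheat or tuning-tool signers loading a kernel driver on a server). Every hash, signer name, hostname and process name below is a placeholder; `is_server` stands in for an asset-inventory lookup.

```python
"""Flag BYOVD-style EDR-killer activity from Sysmon-like driver-load and
process-terminate events.

Added example; not code from the tracker page or from ESET, Expel, or any
vendor.  The events, hashes, signers and process names are constructed
placeholders, not real indicators."""
from collections import namedtuple
from datetime import datetime, timedelta

# kind "DriverLoad": detail = {"image", "sha256", "signer"}  (Sysmon EID 6 shape)
# kind "ProcessTerminate": detail = {"image"}                (Sysmon EID 5 shape)
Event = namedtuple("Event", "ts host kind detail")

# Hash blocklist a defender would populate from the Microsoft vulnerable-driver
# blocklist or LOLDrivers.  Placeholder value; real entries are SHA-256 strings.
BLOCKED_SHA256 = {"a" * 64: "placeholder for a known vulnerable driver"}

# Security-product processes whose abrupt termination is the tell of an EDR
# killer (sample image names; extend from your own EDR/AV deployment).
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe",
                      "sophoshealth.exe", "bdservicehost.exe"}

# Signers of consumer software (anti-cheat, hardware tuning) that have no reason
# to load a kernel driver on a server.  Constructed list.
CONSUMER_SIGNERS = {"Example Anti-Cheat Ltd", "Example Tuning Tools"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_server(host):
    """Stand-in for an asset-inventory lookup: hostnames prefixed SRV are servers."""
    return host.upper().startswith("SRV")


def detect_edr_killer(events, window_seconds=120, min_kills=2):
    """Return [(host, driver_image, reason)] from three independent signals:
      1. driver hash on the blocklist (cheap, but misses zero-day drivers such
         as the one Expel observed off every public blocklist);
      2. a driver load followed within `window_seconds` by >= `min_kills`
         security-process terminations on the same host (behavioural; catches
         drivers nobody has a hash for);
      3. a consumer-software signer loading a kernel driver on a server role
         (the spoofed anti-cheat/AV-branded binary pattern).
    """
    events = sorted(events, key=lambda e: _ts(e.ts))
    kills = [e for e in events if e.kind == "ProcessTerminate"
             and e.detail["image"].lower() in SECURITY_PROCESSES]
    findings = []
    for ld in (e for e in events if e.kind == "DriverLoad"):
        t0, image, signer = _ts(ld.ts), ld.detail["image"], ld.detail["signer"]
        if ld.detail["sha256"] in BLOCKED_SHA256:
            findings.append((ld.host, image, "blocklisted driver hash"))
        n = sum(1 for k in kills if k.host == ld.host
                and t0 <= _ts(k.ts) <= t0 + timedelta(seconds=window_seconds))
        if n >= min_kills:
            findings.append((ld.host, image,
                             f"{n} security processes terminated within {window_seconds}s of driver load"))
        if signer in CONSUMER_SIGNERS and is_server(ld.host):
            findings.append((ld.host, image, f"consumer-software signer '{signer}' on server host"))
    return findings


# Constructed event stream: one server hit by an unknown (not blocklisted) driver
# that kills two EDR agents, one benign workstation driver load, and one server
# loading a blocklisted driver that has not (yet) killed anything.
SAMPLE_EVENTS = [
    Event("2026-06-10 02:14:03", "SRV-FILE01", "DriverLoad",
          {"image": r"C:\Windows\Temp\vgk_helper.sys", "sha256": "b" * 64,
           "signer": "Example Anti-Cheat Ltd"}),
    Event("2026-06-10 02:14:09", "SRV-FILE01", "ProcessTerminate", {"image": "MsMpEng.exe"}),
    Event("2026-06-10 02:14:10", "SRV-FILE01", "ProcessTerminate", {"image": "SentinelAgent.exe"}),
    Event("2026-06-10 02:14:12", "SRV-FILE01", "ProcessTerminate", {"image": "explorer.exe"}),
    Event("2026-06-10 02:30:00", "WS-0421", "DriverLoad",
          {"image": r"C:\Windows\System32\drivers\ndis.sys", "sha256": "c" * 64,
           "signer": "Microsoft Windows"}),
    Event("2026-06-10 03:01:44", "SRV-DB02", "DriverLoad",
          {"image": r"C:\Users\Public\ts.sys", "sha256": "a" * 64,
           "signer": "Example Tuning Tools"}),
]

if __name__ == "__main__":
    for host, image, reason in detect_edr_killer(SAMPLE_EVENTS):
        print(f"{host}: {image}: {reason}")
```

The behavioural rule is the one that survives a blocklist miss: the driver on SRV-FILE01 has an unknown hash, but two agent terminations seconds after its load are enough to raise it. In production the window should start at the driver load, not at the first kill, and the signer rule needs an inventory of which hosts legitimately run consumer software.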

TTPs

initial access FortiOS/FortiProxy CVE-2024-55591 auth bypass · Brute-forced FortiGate VPN credentials (969+ validated) · Database of ~14,700 pre-exploited FortiGate devices
execution Go-based ransomware payload · PowerShell · Living-off-the-land binaries · ZeroPulse open-source remote admin (GitHub)
lateral movement PsExec · PuTTY · PowerRun.exe · Advanced IP Scanner · Nmap
exfiltration SystemBC proxy botnet · Custom tools
impact Double extortion · XChaCha20 + Curve25519 encryption · Windows/Linux/ESXi variants · BYOVD via CVE-2025-7771 for EDR bypass · Adaptive EDR bypass generated mid-attack
targets Manufacturing · Technology · Healthcare · Financial services · Transportation & logistics
known victims 483+ leak-site claims (1500+ estimated from SystemBC botnet telemetry)
last activity 2026-06

Law Enforcement Actions

  • FBI official warning issued (2026-03-15)
  • Backend infrastructure breach via 4VPS hosting provider (2026-05-04); affiliate roster and negotiation logs leaked publicly on MediaFire (2026-05-08). Not a law-enforcement action: a criminal-on-criminal breach, listed here for its disruptive effect
Active RaaS since 2025-06

Sinobi

Financially motivated hybrid RaaS that emerged in late June 2025. Placed fourth globally with 56 claimed victims in January 2026 before cooling to 18 victims in February 2026, suggesting operational disruption or affiliate churn. Top activity sectors are Manufacturing, Healthcare, Construction, and Technology. Payload is concealed via legitimate driver abuse and defense-evasion tooling.

TTPs

initial access Compromised credentials · Exploiting public-facing applications · IABs
execution Custom loaders · PowerShell · Living-off-the-land binaries
lateral movement RDP · PsExec · SMB
exfiltration RClone · Custom tools
impact Double extortion · Data encryption · EDR evasion via BYOVD
targets Manufacturing · Healthcare · Construction · Technology
known victims 120+
last activity 2026-03
Compromised RaaS (fraudulent) since 2026-01

0APT (aka 0APT Syndicate)

Controversial RaaS that surfaced in late January 2026 and rapidly listed 253+ alleged victims by end of Q1 2026, but was widely assessed by GuidePoint and Halcyon as running a fake operation: leak samples were zero-byte files and the infrastructure was operated from an Android phone's SD card running AnLinux-Parrot. MAJOR EVENT (April–May 2026): in April 2026, 0APT breached rival group KryBit's RaaS panel and extracted staff names, credentials, cryptocurrency wallet addresses, location data, and ransom-negotiation correspondence, then attempted to extort KryBit for $2M with a threat to leak the affiliate list to the FBI. KryBit retaliated by breaching 0APT's own infrastructure, locking out its staff and dumping logs that publicly confirmed the operation was being run off an Android phone with Parrot OS on an SD card. Leak-site download links were shown to be falsified: clicking an archive simply piped random data to a preset path. 0APT's site is now locked out and the group has gone silent; KryBit's reciprocal exposure has tarnished its own standing despite winning the feud. The practical lesson for any organisation named by a new or unproven group is to validate the leak sample itself (size, format, whether it actually parses) before treating the claim as a confirmed breach.
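The 0APT case turns on exactly what a leak sample is: zero-byte files, and download links that served random bytes instead of an archive. The following is an added example, not the tracker's code or any vendor's tool, of the triage a responder can run on a downloaded sample before escalating a claim: empty-file check, container magic bytes, whether a zip actually parses and lists members, and a Shannon-entropy estimate to separate random or encrypted filler from plain exports. The sample files are constructed in memory; the format table and the 7.5 bits/byte cut-off are the author's choices, not a standard.

```python
"""Triage a claimed leak sample before treating an extortion claim as credible.

Added example; not the tracker page's code or any vendor's tool.  The sample
byte strings below are constructed in-memory stand-ins for downloaded files."""
import io
import math
import zipfile
from collections import Counter

# Magic bytes for containers extortion crews commonly post.  Constructed table.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"%PDF": "pdf",
    b"SQLite format 3\x00": "sqlite",
}


def shannon_entropy(data):
    """Bits per byte; 8.0 is indistinguishable from random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_format(data):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def triage_sample(data):
    """Return (verdict, details).  Verdicts:
      'empty'    zero-byte file (the 0APT pattern)
      'archive'  recognised container; for zip, it parses and lists members
      'corrupt'  recognised header but the body does not parse (filler with a
                 pasted-on header, or a truncated download)
      'opaque'   no known header and entropy near 8 bits/byte: encrypted
                 payload or random filler; not evidence of a breach on its own
      'plain'    no known header, low entropy: text or a raw export
    """
    if len(data) == 0:
        return "empty", {"size": 0}
    fmt = detect_format(data)
    info = {"size": len(data), "format": fmt, "entropy": round(shannon_entropy(data), 2)}
    if fmt == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                info["entries"] = len(zf.namelist())
                bad = zf.testzip()          # name of first corrupt member, or None
            return ("corrupt" if bad else "archive"), info
        except zipfile.BadZipFile:
            return "corrupt", info
    if fmt:
        return "archive", info              # header-only check for non-zip formats
    return ("opaque" if info["entropy"] > 7.5 else "plain"), info


def _make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a genuine export, a zero-byte "dump", random filler
# behind a .rar name, a header-only fake zip, and a plain-text note.
SAMPLES = {
    "hr_export.zip": _make_zip({"employees.csv": "id,name,email\n1,A. Example,a@example.test\n" * 50}),
    "zero_byte.7z": b"",
    "dump.rar.part1": bytes(range(256)) * 16,       # maximal-entropy filler, deterministic
    "header_only.zip": b"PK\x03\x04" + bytes(60),   # zip magic, no central directory
    "notes.txt": b"Internal memo: quarterly figures attached.\n" * 20,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *triage_sample(data))
```

A verdict of 'archive' with plausible member names is the minimum bar before a claim is worth a negotiation call; 'opaque' is consistent with a password-protected dump, but equally with the random-byte filler described above, so it proves nothing until a key or a parsable sample is produced.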

TTPs

initial access Compromised credentials · Targeted intrusion of rival ransomware infrastructure
execution Custom ransomware binaries (technically sound but rarely deployed) · PowerShell
lateral movement RDP · PsExec
exfiltration Fabricated for most listed victims (zero-byte archives); legitimate exfil tooling for KryBit infrastructure breach
impact Reputation/leak-site pressure with often empty data dumps · Inter-gang doxing operations
targets Critical infrastructure (claimed) · Healthcare (claimed) · Finance (claimed) · Rival ransomware groups (confirmed)
known victims 253+
last activity 2026-04
Active Data extortion since 2025-09

CoinbaseCartel (aka Coinbase Cartel)

Pure data-extortion crew (no encryptor) that emerged in September 2025 and has scaled aggressively through early 2026, claiming 118+ victims by April. Posted 22 victims in March 2026 alone and notably listed Cognizant and Aptim. Analyst assessments (Bitdefender, FortiGuard) suggest the group is composed of affiliates drawn from ShinyHunters, Scattered Spider, and Lapsus$. Operates a Tor leak site and uses staged disclosures — limited samples first, then full publication if the victim does not pay. Remained active into June 2026, with 2026-06-02 leak-site victims including Cambridge Mobile Telematics and Panasonic Avionics (Panasonic.aero).

TTPs

initial access Vishing/social engineering (Scattered Spider playbook) · Compromised credentials · OAuth token abuse
execution Living-off-the-land binaries · PowerShell
lateral movement RDP · Cloud-to-cloud pivots
exfiltration Direct cloud data theft · Custom tools · RClone
impact Pure extortion (no encryption) · Staged leak-site disclosure · Reputational pressure
targets Healthcare · Technology · Transportation · Finance · Telecom
known victims 125+
last activity 2026-06
Active RaaS since 2020-12

Everest

Russian-speaking financially motivated group active since December 2020. Originally a pure data-exfiltration crew, it added dual AES/DES encryption in 2021 and now also operates as an Initial Access Broker. Recruits corporate insiders for cash or profit-sharing. Approximately 360 total victims across at least 286 documented ransomware and digital extortion (R&DE) incidents; claimed at least 25 incidents year-to-date in 2026, ranking as the 10th most prominent extortion collective for the year. May 2026 brought high-profile financial-services victims, including Fiserv (US payment-processing giant, posted 2026-05-03) and TSYS (US payment solutions, 2026-05-02). Specifically targets medical-imaging providers with 24-hour deadlines, weaponising HIPAA exposure and patient-care urgency. In early May 2026 Everest began publishing what it claims is 108GB of Liberty Mutual data after an alleged failure to meet its demands; Liberty Mutual attributes the exposure to a third-party vendor incident. It sustained a healthcare- and utility-heavy tempo through late May 2026, ranking among the most active groups on 2026-05-28 with about 7 new victims (including Advanced Psychiatry Associates, Sidra Kuwait Hospital and Spedition Kern).

TTPs

initial access Exploiting public-facing applications · Phishing · Credential theft for remote access services · Insider recruitment
execution PowerShell · Custom loaders
lateral movement RDP · PsExec · Mimikatz
exfiltration RClone · Custom tools
impact Double extortion (data theft + AES/DES encryption) · Leak-site pressure · Insider-assisted breaches
targets Healthcare · Technology · Manufacturing · Financial services · Government
known victims 375+
last activity 2026-05
Active RaaS since 2024-07

Lynx INC Ransom (predecessor)

RaaS operation widely assessed to be a rebrand of the INC ransomware group, active since July 2024. Highly organized, with a structured affiliate program, an exclusive affiliate panel, internal communications channels, and a polished technical arsenal. Had amassed 410+ confirmed victims by mid-May 2026, with the United States accounting for the largest share and a clear North American preference that also extends to Canada, the UK, Australia, and Germany. Top targeted sectors: Education and Technology. In early 2026, Lynx executed high-volume burst campaigns, including a January 5, 2026 wave that added 20 organisations to its leak site in a single day. It sustained that tempo into Q2 2026, becoming one of the two most active groups globally in the May 10 window (8 victims in 24 hours, alongside Leak Bazaar). May 2026 victims include bayareaherbs.com, csb-battery.com, and funkychunky.com. Continues to be conflated with INC Ransom on some leak-tracking platforms despite the operational separation. NOTABLE (June 2026): On June 24, 2026 researchers discovered exposed INC Ransom staging server directories on AEZA Group bulletproof hosting containing Windows and Linux encryptors cross-compiled for 14 CPU architectures — including PowerPC, SPARC64, IBM Z (s390x), and RISC-V — alongside GPO deployment scripts targeting a Japanese food and beverage company and 675 MB of operator tooling. The exposed tooling also showed SMB pass-the-hash lateral movement using hardcoded Administrator NTLM hashes against a Southeast Asian manufacturer spanning food production, biotechnology, and chemicals.
The mainframe and POWER-series expansion represents a significant escalation — INC/Lynx is now actively pivoting toward IBM POWER, SPARC64, and z/Architecture mainframes that anchor global banking, telecom, and high-volume financial-transaction processing, extending the group's encryption capability to enterprise platforms historically outside ransomware's crosshairs. Of the 14 Rust-compiled binaries recovered, only the x86-64 Linux/ESXi variants matched previously documented capability; the remaining 10 of the 14 architecture targets had not previously been linked to the group.
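Triage of a staging directory like the one described above starts with establishing what each binary was built for, which can be read from the ELF or PE header without executing anything. The Python below is an added example for this page (not INC/Lynx tooling and not the researchers' code): it decodes EI_CLASS, EI_DATA and e_machine from ELF headers and the Machine field from PE headers, inventories a directory listing, and reports which architectures fall outside a baseline already attributed to the group. The directory contents are constructed headers built by helper functions, the file names are made up, and the baseline of {x86-64} is taken from the page's statement that only the x86-64 Linux/ESXi variants matched prior documentation.

```python
import struct

# ELF e_machine values (ELF spec / glibc elf.h) for the targets named in the report.
EM_NAMES = {
    3: "i386", 62: "x86-64", 20: "ppc32", 21: "ppc64", 43: "sparc64",
    22: "s390x (IBM Z)",      # EM_S390; the 64-bit s390x build when EI_CLASS is ELFCLASS64
    243: "riscv", 40: "arm32", 183: "aarch64", 8: "mips",
}
# PE IMAGE_FILE_HEADER.Machine values for the Windows builds.
PE_MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "aarch64"}


def classify_binary(data: bytes) -> tuple:
    """Return (container, architecture) from the leading bytes of a file."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        bits = {1: 32, 2: 64}.get(data[4], 0)          # EI_CLASS
        little = data[5] == 1                           # EI_DATA: 1 = LSB, 2 = MSB
        (e_machine,) = struct.unpack_from("<H" if little else ">H", data, 18)
        arch = EM_NAMES.get(e_machine, "unknown(e_machine=%d)" % e_machine)
        return ("ELF%d-%s" % (bits, "LE" if little else "BE"), arch)
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 6:
            (machine,) = struct.unpack_from("<H", data, pe_off + 4)
            return ("PE", PE_MACHINES.get(machine, "unknown(machine=0x%x)" % machine))
    return ("unknown", "not ELF/PE")


def make_elf_header(bits: int, little: bool, e_machine: int) -> bytes:
    """Constructed 64-byte ELF header used only as sample input; not a real binary."""
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1 if little else 2, 1]) + b"\0" * 9
    fmt = ("<" if little else ">") + "HHI"          # e_type, e_machine, e_version
    return ident + struct.pack(fmt, 2, e_machine, 1) + b"\0" * 40


def make_pe_header(machine: int) -> bytes:
    """Constructed minimal MZ/PE stub with e_lfanew = 0x40; sample input only."""
    return (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
            + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18)


# Constructed stand-in for a staging directory listing: filename -> leading bytes.
STAGING_DIR = {
    "locker_linux_x64": make_elf_header(64, True, 62),
    "locker_win_x64.exe": make_pe_header(0x8664),
    "locker_ppc64le": make_elf_header(64, True, 21),
    "locker_sparc64": make_elf_header(64, False, 43),
    "locker_s390x": make_elf_header(64, False, 22),
    "locker_riscv64": make_elf_header(64, True, 243),
    "deploy_gpo.ps1": b"# placeholder script\r\n",
}


def inventory(files: dict) -> dict:
    """filename -> (container, architecture) for every entry in a directory listing."""
    return {name: classify_binary(head) for name, head in files.items()}


def new_architectures(files: dict, baseline=frozenset({"x86-64"})) -> set:
    """Architectures present in the listing that are outside the group's documented baseline."""
    archs = {arch for container, arch in inventory(files).values() if container != "unknown"}
    return archs - set(baseline)


if __name__ == "__main__":
    for name, result in inventory(STAGING_DIR).items():
        print("%-22s %s %s" % (name, *result))
    print("not previously documented:", sorted(new_architectures(STAGING_DIR)))
```

Only the first 64 bytes of each file are needed, so the same function works over `head -c 64` output from a mirrored directory; a non-standard e_machine value is reported rather than dropped so that an unfamiliar target is not silently excluded from the count.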

TTPs

initial access Compromised credentials · Phishing · Exploiting public-facing applications
execution Custom encryptor · PowerShell · Living-off-the-land binaries
lateral movement RDP · PsExec · SMB
exfiltration RClone · Custom tools
impact Double extortion · Advanced encryption · Windows/Linux/ESXi variants · Cross-architecture encryptors (PowerPC, SPARC64, IBM Z/s390x, RISC-V, 14 total CPU targets)
targets Education · Technology · Manufacturing · Healthcare · Professional services · Mainframe/POWER environments
known victims 410+
last activity 2026-06
Active RaaS since 2026-02

KryBit

RaaS operation that emerged in early 2026 with 25+ claimed victims across the United States, Germany, Austria, and Turkey by May 2026. Operates an 80% affiliate revenue-share model with encryptors for ESXi, Linux, and Windows environments and advertises 24/7 technical support. MAJOR EVENT (April–May 2026): publicly engaged in a destructive doxing feud with rival group 0APT. After 0APT breached KryBit's RaaS admin panel and exfiltrated staff names, credentials, wallet addresses, and ransom-negotiation logs, then attempted to extort KryBit for $2M, KryBit retaliated by breaching 0APT's infrastructure and dumping evidence that 0APT was operating from a single Android phone running Parrot OS off an SD card, confirming earlier analyst assessments (GuidePoint, Halcyon) that 0APT was largely a fake operation. The retaliation locked out 0APT's staff, but KryBit's exposed admin data (affiliate list, victim records, account credentials) materially increases its own risk of a law-enforcement takedown and has damaged its standing with potential affiliates. Reflecting that fallout, KryBit dropped out of Bitdefender's Top 10 most active ransomware groups in the June 2026 Threat Debrief after being exposed. Despite that, KryBit continued posting through late June 2026: it claimed the Central Directorate of Tourism Police (POLITUR/CESTUR), a Dominican Republic law-enforcement agency, on 2026-06-25, and listed a Brazilian victim (mupras.com) on 2026-06-19.

TTPs

initial access Compromised credentials · Targeted intrusion of rival ransomware infrastructure
execution Custom encryptor (Windows/Linux/ESXi) · PowerShell
lateral movement RDP · PsExec
exfiltration RClone · Custom tools
impact Double extortion · Cross-platform encryption (ESXi, Linux, Windows) · Inter-gang doxing
targets Financial services · Technology · Manufacturing · Rival ransomware groups (confirmed)
known victims 33+
last activity 2026-06
Defunct RaaS since 2021-11

ALPHV/BlackCat BlackCat / Noberus

Defunct Rust-based RaaS operation. Its infrastructure was seized by the FBI and Europol in December 2023; the group briefly resumed operations, then exit-scammed its affiliates in March 2024 following the Change Healthcare breach, and the operation collapsed. New May 2026 development: two US-based former cybersecurity professionals, Ryan Goldberg (former incident-response manager) and Kevin Martin (former ransomware negotiator), each received four-year prison sentences after pleading guilty to conspiracy charges. They collaborated with Angelo Martino to purchase access to the ALPHV platform and extorted multiple US victims between April and October 2023. Martino, a ransomware negotiator for incident-response firm DigitalMint who abused that role by sharing confidential victim information with threat actors to increase ransom payments, pleaded guilty and is scheduled to be sentenced on 2026-07-09.

TTPs

initial access Exploiting public-facing applications · Phishing · IABs
execution Rust-based ransomware · PowerShell · Cobalt Strike
lateral movement PsExec · RDP · Mimikatz
exfiltration RClone · Custom tools
impact Triple extortion · Rust-based cross-platform encryption · ESXi targeting · DDoS pressure
targets Healthcare · Critical infrastructure · Finance · Manufacturing · Government
known victims 700+
est. revenue $300M+ (lifetime)
last activity 2024-03

Law Enforcement Actions

  • FBI/Europol infrastructure seizure (Dec 2023)
  • Affiliate exit scam collapsed operation (Mar 2024)
  • US former IR manager Ryan Goldberg sentenced to 4 years (May 2026)
  • US former ransomware negotiator Kevin Martin sentenced to 4 years (May 2026)
  • Angelo Martino (DigitalMint negotiator) pleaded guilty; sentencing scheduled 2026-07-09
Active Data extortion since 2026-03

Leak Bazaar LeakBazaar / SnowTeam

Stolen-data marketplace and extortion operation launched by a Russian-speaking threat actor known as 'Snow' of the SnowTeam crew, advertised on the TierOne (T1) cybercrime forum on March 25, 2026. Rather than deploying an encryptor, Leak Bazaar operates as a post-exfiltration processing service: it ingests raw corporate data dumps and converts them into structured, sellable intelligence using ML-assisted text analysis, automated removal of system files, database reverse engineering, and ERP parsing before human analyst validation. It focuses on organisations with annual revenue above $10M and segments stolen content into high-value products such as quarterly financials, M&A data, R&D files, and personal-data records, while also running a Tor leak site and offering ransom-negotiation support to partner gangs. Although it is a marketplace rather than a traditional encryptor crew, ransomware-tracking platforms (ransomware.live, RansomLook) list it as a distinct group; in the May 10, 2026 reporting window it was the single most active group tracked, posting 9 victims in 24 hours.

TTPs

initial access Data acquired from partner ransomware and extortion gangs · Compromised credentials
execution Not applicable (no encryptor; data processing and analytics platform)
lateral movement Not applicable (operates on already-exfiltrated data)
exfiltration Ingests third-party stolen data dumps · ML-assisted analysis and DBMS reverse engineering
impact Pure data extortion (no encryption) · Structured resale of stolen corporate data · Tor leak-site pressure
targets Manufacturing · Technology · Business services · Healthcare · Financial services
known victims 9+
last activity 2026-05
Active RaaS since 2025-12

Vect VECT / Vect 2.0

RaaS operation that launched its affiliate program in late December 2025 and moved into active campaigns in early 2026, with its first leak-site victim posted January 5, 2026 and 25 publicly named victims as of late May 2026 (Vect claims an additional ~300 unreleased victims). MAJOR EVENT (April 2026): Vect formalized an unprecedented alliance with the BreachForums cybercrime marketplace and the TeamPCP hacking crew, and on April 18, 2026 issued automatic Vect affiliate keys to every BreachForums member — roughly 300,000 registered users — in a single bulk onboarding. Analysts at Cynet, Dataminr, and Industrial Cyber describe this as an attempt to convert an entire mainstream cybercrime forum into a distribution network, in contrast to historical selective recruitment models such as Conti's affiliate program. Even partial activation of the BreachForums base would represent one of the largest coordinated ransomware affiliate mobilizations ever observed. Check Point Research and Cloud Security Alliance Labs subsequently published reports on a 'Vect 2.0' build that behaves as a wiper in many configurations — paying the ransom does not reliably recover enterprise data — raising the risk profile for victims of any affiliate using the toolkit.

TTPs

initial access Compromised credentials · Exploiting public-facing applications · Phishing
execution Custom encryptor (Vect 2.0) · PowerShell · Living-off-the-land binaries
lateral movement RDP · PsExec · SMB
exfiltration RClone · Custom tools
impact Double extortion · Cross-platform encryption · Wiper-like behavior in Vect 2.0 builds (unreliable decryption) · Mass-affiliate distribution model
targets Manufacturing · Technology · Business services · Financial services · Healthcare
known victims 25+
last activity 2026-05
Active RaaS since 2025-04

Nova RALord / RAlord / Nova RaaS

Ransomware-as-a-service operation that rebranded from RALord (active since April 2025) to Nova in mid-2025. Runs a structured affiliate program (marketed as 'APIPN') that recruits affiliates and buys network access, and uses double extortion — encrypting files and threatening to leak stolen data via a Tor site. Has claimed more than 100 victims across five continents, with the United States the top target, followed by France, Brazil, Spain and Singapore; heaviest sector impact in Manufacturing, Technology, Healthcare, Education and Business Services. SonicWall researchers note Nova has so far largely spared schools and nonprofits. Remained one of the most active groups in late May / early June 2026 (3 new victims on 2026-05-30 and continued posts into June). NOTABLE EVENT (late May-June 2026): a Nova affiliate broke the long-standing 'don't hit CIS targets' taboo by listing Eriell Group, a major Uzbekistan-headquartered oilfield-services firm with a Moscow office, in the group's 2026-05-26 batch. After backlash, Nova issued a public apology, banned the affiliate, claimed no files were encrypted, pledged not to leak the stolen data, and offered to help Eriell recover free of charge — a reminder that the rule barring attacks on Russia and CIS states still governs the Russian-speaking ransomware ecosystem in 2026. Bitdefender's June 2026 Threat Debrief listed Nova among the month's Top 10 most active ransomware groups. On 2026-06-24 Nova claimed responsibility for a breach of the NSW Rural Fire Service (Australia's largest volunteer firefighting agency), alleging theft of roughly 300GB of data including files on emergency-response projects and topographic maps; NSW RFS confirmed a security incident affecting IT systems but said emergency operations were unaffected, and has not confirmed Nova's specific claim, so attribution remains contested. By late June 2026 the group had logged roughly 157 documented victims across 42 countries.

TTPs

initial access Compromised credentials · Network access purchased from affiliates/IABs · Exploiting public-facing applications
execution Custom ransomware encryptor · PowerShell
lateral movement RDP · PsExec · SMB
exfiltration RClone · Custom tools
impact Double extortion · Data encryption · Tor leak-site pressure
targets Manufacturing · Technology · Healthcare · Education · Business services
known victims 157+
last activity 2026-06
Active Data extortion since 2025-01

World Leaks WorldLeaks / World_Leaks / Hunters International (predecessor)

Extortion-only operation that emerged in January 2025 as a rebrand of Hunters International (itself a 2023 rebrand of the Hive RaaS). Hunters International wound down its encryptor operation during 2025 — even releasing free decryptors — and migrated to a pure data-theft-and-extortion model under the World Leaks name, judging traditional ransomware too risky and less profitable amid law-enforcement pressure and falling payment rates. Runs an Extortion-as-a-Service (EaaS) model providing custom exfiltration tooling to affiliates, atop a four-platform infrastructure: a main Tor leak site, a victim negotiation portal with live chat, an affiliate management panel, and an Insider journalist portal that grants media outlets 24-hour advance access to stolen data before public release. Highly selective targeting of organisations with significant intellectual property and weak authentication (e.g. VPNs without MFA); single-victim leaks have exceeded 780GB. By June 2026 World Leaks had roughly 167 documented victims across 28 countries, with the United States hit hardest (~90 victims, over half of all attacks), followed by the UK (10) and Germany (8); top sectors are Healthcare (31), Manufacturing (24), Business Services (21), Technology (17) and Consumer Services (11). It ranked among the most active groups by leak-site postings in mid-2026. Although it markets a no-encryption model, Darktrace documented an early-2026 incident in which World Leaks both exfiltrated and encrypted victim data, contradicting its stated data-only posture.
The most significant recent World Leaks incident: around 2026-06-10/12 the group listed Tata Electronics — a major Apple and Tesla supplier — claiming theft of 204,341 files totaling 630.4GB, allegedly including iPhone 18 Pro technical specifications, Tesla-related manufacturing documents, employee passport scans, and internal operational records; Tata Electronics confirmed the incident (a rare victim confirmation for a World Leaks target) but said business operations were unaffected. Major press coverage of the leak publication continued through 2026-06-30.

TTPs

initial access Exploiting VPNs lacking MFA · Compromised credentials · Exploiting public-facing applications
execution Custom exfiltration tooling · Living-off-the-land binaries
lateral movement RDP · SOCKSv5 proxy pivots
exfiltration Custom exfiltration tool (SOCKSv5 proxy, TOR-based C2) · Large-scale data theft (780GB+ single-victim)
impact Pure data extortion (occasional encryption observed) · Staged leak-site disclosure · Journalist early-access portal pressure
targets Healthcare · Manufacturing · Business services · Technology · Consumer services
known victims 167+
last activity 2026-06
Active RaaS since 2025-08

PEAR Pear

Extortion operation first observed August 5, 2025 that scaled steadily through early 2026, claiming roughly 92 victims by June 10, 2026 and ranking among the most active groups by victim count in mid-2026 reporting windows. Overwhelmingly US-focused — at least 53 of its known victims are located in the United States — with heaviest impact in Business Services (32), Healthcare (18), Financial Services (7), Technology (6) and the Public Sector (6). Average dwell time between initial compromise and public leak-site disclosure is about 33 days. Recent victims include the San Diego Eye Bank, The Odom Firm (US law firm, 2026-02-26), CTI & Coordinators (freight transport, 2026-03-05), a New Jersey private university (posted 2026-03-03) and Family Psychological Associates (US mental-health provider, 2026-04-09), reflecting a pronounced focus on healthcare, legal and professional-services SMBs. Late-June 2026 victims posted 2026-06-30 include Spector and Lenz, PC (US legal/business services, attack estimated 2026-06-22), ORA Group (retail/POS sector, attack estimated 2026-06-23), and Sociedad Latina (US nonprofit/education, attack estimated 2026-06-25).

TTPs

initial access Compromised credentials · Exploiting public-facing applications · IABs
execution Custom encryptor · PowerShell
lateral movement RDP · PsExec · SMB
exfiltration RClone · Custom tools
impact Double extortion · Data encryption · Leak-site pressure
targets Business services · Healthcare · Financial services · Technology · Public sector
known victims 92+
last activity 2026-06
Active RaaS since 2024-06

Brain Cipher BrainCipher

Ransomware operation that surfaced in mid-2024 and gained immediate global notoriety with a June 2024 attack on Indonesia's National Data Center (PDN) that disrupted more than 160 government services, including national immigration systems. Widely assessed to be built on the leaked LockBit 3.0 builder, it runs a double-extortion model — encrypting systems and threatening to leak stolen data via a Tor site — and has expanded targeting across Southeast Asia, Europe and the Americas. Primary sectors include information technology, professional goods and services, government and civic bodies, manufacturing, healthcare, education and finance. The group sustained activity into mid-June 2026: on June 15, 2026 it claimed Anglomoil, Avantage Global and Avantage Mari, and separately compromised Japanese internet service provider Kisnet Co., Ltd. A further victim, PAI Pharma (Brazil, healthcare), was posted 2026-06-30; no ransom amount or data samples were published and impact remains unconfirmed.

TTPs

initial access Phishing · Exploiting public-facing applications · Compromised credentials
execution LockBit 3.0-derived encryptor · PowerShell · Cobalt Strike
lateral movement RDP · PsExec · SMB
exfiltration RClone · Custom tools
impact Double extortion · Data encryption · Critical public-service disruption
targets Government · Information technology · Manufacturing · Healthcare · Education · Finance
known victims 75+
last activity 2026-06
Active Data extortion since 2025-08

Scattered LAPSUS$ Hunters SLH / Scattered Lapsus$ Hunters / ShinyHunters / Scattered Spider (component) / LAPSUS$ (component)

Federated cybercriminal brand that coalesced in mid-2025 as an umbrella uniting members of Scattered Spider, ShinyHunters and LAPSUS$, letting affiliated operators present a unified front. Specialises in social-engineering-led data theft and extortion rather than encryption — most notably a sprawling Salesforce/SaaS data-theft campaign in which the actors claimed to have stolen over a billion Salesforce records and listed 39 high-profile victims including Google, Cisco, FedEx, Disney/Hulu, Toyota, Marriott and IKEA; confirmed leaks include Albertsons, Engie Resources, Fujifilm, Gap, Qantas and Vietnam Airlines (Qantas and Vietnam Airlines each exposing 5M+ customer records). In November 2025 the group announced a Ransomware-as-a-Service platform, ShinySp1d3r, to be led by ShinyHunters under the Scattered LAPSUS$ Hunters brand, signalling a move from pure extortion toward encryption-capable operations; as of mid-2026 ShinySp1d3r remains largely in development, with the group's actual 2026 revenue still driven by OAuth/SSO credential theft and SaaS data extortion rather than deployed ransomware. Its public leak site has intermittently gone dark, but the group has continued claiming victims into 2026 (60M+ breached records year-to-date) and explicitly signalled it would persist through the year. Between 2026-05-27 and 2026-06-09 ShinyHunters ran a widespread campaign against on-premises Oracle PeopleSoft servers, claiming compromise of 100+ organisations across 300+ instances via CVE-2026-35273 (critical PeopleSoft Environment Management RCE, CVSS 9.8); Google Threat Intelligence Group/Mandiant corroborated the campaign on 2026-06-11, finding 68% of notified victims in higher education, including the University of Nottingham's Campus Solutions student-records system. 
ShinyHunters also listed Eastman Kodak on its leak site around 2026-06-15/18, threatening to publish 2.2M+ customer PII records (Kodak confirmed unauthorized third-party access to a limited amount of data), and published stolen Salesforce data taken from Sysco Corporation on 2026-06-28 (originally claimed 2026-06-16) after Sysco reportedly declined to pay — roughly 2.7M unique email addresses from the dump were subsequently loaded into Have I Been Pwned. A further claim against Illinois Central College (~28GB, payroll and financial-aid data) was posted 2026-06-28.

TTPs

initial access Help-desk social engineering / vishing · MFA fatigue and SIM-swapping · OAuth token abuse · Compromised credentials · Oracle PeopleSoft RCE (CVE-2026-35273)
execution Living-off-the-land binaries · Cloud-native tooling
lateral movement Cloud-to-cloud pivots · SaaS-to-SaaS pivots · RDP
exfiltration Direct SaaS/cloud data theft (Salesforce) · Custom tools
impact Pure data extortion · Leak-site and direct-victim pressure · Emerging ShinySp1d3r RaaS encryptor
targets Technology · Retail · Aviation · Financial services · Telecom · Manufacturing
known victims 39+
last activity 2026-06
Active RaaS since 2024-11

Anubis Sphinx

RaaS operation that emerged in November 2024 under the original name Sphinx before rebranding to Anubis in early 2025. Distinguished by a built-in wiper mode (/WIPEMODE parameter) that permanently overwrites file contents during encryption, removing any recovery path even if a ransom is paid — a destructive capability that significantly elevates victim risk. Launched a formal affiliate program in February 2025 offering negotiable revenue splits and additional monetization paths including data extortion and access sales. Activity surged sharply in early 2026, with internal data-volume tracking metrics rising from 187 to over 2,600 points between late 2025 and March 2026, with peak tempo in February 2026 seeing victim claims every 48–72 hours. Disproportionately targets healthcare — 17 of 35 confirmed 2026 attacks targeted US healthcare entities, a risk-tolerance well above baseline for most top-20 ransomware operators. By mid-2026 the group had 68–80+ confirmed victims across the United States (43+), United Kingdom (6), Australia (6), Canada (5), Netherlands, France, Spain, Poland, and Peru. Notable 2026 incidents include Singing River Health System (Mississippi, 54,000+ patient records exposed), a confirmed attack on the Adriatic Port Authority (maritime critical infrastructure — cargo tracking, shipping schedules, and customs processing disrupted; ransom demand reported around $11M), and Quest Health Solutions (claimed 2026-06-24, alleging exfiltration of employee data and internal files, ~239GB with a 2-3 day publication deadline). Cross-platform payload supports Windows, Linux, and VMware ESXi environments. Also claimed FÉTIS Group & SECOM Engineering (French engineering firms, posted 2026-06-11), alleging exfiltrated financial records and project details.

TTPs

initial access Spear-phishing · Exploiting public-facing applications · Compromised credentials
execution Custom cross-platform encryptor with optional /WIPEMODE wiper · PowerShell
lateral movement RDP · PsExec · Unpatched vulnerability exploitation for privilege escalation
exfiltration RClone · Custom tools
impact Double extortion · Built-in wiper (/WIPEMODE — permanent file destruction) · Cross-platform encryption (Windows/Linux/ESXi) · Healthcare-focused urgency tactics
targets Healthcare · Engineering · Construction · Professional services · Technology · Critical infrastructure
known victims 80+
last activity 2026-06
Active RaaS since 2025-06

Warlock GOLD SALEM / Storm-2603

Emerged publicly in June 2025 on the Russian-language RAMP forum and scaled rapidly by exploiting unpatched Microsoft SharePoint servers (the 'ToolShell' exploit chain) for initial access, later expanding to unpatched SmarterMail servers (breaching SmarterTools itself, reported February 2026) and continued SharePoint exploitation into 2026 — one Trend Micro-tracked intrusion in January 2026 saw attackers dwell 15 days before deploying the encryptor. Also tracked by Microsoft as Storm-2603 and assessed by some researchers (Computer Weekly, SecureWorks) as potentially linked to a Chinese state-nexus actor (GOLD SALEM per Sophos), a notable divergence from the mostly Russian/Eastern-European ransomware ecosystem. Reached roughly 78 recorded victims on ransomware.live by March 2026, up from 19 in July 2025 and 60 in September 2025. Deploys multiple EDR killers per intrusion — sometimes dozens in a single operation — abusing at least nine distinct vulnerable/malicious kernel drivers via BYOVD (including a legitimate-but-vulnerable NSec driver, 'NSecKrnl.sys', replacing the earlier 'googleApiUtil64.sys'), effectively brute-forcing its way to a working defense-evasion chain rather than relying on one exploit; one deployed tool contained AI-generated boilerplate code (a printed list of 'possible fixes'), suggesting AI-assisted malware development. Also uses TightVNC for persistent remote control. Claimed attacks on European telecom operators Colt and Orange.
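The 'try drivers until one works' pattern described above is noisy in driver-load telemetry even before any individual driver reaches a blocklist. The Python below is an added detection example for this page, not Warlock's code or any vendor's rule: it reads Sysmon Event ID 6 (DriverLoad) records flattened into a constructed key=value log format, flags any load of the two driver file names the page cites (NSecKrnl.sys, googleApiUtil64.sys), and separately alerts when one host loads three or more distinct drivers from user-writable directories within fifteen minutes. Host names, paths and the third driver name (drv3.sys) are constructed; the window and threshold are tuning choices, not figures from the reporting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Driver file names the page ties to Warlock's BYOVD tooling.
WATCHLIST = {"nseckrnl.sys", "googleapiutil64.sys"}
# Load paths where a legitimate kernel driver has no business appearing.
SUSPICIOUS_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                   "c:\\perflogs\\", "c:\\temp\\")
WINDOW = timedelta(minutes=15)   # burst window (tuning choice)
BURST_THRESHOLD = 3              # distinct suspicious drivers per host per window

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed log: Sysmon Event ID 6 fields flattened to key=value; not real telemetry.
SAMPLE_LOG = """\
2026-01-14T02:11:05Z host=FS01 event=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true
2026-01-14T02:40:12Z host=FS01 event=6 ImageLoaded=C:\\ProgramData\\upd\\NSecKrnl.sys Signed=true
2026-01-14T02:41:30Z host=FS01 event=6 ImageLoaded=C:\\ProgramData\\upd\\googleApiUtil64.sys Signed=true
2026-01-14T02:47:58Z host=FS01 event=6 ImageLoaded=C:\\Windows\\Temp\\drv3.sys Signed=false
2026-01-14T03:05:00Z host=FS01 event=1 Image=C:\\Windows\\System32\\cmd.exe
2026-01-14T09:15:22Z host=WS02 event=6 ImageLoaded=C:\\Users\\dev\\vbox.sys Signed=true
"""


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def driver_name(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_suspicious(path: str) -> bool:
    """Watchlisted name, or loaded from a directory an ordinary driver never lives in."""
    p = path.lower()
    return driver_name(p) in WATCHLIST or p.startswith(SUSPICIOUS_DIRS)


def detect(log_text: str) -> list:
    """Alerts: one per watchlisted driver load, plus one per host showing a load burst."""
    records = (parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    loads = [e for e in records if e.get("event") == "6"]
    per_host = defaultdict(list)
    for e in loads:
        if is_suspicious(e["ImageLoaded"]):
            per_host[e["host"]].append(e)
    alerts = []
    for host in sorted(per_host):
        evs = sorted(per_host[host], key=lambda e: e["ts"])
        for e in evs:
            if driver_name(e["ImageLoaded"]) in WATCHLIST:
                alerts.append({"host": host, "rule": "watchlist_driver",
                               "driver": e["ImageLoaded"], "ts": e["ts"].isoformat()})
        # Sliding window: several distinct non-standard drivers in a short span is the
        # 'cycle through drivers until one works' behaviour, whether or not any is known.
        for i, first in enumerate(evs):
            in_window = {driver_name(x["ImageLoaded"]) for x in evs[i:]
                         if x["ts"] - first["ts"] <= WINDOW}
            if len(in_window) >= BURST_THRESHOLD:
                alerts.append({"host": host, "rule": "driver_load_burst",
                               "distinct_drivers": len(in_window),
                               "window_start": first["ts"].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The burst rule deliberately ignores the signature status: BYOVD drivers are typically validly signed, so `Signed=true` is not evidence of legitimacy, and the load path plus the cadence are what carry the signal. On real Sysmon data the same logic applies to the `ImageLoaded` and `UtcTime` fields of the Event ID 6 XML.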

TTPs

initial access SharePoint 'ToolShell' exploit chain · Unpatched SmarterMail servers · Exploiting public-facing applications
execution PowerShell · Custom loaders · Web shells
lateral movement RDP · PsExec · Credential dumping
exfiltration RClone · Custom tools
impact Double extortion · Data encryption · Multiple EDR killers per intrusion (9+ vulnerable/malicious drivers via BYOVD)
targets Government · Telecommunications · Technology · Manufacturing · Professional services
known victims 78+
last activity 2026-04
Active Data extortion since 2026-04

Icarus

Data-extortion-only group (no encryptor observed) that launched in April 2026 with just two initial victims before gaining major attention via a June 2026 SaaS supply-chain breach. Klue, a market-intelligence/competitive-battlecard platform, identified unauthorized activity in its Salesforce integration infrastructure on 2026-06-12, traced to a compromised legacy OAuth credential; on 2026-06-19 Icarus claimed to have exfiltrated Salesforce-integration data (business names, product-usage and subscription details, business contacts, and sales/marketing communications) from Klue's customer base, naming a downstream victim list heavily weighted toward cybersecurity vendors — including Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. Extortion contact was conducted via the Session messaging app. A second, separate extortion actor reportedly also began demanding payment over the same stolen Klue data after Icarus claimed to have deleted its copy — that second group remains unnamed in public reporting.
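The root cause above, a legacy OAuth credential for an integration that stayed valid long after anyone was watching it, is what a periodic connected-app token audit is meant to surface. The Python below is an added example for this page, not Klue's or Salesforce's code: it runs four checks over token records (no use in 90 days, owner deactivated, app not on an allowlist, and a years-old token with almost no usage history that suddenly became active, which is what a picked-up legacy credential looks like in the data). The records are constructed; their field names follow Salesforce's OauthToken object (AppName, LastUsedDate, CreatedDate, UseCount), but the app names, owner fields and allowlist are assumptions, and the SOQL string in the comment is the export query a practitioner would start from, unverified here against a live org. The same audit applies to the OAuth token abuse listed under Coinbase Cartel and Scattered LAPSUS$ Hunters.

```python
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)    # no use in this long -> stale
LEGACY_AGE = timedelta(days=365)    # tokens older than this are 'legacy'
LOW_USE = 20                        # lifetime UseCount below this is 'almost never used'
RECENT = timedelta(days=7)          # used within this span counts as recently active

# Assumed allowlist of connected apps that are still supposed to hold API access.
APPROVED_APPS = {"Klue Salesforce Integration", "Internal Reporting"}

# Assumed export query (field names per Salesforce's OauthToken object; not verified here):
#   SELECT Id, AppName, CreatedDate, LastUsedDate, UseCount, User.Username, User.IsActive
#   FROM OauthToken
# Constructed records standing in for that export; Owner/OwnerActive are the joined User fields.
TOKENS = [
    {"Id": "tok-1", "AppName": "Klue Salesforce Integration", "Owner": "svc-integrations",
     "OwnerActive": True, "CreatedDate": "2025-09-01", "LastUsedDate": "2026-06-11", "UseCount": 18211},
    {"Id": "tok-2", "AppName": "Klue Salesforce Integration", "Owner": "jdoe",
     "OwnerActive": False, "CreatedDate": "2022-03-14", "LastUsedDate": "2024-02-02", "UseCount": 640},
    {"Id": "tok-3", "AppName": "Legacy Sync Tool", "Owner": "svc-old-sync",
     "OwnerActive": True, "CreatedDate": "2021-11-30", "LastUsedDate": "2026-06-10", "UseCount": 9},
    {"Id": "tok-4", "AppName": "Internal Reporting", "Owner": "asmith",
     "OwnerActive": True, "CreatedDate": "2026-01-20", "LastUsedDate": "2026-06-12", "UseCount": 3100},
]


def audit_tokens(tokens: list, now: datetime) -> dict:
    """Return {Id: [reasons]} for every token that fails at least one check."""
    findings = {}
    for t in tokens:
        created = datetime.strptime(t["CreatedDate"], "%Y-%m-%d")
        last_used = datetime.strptime(t["LastUsedDate"], "%Y-%m-%d")
        reasons = []
        if now - last_used > STALE_AFTER:
            reasons.append("stale")
        if not t["OwnerActive"]:
            reasons.append("owner_inactive")
        if t["AppName"] not in APPROVED_APPS:
            reasons.append("unapproved_app")
        # Old token, almost never used over its lifetime, active in the last week:
        # the shape of a forgotten credential that someone else has started using.
        if now - created > LEGACY_AGE and t["UseCount"] < LOW_USE and now - last_used <= RECENT:
            reasons.append("legacy_low_use_recent_activity")
        if reasons:
            findings[t["Id"]] = reasons
    return findings


if __name__ == "__main__":
    for token_id, reasons in audit_tokens(TOKENS, datetime(2026, 6, 12)).items():
        print(token_id, ", ".join(reasons))
```

Stale and owner-inactive tokens are candidates for immediate revocation; the `legacy_low_use_recent_activity` case is the one to investigate rather than revoke blindly, since it may be the integration actually in use by an attacker and the access logs for that token are the evidence.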

TTPs

initial access Compromised/abused OAuth integration tokens (SaaS supply-chain vector)
execution Not applicable (no encryptor; data theft and extortion only)
lateral movement SaaS-to-SaaS pivots via shared integration infrastructure
exfiltration Direct Salesforce/SaaS data theft via abused OAuth credentials
impact Pure data extortion (no encryption) · Supply-chain exposure of downstream SaaS customers · Extortion via Session messaging app
targets Technology · Cybersecurity vendors · SaaS/B2B customers of compromised platforms
known victims 8+
last activity 2026-06
Active Closed group (solo operator) since 2026-04

Prinz Eugen GERMANIA (operator's predecessor persona)

Newly identified closed-group/solo ransomware operation, not a RaaS and not currently recruiting affiliates. Earliest indicator traced to 2026-04-16 (a leak portal targeting Standard Bank Group, South Africa); formally identified and named by Malwarebytes/ThreatDown researchers on 2026-05-11 after investigating an infected customer, with broader security-media coverage following through June 2026. The operator, using the handle ROOTBOY (active on the Exploit and DarkForums cybercrime forums), previously ran a data-selling persona called GERMANIA (linked via a shared TOX ID; also used the alias 'avtokz' on the XSS forum) before pivoting to the Prinz Eugen ransomware brand. Uses a newly built, custom Go-based encryptor (payload observed as 'servertool.exe') deployed via legitimate RMM software (specifically RemotePC) and PowerShell stagers, likely following access with stolen RDP credentials. Distinctively encrypts the most recently modified files first (ties broken alphabetically by filename) and deliberately drops no ransom note and leaves the desktop wallpaper unchanged — an anti-forensic, direct-contact extortion model rather than the standard leak-site playbook. At least 5 victims identified as of the most recent reporting, including Standard Bank Group (South Africa), which refused a 1 BTC ransom demand.

TTPs

initial access Likely stolen RDP credentials
execution Custom Go-based encryptor ('servertool.exe') · PowerShell stagers
lateral movement RDP
exfiltration Not extensively documented
impact Encryption prioritized by most-recently-modified files · No ransom note or wallpaper change (direct-contact extortion)
targets Financial services
known victims 5+
last activity 2026-06