Ransomware Group Tracker
Live profiles of active ransomware operations. Tracking TTPs, targets, victim counts, and law enforcement actions across the ransomware ecosystem.
Qilin (alias: Agenda)
Dominant RaaS operation and the most active ransomware group of 2026 for the third consecutive quarter, responsible for nearly 20% of global ransomware activity. Posted 338 victims in Q1 2026 — outpacing the bottom 50 ransomware groups combined — and continued at the same pace into May 2026. Recent May 2026 victims include AppDirect (US, posted 2026-05-11), Keller Williams Real Estate – Exton (US), International Customer Care Services, Pangolin Editions, Lindabury (US legal services), The Gravity Group (2026-05-12), Sysco (US food distribution giant, 2026-05-05), Seagate Capital Construction (US, 2026-05-05), Ahorramas (Spanish consumer services, 2026-05-05), Standard-Examiner (US news, 2026-05-02), and LSM Lee (Singapore, 2026-05-02). Top targeted sectors year-to-date: Manufacturing (276), Business Services (219), Technology (166), Healthcare (158), Financial Services (115); the United States is by far the most targeted country (~803 victims). Absorbed many former RansomHub affiliates after that group collapsed in April 2025. Deploys an EDR-killing DLL (msimg32.dll) capable of disabling 300+ security drivers via BYOVD (bring-your-own-vulnerable-driver); the same technique has since been observed in Warlock ransomware.
Akira (alias: GOLD SAHARA)
Prolific RaaS group with over 1,500 total victims since 2023 and $245M+ in collected ransoms. Q1 2026 victim count was 176, down 22% from 226 in Q4 2025, reflecting the declining yield of the late-2025 SonicWall SSL-VPN campaign as more organisations patched. Still drives an estimated 40% of cyber-insurance claims year-to-date and SonicWall devices remain present in ~86% of Akira-related incidents. Average ransom demand is now ~$1.2M. Can move from initial access to full network encryption in under four hours, with documented sub-hour smash-and-grab cases. A new SonicWall firewall-bypass vulnerability (CVE-2026-0204) continues to be weaponized in the same playbook.
LockBit (aliases: LockBit 3.0 / LockBit Green / LockBit 5.0)
Taken down by Operation Cronos in February 2024, but launched LockBit 5.0 in September 2025 with more modular encryption and improved defense evasion. Has posted 200+ victims on its new leak site since December 2025, targeting Windows, Linux, and ESXi across the Americas, Europe, and Asia. The US accounts for ~23% of victims. Together with Qilin, Akira, and The Gentlemen, LockBit accounted for 41% of all Q1 2026 victims.
Law Enforcement Actions
- Operation Cronos takedown (Feb 2024)
- Multiple affiliate arrests (2024)
- Leader 'LockBitSupp' identified as Dmitry Khoroshev (May 2024)
Clop (aliases: Cl0p / TA505)
Specializes in mass exploitation of file-transfer software zero-days. Responsible for MOVEit (2023), GoAnywhere (2023), Cleo (2024), and the Oracle E-Business Suite campaign of late 2025/early 2026 (CVE-2025-61882). Has now publicly named ~30 alleged Oracle EBS victims on its leak site — including Harvard University, Wits University, Envoy Air, The Washington Post, Schneider Electric, Emerson, Logitech, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland — with analyst estimates suggesting 100+ organisations were ultimately impacted. Approximately 40% of victims in technology and 30% in manufacturing; 80% of victims are US-based.
Law Enforcement Actions
- Multiple arrests in Ukraine (2021)
Play (alias: PlayCrypt)
Closed ransomware group (not RaaS) targeting government agencies, police networks, and critical infrastructure primarily in Latin America and Europe. Uses custom encryption and double-extortion tactics.
DragonForce
Operates on a ransomware cartel model, absorbing smaller groups such as BlackLock/Mamona and spawning sub-brands such as Devman. Offers white-label ransomware infrastructure to affiliates. Notably behind the Marks & Spencer attack (April 2025, ~£300M financial impact, online store offline for 46 days), deployed via Scattered Spider affiliates, as well as the Co-op and Harrods attacks. Continues targeting retail, manufacturing, and pharma into May 2026, with the cartel now threatening 365+ companies on its leak site. May 2026 victims include Cult Wines (UK fine wine retailer, posted 2026-05-04). An April 27, 2026 leak-site burst included MassDevelopment (US state agency), FAT Brands, IBS Website Solutions, and several mid-market US firms.
Medusa (alias: MedusaLocker)
Prolific RaaS operation linked to Storm-1175 and Lazarus Group deployments. Weaponizes zero-day and N-day vulnerabilities for high-velocity attacks, often moving from initial access to ransomware deployment within 24 hours. Has exploited 16+ vulnerabilities across major enterprise software, including (most recently) CVE-2026-1731 in BeyondTrust Remote Support / Privileged Remote Access, CVE-2026-23760 in SmarterMail (exploited a week before public disclosure), and CVE-2025-10035 in GoAnywhere MFT (also pre-disclosure). Heaviest impact in healthcare, education, professional services, and finance across Australia, the UK, and the US. May 2026 incidents include Strategic Imports (Australian car-parts importer).
NightSpire
Originally a closed group handling all operations in-house, NightSpire announced a RaaS affiliate program in April 2026 and began publicly recruiting affiliates. Go-based ransomware payload uses hybrid encryption for speed. Primarily targets SMBs with less mature security across 30+ countries. Posted 74 victims on its data leak site in Q1 2026 and another 15 in April 2026, reaching 259+ claimed victims by May 1, 2026 across 28 industries. Ransom demands range from $150K to $2M.
Handala (alias: Handala Hack)
Iranian-linked hacktivist group affiliated with MOIS. Primarily targets Israeli organizations but expanded targeting after Operation Epic Fury in February 2026. Claimed 23 victims in March 2026 alone. Operations focus on disruption and influence rather than financial gain.
SafePay
Emerged in late 2024, scaling aggressively through 2025-2026 with former Black Basta members among its ranks. Operates classic double-extortion — stealing data, encrypting systems, and publishing victims on Tor-based leak sites. Surpassed 471 claimed victims by May 6, 2026 and remained one of the most active groups globally. May 2026 victims include Energy Action (Australian energy management firm), Boots Transport (Canada, 2026-05-04), Maiadouro.pt (Portugal), Hokuyo 2006 Co. (Japan), and Dahlgrens Cement AB (Sweden). Over 90% of victims are small or mid-sized businesses; top sectors are Business Services (62), Manufacturing (61), Technology (48), Consumer Services (39), and Education (38). United States accounts for 197 victims, Germany 90, United Kingdom 28. Uses modified LockBit source code and runs ~24-hour encryption timelines.
Black Basta (alias: Vanilla Tempest)
Formerly one of the top-tier RaaS operations until its collapse in early 2025. Members have migrated to successor groups including SafePay. The group's alleged leader Oleg Nefedov was placed on EUROPOL Most Wanted and INTERPOL Red Notice lists.
Law Enforcement Actions
- LE raids on two suspects in Ukraine and Germany (Jan 2026)
- Leader Oleg Nefedov placed on EUROPOL Most Wanted and INTERPOL Red Notice (Jan 2026)
The Gentlemen
Fast-scaling RaaS that emerged in mid-2025 and climbed to the #2 spot by victim count in early 2026. Founded by a threat actor known as Hastalamuerte — an experienced Qilin affiliate who left after a dispute over a ~$48K unpaid commission, which explains the group's rapid operational capability and sophistication. The public leak-site count exceeded 365 by late April 2026; ReliaQuest documented a jump from 35 victims in Q4 2025 to 182 in Q1 2026, and the group added another ~82 victims in April 2026 alone. Check Point Research mapped an underlying SystemBC C2 botnet of 1,570+ likely corporate victims — well beyond what the group publicly claims, with Bitdefender now assessing that the actual victim count likely exceeds 1,500. The FBI issued an official warning on March 15, 2026. Top targeted sectors: Manufacturing, Technology, Healthcare, Financial Services, and Transportation/Logistics; top geographies: US, Thailand, France, Brazil, India.

MAJOR EVENT (May 2026): The group's own backend infrastructure was compromised. On May 4, 2026, a Breached forum post titled 'The Gentlemen - hacked data for sale' offered the full dataset for $10K in BTC; by May 8 the seller had posted a free MediaFire download link. The breach is linked to a compromise of hosting provider 4VPS, which operated parts of the gang's infrastructure. Leaked data included internal chats, affiliate operations, ransom-negotiation correspondence, attack methods, and organizational structure — revealing a small but professional syndicate of ~9 core operators. Leaked negotiations show the group threatening to release data tied to companies under NDAs with Sony and Barclays. The Gentlemen publicly claimed no critical data was exposed.
Law Enforcement Actions
- FBI official warning issued (2026-03-15)
- Backend infrastructure breach via 4VPS hosting provider (2026-05-04); affiliate roster and negotiation logs leaked publicly on MediaFire (2026-05-08)
Sinobi
Financially motivated hybrid RaaS that emerged in late June 2025. Placed fourth globally with 56 claimed victims in January 2026 before cooling to 18 victims in February 2026, suggesting operational disruption or affiliate churn. Top activity sectors are Manufacturing, Healthcare, Construction, and Technology. Payload is concealed via legitimate driver abuse and defense-evasion tooling.
0APT (alias: 0APT Syndicate)
Controversial RaaS that surfaced in late January 2026 and rapidly listed 253+ alleged victims by the end of Q1 2026, but was widely assessed by GuidePoint and Halcyon as running a faux operation — leak samples were zero-byte files and the infrastructure was operated from an Android phone's SD card on AnLinux-Parrot.

MAJOR EVENT (April–May 2026): In April 2026, 0APT breached rival group KryBit's RaaS panel and extracted staff names, credentials, cryptocurrency wallet addresses, location data, and ransom-negotiation correspondence, then attempted to extort KryBit for $2M with a threat to leak the affiliate list to the FBI. KryBit retaliated by breaching 0APT's own infrastructure, locking out its staff and dumping logs that publicly confirmed the operation was being run off a Droid phone with Parrot OS on an SD card. Leak-site download links were shown to be falsified — clicking an archive simply piped random data to a preset path. 0APT's site is now locked out and the group has gone silent; KryBit's reciprocal exposure has tarnished its own standing despite winning the feud.
Coinbase Cartel (alias: CoinbaseCartel)
Pure data-extortion crew (no encryptor) that emerged in September 2025 and has scaled aggressively through early 2026, claiming 118+ victims by April. Posted 22 victims in March 2026 alone and notably listed Cognizant and Aptim. Analyst assessments (Bitdefender, FortiGuard) suggest the group is composed of affiliates drawn from ShinyHunters, Scattered Spider, and Lapsus$. Operates a Tor leak site and uses staged disclosures — limited samples first, then full publication if the victim does not pay.
Everest
Russian-speaking financially motivated group active since December 2020. Originally a pure data-exfiltration crew, evolved to dual AES/DES encryption in 2021 and now also operates as an Initial Access Broker. Recruits corporate insiders for cash/profit-sharing. Approximately 360 total victims across at least 286 documented R&DE incidents; claimed at least 25 incidents YTD in 2026, ranking as the 10th most prominent extortion collective for the year. May 2026 saw high-profile financial-services victims, including Fiserv (US payment-processing giant, posted 2026-05-03) and TSYS (US payment solutions, 2026-05-02). Specifically targets medical-imaging providers with 24-hour deadlines, weaponising HIPAA pressure and patient-care urgency.
Lynx (predecessor: INC Ransom)
RaaS operation widely assessed to be a rebrand of the INC ransomware group, active since July 2024. Highly organized with a structured affiliate program, exclusive affiliate panel, internal communications channels, and a polished technical arsenal. Has amassed 393+ confirmed victims, with 208 in the United States and 20 in Canada — a clear North American preference. Top targeted sectors: Education and Technology, with significant activity also in Germany. In early 2026, Lynx executed high-volume burst campaigns including a January 5, 2026 wave that added 20 organisations to its leak site in a single day. Sustained that tempo into Q2 2026, becoming one of the two most active groups globally in the May 10 window (8 victims in 24 hours alongside Leak Bazaar). May 2026 victims include bayareaherbs.com, csb-battery.com, and funkychunky.com. Continues to be confused with INC Ransom on some leak-tracking platforms despite the operational separation.
KryBit
RaaS operation that emerged in early 2026 with 25+ claimed victims across the United States, Germany, Austria, and Turkey by May 2026. Operates an 80% affiliate revenue-share model with encryptors compatible with ESXi, Linux, and Windows environments, and advertises 24/7 technical support.

MAJOR EVENT (April–May 2026): Publicly engaged in a destructive doxing feud with rival group 0APT. After 0APT first breached KryBit's RaaS admin panel and exfiltrated staff names, credentials, wallet addresses, and ransom-negotiation logs — then attempted to extort KryBit for $2M — KryBit retaliated by breaching 0APT's infrastructure and dumping evidence that 0APT was operating from a single Droid phone running Parrot OS off an SD card, confirming long-standing analyst assessments that 0APT was largely a fake operation. The retaliation locked out 0APT's staff, but KryBit's exposed admin data (affiliate list, victim records, account credentials) materially increases its own risk of a law enforcement takedown and has damaged its standing with potential affiliates.
ALPHV/BlackCat (aliases: BlackCat / Noberus)
Defunct Rust-based RaaS operation that exit-scammed its affiliates in early 2024 following the Change Healthcare breach. Group infrastructure was seized by the FBI/Europol in December 2023 and the operation collapsed shortly after. New May 2026 development: two US-based former cybersecurity professionals, Ryan Goldberg (former incident response manager) and Kevin Martin (former ransomware negotiator), each received four-year prison sentences after pleading guilty to conspiracy charges. They collaborated with Angelo Martino to purchase access to the ALPHV platform and extorted multiple US victims between April and October 2023. Martino is awaiting sentencing later in 2026.
Law Enforcement Actions
- FBI/Europol infrastructure seizure (Dec 2023)
- Affiliate exit scam collapsed operation (Mar 2024)
- US former IR manager Ryan Goldberg sentenced to 4 years (May 2026)
- US former ransomware negotiator Kevin Martin sentenced to 4 years (May 2026)
- Angelo Martino pending sentencing (2026)