Blog
Research, detection engineering notes, and incident response lessons learned.
Latest
LockBit 3.0, also known asLockBit Black, is one of the most dominant ransomware variants in operation today. Active since mid-2022, it represents the third major iteration of the LockBit malware family. The group operates a Ransomware-as-a-Service (RaaS) model, allowing affiliates to deploy LockBit while the core developers manage infrastructure and ransom negotiations.
MalasLocker is a relatively new ransomware and data extortion group first observed in 2023. Unlike traditional financially motivated threat actors, MalasLocker operates with an unusual extortion model: instead of demanding ransom payments in cryptocurrency, victims are instructed to donate to a selected charity and provide proof of their donation to recover their data.
Medusa is a highly active ransomware group first observed in late 2022, operating under a double extortion model with increasing aggression. The group quickly rose to prominence in 2023 for its high-impact intrusions, its distinctive leak site branded as the “Medusa Blog,” and its use of public-facing shaming tactics to pressure victims into payment.
MetaEncryptor is a relatively new but technically adept ransomware group first observed in mid-2023. Despite its youth, the group has already demonstrated strong capabilities in evasion, persistence, and targeted extortion, positioning itself as a growing threat within the cybercriminal landscape. MetaEncryptor operates under a double extortion model, combining the encryption of internal systems with the exfiltration and threatened publication of sensitive data.
Mustang Panda is a well-established Chinese cyber espionage group that has been active since at least 2012. Also tracked under aliases such as RedDelta, TA416, HoneyMyte, and Bronze President, the group primarily targets government agencies, non-governmental organisations, policy research institutes, and religious groups. It is known for using sophisticated phishing campaigns, often leveraging current geopolitical events to deliver malware payloads.
NoEscape is a double extortion ransomware group that emerged in mid-2023, quickly establishing itself as a technically capable and strategically aggressive threat actor. The group targets large enterprises, critical infrastructure, and professional services, combining traditional file encryption with the exfiltration of sensitive data for public exposure if ransom demands are not met.
NoName057(16) is a politically motivated pro-Russian hacktivist group active since March 2022. It emerged shortly after the Russian invasion of Ukraine and has focused almost exclusively on conducting distributed denial-of-service (DDoS) attacks against European and NATO-aligned countries that support Ukraine. The group primarily uses its operations to disrupt public-facing websites of governments, media, transport, and financial institutions.
Oilin is a financially motivated ransomware group that emerged in the second half of 2023. Though comparatively new to the ransomware ecosystem, Oilin has displayed a high level of operational maturity, strategic targeting, and rapidly evolving tooling. The group operates under a double extortion model, exfiltrating sensitive data before encrypting victim systems, and threatening to publish or sell the stolen data if ransom demands are not met.
Play, also known as PlayCrypt, is a financially motivated ransomware group first identified in June 2022. The group has quickly gained notoriety for its double extortion techniques, its targeting of both Windows and Linux/ESXi environments, and a unique, minimalist style of communication. Its ransom notes are often starkly simple—containing only the word“PLAY”—followed by contact details for negotiation via TOR.
ProjectRelic is a relatively unknown threat actor that has been observed conducting cyber operations against small to mid-sized organisations, primarily in Europe. The group is characterised by its use of repurposed tooling, low-profile infrastructure, and a minimalist approach to command and control. Its operations suggest a mix of reconnaissance, credential harvesting, and quiet data exfiltration.
RansomHouse is a data extortion group that diverges from traditional ransomware models by focusing almost entirely on data theft rather than file encryption. First identified in December 2021, the group has grown rapidly in visibility throughout 2022 and 2023, publishing victim data on its dedicated leak site and leveraging public shaming to extract ransom payments.
Rhysida is a double extortion ransomware group first identified in May 2023. Operating under a semi-professionalised model, Rhysida has quickly established a reputation for targeting public institutions, healthcare systems, educational bodies, and increasingly, private sector enterprises. The group combines data theft and encryption with public pressure via a high-profile leak site that prominently features victim logos and countdowns to full data disclosure.