Targeted victims: LockBit targeted thousands of victims worldwide in its heyday, including government agencies, private sector companies, and critical infrastructure providers.
Attribution: LockBit's use of Russian-language forums and its targeting patterns have led some analysts to believe the group is based in Russia. Russian national Dmitry Yuryevich Khoroshev, named by Western law enforcement agencies last year as the developer and administrator of LockBit, faces a US indictment alongside asset freezes and travel bans. Two Russian nationals have been indicted for deploying LockBit ransomware against targeted organizations.
Lynx
History: Lynx shares 48% of its source code with the earlier INC ransomware, which suggests a plausible rebranding or evolution of the same threat actor.
How it works: Lynx also operates as a RaaS and employs double extortion tactics. After infiltrating a system, the ransomware can steal sensitive information and encrypt the victim's data, effectively locking them out. To make recovery harder, it adds the '.lynx' extension to encrypted files and deletes backup artifacts such as shadow copies.
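The two Lynx behaviours just described, shadow copy deletion and mass renaming of files to the '.lynx' extension, are both observable from endpoint telemetry. The following detection script is an added example written for this article; it is not code from Lynx, Rapid7, Palo Alto Networks, or any product. The log format and every sample line are constructed for the example (hypothetical), although the `vssadmin` and `wmic` command lines it matches are the real Windows utilities commonly used to remove Volume Shadow Copies.

```python
"""Detection heuristics for two ransomware behaviours named in the text:
deletion of Volume Shadow Copies and mass renaming of files to a
ransomware extension. Log format and sample events are constructed for
this example (hypothetical); they are not taken from any real product."""
import re
from collections import defaultdict

# Extensions to watch for; '.lynx' is the one the article names.
RANSOM_EXTENSIONS = {".lynx"}

# Command lines that remove shadow copies (real Windows utilities).
SHADOW_DELETION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I),
]

# Renames to a ransom extension per host before we raise a mass-rename alert.
RENAME_THRESHOLD = 5


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if a process command line matches a known shadow-copy deletion."""
    return any(p.search(cmdline) for p in SHADOW_DELETION_PATTERNS)


def has_ransom_extension(path: str) -> bool:
    """True if the file path ends with one of the watched extensions."""
    lower = path.lower()
    return any(lower.endswith(ext) for ext in RANSOM_EXTENSIONS)


def parse_event(line: str) -> dict:
    """Parse one constructed log line: '<ts> <host> <type> <rest>'.
    PROCESS events carry the command line; RENAME events carry 'old -> new'."""
    ts, host, etype, rest = line.split(" ", 3)
    if etype == "PROCESS":
        return {"ts": ts, "host": host, "type": etype, "cmdline": rest}
    if etype == "RENAME":
        old, new = rest.split(" -> ", 1)
        return {"ts": ts, "host": host, "type": etype, "old": old, "new": new}
    return {"ts": ts, "host": host, "type": etype, "raw": rest}


def scan_events(lines: list) -> list:
    """Return (host, alert_type, detail) tuples: one alert per shadow-copy
    deletion, and one per host once it renames RENAME_THRESHOLD files to a
    watched extension (the threshold keeps a single stray rename quiet)."""
    alerts = []
    rename_counts = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "PROCESS" and is_shadow_copy_deletion(ev["cmdline"]):
            alerts.append((ev["host"], "shadow_copy_deletion", ev["cmdline"]))
        elif ev["type"] == "RENAME" and has_ransom_extension(ev["new"]):
            rename_counts[ev["host"]] += 1
            if rename_counts[ev["host"]] == RENAME_THRESHOLD:
                detail = f"{RENAME_THRESHOLD} files renamed to {sorted(RANSOM_EXTENSIONS)}"
                alerts.append((ev["host"], "mass_rename_to_ransom_ext", detail))
    return alerts


# Constructed sample telemetry (hypothetical host names, paths and timestamps).
SAMPLE_LOG = [
    "2024-11-03T02:14:01Z ws-17 PROCESS C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2024-11-03T02:14:02Z ws-17 PROCESS C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2024-11-03T02:14:05Z ws-17 RENAME C:\\Users\\a\\Documents\\q1.xlsx -> C:\\Users\\a\\Documents\\q1.xlsx.lynx",
    "2024-11-03T02:14:05Z ws-17 RENAME C:\\Users\\a\\Documents\\q2.xlsx -> C:\\Users\\a\\Documents\\q2.xlsx.lynx",
    "2024-11-03T02:14:06Z ws-17 RENAME C:\\Users\\a\\Documents\\plan.docx -> C:\\Users\\a\\Documents\\plan.docx.lynx",
    "2024-11-03T02:14:06Z ws-17 RENAME C:\\Users\\a\\Pictures\\img1.jpg -> C:\\Users\\a\\Pictures\\img1.jpg.lynx",
    "2024-11-03T02:14:07Z ws-17 RENAME C:\\Users\\a\\Pictures\\img2.jpg -> C:\\Users\\a\\Pictures\\img2.jpg.lynx",
    "2024-11-03T02:15:00Z ws-22 RENAME C:\\Users\\b\\notes.txt -> C:\\Users\\b\\notes.bak",
]


if __name__ == "__main__":
    for host, kind, detail in scan_events(SAMPLE_LOG):
        print(f"[{host}] {kind}: {detail}")
```

Run against the constructed sample, the script raises exactly two alerts, both for `ws-17`: the `vssadmin delete shadows` command and the burst of five renames to `.lynx`; the benign `.bak` rename on `ws-22` stays silent. In production the same two signals would come from process-creation and file-system telemetry (for example Sysmon or an EDR feed) rather than a text log, and the shadow-copy rule is worth keeping even where the extension list is stale, because the extension is the easiest thing for a rebranded family to change.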
Targeted victims: Since emerging, the ransomware has actively targeted several US and UK industries, including retail, real estate, architecture, financial services, and environmental services. The group behind Lynx attacked several facilities across the US between July 2024 and November 2024, including victims associated with energy, oil, and gas, according to Palo Alto's Unit 42 threat intelligence group. "According to a statement Lynx released in July 2024, they claim to be 'ethical' with regards to choosing victims," Rapid7's Beek adds.
Attribution: Lynx operates as a RaaS model, meaning it is likely used by multiple cybercriminals rather than a single entity.
Medusa
History: Medusa is a ransomware-as-a-service operation that debuted in 2022.
How it works: The group typically breaks into systems by exploiting vulnerabilities in public-facing assets, by phishing emails, or by using initial access brokers.
Targeted victims: Cybercriminals behind Medusa have targeted healthcare, education, manufacturing, and retail organizations in the US, Europe, and India.
Attribution: Activity on Russian-language cybercrime forums related to Medusa suggests the core group and many of its affiliates may be from Russia or neighbouring countries, but this remains unconfirmed.
Play
History: Play is a ransomware threat that emerged in June 2022. The group intensified its activities following the disruption of other major threat actors.
How it works: Attackers typically encrypt systems after exfiltrating sensitive data. Play keeps a fairly low profile on the dark web apart from its leak site, and does not promote itself on dark web forums. "It has even claimed not to be an RaaS gang at all, saying it maintains a 'closed group to guarantee the secrecy of deals,' in spite of evidence to the contrary," Searchlight Cyber's Donovan explains.
Targeted victims: The group has targeted various sectors, including healthcare, telecommunications, finance, and government services.
Attribution: Play may have connections to North Korean state-aligned APT groups.
In October 2024, security researchers at Palo Alto Networks' Unit 42 revealed evidence of a deployment of Play ransomware by a threat actor backed by North Korea, specifically APT45. "The link between this threat actor and Play is unclear, but demonstrates the potential for crossover between state-sponsored cyber activity and ostensibly independent cybercrime networks," Donovan says.
Qilin
History: Qilin, also known as Agenda, is a Russia-based RaaS group that has been operating since May 2022.
How it works: The group targets Windows and Linux systems, including VMware ESXi servers, using ransomware variants written in Golang and Rust. Qilin follows a double extortion model: it encrypts victims' files and threatens to leak stolen data if the ransom is not paid.
Targeted victims: Qilin recruits affiliates on underground forums and prohibits attacks on organizations in Commonwealth of Independent States (CIS) countries bordering present-day Russia.
Qilin posted looted data from 697 victims in the second half of 2025, a five-fold year-on-year increase, according to research by Searchlight Cyber. Security researchers attribute the surge to an aggressive recruitment effort and tie-ins with initial access brokers to obtain stolen VPN credentials.
Attribution: The make-up of Qilin remains unknown, but a Russian-speaking organized cybercrime operation is strongly suspected.
RansomHub
History: RansomHub emerged in February 2024 and quickly became a major cyber threat. The group, originally known as Cyclops and later Knight, rebranded and expanded its operations by recruiting affiliates from other disrupted ransomware groups such as LockBit and ALPHV/BlackCat.
How it works: Once inside a network, RansomHub affiliates exfiltrate data and deploy encryption tools, often using legitimate administrative utilities to facilitate their malicious activities. RansomHub operates an "affiliate-friendly" RaaS model, initially offering a fixed 10% fee for those who carry out attacks using its ransomware and the option to collect ransom payments directly from victims before paying the core group. "These elements make it an attractive option for affiliates that are looking for a guaranteed return, where other RaaS operations have been unreliable in paying out in the past," Searchlight Cyber's Donovan says.
Targeted victims: RansomHub has been linked to more than 210 victims across various critical sectors, including healthcare, finance, government services, and critical infrastructure in Europe and North America, according to Rapid7.
Attribution: Attribution remains unconfirmed, but circumstantial evidence points toward an organized Russian-speaking cybercrime operation with ties to other established ransomware threat actors.
Scattered Lapsus$ Hunters
History: Previously separate cybercrime groups Scattered Spider, LAPSUS$, and ShinyHunters formed a loose alliance in August 2025 to run ransomware attacks against large enterprises. Initially affiliates for ALPHV/BlackCat and others, the group broke away and developed its own platform and methodology.
How it works: Scattered Lapsus$ Hunters is noted for its expertise in using social engineering to compromise help desks, among other tactics. The combined group pairs financial extortion via data leaks with ransomware. Their leak site was seized by law enforcement in October 2025, but this may well not be the last we hear of the cybercrime supergroup.
Targeted victims: The collective ran a major Salesforce campaign in August and October that exposed data from dozens of companies, including Toyota, FedEx, and Disney.
Attribution: Security researchers characterize Scattered Lapsus$ Hunters as a loose alliance rather than a single cohesive group. Suspected members of the group remain publicly unidentified as of late February 2026.