ransomware group tracker
Live profiles of active ransomware operations. Tracking TTPs, targets, victim counts, and law enforcement actions across the ransomware ecosystem.
Qilin (aka Agenda)
Dominant RaaS operation and the most active ransomware group of 2026 for the third consecutive quarter, responsible for nearly 20% of global ransomware activity. Posted 338 victims in Q1 2026 — outpacing the bottom 50 ransomware groups combined — and continued at pace into May 2026. Recent May 2026 victims include AppDirect (US, posted 2026-05-11), Keller Williams Real Estate – Exton (US), International Customer Care Services, Pangolin Editions, Lindabury (US legal services), The Gravity Group (2026-05-12), Sysco (US food distribution giant, 2026-05-05), Seagate Capital Construction (US, 2026-05-05), Ahorramas (Spanish consumer services, 2026-05-05), Standard-Examiner (US news, 2026-05-02), and LSM Lee (Singapore, 2026-05-02). Top targeted sectors year-to-date: Manufacturing (276), Business Services (219), Technology (166), Healthcare (158), Financial Services (115); the United States is by far the most targeted country (~803 victims). Absorbed many former RansomHub affiliates after that group collapsed in April 2025. Deploys an EDR-killing DLL (msimg32.dll) capable of disabling 300+ security drivers via BYOVD; the technique has since also been seen in Warlock ransomware. KELA assessed Qilin as the single most active operation for January-May 2026, accounting for roughly 17% of all publicly claimed ransomware attacks worldwide; ransomware.live tracked 1,863 Qilin leak-site victims by May 26, 2026 (the group continued at pace through the late-May window with new posts almost daily). A Qilin-attributed intrusion at Covenant Health was confirmed in May 2026 to have exposed personal data on nearly 480,000 individuals. Late-May 2026 victims include Semgrep (US, posted 2026-05-22), Ridge Law Firm (US, attack estimated 2026-05-12), and Gestordes (attack estimated 2026-05-03).
Akira (aka GOLD SAHARA)
Prolific RaaS group with over 1,500 total victims since 2023 and $245M+ in collected ransoms. Q1 2026 victim count was 176, down 22% from 226 in Q4 2025, reflecting the declining yield of the late-2025 SonicWall SSL-VPN campaign as more organisations patched. Still drives an estimated 40% of cyber-insurance claims year-to-date and SonicWall devices remain present in ~86% of Akira-related incidents. Average ransom demand is now ~$1.2M. Can move from initial access to full network encryption in under four hours, with documented sub-hour smash-and-grab cases. A new SonicWall firewall-bypass vulnerability (CVE-2026-0204) continues to be weaponized in the same playbook. In April 2026 Qilin overtook Akira as the single most active group of the month; Akira held second place at roughly its March activity level. GreyNoise telemetry recorded a sharp SonicWall SonicOS API scanning surge between May 9-18, 2026, with a May 12 peak of ~597,000 sessions in 24 hours — roughly 46x the prior 30-day baseline — interpreted as Akira affiliates aggressively re-enumerating exposed appliances ahead of the next exploit wave.
LockBit (aka LockBit 3.0 / LockBit Green / LockBit 5.0)
Taken down by Operation Cronos in February 2024 but launched LockBit 5.0 in September 2025 with more modular encryption and improved defense evasion. Has posted 200+ victims on its new leak site since December 2025, targeting Windows, Linux, and ESXi across the Americas, Europe, and Asia. The US accounts for ~23% of victims. Together with Qilin, Akira, and The Gentlemen, it accounted for 41% of all Q1 2026 victims.
Law Enforcement Actions
- Operation Cronos takedown (Feb 2024)
- Multiple affiliate arrests (2024)
- Leader 'LockBitSupp' identified as Dmitry Khoroshev (May 2024)
Clop (aka Cl0p / TA505)
Specializes in mass exploitation of file-transfer software zero-days. Responsible for MOVEit (2023), GoAnywhere (2023), Cleo (2024), and the Oracle E-Business Suite campaign of late 2025/early 2026 (CVE-2025-61882). Has now publicly named ~30 alleged Oracle EBS victims on its leak site — including Harvard University, Wits University, Envoy Air, The Washington Post, Schneider Electric, Emerson, Logitech, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland — with analyst estimates suggesting 100+ organisations were ultimately impacted. Approximately 40% of victims in technology and 30% in manufacturing; 80% of victims are US-based.
Law Enforcement Actions
- Multiple arrests in Ukraine (2021)
Play (aka PlayCrypt)
Closed ransomware group (not RaaS) targeting government agencies, police networks, and critical infrastructure primarily in Latin America and Europe. Uses custom encryption and double-extortion tactics.
DragonForce
Operating as a ransomware cartel model, absorbing smaller groups like BlackLock/Mamona and spawning sub-brands like Devman. Offers white-label ransomware infrastructure to affiliates. Notably behind the April 2025 Marks & Spencer attack (~£300M financial impact, online store offline for 46 days), deployed via Scattered Spider affiliates, as well as the Co-op and Harrods attacks. Continues targeting retail, manufacturing, and pharma into May 2026, with the cartel now threatening 365+ companies on its leak site. May 2026 victims include Cult Wines (UK fine wine retailer, posted 2026-05-04). An April 27, 2026 leak-site burst included MassDevelopment (US state agency), FAT Brands, IBS Website Solutions, and several mid-market US firms. May 25, 2026 saw another concentrated leak-site burst with Saver NV (Dutch waste-management operator), Veg-Fresh Farms (US agriculture), Alliance Adjustment Group (US public insurance adjusting, PA/NJ), and Xchange Technology Rentals (Germany, IT/AV equipment rental).
Medusa (aka MedusaLocker)
Prolific RaaS operation linked to Storm-1175 and Lazarus Group deployments. Weaponizes zero-day and N-day vulnerabilities for high-velocity attacks, often moving from initial access to ransomware deployment within 24 hours. Has exploited 16+ vulnerabilities across major enterprise software, including (most recently) CVE-2026-1731 in BeyondTrust Remote Support / Privileged Remote Access, CVE-2026-23760 in SmarterMail (exploited a week before public disclosure), and CVE-2025-10035 in GoAnywhere MFT (also pre-disclosure). Heaviest impact in healthcare, education, professional services, and finance across Australia, the UK, and the US. May 2026 incidents include Strategic Imports (Australian car-parts importer).
NightSpire
Originally a closed group handling all operations in-house, NightSpire announced a RaaS affiliate program in April 2026 and began publicly recruiting affiliates. Go-based ransomware payload uses hybrid encryption for speed. Primarily targets SMBs with less mature security across 30+ countries. Posted 74 victims on its data leak site in Q1 2026 and another 15 in April 2026, reaching 259+ claimed victims by May 1, 2026 across 28 industries. Ransom demands range from $150K to $2M.
Handala (aka Handala Hack)
Iranian-linked hacktivist group affiliated with MOIS. Primarily targets Israeli organizations but expanded targeting after Operation Epic Fury in February 2026. Claimed 23 victims in March 2026 alone. Operations focus on disruption and influence rather than financial gain.
SafePay
Emerged in late 2024, scaling aggressively through 2025-2026 with former Black Basta members among its ranks. Operates classic double-extortion — stealing data, encrypting systems, and publishing victims on Tor-based leak sites. Surpassed 483 claimed victims by May 25, 2026 and remained one of the most active groups globally. May 2026 victims include Energy Action (Australian energy management firm), Boots Transport (Canada, 2026-05-04), Maiadouro.pt (Portugal), Hokuyo 2006 Co. (Japan), and Dahlgrens Cement AB (Sweden). Over 90% of victims are small or mid-sized businesses; top sectors are Business Services (62), Manufacturing (61), Technology (48), Consumer Services (39), and Education (38). United States accounts for 198 victims, Germany 94, United Kingdom 30, Canada 29, Australia 15. Uses modified LockBit source code and runs ~24-hour encryption timelines.
Black Basta (aka Vanilla Tempest)
Formerly one of the top-tier RaaS operations until its collapse in early 2025. Members have migrated to successor groups including SafePay. The group's alleged leader Oleg Nefedov was placed on EUROPOL Most Wanted and INTERPOL Red Notice lists.
Law Enforcement Actions
- LE raids on two suspects in Ukraine and Germany (Jan 2026)
- Leader Oleg Nefedov placed on EUROPOL Most Wanted and INTERPOL Red Notice (Jan 2026)
The Gentlemen
Fast-scaling RaaS that emerged mid-2025 and climbed to the #2 spot by victim count in early 2026. Founded by a threat actor known as Hastalamuerte — an experienced Qilin affiliate who left after a dispute over a ~$48K unpaid commission, which explains the group's rapid operational capability and sophistication. Public leak-site count exceeded 365 by late April 2026; ReliaQuest documented a jump from 35 victims in Q4 2025 to 182 in Q1 2026, and the group added another ~82 victims in April 2026 alone. Check Point Research mapped an underlying SystemBC C2 botnet of 1,570+ likely corporate victims — well beyond what the group publicly claims, with Bitdefender now assessing actual victim count likely exceeds 1,500. FBI issued an official warning on March 15, 2026. Top targeted sectors: Manufacturing, Technology, Healthcare, Financial Services, and Transportation/Logistics; top geographies: US, Thailand, France, Brazil, India. MAJOR EVENT (May 2026): The group's own backend infrastructure was compromised. On May 4, 2026, a Breached forum post titled 'The Gentlemen - hacked data for sale' offered the full dataset for $10K in BTC; by May 8 the seller posted a free MediaFire download link. The breach is linked to a compromise of hosting provider 4VPS, which operated parts of the gang's infrastructure. Leaked data included internal chats, affiliate operations, ransom-negotiation correspondence, attack methods, and organizational structure — revealing a small but professional syndicate of ~9 core operators. Leaked negotiations show the group threatening to release data tied to companies under NDAs with Sony and Barclays. The Gentlemen publicly claimed no critical data was exposed. 
A May 2026 KELA analysis of the leaked backend ranked The Gentlemen second only to Qilin for January-May 2026, with 332 publicly claimed victims (~10% of global ransomware claims for the year), and found the gang had studied the Black Basta chat leak as a playbook for phishing, credential reuse, and internal reconnaissance. KELA's May 13, 2026 cut put The Gentlemen second behind Qilin in the Jan 1-May 13 window during which all ransomware groups together posted 3,349 claimed victims globally (a ~14.5% rise vs the same period in 2025).
Law Enforcement Actions
- FBI official warning issued (2026-03-15)
- Backend infrastructure breach via 4VPS hosting provider (2026-05-04); affiliate roster and negotiation logs leaked publicly on MediaFire (2026-05-08)
Sinobi
Financially motivated hybrid RaaS that emerged in late June 2025. Placed fourth globally with 56 claimed victims in January 2026 before cooling to 18 victims in February 2026, suggesting operational disruption or affiliate churn. Top activity sectors are Manufacturing, Healthcare, Construction, and Technology. Payload is concealed via legitimate driver abuse and defense-evasion tooling.
0APT (aka 0APT Syndicate)
Controversial RaaS that surfaced in late January 2026 and rapidly listed 253+ alleged victims by end of Q1 2026, but was widely assessed by GuidePoint and Halcyon as running a faux operation — leak samples were zero-byte files and the infrastructure was operated from an Android phone's SD card on AnLinux-Parrot. MAJOR EVENT (April–May 2026): in April 2026, 0APT breached rival group KryBit's RaaS panel and extracted staff names, credentials, cryptocurrency wallet addresses, location data, and ransom-negotiation correspondence, then attempted to extort KryBit for $2M with a threat to leak the affiliate list to the FBI. KryBit retaliated by breaching 0APT's own infrastructure, locking out its staff and dumping logs that publicly confirmed the operation was being run off a Droid phone with Parrot OS on an SD card. Leak-site download links were shown to be falsified — clicking an archive simply piped random data to a preset path. 0APT's site is now locked out and the group has gone silent; KryBit's reciprocal exposure has tarnished its own standing despite winning the feud.
CoinbaseCartel (aka Coinbase Cartel)
Pure data-extortion crew (no encryptor) that emerged in September 2025 and has scaled aggressively through early 2026, claiming 118+ victims by April. Posted 22 victims in March 2026 alone and notably listed Cognizant and Aptim. Analyst assessments (Bitdefender, FortiGuard) suggest the group is composed of affiliates drawn from ShinyHunters, Scattered Spider, and Lapsus$. Operates a Tor leak site and uses staged disclosures — limited samples first, then full publication if the victim does not pay.
Everest
Russian-speaking financially motivated group active since December 2020. Originally a pure data-exfiltration crew, evolved to dual AES/DES encryption in 2021 and now also operates as an Initial Access Broker. Recruits corporate insiders for cash/profit-sharing. Approximately 360 total victims across at least 286 documented R&DE incidents; claimed at least 25 incidents YTD in 2026, ranking as the 10th most prominent extortion collective for the year. May 2026 saw high-profile financial-services victims, including Fiserv (US payment-processing giant, posted 2026-05-03) and TSYS (US payment solutions, 2026-05-02). Specifically targets medical-imaging providers with 24-hour deadlines, weaponising HIPAA pressure and patient-care urgency. In early May 2026 Everest began publishing what it claims is 108GB of Liberty Mutual data after an alleged failure to meet its demands; Liberty Mutual attributes the exposure to a third-party vendor incident.
Lynx (predecessor: INC Ransom)
RaaS operation widely assessed to be a rebrand of the INC ransomware group, active since July 2024. Highly organized, with a structured affiliate program, an exclusive affiliate panel, internal communications channels, and a polished technical arsenal. Had amassed 410+ confirmed victims by mid-May 2026, with the United States accounting for the largest share — a clear North American preference also extending to Canada, the UK, Australia, and Germany. Top targeted sectors: Education and Technology, with significant activity also in Germany. In early 2026, Lynx executed high-volume burst campaigns, including a January 5, 2026 wave that added 20 organisations to its leak site in a single day. It sustained that tempo into Q2 2026, becoming one of the two most active groups globally in the May 10 window (8 victims in 24 hours, alongside Leak Bazaar). May 2026 victims include bayareaherbs.com, csb-battery.com, and funkychunky.com. Continues to be confused with INC Ransom on some leak-tracking platforms despite the operational separation.
KryBit
RaaS operation that emerged in early 2026 with 25+ claimed victims across the United States, Germany, Austria, and Turkey by May 2026. Operates an 80% affiliate revenue-share model with encryptors compatible with ESXi, Linux, and Windows environments and advertised 24/7 technical support. MAJOR EVENT (April–May 2026): publicly engaged in a destructive doxing feud with rival group 0APT. After 0APT first breached KryBit's RaaS admin panel and exfiltrated staff names, credentials, wallet addresses, and ransom negotiation logs — then attempted to extort KryBit for $2M — KryBit retaliated by breaching 0APT's infrastructure and dumping evidence that 0APT was operating from a single Droid phone running Parrot OS off an SD card, confirming long-standing analyst assessments that 0APT was largely a fake operation. The retaliation locked out 0APT's staff but KryBit's exposed admin data (affiliate list, victim records, account credentials) materially increases its own risk of a law enforcement takedown and has damaged its standing with potential affiliates.
ALPHV/BlackCat (aka BlackCat / Noberus)
Defunct Rust-based RaaS operation that exit-scammed affiliates in early 2024 following the Change Healthcare breach. Group infrastructure was seized by FBI/Europol in December 2023 and the operation collapsed shortly after. New May 2026 development: two US-based former cybersecurity professionals, Ryan Goldberg (former incident response manager) and Kevin Martin (former ransomware negotiator), each received four-year prison sentences after pleading guilty to conspiracy charges. They collaborated with Angelo Martino to purchase access to the ALPHV platform and extorted multiple US victims between April and October 2023. Martino is awaiting sentencing later in 2026.
Law Enforcement Actions
- FBI/Europol infrastructure seizure (Dec 2023)
- Affiliate exit scam collapsed operation (Mar 2024)
- US former IR manager Ryan Goldberg sentenced to 4 years (May 2026)
- US former ransomware negotiator Kevin Martin sentenced to 4 years (May 2026)
- Angelo Martino pending sentencing (2026)
Leak Bazaar (aka LeakBazaar / SnowTeam)
Stolen-data marketplace and extortion operation launched by a Russian-speaking threat actor known as 'Snow' of the SnowTeam crew, advertised on the TierOne (T1) cybercrime forum on March 25, 2026. Rather than deploying an encryptor, Leak Bazaar operates as a post-exfiltration processing service: it ingests raw corporate data dumps and converts them into structured, sellable intelligence using ML-assisted text analysis, automated removal of system files, database reverse engineering, and ERP parsing before human analyst validation. It focuses on organisations with annual revenue above $10M and segments stolen content into high-value products such as quarterly financials, M&A data, R&D files, and personal-data records, while also running a Tor leak site and offering ransom-negotiation support to partner gangs. Although it is a marketplace rather than a traditional encryptor crew, ransomware-tracking platforms (ransomware.live, RansomLook) list it as a distinct group; in the May 10, 2026 reporting window it was the single most active group tracked, posting 9 victims in 24 hours.
Vect (aka VECT / Vect 2.0)
RaaS operation that launched its affiliate program in late December 2025 and moved into active campaigns in early 2026, with its first leak-site victim posted January 5, 2026 and 25 publicly named victims as of late May 2026 (Vect claims an additional ~300 unreleased victims). MAJOR EVENT (April 2026): Vect formalized an unprecedented alliance with the BreachForums cybercrime marketplace and the TeamPCP hacking crew, and on April 18, 2026 issued automatic Vect affiliate keys to every BreachForums member — roughly 300,000 registered users — in a single bulk onboarding. Analysts at Cynet, Dataminr, and Industrial Cyber describe this as an attempt to convert an entire mainstream cybercrime forum into a distribution network, in contrast to historical selective recruitment models such as Conti's affiliate program. Even partial activation of the BreachForums base would represent one of the largest coordinated ransomware affiliate mobilizations ever observed. Check Point Research and Cloud Security Alliance Labs subsequently published reports on a 'Vect 2.0' build that behaves as a wiper in many configurations — paying the ransom does not reliably recover enterprise data — raising the risk profile for victims of any affiliate using the toolkit.