Top 10 Ransomware Groups

Top 10 Ransomware Groups

We have prepared 10 Ransomware Groups for you.


Hive, which first appeared in June 2021, has gained a reputation as an extremely aggressive group targeting the healthcare sector.

Hive launched an attack on the Costa Rican Social Security Fund, the country’s public health service, on May 31. Other notable incidents include the Missouri Delta Medical Center attack, in which patient data was leaked, and the Memorial Health System in Ohio, where urgent surgeries and radiology exams had to be canceled.

The US Department of Health and Human Services has warned healthcare organizations about the gang and advised them to implement strong cybersecurity systems and defenses. Hive is a RaaS provider that employs the double extortion method, in which data is both stolen and encrypted. The Golang programming language is used in the creation of their malware.

2-AlphV (BlackCat)

Hive, which first appeared in June 2021, has gained a reputation as an extremely aggressive group targeting the healthcare sector.

Microsoft discovered AlphV, also known as BlackCat, in November 2021. It also functions as a RaaS and employs the double extortion method. This group is notable for being the first ransomware gang to employ the RUST programming language.

The gang has targeted a number of high-profile organizations, including the fashion label Moncler and the Swissport airline cargo handling service provider. The Austrian federal state Carinthia was targeted in May 2022, and BlackCat demanded $5 million for the decryption of stolen data.


Lapsus$ became operational for the first time in December 2021. Instead of traditional data leak websites, cybercriminals use their private Telegram channel to communicate with the public. They also hold polls to allow members to vote on who should be targeted next.

According to Microsoft, the hacking group is known for employing a solely extortion and destruction model, with no ransomware payloads deployed. Typically, the gang focuses on compromising user identities while using compromised credentials.

Despite the fact that the gang was initially thought to be based in Brazil because one of its first victims was the country’s Ministry of Health, seven people aged 16 to 21 were arrested in the UK in relation to the gang’s activities in late March 2022.

The UK arrests did not derail the group, as Lapsus$ released a 73GB archive from software services company Globant, whose clients include Disney and Google, a few days later. As a result, the group appears to be still active.


According to Digital Shadows, Conti, thought to be led by cybercriminal Wizard Spider, accounted for 20% of attacks in the first three months of 2022.

They use a multithreading method to spread malware and operate on a double extortion system.

The group is thought to have ties to Russia because it issued a statement strongly supporting the Kremlin’s decision to invade Ukraine. They are behind a number of high-profile ransomware attacks, including those on the City of Tulsa and the Japanese multinational electronics company JVCKenwood.

Costa Rica declared a national emergency in May 2022 after Conti attacked their government systems.

However, the group disbanded in the midst of this.

The Conti cybercrime syndicate will, however, continue to live on, with reports of partnerships with smaller ransomware gangs, such as Hive, BlackCat, BlackByte, and more.

Members will spread to these gangs and work as part of those organizations but will still be a part of the larger Conti syndicate. The Costa Rica attack has been theorized to be a publicity stunt as Conti members slowly migrated to other gangs.


According to Digital Shadows, LockBit, a RaaS organization that employs double extortion methods, was responsible for 38% of ransomware attacks between January and March 2022. They’ve been here since 2019.

Stealbit, their malware tool, automates data exfiltration.

It was released alongside LockBit 2.0, which its creators dubbed the fastest and most efficient encryption system.

They have targeted large collaborations such as Bridgestone Americas and the French electronics multinational Thales Group. Lockbit has also threatened the French Ministry of Justice with the release of sensitive data.

6-Black Basta

Black Basta frequently employs double extortion tactics, threatening to publicly leak the stolen data if the ransom is not paid. DDoS attacks are also used by the group to persuade its victims to pay the ransom. In some cases, members of Black Basta have demanded millions of dollars from their victims in order to keep the stolen data private.

According to Intel 471, Black Basta ransomware attacks will affect 50 organizations in the third quarter of 2022. Consumer and industrial products, professional services and consulting, technology and media, and life sciences and healthcare were the industries most affected by ransomware attacks. The United States was the group’s biggest target for the quarter, accounting for 62% of all reported attacks.


REvil Ransomware, which was discovered in April 2019 and operates as a ransomware-as-a-service model, is well-known for its attacks on two major companies: JBS and Kaseya.

Because of the REvil ransomware group, JBS Foods, the world’s largest meatpacking company, was forced to temporarily halt operations and pay an estimated $11 million ransom to prevent attackers from publishing their data online.

Because of a Kaseya software vulnerability to SQL injection attacks, REvil ransomware was able to encrypt Kaeya’s servers in July 2021. Because its customers were affected, this resulted in a supply chain attack. The attack on Kaseya drew unwanted attention to the gang because it directly impacted over 1,500 businesses worldwide.


Maze ransomware, which was discovered in 2019, quickly ascended to the top of its malware class. This ransomware was responsible for more than a third of all attacks, accounting for more than a third of all victims. Maze’s creators were among the first to steal data prior to encryption. The cybercriminals threatened to publish the stolen files if the victim did not pay the ransom. The method proved effective and was later used by many other ransomware operations, including REvil and DoppelPaymer, which we will discuss further below.

Another breakthrough was that cybercriminals began reporting their attacks to the media. The Maze group informed Bleeping Computer about its hack of the company Allied Universal in late 2019, attaching a few of the stolen files as evidence. The group threatened to send spam from Allied Universal’s servers in e-mail conversations with the website’s editors, and it later published the hacked company’s confidential data on the Bleeping Computer forum.

9- AvosLocker

AvosLocker is a newer ransomware family that emerged to fill the void left by REvil. While it is not as well-known or active as LockBit or Conti, it is slowly gaining traction, with the US Federal Bureau of Investigation (FBI) issuing an advisory on this threat.

According to the report, AvosLocker has been targeting critical infrastructure in various sectors across the United States, with attacks also observed in Canada, the United Kingdom, and Spain. Despite the low detection rate, its clever use of familiar tactics makes it a ransomware variant worth monitoring right now.

10- Babuk

Babuk ransomware was discovered in early 2021, but it didn’t take long for this destructive new malware to gain notoriety. Babuk ransomware, also known by its Russian spelling, Babyk, has made a name for itself through several high-profile attacks, extorting at least $85,000 from victims to date.

Despite its success, Babuk is not thought to be sophisticated malware. It contains a number of bugs and does not obfuscate its code, which is a common tactic used by threat actors to prevent others from understanding it. However, this does not mean that Babuk ransomware is not dangerous. Some victims’ files were corrupted beyond repair, while others’ private information was published on the internet and dark web.


Thanks for reading!

Check us our product 👉

Follow us at Twitter and Linkedin 👇