Ransomware List 2025
| DATE | NAME | Info | CATEG. | WEB |
| 31.12.25 | Interpol-led action decrypts 6 ransomware strains, arrests hundreds | An Interpol-coordinated initiative called Operation Sentinel led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. | Ransom | |
| 31.12.25 | Romanian water authority hit by ransomware attack over weekend | Romanian Waters (Administrația Națională Apele Române), the country's water management authority, was hit by a ransomware attack over the weekend. | Ransom | |
| 25.12.25 | Ukrainian hacker admits affiliate role in Nefilim ransomware gang | A Ukrainian national pleaded guilty on Friday to conducting Nefilim ransomware attacks that targeted high-revenue businesses across the United States and other countries. | Ransom | |
| 25.12.25 | RansomHouse upgrades encryption with multi-layered data processing | The RansomHouse ransomware-as-a-service (RaaS) has recently upgraded its encryptor, switching from a relatively simple single-phase linear technique to a more complex, multi-layered method. | Ransom | |
| 21.12.25 | Clop ransomware targets Gladinet CentreStack in data theft attacks | The Clop ransomware gang is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign. | Ransom | |
| 21.12.25 | US seizes E-Note crypto exchange for laundering ransomware payments | Law enforcement has seized the servers and domains of the E-Note cryptocurrency exchange, allegedly used by cybercriminal groups to launder more than $70 million. | Ransom | |
| 20.12.25 | Critical React2Shell flaw exploited in ransomware attacks | A ransomware gang exploited the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to corporate networks and deployed the file-encrypting malware less than a minute later. | Ransom | |
| 20.12.25 | Askul confirms theft of 740k customer records in ransomware attack | Japanese e-commerce giant Askul Corporation has confirmed that RansomHouse hackers stole around 740,000 customer records in the ransomware attack it suffered in October. | Ransom | |
| 20.12.25 | CyberVolk’s ransomware debut stumbles on cryptography weakness | The pro-Russia hacktivist group CyberVolk launched a ransomware-as-a-service (RaaS) called VolkLocker that suffered from serious implementation flaws, allowing victims to potentially decrypt files for free. | Ransom | |
| 15.12.25 | VolkLocker Ransomware Exposed by Hard-Coded Master Key Allowing Free Decryption | The pro-Russian hacktivist group known as CyberVolk (aka GLORIAMIST) has resurfaced with a new ransomware-as-a-service (RaaS) offering called VolkLocker that suffers from | Ransom | The Hacker News |
| 13.12.25 | Ransomware IAB abuses EDR for stealthy malware execution | An initial access broker tracked as Storm-0249 is abusing endpoint detection and response solutions and trusted Microsoft Windows utilities to load malware and establish communication and persistence in preparation for ransomware attacks. | Ransom | |
| 13.12.25 | Ransomware gangs turn to Shanya EXE packer to hide EDR killers | Several ransomware groups have been spotted using a packer-as-a-service (PaaS) platform named Shanya to assist in EDR (endpoint detection and response) killing operations. | Ransom | |
| 13.12.25 | FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024 | A new report by the Financial Crimes Enforcement Network (FinCEN) shows that ransomware activity peaked in 2023 before falling in 2024, following a series of law enforcement actions targeting the ALPHV/BlackCat and LockBit ransomware gangs. | Ransom | |
| 9.12.25 | STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware | Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565. Cybersecurity company Sophos said it investigated almost 40 intrusions linked to the threat actor between February 2024 and August 2025. T | Ransom | The Hacker News |
| 7.12.25 | Pharma firm Inotiv discloses data breach after ransomware attack | American pharmaceutical firm Inotiv is notifying thousands of people that their personal information was stolen in an August 2025 ransomware attack. | Ransom | |
| 7.12.25 | Deep dive into DragonForce ransomware and its Scattered Spider connection | DragonForce expanded its ransomware operation in 2025 by working with English-speaking hackers known for advanced social engineering and initial access. Acronis explains how the "Scattered Spider" collaboration enables coordinated, multistage intrusions across major environments. | Ransom | |
| 29.11.25 | Piecing Together the Puzzle: A Qilin Ransomware Investigation | Huntress analysts reconstructed a Qilin ransomware attack from a single endpoint, using limited logs to reveal rogue ScreenConnect access, failed infostealer attempts, and the ransomware execution path. The investigation shows how validating multiple data sources can uncover activity even when visibility is reduced to a "pinhole." | Ransom | |
| 26.11.25 | Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim 'Korean Leaks' Data Heist | South Korea's financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware. "This | Ransom | The Hacker News |
| 23.11.25 | Russian bulletproof hosting provider sanctioned over ransomware ties | Today, the United States, the United Kingdom, and Australia announced sanctions targeting Russian bulletproof hosting (BPH) providers that have supported ransomware gangs and other cybercrime operations. | Ransom | |
| 22.11.25 | Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters | An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation. | Ransom | |
| 16.11.25 | Checkout.com snubs hackers after data breach, to donate ransom instead | UK financial technology company Checkout announced that the ShinyHunters threat group has breached one of its legacy cloud storage systems and is now extorting the company for a ransom. | Ransom | |
| 16.11.25 | Kraken ransomware benchmarks systems for optimal encryption choice | The Kraken ransomware, which targets Windows and Linux/VMware ESXi systems, is testing machines to check how fast it can encrypt data without overloading them. | Ransom | |
| 16.11.25 | CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs | US government agencies are warning that the Akira ransomware operation has been spotted encrypting Nutanix AHV virtual machines in attacks. | Ransom | |
| 15.11.25 | Synnovis notifies of data breach after 2024 ransomware attack | Synnovis, a leading UK pathology services provider, is notifying healthcare providers that a data breach occurred following a ransomware attack in June 2024, which resulted in the theft of some patients' data. | Ransom | |
| 14.11.25 | Yanluowang initial access broker pleaded guilty to ransomware attacks | A Russian national will plead guilty to acting as an initial access broker (IAB) for Yanluowang ransomware attacks that targeted at least eight U.S. companies between July 2021 and November 2022. | Ransom | |
| 14.11.25 | Ransomware's Fragmentation Reaches a Breaking Point While LockBit Returns | Key Takeaways: 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date. 1,590 victims disclosed across 85 | Ransom | The Hacker News |
| 9.11.25 | AI-Slop ransomware test sneaks on to VS Code marketplace | A malicious extension with basic ransomware capabilities, seemingly created with the help of AI, has been published on Microsoft's official VS Code marketplace. | Ransom | |
| 9.11.25 | How a ransomware gang encrypted Nevada government's systems | The State of Nevada has completed its recovery from a ransomware attack it suffered on August 24, 2025, which impacted 60 state agencies, disrupting critical services related to health and public safety. | Ransom | |
| 9.11.25 | Apache OpenOffice disputes data breach claims by ransomware gang | The Apache Software Foundation disputes claims that its OpenOffice project suffered an Akira ransomware attack, after the threat actors claimed to have stolen 23 GB of corporate documents. | Ransom | |
| 8.11.25 | US cybersecurity experts indicted for BlackCat ransomware attacks | Three former employees of cybersecurity incident response companies DigitalMint and Sygnia have been indicted for allegedly hacking the networks of five U.S. companies in BlackCat (ALPHV) ransomware attacks between May 2023 and November 2023. | Ransom | |
| 7.11.25 | Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities | Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial | Ransom | The Hacker News |
| 4.11.25 | U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks | Federal prosecutors in the U.S. have accused a trio of allegedly hacking the networks of five U.S. companies with BlackCat (aka ALPHV) ransomware between May and November 2023 | Ransom | The Hacker News |
| 3.11.25 | CISA: High-severity Linux flaw now exploited by ransomware gangs | CISA confirmed on Thursday that a high-severity privilege escalation flaw in the Linux kernel is now being exploited in ransomware attacks. | Ransom | |
| 3.11.25 | Ukrainian extradited from Ireland on Conti ransomware charges | A Ukrainian national believed to be a member of the Conti ransomware operation has been extradited to the United States and faces charges that could get him 25 years in prison. | Ransom | |
| 1.11.25 | Qilin ransomware abuses WSL to run Linux encryptors in Windows | The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools. | Ransom | |
| 1.11.25 | Ransomware profits drop as victims stop paying hackers | The number of victims paying ransomware threat actors has reached a new low, with just 23% of the breached companies giving in to attackers' demands. | Ransom | |
| 1.11.25 | Russian Ransomware Gangs Weaponize Open-Source AdaptixC2 for Advanced Attacks | The open-source command-and-control (C2) framework known as AdaptixC2 is being used by a growing number of threat actors, some of whom are related to Russian ransomware | Ransom | The Hacker News |
| 28.10.25 | Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack | The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the | Ransom | The Hacker News |
| 25.10.25 | Retail giant Muji halts online sales after ransomware attack on supplier | Japanese retail company Muji has taken its store offline due to a logistics outage caused by a ransomware attack at its delivery partner, Askul. | Ransom | |
| 19.10.25 | Microsoft disrupts ransomware attacks targeting Teams users | Microsoft has disrupted a wave of Rhysida ransomware attacks in early October by revoking over 200 certificates used to sign malicious Teams installers. | Ransom | |
| 18.10.25 | Hackers now use Velociraptor DFIR tool in ransomware attacks | Threat actors have started to use the Velociraptor digital forensics and incident response (DFIR) tool in attacks that deploy LockBit and Babuk ransomware. | Ransom | |
| 17.10.25 | Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign | Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware | Ransom | |
| 12.10.25 | Qilin ransomware claims Asahi brewery attack, leaks data | The Qilin ransomware group has claimed responsibility for the attack at Japanese beer maker Asahi, adding the company to its extortion page on the dark web yesterday. | Ransom | |
| 12.10.25 | Salesforce refuses to pay ransom over widespread data theft attacks | Salesforce has confirmed that it will not negotiate with or pay a ransom to the threat actors behind a massive wave of data theft attacks that impacted the company's customers this year. | Ransom | |
| 12.10.25 | Clop exploited Oracle zero-day for data theft since early August | The Clop ransomware gang has been exploiting a critical Oracle E-Business Suite (EBS) zero-day bug in data theft attacks since at least early August, according to cybersecurity company CrowdStrike. | Ransom | |
| 12.10.25 | Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks | Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks likely orchestrated by Storm-2603 (aka CL- | Ransom | |
| 11.10.25 | Microsoft: Critical GoAnywhere bug exploited in ransomware attacks | A cybercrime group, tracked as Storm-1175, has been actively exploiting a maximum severity GoAnywhere MFT vulnerability in Medusa ransomware attacks for nearly a month. | Ransom | |
| 11.10.25 | Japanese beer giant Asahi confirms ransomware attack | Japanese beer-making giant Asahi has disclosed today that a ransomware attack caused the IT disruptions that forced it to shut down factories this week. | Ransom | |
| 10.10.25 | CL0P-Linked Hackers Breach Dozens of Organizations Through Oracle Software Flaw | Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS) software since August 9, 2025, Google Threat | Ransom | |
| 8.10.25 | LockBit, Qilin, and DragonForce Join Forces to Dominate the Ransomware Ecosystem | Three prominent ransomware groups DragonForce, LockBit, and Qilin have announced a new strategic ransomware alliance, once again underscoring continued shifts in the cyber threat | Ransom | |
| 5.10.25 | Clop extortion emails claim theft of Oracle E-Business Suite data | Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems | Ransom | |
| 4.10.25 | Ransomware gang sought BBC reporter’s help in hacking media giant | Threat actors claiming to represent the Medusa ransomware gang tempted a BBC correspondent to become an insider threat by offering a significant amount of money. | Ransom | |
| 4.10.25 | Akira ransomware breaching MFA-protected SonicWall VPN accounts | Ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully logging in despite OTP MFA being enabled on accounts. Researchers suspect that this may be achieved through the use of previously stolen OTP seeds, although the exact method remains unconfirmed. | Ransom | |
| 3.10.25 | Google Mandiant Probes New Oracle Extortion Wave Possibly Linked to Cl0p Ransomware | Google Mandiant and Google Threat Intelligence Group (GTIG) have disclosed that they are tracking a new cluster of activity possibly linked to a financially motivated threat actor known as | Ransom | The Hacker News |
| 28.9.25 | Obscura, an obscure new ransomware variant | Huntress analysts discovered a previously unseen ransomware variant, Obscura, spreading from a victim company's domain controller. Learn how Obscura works—and what it means for defenders—in this week's Tradecraft Tuesday. | Ransom | |
| 28.9.25 | UK arrests suspect for RTX ransomware attack causing airport disruptions | The UK's National Crime Agency has arrested a suspect linked to a ransomware attack that is causing widespread disruptions across European airports. | Ransom | |
| 27.9.25 | Airport disruptions in Europe caused by a ransomware attack | The disruptions over the weekend at several major European airports were caused by a ransomware attack targeting the check-in and boarding systems. | Ransom | |
| 21.9.25 | Known. Emerging. Unstoppable? Ransomware Attacks Still Evade Defenses | Ransomware remains one of the most destructive threats—because defenses keep failing. Picus Blue Report 2025 shows prevention dropped to 62%, while data exfiltration prevention collapsed to just 3%. | Ransom | |
| 21.9.25 | VC giant Insight Partners warns thousands after ransomware breach | New York-based venture capital and private equity firm Insight Partners is notifying thousands of individuals whose personal information was stolen in a ransomware attack. | Ransom | |
| 18.9.25 | New HybridPetya ransomware can bypass UEFI Secure Boot | A recently discovered ransomware strain called HybridPetya can bypass the UEFI Secure Boot feature to install a malicious application on the EFI System Partition. | Ransom | |
| 17.9.25 | Akira Ransomware Group Utilizing SonicWall Devices for Initial Access | In August 2024, SonicWall published a security advisory for CVE SNWLID-2024-0015, which was related to improper access control vulnerability for SSLVPN affecting Gen5, Gen6, and Gen7 firewall appliances. | Ransom | RAPID7 |
| 14.9.25 | Panama Ministry of Economy discloses breach claimed by INC ransomware | Panama's Ministry of Economy and Finance (MEF) has disclosed that one of its computers may have been compromised in a cyberattack. | Ransom | |
| 14.9.25 | Akira ransomware exploiting critical SonicWall SSLVPN bug again | The Akira ransomware gang is actively exploiting CVE-2024-40766, a year-old critical-severity access control vulnerability, to gain unauthorized access to SonicWall devices. | Ransom | |
| 13.9.25 | US charges admin of LockerGoga, MegaCortex, Nefilim ransomware | The U.S. Department of Justice has charged Ukrainian national Volodymyr Viktorovich Tymoshchuk for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations. | Ransom | |
| 12.9.25 | New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit | Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the notorious Petya / NotPetya malware, while also | Ransom | The Hacker News |
| 6.9.25 | Pennsylvania AG Office says ransomware attack behind recent outage | The Office of the Pennsylvania Attorney General announced that a ransomware attack is behind the ongoing two-week service outage. | Ransom | |
| 31.8.25 | MATLAB dev says ransomware gang stole data of 10,000 people | MathWorks, a leading developer of mathematical simulation and computing software, revealed that a ransomware gang stole the data of over 10,000 people after breaching its network in April. | Ransom | |
| 30.8.25 | Nissan confirms design studio data breach claimed by Qilin ransomware | Nissan Japan has confirmed to BleepingComputer that it suffered a data breach following unauthorized access to a server of one of its subsidiaries, Creative Box Inc. (CBI) | Ransom | |
| 26.8.25 | ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners | A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that | Ransom | The Hacker News |
| 26.8.25 | HOOK Android Trojan Adds Ransomware Overlays, Expands to 107 Remote Commands | Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display | Ransom | The Hacker News |
| 24.8.25 | Colt confirms customer data stolen as Warlock ransomware auctions files | UK-based telecommunications company Colt Technology Services confirms that customer documentation was stolen as Warlock ransomware gang auctions files. | Ransom | |
| 24.8.25 | Europol confirms $50,000 Qilin ransomware reward is fake | Europol has confirmed that a Telegram channel impersonating the agency and offering a $50,000 reward for information on two Qilin ransomware administrators is fake. The impostor later admitted it was created to troll researchers and journalists. | Ransom | |
| 23.8.25 | Pharma firm Inotiv says ransomware attack impacted operations | American pharmaceutical company Inotiv has disclosed that some of its systems and data have been encrypted in a ransomware attack, impacting the company's business operations. | Ransom | |
| 13.8.25 | Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics | Cybersecurity researchers have discovered a new campaign that employs a previously undocumented ransomware family called Charon to target the Middle | Ransom | The Hacker News |
| 02.08.25 | Akira Ransomware Exploits SonicWall VPNs in Likely Zero-Day Attack on Fully-Patched Devices | SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025. "In the intrusions | Ransom | The Hacker News |
| 25.7.25 | CISA and FBI warn of escalating Interlock ransomware attacks | CISA and the FBI warned on Tuesday of increased Interlock ransomware activity targeting businesses and critical infrastructure organizations in double extortion attacks. | Ransom | |
| 25.7.25 | UK to ban public sector orgs from paying ransomware gangs | The United Kingdom's government is planning to ban public sector and critical infrastructure organizations from paying ransoms after ransomware attacks. | Ransom | |
| 20.7.25 | Russian alcohol retailer WineLab closes stores after ransomware attack | WineLab, the retail store of the largest alcohol company in Russia, has closed its stores following a cyberattack that is impacting its operations and causing purchase problems to its customers. | Ransom | |
| 20.7.25 | New Phobos and 8base ransomware decryptor recover files for free | The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files. | Ransom | |
| 18.7.25 | Police disrupt “Diskstation” ransomware gang attacking NAS devices | Police disrupt “Diskstation” ransomware gang attacking NAS devices | Ransom | |
| 18.7.25 | From Backup to Cyber Resilience: Why IT Leaders Must Rethink Backup in the Age of Ransomware | With IT outages and disruptions escalating, IT teams are shifting their focus beyond simply backing up data to maintaining operations during an incident. One of the key | Ransom | The Hacker News |
| 17.7.25 | From a Teams Call to a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up | Matanbuchus is a malware loader that has been available as a Malware-as-a-Service (MaaS) since 2021. | Ransom | Morphisec |
| 13.7.25 | Ingram Micro starts restoring systems after ransomware attack | Ingram Micro has begun restoring systems and business services after suffering a massive SafePay ransomware attack right before the July 4th holiday. | Ransom | |
| 11.7.25 | M&S confirms social engineering led to massive ransomware attack | M&S confirmed today that the retail outlet's network was initially breached in a "sophisticated impersonation attack" that ultimately led to a DragonForce ransomware attack. | Ransom | |
| 11.7.25 | Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals | An Iranian-backed ransomware-as-a-service (RaaS) named Pay2Key has resurfaced in the wake of the Israel-Iran-U.S. conflict last month, offering bigger payouts to | Ransom | The Hacker News |
| 6.7.25 | Ingram Micro outage caused by SafePay ransomware attack | An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned. | Ransom | |
| 5.7.25 | IdeaLab confirms data stolen in ransomware attack last year | IdeaLab is notifying individuals impacted by a data breach incident last October when hackers accessed sensitive information. | Ransom | BleepingComputer |
| 5.7.25 | Hunters International ransomware shuts down, releases free decryptors | The Hunters International Ransomware-as-a-Service (RaaS) operation announced today that it has officially closed down its operations and will offer free decryptors to help victims recover their data without paying a ransom. | Ransom | BleepingComputer |
| 5.7.25 | DOJ investigates ex-ransomware negotiator over extortion kickbacks | An ex-ransomware negotiator is under criminal investigation by the Department of Justice for allegedly working with ransomware gangs to profit from extortion payment deals. | Ransom | |
| 5.7.25 | Aeza Group sanctioned for hosting ransomware, infostealer servers | The U.S. Department of the Treasury has sanctioned Russian hosting company Aeza Group and four operators for allegedly acting as a bulletproof hosting company for ransomware gangs, infostealer operations, darknet drug markets, and Russian disinformation campaigns. | Ransom | |
| 3.7.25 | Switzerland says government data stolen in ransomware attack | The government in Switzerland says that sensitive information from various federal offices has been impacted by a ransomware attack at the third-party organization Radix. | Ransom | BleepingComputer |
| 2.7.25 | U.S. Sanctions Russian Bulletproof Hosting Provider for Supporting Cybercriminals Behind Ransomware | The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has levied sanctions against Russia-based bulletproof hosting (BPH) service provider | Ransom | The Hacker News |
| 26.6.25 | REvil ransomware members released after time served on carding charges | Four REvil ransomware members arrested in January 2022 were released by Russia on time served after they pleaded guilty to carding and malware distribution charges. | Ransom | |
| 22.6.25 | Ryuk ransomware’s initial access expert extradited to the U.S. | A member of the notorious Ryuk ransomware operation who specialized in gaining initial access to corporate networks has been extradited to the United States. | Ransom | |
| 21.6.25 | Anubis ransomware adds wiper to destroy files beyond recovery | The Anubis ransomware-as-a-service (RaaS) operation has added to its file-encrypting malware a wiper module that destroys targeted files, making recovery impossible even if the ransom is paid. | Ransom | BleepingComputer |
| 21.6.25 | Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms | The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the | Ransom | The Hacker News |
| 18.6.25 | Anubis Ransomware Encrypts and Wipes Files, Making Recovery Impossible Even After Payment | An emerging ransomware strain has been discovered incorporating capabilities to encrypt files as well as permanently erase them, a development that has been | Ransom | The Hacker News |
| 15.6.25 | Fog ransomware attack uses unusual mix of legitimate and open-source tools | Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca. | Ransom | |
| 13.6.25 | Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote | Ransom | The Hacker News |
| 13.6.25 | Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks | Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and | Ransom | The Hacker News |
| 8.6.25 | Tax resolution firm Optima Tax Relief hit by ransomware, data leaked | U.S. tax resolution firm Optima Tax Relief suffered a Chaos ransomware attack, with the threat actors now leaking data stolen from the company. | Ransom | |
| 8.6.25 | Kettering Health confirms Interlock ransomware behind cyberattack | Healthcare giant Kettering Health, which manages 14 medical centers in Ohio, confirmed that the Interlock ransomware group breached its network and stole data in a May cyberattack. | Ransom | BleepingComputer |
| 8.6.25 | Interlock ransomware claims Kettering Health breach, leaks stolen data | The Interlock ransomware gang has claimed a recent cyberattack on the Kettering Health healthcare network and leaked data allegedly stolen from breached systems. | Ransom | |
| 7.6.25 | FBI: Play ransomware breached 900 victims, including critical orgs | In an update to a joint advisory with CISA and the Australian Cyber Security Centre, the FBI said that the Play ransomware gang had breached roughly 900 organizations as of May 2025, three times the number of victims reported in October 2023. | Ransom | |
| 1.6.25 | Interlock ransomware gang deploys new NodeSnake RAT on universities | The Interlock ransomware gang is deploying a previously undocumented remote access trojan (RAT) named NodeSnake against educational institutes for persistent access to corporate networks. | Ransom | BleepingComputer |
| 30.4.25 | Marks & Spencer breach linked to Scattered Spider ransomware attack | Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by threat actors known as "Scattered Spider," BleepingComputer has learned from multiple sources. | Ransom | |
| 30.4.25 | Hitachi Vantara takes servers offline after Akira ransomware attack | Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack. | Ransom | |
| 30.4.25 | RansomHub Went Dark April 1; Affiliates Fled to Qilin, DragonForce Claimed Control | Cybersecurity researchers have revealed that RansomHub's online infrastructure has "inexplicably" gone offline as of April 1, 2025, prompting concerns among | Ransom | The Hacker News |
| 27.4.25 | DragonForce expands ransomware model with white-label branding scheme | The ransomware scene is re-organizing, with one gang known as DragonForce working to gather other operations under a cartel-like structure. | Ransom | |
| 26.4.25 | ToyMaker Uses LAGTOY to Sell Access to CACTUS Ransomware Gangs for Double Extortion | Cybersecurity researchers have detailed the activities of an initial access broker (IAB) dubbed ToyMaker that has been observed handing over access to double | Ransom | The Hacker News |
| 26.4.25 | Frederick Health data breach impacts nearly 1 million patients | A ransomware attack in January at Frederick Health Medical Group, a major healthcare provider in Maryland, has led to a data breach affecting nearly one million patients. | Ransom | BleepingComputer |
| 26.4.25 | Interlock ransomware claims DaVita attack, leaks stolen data | The Interlock ransomware gang has claimed the cyberattack on DaVita kidney dialysis firm and leaked data allegedly stolen from the organization. | Ransom | |
| 21.4.25 | Interlock ransomware gang pushes fake IT tools in ClickFix attacks | The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices. | Ransom | BleepingComputer |
| 21.4.25 | Ahold Delhaize confirms data theft after INC ransomware claims attack | Food retail giant Ahold Delhaize confirms that data was stolen from its U.S. business systems during a November 2024 cyberattack. | Ransom | BleepingComputer |
| 20.4.25 | Kidney dialysis firm DaVita hit by weekend ransomware attack | Kidney dialysis firm DaVita disclosed Monday it suffered a weekend ransomware attack that encrypted parts of its network and impacted some of its operations. | Ransom | |
| 13.4.25 | Ransomware attack cost IKEA operator in Eastern Europe $23 million | Fourlis Group, the operator of IKEA stores in Greece, Cyprus, Romania, and Bulgaria, has disclosed that the ransomware attack it suffered just before Black Friday on November 27, 2024, caused losses estimated at €20 million ($22.8M). | Ransom | |
| 13.4.25 | Sensata Technologies hit by ransomware attack impacting operations | Sensata Technologies (known as Sensata) suffered a ransomware attack last weekend that encrypted parts of the company network and disrupted operations. | Ransom | BleepingComputer |
| 10.4.25 | Everest ransomware's dark web leak site defaced, now offline | The dark web leak site of the Everest ransomware gang has apparently been hacked over the weekend by an unknown attacker and is now offline. | Ransom | BleepingComputer |
| 6.4.25 | Port of Seattle says ransomware breach impacts 90,000 people | Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack. | Ransom | |
| 6.4.25 | Hunters International shifts from ransomware to pure data extortion | The Hunters International Ransomware-as-a-Service (RaaS) operation is shutting down and rebranding with plans to switch to data theft and extortion-only attacks. | Ransom | BleepingComputer |
| 6.4.25 | Texas State Bar warns of data breach after INC ransomware claims attack | The State Bar of Texas is warning it suffered a data breach after the INC ransomware gang claimed to have breached the organization and began leaking samples of stolen data. | Ransom | BleepingComputer |
| 30.3.25 | Retail giant Sam’s Club investigates Clop ransomware breach claims | Sam's Club, an American warehouse supermarket chain owned by U.S. retail giant Walmart, is investigating claims of a Clop ransomware breach. | Ransom | |
| 30.3.25 | UK fines software provider £3.07 million for 2022 ransomware breach | The UK Information Commissioner's Office (ICO) has fined Advanced Computer Software Group Ltd £3.07 million over a 2022 ransomware attack that exposed the sensitive personal data of 79,404 people, including National Health Service (NHS) patients. | Ransom | |
| 29.3.25 | BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability | In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called | Ransom | The Hacker News |
| 29.3.25 | RedCurl cyberspies create ransomware to encrypt Hyper-V servers | A threat actor named 'RedCurl,' known for stealthy corporate espionage operations since 2018, is now using a ransomware encryptor designed to target Hyper-V virtual machines. | Ransom | |
| 28.3.25 | New VanHelsing ransomware targets Windows, ARM, ESXi systems | A new multi-platform ransomware-as-a-service (RaaS) operation named VanHelsing has emerged, targeting Windows, Linux, BSD, ARM, and ESXi systems. | Ransom | BleepingComputer |
| 28.3.25 | Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks | A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa, BianLian, and Play. The connection | Ransom | The Hacker News |
| 25.3.25 | SANS Institute Warns of Novel Cloud-Native Ransomware Attacks | The latest Palo Alto Networks Unit 42 Cloud Threat Report found that sensitive data is found in 66% of cloud storage buckets. This data is vulnerable to | Ransom | The Hacker News |
| 24.3.25 | VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics | A ransomware-as-a-service (RaaS) operation called VanHelsing has already claimed three victims since it launched on March 7, 2025. "The RaaS model allows | Ransom | The Hacker News |
| 24.3.25 | VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware | Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware that's | Ransom | The Hacker News |
| 23.3.25 | VSCode extensions found downloading early-stage ransomware | Two malicious VSCode Marketplace extensions were found deploying in-development ransomware from a remote server, exposing critical gaps in Microsoft's review process. | Ransom | |
| 23.3.25 | RansomHub ransomware uses new Betruger ‘multi-function’ backdoor | Security researchers have linked a new backdoor dubbed Betruger, deployed in several recent ransomware attacks, to an affiliate of the RansomHub operation. | Ransom | |
| 21.3.25 | Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates | The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a | Ransom | The Hacker News |
| 20.3.25 | Leaked Black Basta Chats Suggest Russian Officials Aided Leader's Escape from Armenia | The recently leaked trove of internal chat logs among members of the Black Basta ransomware operation has revealed possible connections between the e-crime | Ransom | The Hacker News |
| 16.3.25 | New Akira ransomware decryptor cracks encryptions keys using GPUs | Security researcher Yohanes Nugroho has released a decryptor for the Linux variant of Akira ransomware, which utilizes GPU power to retrieve the decryption key and unlock files for free. | Ransom | BleepingComputer |
| 16.3.25 | Ransomware gang creates tool to automate VPN brute-force attacks | The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs. | Ransom | BleepingComputer |
| 16.3.25 | Suspected LockBit ransomware dev extradited to United States | A dual Russian-Israeli national, suspected of being a key developer for the LockBit ransomware operation, has been extradited to the United States to face charges. | Ransom | BleepingComputer |
| 16.3.25 | New SuperBlack ransomware exploits Fortinet auth bypass flaws | A new ransomware operator named 'Mora_001' is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack. | Ransom | BleepingComputer |
| 16.3.25 | CISA: Medusa ransomware hit over 300 critical infrastructure orgs | CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month. | Ransom | BleepingComputer |
| 14.3.25 | Live Ransomware Demo: See How Hackers Breach Networks and Demand a Ransom | Cyber threats evolve daily. In this live webinar, learn exactly how ransomware attacks unfold—from the initial breach to the moment hackers demand payment. | Ransom | The Hacker News |
| 9.3.25 | Microsoft: North Korean hackers join Qilin ransomware gang | Microsoft says a North Korean hacking group tracked as Moonstone Sleet has deployed Qilin ransomware payloads in a limited number of attacks. | Ransom | BleepingComputer |
| 9.3.25 | Ransomware gang encrypted network from a webcam to bypass EDR | The Akira ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim's network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows. | Ransom | BleepingComputer |
| 9.3.25 | US seizes domain of Garantex crypto exchange used by ransomware gangs | The U.S. Secret Service has seized the domain of the sanctioned Russian cryptocurrency exchange Garantex in collaboration with the Department of Justice's Criminal Division, the FBI, and Europol. | Ransom | BleepingComputer |
| 8.3.25 | Toronto Zoo shares update on last year's ransomware attack | The Toronto Zoo, the largest zoo in Canada, has provided more information about the data stolen during a ransomware attack in January 2024. | Ransom | BleepingComputer |
| 8.3.25 | Fake BianLian ransom notes mailed to US CEOs in postal mail scam | Scammers are impersonating the BianLian ransomware gang in fake ransom notes sent to US companies via snail mail through the United States Postal Service. | Ransom | BleepingComputer |
| 8.3.25 | Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware | New research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks. | Ransom | BleepingComputer |
| 8.3.25 | Hunters International ransomware claims attack on Tata Technologies | The Hunters International ransomware gang has claimed responsibility for a January cyberattack on Tata Technologies, stating they stole 1.4TB of data from the company. | Ransom | BleepingComputer |
| 8.3.25 | Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks | Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows. | Ransom | BleepingComputer |
| 7.3.25 | EncryptHub Deploys Ransomware and Stealer via Trojanized Apps, PPI Services, and Phishing | The financially motivated threat actor known as EncryptHub has been observed orchestrating sophisticated phishing campaigns to deploy information stealers | Ransom | The Hacker News |
| 7.3.25 | Medusa Ransomware Hits 40+ Victims in 2025, Demands $100K–$15M Ransom | The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks | Ransom | The Hacker News |
| 5.3.25 | Researchers Link CACTUS Ransomware Tactics to Former Black Basta Affiliates | Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining | Ransom | The Hacker News |
| 1.3.25 | Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks | Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows. | Ransom | BleepingComputer |
| 1.3.25 | Qilin ransomware claims attack at Lee Enterprises, leaks stolen data | The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company. | Ransom | BleepingComputer |
| 1.3.25 | Southern Water says Black Basta ransomware attack cost £4.5M in expenses | United Kingdom water supplier Southern Water has disclosed that it incurred costs of £4.5 million ($5.7M) due to a cyberattack it suffered in February 2024. | Ransom | BleepingComputer |
| 26.2.25 | Leaked Black Basta Ransomware Chat Logs Reveal Inner Workings and Internal Conflicts | More than a year's worth of internal chat logs from a ransomware gang known as Black Basta have been published online in a leak that provides unprecedented | Ransom | The Hacker News |
| 22.2.25 | China-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware | A previously unknown threat activity cluster targeted European organizations, particularly those in the healthcare sector, to deploy PlugX and its successor, | Ransom | The Hacker News |
| 16.1.25 | Inside a 90-Minute Attack: Breaking Ground with All-New AI Defeating Black Basta Tactics | Have you ever had your lunch interrupted by a sudden barrage of security alerts? That’s exactly what happened to one of our clients when a frantic call from their Security Operations Center revealed a flood of suspicious emails. The culprit? A brand-new cyberattack mimicking the notorious Black Basta group’s latest technique—and it hit with lightning speed. | Ransom | SlashNext |
| 3.1.25 | French govt contractor Atos denies Space Bears ransomware attack claims | French tech giant Atos, which secures communications for the country's military and secret services, has denied claims made by the Space Bears ransomware gang that they compromised one of its databases. | Ransom | BleepingComputer |
| 3.1.25 | Ransomware gang leaks data stolen in Rhode Island's RIBridges Breach | The Brain Cipher ransomware gang has begun to leak documents stolen in an attack on Rhode Island's "RIBridges" social services platform. | Ransom | BleepingComputer |