Ransomware List - 2026 2025 2024 2023 2021 2020 2019 2018
DATE | NAME |
Info | CATEG. |
WEB |
| 12.5.26 | Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak | American educational technology company Instructure, the parent company of Canvas, said it reached an "agreement" with a decentralized | Ransom | The Hacker News |
| 10.5.26 | Trellix source code breach claimed by RansomHouse hackers | The attack on the Trellix source code repository disclosed last week has been claimed by the RansomHouse threat group, which leaked a small set of images as proof of the intrusion. | Ransom | BleepingComputer |
| 10.5.26 | Why ransomware attacks succeed even when backups exist | Backups don't fail because they're missing, they fail because attackers destroy them first. Acronis explains how ransomware targets backup systems before encryption, leaving no path to recovery | Ransom | BleepingComputer |
| 6.5.26 | MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack | The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "false flag" operation. | Ransom | The Hacker News |
| 3.5.26 | Critrical cPanel flaw mass-exploited in "Sorry" ransomware attacks | A new disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks. | Ransom | BleepingComputer |
| 3.5.26 | US ransomware negotiators get 4 years in prison over BlackCat attacks | Two former employees of cybersecurity incident response companies Sygnia and DigitalMint were sentenced to four years in prison each for targeting U.S. companies in BlackCat (ALPHV) ransomware attacks. | Ransom | BleepingComputer |
| 2.5.26 | Broken VECT 2.0 ransomware acts as a data wiper for large files | Researchers are warning that the VECT 2.0 ransomware has a problem in the way it handles encryption nonces that leads to permanently destroying larger files rather than encrypt them. | Ransom | BleepingComputer |
| 1.5.26 | Two Cybersecurity Professionals Get 4-Year Sentences in BlackCat Ransomware Attacks | The U.S. Department of Justice (DoJ) on Thursday announced the sentencing of two cybersecurity professionals to four years each in prison for their role in | Ransom | The Hacker News |
| 28.4.26 | VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi | Threat hunters are warning that the cybercriminal operation known as VECT 2.0 acts more like a wiper than a ransomware due to a critical flaw in its | Ransom | The Hacker News |
| 26.4.26 | Trigona ransomware attacks use custom exfiltration tool to steal data | Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently. | Ransom | BleepingComputer |
| 26.4.26 | Kyber ransomware gang toys with post-quantum encryption on Windows | A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption. | Ransom | |
| 25.4.26 | Former ransomware negotiator pleads guilty to BlackCat attacks | 41-year-old Angelo Martino, a former employee of cybersecurity incident response company DigitalMint, has pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023. | Ransom | |
| 23.4.26 | The Gentlemen ransomware now uses SystemBC for bot-powered attacks | A SystemBC proxy malware botnet of more than 1,570 hosts, believed to be corporate victims, has been discovered following an investigation into a Gentlemen ransomware attack carried out by a gang affiliate. | Ransom | |
| 22.4.26 | SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation | Threat actors associated with The Gentlemen ransomware‑as‑a‑service (RaaS) operation have been observed attempting to deploy a known proxy | Ransom | The Hacker News |
| 22.4.26 | Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 | A third individual who was employed as a ransomware negotiator has pleaded guilty to conducting ransomware attacks against U.S. companies in 2023. | Ransom | The Hacker News |
| 19.4.26 | NAKIVO v11.2: Ransomware Defense, Faster Replication, vSphere 9, and Proxmox VE 9.0 Support | NAKIVO Inc. announced the general availability of NAKIVO Backup & Replication v11.2, focused on fast, reliable, and proactive data protection. | Ransom | |
| 19.4.26 | Payouts King ransomware uses QEMU VMs to bypass endpoint security | The Payouts King ransomware is using the QEMU emulator as a reverse SSH backdoor to run hidden virtual machines on compromised systems and bypass endpoint security. | Ransom | |
| 12.4.26 | Healthcare IT solutions provider ChipSoft hit by ransomware attack | Dutch healthcare software vendor ChipSoft has been impacted by a ransomware attack that forced the company to take offline its website and digital services for patients and healthcare providers. | Ransom | |
| 11.4.26 | Microsoft links Medusa ransomware affiliate to zero-day attacks | Microsoft says that Storm-1175, a China-based financially motivated cybercriminal group known for deploying Medusa ransomware payloads, has been deploying n-day and zero-day exploits in high-velocity attacks. | Ransom | |
| 8.4.26 | Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools | Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver ( BYOVD ) technique | Ransom | The Hacker News |
| 6.4.26 | Die Linke German political party confirms data stolen by Qilin ransomware | The Qilin ransomware group has claimed responsibility for an attack against Die Linke ('The Left'), forcing an IT systems outage at the political party, and threatening sensitive data leak. | Ransom | |
| 6.4.26 | Evolution of Ransomware: Multi-Extortion Ransomware Attacks | Multi-extortion ransomware relies on stolen data to pressure victims with public leaks. Penta Security explains how its D.AMO platform keeps exfiltrated files encrypted and useless to attackers. | Ransom | |
| 5.4.26 | Google Drive ransomware detection now on by default for paying users | Google announced that the AI-powered Google Drive ransomware detection feature has reached general availability and is now enabled by default for all paying users. | Ransom | BleepingComputer |
| 28.3.26 | Yanluowang ransomware access broker gets 81 months in prison | A Russian national was sentenced to nearly 7 years in prison after pleading guilty to acting as an initial access broker (IAB) for Yanluowang ransomware attacks. | Ransom | |
| 27.3.26 | Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware | A pro-Ukrainian group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since it first surfaced in the threat | Ransom | The Hacker News |
| 24.3.26 | U.S. Sentences Russian Hacker to 6.75 Years for Role in $9M Ransomware Damage | A 26-year-old Russian citizen has been sentenced in the U.S. to 6.75 years (81 months) in prison for his role in assisting major cybercrime groups, including the Yanluowang ransomware crew, in conducting numerous attacks against | Ransom | The Hacker News |
| 21.3.26 | Ransomware gang exploits Cisco flaw in zero-day attacks since January | The Interlock ransomware gang has been exploiting a maximum severity remote code execution (RCE) vulnerability in Cisco's Secure Firewall Management Center (FMC) software in zero-day attacks since late January. | Ransom | BleepingComputer |
| 21.3.26 | Marquis: Ransomware gang stole data of 672K people in cyberattack | Marquis, a Texas-based financial services provider, revealed this week that a ransomware gang stole the data of over 670,000 individuals in an August 2025 cyberattack that also disrupted operations at 74 banks across the United States. | Ransom | |
| 20.3.26 | LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks | The LeakNet ransomware gang is now using the ClickFix technique for initial access into corporate environments and deploys a malware loader based on the open-source Deno runtime for JavaScript and TypeScript. | Ransom | BleepingComputer |
| 18.3.26 | Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access | Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that's exploiting a recently disclosed critical security flaw in Cisco | Ransom | The Hacker News |
| 18.3.26 | LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader | The ransomware operation known as LeakNet has adopted the ClickFix social engineering tactic delivered through compromised websites as an initial | Ransom | The Hacker News |
| 15.3.26 | US charges another ransomware negotiator linked to BlackCat attacks | The U.S. Department of Justice charged another former DigitalMint employee for his involvement in an insider scheme in which ransomware negotiators secretly partnered with the BlackCat (ALPHV) ransomware operation. | Ransom | BleepingComputer |
| 8.3.26 | Termite ransomware breaches linked to ClickFix CastleRAT attacks | Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor. | Ransom | |
| 7.3.26 | Phobos ransomware admin pleads guilty to wire fraud conspiracy | A Russian national pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation, which breached hundreds of victims worldwide. | Ransom | |
| 7.3.26 | Mississippi medical center reopens clinics hit by ransomware attack | The University of Mississippi Medical Center (UMMC) says it has resumed normal operations, nine days after a ransomware attack blocked access to electronic medical records and took down many of its IT systems. | Ransom | |
| 1.3.26 | Ransomware payment rate drops to record low as attacks surge | The number of ransomware victims paying threat actors has dropped to 28% last year, an all-time low, despite a significant increase in the number of claimed attacks. | Ransom | |
| 1.3.26 | Marquis sues SonicWall over backup breach that led to ransomware attack | Marquis Software Solutions has filed a lawsuit against SonicWall, accusing the cybersecurity company of gross negligence and misrepresentation that allegedly led to a ransomware attack disrupting operations at 74 U.S. banks. | Ransom | |
| 24.2.26 | Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks | The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed | Ransom | The Hacker News |
| 22.2.26 | Japanese tech giant Advantest hit by ransomware attack | Advantest Corporation disclosed that its corporate network has been targeted in a ransomware attack that may have affected customer or employee data. | Ransom | |
| 22.2.26 | CISA: BeyondTrust RCE flaw now exploited in ransomware attacks | Hackers are actively exploiting the CVE-2026-1731 vulnerability in the BeyondTrust Remote Support product, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns. | Ransom | |
| 22.2.26 | Mississippi medical center closes all clinics after ransomware attack | The University of Mississippi Medical Center (UMMC) closed all its clinic locations statewide on Thursday following a ransomware attack. | Ransom | |
| 21.2.26 | Poland arrests suspect linked to Phobos ransomware operation | Polish police have detained a 47-year-old man suspected of ties to the Phobos ransomware group and seized computers and mobile phones containing stolen credentials, credit card numbers, and server access data. | Ransom | |
| 21.2.26 | Washington Hotel in Japan discloses ransomware infection incident | The Washington Hotel brand in Japan has announced that that its servers were compromised in a ransomware attack, exposing various business data. | Ransom | BleepingComputer |
| 14.2.26 | Crazy ransomware gang abuses employee monitoring tool in attacks | A member of the Crazy ransomware gang is abusing legitimate employee monitoring software and the SimpleHelp remote support tool to maintain persistence in corporate networks, evade detection, and prepare for ransomware deployment. | Ransom | |
| 11.2.26 | Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools | Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own | Ransom | The Hacker News |
| 10.2.26 | Reynolds: Defense Evasion Capability Embedded in Ransomware Payload | BYOVD component included in ransomware payload itself, rather than as a separate tool. | Ransom | SECURITY.COM |
| 10.2.26 | Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools | Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own | Ransom | The Hacker News |
| 10.2.26 | Warlock Ransomware Breaches SmarterTools Through Unpatched SmarterMail Server | SmarterTools confirmed last week that the Warlock (aka Storm-2603) ransomware gang breached its network by exploiting an unpatched | Ransom | The Hacker News |
| 8.2.26 | Payments platform BridgePay confirms ransomware attack behind outage | A major U.S. payment gateway and solutions provider says a ransomware attack has knocked key systems offline, triggering a widespread outage affecting multiple services. The incident began on Friday and quickly escalated into a nationwide disruption across BridgePay's platform. | Ransom | |
| 8.2.26 | Ransomware gang uses ISPsystem VMs for stealthy payload delivery | Ransomware operators are hosting and delivering malicious payloads at scale by abusing virtual machines (VMs) provisioned by ISPsystem, a legitimate virtual infrastructure management provider | Ransom | |
| 3.2.26 | Marquis blames ransomware breach on SonicWall cloud backup hack | Marquis Software Solutions, a Texas-based financial services provider, is blaming a ransomware attack that impacted its systems and affected dozens of U.S. banks and credit unions in August 2025 on a security breach reported by SonicWall a month later. | Ransom | |
| 3.2.26 | Initial access hackers switch to Tsundere Bot for ransomware attacks | A prolific initial access broker tracked as TA584 has been observed using the Tsundere Bot alongside XWorm remote access trojan to gain network access that could lead to ransomware attacks. | Ransom | |
| 3.2.26 | FBI seizes RAMP cybercrime forum used by ransomware gangs | The FBI has seized the notorious RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums that openly allowed the promotion of ransomware operations. | Ransom | |
| 25.1.26 | INC ransomware opsec fail allowed data recovery for 12 US orgs | An operational security failure allowed researchers to recover data that the INC ransomware gang stole from a dozen U.S. organizations. | Ransom | |
| 25.1.26 | Ingram Micro says ransomware attack affected 42,000 people | Information technology giant Ingram Micro has revealed that a ransomware attack on its systems in July 2025 led to a data breach affecting over 42,000 individuals. | Ransom | |
| 23.1.26 | New Osiris Ransomware Emerges as New Strain Using POORTRY Driver in BYOVD Attack | Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in | Ransom | The Hacker News |
| 18.1.26 | Black Basta boss makes it onto Interpol's 'Red Notice' list | The identity of the Black Basta ransomware gang leader has been confirmed by law enforcement in Ukraine and Germany, and the individual has been added to the wanted list of Europol and Interpol. | Ransom | |
| 18.1.26 | South Korean giant Kyowon confirms data theft in ransomware attack | The Kyowon Group (Kyowon), a South Korean conglomerate, disclosed that a cyberattack has disrupted its operations and customer information may have been exposed in the incident. | Ransom | |
| 18.1.26 | Black Basta Ransomware Leader Added to EU Most Wanted and INTERPOL Red Notice | Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service | Ransom | The Hacker News |
| 17.1.26 | University of Hawaii Cancer Center hit by ransomware attack | University of Hawaii says a ransomware gang breached its Cancer Center in August 2025, stealing data of study participants, including documents from the 1990s containing Social Security numbers. | Ransom | |
| 3.1.26 | US cybersecurity experts plead guilty to BlackCat ransomware attacks | Two former employees of cybersecurity incident response companies Sygnia and DigitalMint have pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023 | Ransom | |
| 3.1.26 | Romanian energy provider hit by Gentlemen ransomware attack | A ransomware attack hit Oltenia Energy Complex (Complexul Energetic Oltenia), Romania's largest coal-based energy producer, on the second day of Christmas, taking down its IT infrastructure. | Ransom |