Cyber Threat Intelligence · Ransomware · 24·7·365

The ransomware groups targeting Europe.

A cyber attack is not something. It is someone. Our European SOC, operating from Milan since 2017, tracks 287 adversary groups and offensive tools: these are the profiles of the most active ransomware groups, with aliases, access techniques, exploited CVEs and extortion model. When we respond, we already know who they are and how they operate.

27 Groups profiled
287 Adversaries and tools tracked
24·7 European SOC
Sources · intelligence
Field-observed TTPs
Leak-site monitoring
C2 infrastructure
MITRE ATT&CK
SOC standards
ISO 27001
STIX/TAXII
ISO 9001
Why a profile per group

Not «sophisticated attackers». A name, a technique.

The difference between detecting and suffering is knowing the adversary before they act. Each profile gathers what triage needs: lineage and rebrands, initial-access techniques, the CVEs actually exploited, and the extortion model. These groups' TTPs are built into the SOC detection rules.

Threat intelligence · tracked groups

Twenty-seven ransomware groups, one profile each.

Profiles built on field-observed techniques and leak-infrastructure monitoring. Where public data is still thin, the card says so: we do not invent numbers.

RaaS · 2025 relaunch

LockBit 5.0

Relaunch of LockBit (September 2025) after Operation Cronos. Cross-platform encryptor (Windows, Linux, ESXi, Proxmox), AES-256-CTR with RSA-2048, advanced evasion (process hollowing, ETW patching, log clearing). Double extortion.

RaaS · Conti lineage

Akira

Active since 2023, among the top earners in 2025. Access via VPNs without MFA and unpatched firewalls: CVE-2024-40766 (SonicWall), CVE-2023-20269 (Cisco ASA), CVE-2024-37085 (VMware ESXi), CVE-2024-40711 (Veeam). Double extortion.

RaaS · high volume

Qilin

Formerly Agenda (2022), over a thousand leak-site victims by late 2025, manufacturing first. Access via phishing and exposed applications, Cobalt Strike, Rclone for exfiltration. Exfiltrate, then encrypt.

RaaS · cartel

DragonForce

Since 2023, declared a «cartel» in March 2025 and absorbed RansomHub affiliates after its April 2025 collapse. Exploits the Ivanti chain (CVE-2024-21887, CVE-2024-21893) and Log4Shell (CVE-2021-44228). White-label model, hybrid extortion.

RaaS · since 2023

INC Ransom

Source code handed over (July 2024) to the operators of Lynx, seen as its successor. IT-staff impersonation, abuse of legitimate tools. Double extortion with leak site.

Extortion · rebrand

World Leaks

January 2025 rebrand of Hunters International: drops encryption for data theft only (Extortion as a Service). Custom exfiltration tooling handed to affiliates.

Extortion · ex-LockBit

Bashe (APT73)

Emerged in 2024 as APT73 (then Eraleig, then Bashe). Leak site imitating LockBit's layout. Likely originated from a former LockBit affiliate after the 2024 disruption.

RaaS · 2025

TheGentlemen

Since 2025, heavy Fortinet exploitation (CVE-2024-55591). Living off the land (AnyDesk, PsExec, PowerShell), propagation via Group Policy, custom evasion. Double extortion.

Closed group · 2025

DeadLock

Since 2025, BYOVD to disable EDR (CVE-2024-51324, Baidu driver), proxy rotation via Polygon smart contracts, communications over Session. Around 57% of victims in the Europe and Russia region.

RaaS · hacktivism

Stormous

Active since 2022, pro-Russian, part of the «Five Families» and linked to Dragon RaaS. Spear-phishing, exploitation of exposed VPN and RDP, brute-force. Politically motivated double extortion.

Closed group · 2024

SafePay

Since September 2024, not a RaaS. Access via valid credentials and edge devices (VPN, firewall, RD Gateway), ChaCha20 encryption, full chain sometimes under 24 hours. Target: SMBs and MSPs.

Extortion · 2025

NightSpire

Since March 2025 (successor to Rbfs), exploits Fortinet CVE-2024-55591, targets SMEs with two-day deadlines. Exfiltration via Rclone and MEGA, then AES-256 with RSA-2048 encryption.

Double extortion · 2024

Space Bears

Since 2024, tied to Phobos infrastructure. Leak site with a «corporate» aesthetic. Hits SMB manufacturing, technology and healthcare across the US and Europe.

RaaS · RALord rebrand

Nova

April 2025 rebrand of RALord. Rust encryptor, negotiation via qTox. Claims to spare schools and non-profits. Double extortion.

Extortion · leak site

Titan

Extortion brand with 2026 claims, tracked by aggregators. Publishes data samples (payroll, documents). Public technical detail still limited.

Double extortion · 2026

M3rx

Emerged in 2026, Go encryptor (X25519 key exchange, AES-CTR and AES-GCM), self-deletion via PowerShell. Early victims concentrated in IT and MSPs, contact via Tox.

RaaS · since 2019

MedusaLocker

Affiliate-deployed since 2019 (not to be confused with the 2021 «Medusa»). Access via RDP brute-force and stolen credentials, propagation over RDP, PsExec, SMB. Double extortion.

Extortion · since 2020

Everest

Since 2020, shifting from encryption to data theft only and to access brokering. Over 120 victims in healthcare, with dedicated warnings in the US.

Closed group · 2025

PayoutsKing

Since July 2025, proprietary encryptor (AES-256 with RSA) and strong anti-analysis (API and string hashing, direct syscalls). Phishing as initial access, around 100 claimed victims.

Extortion · 2025

Coinbase Cartel

Since September 2025 (no link to the Coinbase exchange), data theft only. Access from infostealer-harvested credentials, staged leaks and auctions. Over 160 claimed victims.

RaaS · 2024

Anubis

Since December 2024, pairs double extortion with a destructive «wipe» mode (a rare encryptor plus wiper). Spear-phishing, flexible affiliate splits (80/20, 60/40, 50/50).

Extortion · 2025

NetRunner

Since 2025, hits healthcare, telecom and manufacturing (Japan, Italy, US, Jordan). A 100 million ransom was demanded from a Japanese hospital. RaaS or closed structure unconfirmed.

IAB and extortion · 2026

ALP-001

Formerly «Alpha/DGJT», leak site active since 2026. Monetises access to exposed perimeter devices (Fortinet, Cisco, Citrix, Palo Alto). Many claims unverifiable.

RaaS · 2025

Tengu

Since October 2025 (later rebranded «Shisa» in 2026). Abuse of valid accounts over RDP and VPN without MFA, intermittent encryption for speed. Leak site with countdown, around 50 victims.

Double extortion · 2026

Payload

Since 2026, Babuk-derived code, cross-platform Windows and ESXi. 12 victims claimed at launch across seven countries. Public detail still limited.

Extortion · 2026

Lamashtu

New actor emerged in 2026, small leak site (energy, pharmaceutical) across France, Romania and Thailand. Nature as an encrypting ransomware not yet confirmed.

RaaS · 2026

Vect

Recruiting since late 2025, C++ multi-OS malware (Windows, Linux, ESXi). Known critical flaw: files over 128 KB are destroyed rather than encrypted. Links to BreachForums and TeamPCP.

Notable lineage and rebrands: World Leaks is the rebrand of Hunters International, INC Ransom is seen as the origin of Lynx, Nova is the rebrand of RALord, Tengu became «Shisa», DragonForce absorbed RansomHub's affiliates.

FAQ · ransomware groups

The questions that precede triage.

Which ransomware groups are most active today?

Among the most active against Europe: LockBit 5.0, Akira, Qilin, DragonForce, INC Ransom, SafePay, Anubis, Medusa and the many groups that emerged in 2025 and 2026 (TheGentlemen, NightSpire, PayoutsKing, Coinbase Cartel, Tengu, Vect). Their TTPs are built into the SOC detection rules.

What do double and triple extortion mean?

Double extortion: data is first exfiltrated and then encrypted, so restoring from backup is not enough to avoid publication. Triple extortion: a third lever is added (DDoS, direct contact with customers or staff, notification to the regulator). Several recent groups drop encryption entirely.

How does Fortgale track these groups?

By combining field-observed TTPs from incidents, monitoring of leak sites and C2 infrastructure, and threat intelligence feeds. When we respond to an incident, we already know who the attacker is and how they operate; we do not improvise.

Knowing the adversary is the first act of defence. Stopping it in time is the second. Know · Anticipate · Stop.

Threat briefing on your sector

Do you know which of these groups are watching your sector?

A Fortgale threat briefing focuses on the ransomware groups active against your industry and your exposures: exposed access, unpatched CVEs, credentials already for sale. Talk to our analysts.

Response time: < 1 business day.