LockBit 5.0
Relaunch of LockBit (September 2025) after Operation Cronos. Cross-platform encryptor (Windows, Linux, ESXi, Proxmox), AES-256-CTR with RSA-2048, advanced evasion (process hollowing, ETW patching, log clearing). Double extortion.
A cyber attack is not something. It is someone. Our European SOC, operating from Milan since 2017, tracks 287 adversary groups and offensive tools: these are the profiles of the most active ransomware groups, with aliases, access techniques, exploited CVEs and extortion model. When we respond, we already know who they are and how they operate.
The difference between detecting and suffering is knowing the adversary before they act. Each profile gathers what triage needs: lineage and rebrands, initial-access techniques, actually exploited CVEs, extortion model. These groups' TTPs are built into the SOC detection rules.
Profiles built on field-observed techniques and leak-infrastructure monitoring. Where public data is still thin, the card says so: we do not invent numbers.
Active since 2023, among the top earners in 2025. Access via VPNs without MFA and unpatched firewalls: CVE-2024-40766 (SonicWall), CVE-2023-20269 (Cisco ASA), CVE-2024-37085 (VMware ESXi), CVE-2024-40711 (Veeam). Double extortion.
Formerly Agenda (2022), over a thousand leak-site victims by late 2025, manufacturing first. Access via phishing and exposed applications, Cobalt Strike, Rclone for exfiltration. Exfiltrate, then encrypt.
Since 2023, declared a «cartel» in March 2025 and absorbed RansomHub affiliates after its April 2025 collapse. Exploits the Ivanti chain (CVE-2024-21887, CVE-2024-21893) and Log4Shell (CVE-2021-44228). White-label model, hybrid extortion.
Source code handed over (July 2024) to the operators of Lynx, seen as its successor. IT-staff impersonation, abuse of legitimate tools. Double extortion with leak site.
January 2025 rebrand of Hunters International: drops encryption for data theft only (Extortion as a Service). Custom exfiltration tooling handed to affiliates.
Emerged in 2024 as APT73 (then Eraleig, then Bashe). Leak site imitating LockBit's layout. Likely originated from a former LockBit affiliate after the 2024 disruption.
Since 2025, heavy Fortinet exploitation (CVE-2024-55591). Living off the land (AnyDesk, PsExec, PowerShell), propagation via Group Policy, custom evasion. Double extortion.
Since 2025, BYOVD to disable EDR (CVE-2024-51324, Baidu driver), proxy rotation via Polygon smart contracts, communications over Session. Around 57% of victims in the Europe and Russia region.
Active since 2022, pro-Russian, part of the «Five Families» and linked to Dragon RaaS. Spear-phishing, exploitation of exposed VPN and RDP, brute-force. Politically motivated double extortion.
Since September 2024, not a RaaS. Access via valid credentials and edge devices (VPN, firewall, RD Gateway), ChaCha20 encryption, full chain sometimes under 24 hours. Target: SMBs and MSPs.
Since March 2025 (successor to Rbfs), exploits Fortinet CVE-2024-55591, targets SMEs with two-day deadlines. Exfiltration via Rclone and MEGA, then AES-256 with RSA-2048 encryption.
Since 2024, tied to Phobos infrastructure. Leak site with a «corporate» aesthetic. Hits SMB manufacturing, technology and healthcare across the US and Europe.
April 2025 rebrand of RALord. Rust encryptor, negotiation via qTox. Claims to spare schools and non-profits. Double extortion.
Extortion brand with 2026 claims, tracked by aggregators. Publishes data samples (payroll, documents). Public technical detail still limited.
Emerged in 2026, Go encryptor (X25519 key exchange, AES-CTR and AES-GCM), self-deletion via PowerShell. Early victims concentrated in IT and MSPs, contact via Tox.
Affiliate-deployed since 2019 (not to be confused with the 2021 «Medusa»). Access via RDP brute-force and stolen credentials, propagation over RDP, PsExec, SMB. Double extortion.
Since 2020, shifting from encryption to data theft only and to access brokering. Over 120 victims in healthcare, with dedicated warnings in the US.
Since July 2025, proprietary RSA with AES-256 encryptor and strong anti-analysis (API and string hashing, direct syscalls). Phishing as initial access, around 100 claimed victims.
Since September 2025 (no link to the Coinbase exchange), data theft only. Access from infostealer-harvested credentials, staged leaks and auctions. Over 160 claimed victims.
Since December 2024, pairs double extortion with a destructive «wipe» mode (a rare encryptor plus wiper). Spear-phishing, flexible affiliate splits (80/20, 60/40, 50/50).
Since 2025, hits healthcare, telecom and manufacturing (Japan, Italy, US, Jordan). A 100 million ransom demanded from a Japanese hospital. RaaS or closed structure unconfirmed.
Formerly «Alpha/DGJT», leak site active since 2026. Monetises access to exposed perimeter devices (Fortinet, Cisco, Citrix, Palo Alto). Many claims unverifiable.
Since October 2025 (later rebranded «Shisa» in 2026). Abuse of valid accounts over RDP and VPN without MFA, intermittent encryption for speed. Leak site with countdown, around 50 victims.
Since 2026, Babuk-derived code, cross-platform Windows and ESXi. 12 victims claimed at launch across seven countries. Public detail still limited.
New actor emerged in 2026, small leak site (energy, pharmaceutical) across France, Romania and Thailand. Nature as an encrypting ransomware not yet confirmed.
Recruiting since late 2025, C++ multi-OS malware (Windows, Linux, ESXi). Known critical flaw: files over 128 KB are destroyed rather than encrypted. Links to BreachForums and TeamPCP.
Notable lineage and rebrands: World Leaks is the rebrand of Hunters International, INC Ransom is seen as the origin of Lynx, Nova is the rebrand of RALord, Tengu became «Shisa», DragonForce absorbed RansomHub's affiliates.
Knowing the group is the first act. Stopping it in time is the second: response if the attack is under way, protection so it does not happen.
IR hotline 24·7·365: operational response in 30 min, median containment <30 min, support for the 24-hour CSIRT notification required by NIS2.
Activate the Emergency →
The first-minute actions: isolate without powering off, don't pay on impulse, activate incident response, preserve evidence.
Emergency guide →
The SOC intercepts the attacker in the first four stages, within the 21-day dwell time, before they touch data or backups.
Discover protection →
Among the most active against Europe: LockBit 5.0, Akira, Qilin, DragonForce, INC Ransom, SafePay, Anubis, Medusa and the many groups that emerged in 2025 and 2026 (TheGentlemen, NightSpire, PayoutsKing, Coinbase Cartel, Tengu, Vect). Their TTPs are built into the SOC detection rules.
Double extortion: data is first exfiltrated and then encrypted, so restoring from backup is not enough to avoid publication. Triple extortion: a third lever is added (DDoS, direct contact with customers or staff, notification to the regulator). Several recent groups drop encryption entirely.
By combining field-observed TTPs from incidents, monitoring of leak sites and C2 infrastructure, and threat intelligence feeds. When we respond to an incident, we already know who the attacker is and how they operate; we don't improvise.
Knowing the adversary is the first act of defence. Stopping it in time is the second. Know · Anticipate · Stop.
A Fortgale threat briefing focuses on the ransomware groups active against your industry and your exposures: exposed access, unpatched CVEs, credentials already for sale. Talk to our analysts.
No nurturing sequences, no auto-replies. One of our analysts calls you back within one business day.
The full Report (executive summary · operational IoCs · technical runbook) is restricted. Share two details and one of our analysts contacts you with access and a short technical briefing.
Response in 30 minutes, containment in 1–4 hours. Even if you are not a Fortgale customer.