Threat Actors
The ransomware crews and extortion groups behind recent data breaches — who they are, what they target, and every incident we link to them.
LockBit3339 trackedLockBit is one of the most active ransomware-as-a-service brands, known for fast encryption and a large affiliate network.Qilin1995 trackedQilin is a ransomware-as-a-service operation that encrypts victims and steals data for double-extortion, frequently hitting healthcare and manufacturing.Akira1543 trackedAkira is a ransomware group that targets mid-market companies, exfiltrating data before encryption and pressuring victims on a leak site.Play1275 trackedPlay is a ransomware group known for double-extortion attacks against businesses and public-sector organizations.clop1254 trackedclop is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.INC Ransom871 trackedINC Ransom is a ransomware operation using double-extortion against a range of industries including healthcare and government.ransomhub841 trackedransomhub is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.alphv731 trackedalphv is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.DragonForce594 trackedDragonForce is a ransomware group that runs a leak site and targets enterprises for data theft and extortion.The Gentlemen593 trackedThe Gentlemen is a ransomware/extortion group that lists victims on its leak site and threatens to publish stolen data.bianlian534 trackedbianlian is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.blackbasta523 trackedblackbasta is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.SafePay518 trackedSafePay is a ransomware group using double-extortion against small and mid-sized organizations.medusa517 trackedmedusa is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.8base455 tracked8base is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.lynx413 trackedlynx is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.everest364 trackedeverest is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.conti351 trackedconti is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.dispossessor344 trackeddispossessor is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.lockbit5311 trackedlockbit5 is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.pysa309 trackedpysa is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.hunters306 trackedhunters is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.nightspire296 trackednightspire is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.killsec281 trackedkillsec is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.sinobi274 trackedsinobi is a ransomware / data-extortion group tracked on public leak-site monitors. The breaches below are victims it has publicly claimed.Attributions to threat groups and methods reflect public reporting and, in some cases, unverified claims made by the groups themselves; they may be incomplete or later revised. Recent Breaches and GalaxyWarden are independent and are not affiliated with, and do not endorse, any company or group named on this page. This information is aggregated from public sources for awareness only and is not legal, security, or investment advice.