Ransomware Gang
What is Ransomware Gang?
A financially motivated cybercriminal group that develops, operates, or distributes ransomware to extort organisations through file encryption and data leak threats.
Modern ransomware gangs operate as structured criminal enterprises. A core team builds the encryptor, runs the data-leak site, negotiates ransoms, manages cryptocurrency cash-out, and recruits affiliates under a ransomware-as-a-service (RaaS) model. Affiliates obtain initial access (often by buying it from initial access brokers, by phishing, or by exploiting internet-facing VPN and Citrix appliances), perform reconnaissance, escalate privileges, exfiltrate data, and only then deploy the ransomware, so the leak threat survives even if the victim restores from backup. Many gangs use double extortion (encryption plus a leak threat) and increasingly triple extortion (adding DDoS or direct harassment of the victim's customers and partners). Known brands include LockBit, Conti, REvil, BlackCat/ALPHV, Cl0p, Royal/BlackSuit, Akira, Play, Hive, and 8Base. They are heavily targeted by law-enforcement disruptions, sanctions, and infrastructure takedowns.
● Examples
- 01
LockBit operated 2019-2024 with thousands of victims before a global takedown disrupted its infrastructure in February 2024.
- 02
Cl0p exploited the 2023 MOVEit Transfer zero-day to extort hundreds of organisations worldwide.
● Frequently asked questions
What is Ransomware Gang?
A financially motivated cybercriminal group that develops, operates, or distributes ransomware to extort organisations through file encryption and data leak threats. It belongs to the Defense & Operations category of cybersecurity.
What does Ransomware Gang mean?
A financially motivated cybercriminal group that develops, operates, or distributes ransomware to extort organisations through file encryption and data leak threats.
How does Ransomware Gang work?
Modern ransomware gangs operate as structured criminal enterprises. A core team builds the encryptor, runs the data-leak site, negotiates ransoms, manages cryptocurrency cash-out, and recruits affiliates under a ransomware-as-a-service (RaaS) model. Affiliates obtain initial access (often by buying it from initial access brokers, by phishing, or by exploiting internet-facing VPN and Citrix appliances), perform reconnaissance, escalate privileges, exfiltrate data, and only then deploy the ransomware, so the leak threat survives even if the victim restores from backup. Many gangs use double extortion (encryption plus a leak threat) and increasingly triple extortion (adding DDoS or direct harassment of the victim's customers and partners). Known brands include LockBit, Conti, REvil, BlackCat/ALPHV, Cl0p, Royal/BlackSuit, Akira, Play, Hive, and 8Base. They are heavily targeted by law-enforcement disruptions, sanctions, and infrastructure takedowns.
How do you defend against Ransomware Gang?
Defences combine technical controls with operational practice aimed at each stage of the affiliate playbook: enforce phishing-resistant MFA on VPN, Citrix and every other remote-access path, and patch internet-facing appliances promptly to shut the common initial-access routes; run EDR with tamper protection and tier administrative accounts to slow privilege escalation; segment the network and restrict RDP/SMB to limit lateral movement; monitor for exfiltration signals (large outbound transfers to unfamiliar destinations, file-sync and archiving tools on servers) and for encryption precursors such as shadow-copy deletion and mass file renames; keep offline or immutable backups and rehearse restores; and maintain a tested incident-response plan that covers the leak threat, since backups alone do not neutralise stolen data.
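The exfiltrate-then-encrypt sequence in the definition above leaves two distinct telemetry signals, which is what makes it detectable before the ransom note appears. The following Python script is an added example (not code from this page or from any vendor): it runs over constructed sample events and flags hosts where a large outbound transfer to a single destination is followed by a burst of renames to one new file extension. The event schema, hostnames, IP addresses, extension and thresholds are all assumptions for the demo.

```python
"""Added example: score hosts for the double-extortion pattern, bulk
exfiltration followed by an encryption-like rename burst. The event
schema (ts/host/kind/data) and the thresholds are assumptions for this
demo, not any product's telemetry format."""
from collections import Counter, deque
from datetime import datetime, timedelta

EXFIL_BYTES = 5 * 1024**3             # >= 5 GiB to one external destination
RENAME_BURST = 50                     # >= 50 renames to the same new extension
RENAME_WINDOW = timedelta(minutes=5)  # ... inside a 5-minute sliding window


def _constructed_events():
    """Constructed sample telemetry for three hosts (not real logs)."""
    base = datetime(2024, 3, 1, 1, 0, 0)
    ev = []
    # fs01: 40 GiB pushed to one external IP, then 60 renames to .locked in ~2 min
    for i in range(4):
        ev.append({"ts": (base + timedelta(minutes=10 * i)).isoformat(), "host": "fs01",
                   "kind": "net_out", "data": {"dst": "203.0.113.10", "bytes": 10 * 1024**3}})
    enc = base + timedelta(hours=2)
    for i in range(60):
        ev.append({"ts": (enc + timedelta(seconds=2 * i)).isoformat(), "host": "fs01",
                   "kind": "rename", "data": {"old": f"/share/doc{i}.docx",
                                              "new": f"/share/doc{i}.docx.locked"}})
    # db02: the same rename burst but no prior exfiltration (encryption-only)
    for i in range(60):
        ev.append({"ts": (enc + timedelta(seconds=2 * i)).isoformat(), "host": "db02",
                   "kind": "rename", "data": {"old": f"/db/t{i}.ibd",
                                              "new": f"/db/t{i}.ibd.locked"}})
    # ws07: benign, ten .bak renames spread over an hour and a 50 MiB upload
    for i in range(10):
        ev.append({"ts": (base + timedelta(minutes=6 * i)).isoformat(), "host": "ws07",
                   "kind": "rename", "data": {"old": f"/home/u/f{i}.txt",
                                              "new": f"/home/u/f{i}.txt.bak"}})
    ev.append({"ts": base.isoformat(), "host": "ws07", "kind": "net_out",
               "data": {"dst": "198.51.100.5", "bytes": 50 * 1024**2}})
    return ev


SAMPLE_EVENTS = _constructed_events()


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def exfil_events(events):
    """Sum outbound bytes per (host, destination) and return the first-seen
    time for every pair that crosses EXFIL_BYTES."""
    totals, first_seen = Counter(), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "net_out":
            continue
        key = (e["host"], e["data"]["dst"])
        totals[key] += e["data"]["bytes"]
        first_seen.setdefault(key, _ts(e))
    return {k: first_seen[k] for k, total in totals.items() if total >= EXFIL_BYTES}


def rename_bursts(events):
    """Sliding window over rename events: flag (host, new extension) once
    RENAME_BURST renames land inside RENAME_WINDOW; value is the burst start."""
    hits, windows = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "rename":
            continue
        ext = e["data"]["new"].rsplit(".", 1)[-1].lower()
        key, now = (e["host"], ext), _ts(e)
        dq = windows.setdefault(key, deque())
        dq.append(now)
        while now - dq[0] > RENAME_WINDOW:  # evict timestamps outside the window
            dq.popleft()
        if len(dq) >= RENAME_BURST and key not in hits:
            hits[key] = dq[0]
    return hits


def double_extortion_hosts(events):
    """Hosts where a large transfer was first seen BEFORE an encryption-like
    burst, i.e. the exfiltrate-then-encrypt order affiliates follow."""
    exfil, bursts = exfil_events(events), rename_bursts(events)
    found = {}
    for (host, ext), burst_start in bursts.items():
        prior = [t for (h, _), t in exfil.items() if h == host and t < burst_start]
        if prior:
            found[host] = {"exfil_at": min(prior), "encrypt_at": burst_start, "ext": ext}
    return found


if __name__ == "__main__":
    hits = double_extortion_hosts(SAMPLE_EVENTS)
    for host, info in hits.items():
        print(f"{host}: exfil {info['exfil_at']} -> encrypt {info['encrypt_at']} (.{info['ext']})")
    print("encryption-only bursts:",
          sorted(k for k in rename_bursts(SAMPLE_EVENTS) if k[0] not in hits))
```

On the constructed data only fs01 is reported as double extortion; db02 trips the rename-burst check without any prior transfer, which is how an encryption-only intrusion (or a gang whose affiliate exfiltrated through a host you do not monitor) would look, so the burst alone should still page someone and the exfiltration correlation should raise severity rather than gate the alert. Real thresholds need tuning per environment, and shadow-copy deletion or backup-agent tampering are further precursors worth correlating in the same way.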
What are other names for Ransomware Gang?
Common alternative names include: Ransomware crew, Ransomware operator.
● Related terms
- malware № 900
Ransomware
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- malware № 902
Ransomware-as-a-Service (RaaS)
A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.
- defense-ops № 536
Initial Access Broker (IAB)
A cybercrime specialist who obtains unauthorised access to corporate networks and sells that access to other criminals, especially ransomware affiliates.
- defense-ops № 624
LockBit
A Russian-speaking ransomware-as-a-service operation that became the most prolific ransomware brand globally between 2022 and 2024 before being heavily disrupted by Operation Cronos.
- defense-ops № 215
Conti Ransomware
A Russian-speaking ransomware operation active 2020-2022 that ran one of the highest-volume double-extortion programmes before disbanding after major internal leaks.
- defense-ops № 099
BlackCat / ALPHV
A Rust-based ransomware-as-a-service operation active from late 2021 to 2024, notable for cross-platform encryptors and aggressive multi-stage extortion.
● See also
- № 1145 Threat Actor
- № 542 Insider Threat
- № 268 Cybercrime-as-a-Service (CaaS)
- № 418 FIN Threat Group
- № 928 REvil / Sodinokibi
- № 271 Dark Web