The top 15 most infamous ransomware groups (2025 update)


The top 15 most infamous ransomware groups (2025)

Summary: Discover the most notorious ransomware groups. Learn about their operations and tactics, top targets, and proven defenses against ransomware threats.

Ransomware groups are responsible for some of the biggest cyber incidents in recent history. These cybercriminal groups target organizations of all sizes, from small companies to global corporations, to extort large amounts of money. This article explores the rise of ransomware organizations and their methods, provides a list of ransomware groups that are relevant today, and gives advice on how to protect your organization from falling victim to cyber extortion.

The rise of ransomware groups in recent years

Ransomware attacks are evolving at an alarming pace. What used to be isolated, small-scale incidents have now grown into highly organized, professional operations.

One major factor driving this surge is the way ransomware groups operate. Many active groups operate like businesses by offering ransomware-as-a-service (RaaS) to other criminal organizations.

These cybercriminals, who operate as ransomware-as-a-service groups, "rent" ransomware tools to other threat actors. Easy access to ransomware tools allows anyone, even individuals or groups with limited technical skills, to launch sophisticated attacks without needing to create malware themselves.

The numbers paint a clear picture. The Q1 2025 Global Cyber Attack Report by Check Point Software revealed that ransomware attacks jumped 126% compared to the same period in 2024, with 2,289 incidents reported worldwide. North America bore the brunt of these attacks, accounting for 62%, while Europe came in next at 21%.

Ransomware groups target industries that they know are most vulnerable. The report revealed that the consumer goods and services sector took the hardest hit, making up 13.2% of attacks globally, followed by business services (9.8%) and industrial manufacturing (9.1%).

There is a promising trend, though. Fewer victims are agreeing to pay the ransom. According to ransomware remediation firm Coveware, only 29% of victims paid the ransom in Q4 2023, compared to 46% in 2021 and 85% in 2019. This data shows that organizations are beginning to resist cyber extortion.

Still, refusing to pay doesn’t mean the problem goes away. Ransomware groups are launching more attacks than ever, and the financial damage keeps growing. Cybersecurity Ventures predicts that ransomware will cost victims around $275 billion annually by 2031.

So, while fewer victims are paying ransoms, ransomware attacks are growing more frequent and more sophisticated. This threat is not going away, and businesses of all sizes remain a target. To stay safe, organizations need to take action now.

Tactics and techniques used by top ransomware groups

The biggest ransomware groups are highly organized and use advanced tactics to breach networks, encrypt critical files, and extort money from businesses. Understanding how these threat actors operate is one of the most effective ways to defend against them. By recognizing their methods, organizations can strengthen defenses, address vulnerabilities, and respond more effectively to potential threats. Below are some of the key tactics and techniques these ransomware groups use to maximize their impact and profits:

  • Phishing emails. Phishing remains one of the most common ransomware attack vectors. Ransomware groups often send fake emails designed to trick employees into opening malicious attachments or clicking on harmful links.
  • Exploitation of unpatched systems. Ransomware groups regularly target vulnerabilities in outdated security software or unpatched operating systems. This method allows attackers to gain initial access to networks and deploy ransomware with minimal effort.
  • Data exfiltration. Ransomware attacks now go beyond simple file encryption. Threat actors steal sensitive data from ransomware victims and threaten to publicly release it unless their demands are met. This tactic amplifies the pressure on organizations because data breaches often lead to legal consequences, as well as financial and reputational damage.
  • Double and triple extortion. Some of the most aggressive and prolific ransomware groups, such as LockBit and Cl0p, use double or triple extortion techniques. Multi-extortion tactics involve encrypting files, stealing sensitive victim data, and threatening financial penalties or public exposure.

Top 15 ransomware groups to know about in 2025

The following list highlights some of the most notorious ransomware groups you might hear or read about in 2025 and the upcoming years. While not all of them are still active, their operations and tactics continue to shape the ransomware threat landscape and how new ransomware groups operate.

1. LockBit

LockBit is one of the most aggressive ransomware groups in the world. This organization is responsible for more attacks than any other ransomware group, with over 1,700 attacks in the US since 2020, and has collected an estimated $91 million in ransom payments.

In 2023, it crippled Royal Mail, demanding an $80 million ransom. Later that year, it hit Taiwan Semiconductor Manufacturing Company (TSMC) with a $70 million ransom demand.

Although LockBit's website was taken over by law enforcement authorities in early 2024, the group managed to rebuild and resume operations after the takedown. LockBit remains a serious global threat in 2025.

2. BlackCat/ALPHV

BlackCat, also known as ALPHV, is one of the most advanced and dangerous ransomware groups operating today. It doesn’t just encrypt data — it steals it first, which puts extra pressure on victims to meet the group’s demands.

The group’s latest ransomware strain, “Sphynx,” includes advanced features designed to evade detection and bypass security measures. BlackCat constantly evolves and targets high-value sectors, which makes it a serious and ongoing global threat that organizations cannot afford to ignore.

3. Cl0p

Cl0p, also written as Clop, is a highly sophisticated ransomware group that has been active since 2019. It primarily targets large organizations with revenues exceeding $5 million, including critical industries like healthcare and public health. Known for its double extortion tactics, Cl0p encrypts data and exfiltrates sensitive files, then threatens to release them on its dark web leak site if victims refuse to pay.

Although Ukrainian authorities arrested six suspected members of the Cl0p ransomware gang in 2021, the group remains one of the most active ransomware operations and is still dangerous. It relentlessly steals data and uses advanced tactics, which makes it a constant danger to organizations worldwide.

4. Conti

Conti is one of the most notorious ransomware gangs that operated between 2020 and 2022. Known for its aggressive double extortion tactics, the group reportedly extorted $180 million at its peak in 2021, making it one of the most profitable ransomware operations in history.

In 2022, Conti faced global backlash after publicly supporting Russia’s invasion of Ukraine. This controversial stance led many victims to refuse ransom payments. Shortly after, an insider leaked tens of thousands of internal chats and source code, exposing the group’s internal operations.

While Conti officially shut down in 2022, cybersecurity experts believe its members are still active and operate under different aliases.

5. Royal/BlackSuit

Royal ransomware is a highly dangerous threat that has targeted healthcare organizations, private companies, and local governments since it emerged in 2022. Initially operating under the name Zeon, the Royal ransomware group is known for its personalized ransom demands, which range from $250,000 to over $2 million.

Security experts believe Royal is run by experienced hackers who split from other major ransomware gangs like Conti. The group employs advanced techniques to infiltrate networks and strongly focuses on double extortion tactics.

One of its most high-profile attacks occurred in May 2023, when it crippled the city of Dallas, Texas. This attack resulted in $8.5 million in mitigation costs and required thousands of hours of data recovery work. After June 2023, Royal ransomware evolved into what is now known as BlackSuit ransomware.

By late 2023, the group operating under its new name had extorted over $275 million from more than 350 victims worldwide. As of 2025, the BlackSuit variant continues the legacy of its predecessor.

6. REvil/Sodinokibi

REvil, also known as Sodinokibi, is one of the most infamous ransomware gangs in history. This Russian-linked group quickly gained notoriety for high-profile attacks on critical infrastructure and global corporations.

One of REvil's most notable attacks targeted an Apple supplier. The hackers stole proprietary blueprints for new Apple devices and threatened to release them unless the supplier paid the ransom.

Although Russian authorities claimed to have dismantled the group in early 2022 and arrested several members, many experts believe remnants of REvil continue to operate under different aliases or contribute to other ransomware groups.

7. Hive

Hive ransomware, first found in June 2021, attacked industries like healthcare, finance, telecommunications, and governments. Major victims included CNA Insurance, Memorial Health System, the Bank of Zambia, and Costa Rica's government.

In January 2023, the US Department of Justice, with help from Germany, the Netherlands, and Europol, shut down Hive’s operations. Investigators secretly infiltrated the group for months and blocked $130 million in ransom payments. Authorities seized Hive’s servers in California and Europe.

Despite this takedown, experts believe Hive’s hackers may have joined other ransomware groups or started working on a new ransomware strain. Unfortunately, law enforcement takedowns rarely put an end to these groups; they usually only pause their operations.

8. Ragnar Locker

Ragnar Locker, one of the most active ransomware groups since 2019, was notorious for targeting critical infrastructure, including energy providers, governments, airlines, and hospitals. The group employed double extortion, demanding massive ransom payments for both decryption tools and the non-release of stolen data.

Ragnar Locker used the “Wall of Shame” leak site on the dark web to pressure victims, explicitly threatening to publish stolen data if they contacted police. In 2023, a global law enforcement operation dismantled Ragnar Locker’s infrastructure, and the group stopped operating under that name.

9. DarkSide/BlackMatter

DarkSide, first discovered in August 2020, gained global attention in May 2021 when it launched the Colonial Pipeline attack. This attack forced the shutdown of a 5,500-mile fuel pipeline that supplies 45% of the East Coast’s fuel, causing widespread fuel shortages, a state of emergency, and a ransom payment of over $4 million.

DarkSide used double extortion tactics, encrypting data while also stealing sensitive information to pressure victims. Following increased law enforcement pressure after the Colonial Pipeline attack, DarkSide briefly disappeared, and its members later resurfaced under the name BlackMatter.

Even though DarkSide/BlackMatter itself may no longer operate, its methods, tools, and tactics, such as double extortion, inspired other ransomware groups. It remains a key case study in the fight against ransomware.

10. Vice Society

Vice Society is a ransomware group that emerged in 2021. It quickly gained infamy for targeting schools, hospitals, and other vulnerable sectors. The group, believed to be Russian-speaking, targets underfunded organizations that often lack strong cybersecurity defenses.

Vice Society uses double extortion, encrypting data and threatening to leak sensitive files unless victims pay up. Unlike many ransomware gangs, it doesn’t run a RaaS model. Instead, it builds its own custom ransomware and uses powerful hacking tools like Cobalt Strike, Zeppelin, and Hello Kitty/FiveHands to carry out its attacks.

11. Medusa

Medusa is a highly active and dangerous ransomware-as-a-service (RaaS) group that has been operating since late 2021. Known for targeting industries like education, healthcare, legal services, insurance, and manufacturing, Medusa has impacted over 430 victims worldwide as of May 2025.

Medusa, one of the most active ransomware groups, uses aggressive tactics, including large-scale file encryption, data theft, and double extortion. The group encrypts data and threatens to publicly release stolen information if victims refuse to pay the ransom.

Medusa’s attacks have mostly affected organizations in the United States, the United Kingdom, and Canada. This ransomware group remains a significant global threat in 2025.

12. BianLian

BianLian is a rapidly evolving ransomware group that has been active since late 2021. It targets critical industries such as healthcare, manufacturing, and professional services across the United States and Europe.

The group initially used a double-extortion model, encrypting and stealing data. However, in 2023, it shifted tactics and abandoned encryption in favor of data theft and extortion.

BianLian has quickly become one of the top three most active ransomware groups, ranking alongside LockBit and BlackCat/ALPHV. Its leak site displays a growing list of victims, with the healthcare and manufacturing sectors being hit the hardest.

As of 2025, the group continues to expand operations by actively recruiting developers and affiliates to refine its methods, making it an ongoing threat to global cybersecurity.

13. 8Base

8Base is a ransomware group that first appeared in 2022 and significantly increased its activity in 2023. Known for targeting small to medium-sized businesses (SMBs) across industries like finance, manufacturing, IT, and healthcare, the group primarily operates in the United States, Brazil, and the United Kingdom.

8Base uses a combination of data encryption and "name-and-shame" tactics to pressure victims into paying ransoms. Despite its rapid rise in activity and a growing list of victims, 8Base remains relatively mysterious. Cybersecurity researchers have very limited information about this group’s identities or motivations.

14. RansomHouse

RansomHouse is a unique ransomware group that emerged in 2022. It focuses solely on data theft and extortion without encrypting files. Its “extortion-only” approach allows it to steal sensitive data and demand ransom payments in Bitcoin, all while claiming to act as a “force for good” by exposing weak security practices.

This strategy makes this group’s attacks harder to detect because skipping encryption triggers fewer alarms and can lead to longer dwell times inside victim networks.

RansomHouse primarily targets companies with poor security measures and markets itself as a mix of bug bounty hunters and penetration testers. After stealing data, it offers to provide a full report on exploited vulnerabilities and promises to delete the stolen information — if the ransom is paid, of course.

15. NoEscape

NoEscape, a ransomware group that emerged in May 2023, has quickly built a reputation for its aggressive multi-extortion tactics. It primarily targets industries like healthcare, manufacturing, and education, focusing on small and mid-sized businesses in North America and Europe, which often lack the resources to defend against attacks.

The group uses multi-layered extortion. It encrypts data, steals it, and threatens to leak it to maximize pressure on victims. NoEscape operates a TOR-based leak site to display stolen data and victim lists, solidifying its reputation as a fast-moving and ruthless threat.

While it avoids attacking entities in the Commonwealth of Independent States (CIS), its focus on critical industries makes it a significant danger to businesses worldwide.

How to protect your organization from ransomware groups

Ransomware groups target businesses of all sizes — no organization is safe. To defend against these malicious actors, organizations need to act now by employing strategic, proactive cybersecurity measures. Below are key steps your organization can take to reduce the risk of becoming a ransomware victim.

Train employees

Your employees are your first line of defense against ransomware. Threat actors rely on mistakes, using phishing emails and fake links to breach your critical systems.

Teach your team to recognize suspicious emails, unexpected attachments, and untrusted links. Regular training and phishing tests will help them stay alert and protect your organization from known or emerging ransomware groups.

Protect your data with backups and segmentation

Regularly back up critical data and store those backups securely offline, away from your main network. This approach ensures your data stays safe even if an attack happens. Failing to follow this step has left many organizations unable to recover from ransomware attacks and has amplified the impact of some of the biggest data breaches in recent years.

Network segmentation adds another layer of protection by separating sensitive data and systems from the rest of your network. Segmenting your network limits the ransomware’s reach and gives you more time to respond during an attack.
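The backup advice above only holds if you can tell, before a restore, whether the backup set itself was encrypted, deleted or tampered with. The following added example (not NordStellar's code) shows one way to do that: take a SHA-256 manifest when the backup is written, keep the manifest with the offline copy, and verify the files against it later. The backup contents, the simulated tampering and the file names are constructed for the demo.

```python
"""Backup integrity check: find backup files that were modified, encrypted or deleted.

Added example, not NordStellar code. A SHA-256 manifest is recorded when the
backup is written and stored with the offline copy; verifying the backup set
against that manifest before a restore reveals whether anything touched it.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the backup set on disk with a previously saved manifest."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(set(current) - set(manifest)),
    }


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: write a backup set, save its manifest, then simulate
    ransomware reaching the backup share and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("date,amount\n2025-01-01,100\n")
        (backup / "config.yaml").write_text("retention_days: 30\n")
        (backup / "notes.txt").write_text("quarterly plan\n")

        # In practice the manifest lives with the offline copy, not on the backup share.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))

        # Simulated tampering: one file overwritten with ciphertext-like bytes,
        # one deleted, and a ransom note dropped.
        (backup / "finance" / "ledger.csv").write_bytes(bytes([0x8F, 0x1A, 0xC3, 0x07, 0x55]))
        (backup / "notes.txt").unlink()
        (backup / "HOW_TO_RESTORE.txt").write_text("your files are encrypted\n")

        saved = json.loads(manifest_path.read_text())
        return verify_backup(backup, saved)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Any non-empty `missing` or `modified` list means the backup cannot be trusted for a restore; run the check on a schedule against the offline copy, not only when an incident is already underway.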

Strengthen endpoint security

Ransomware attacks often start on endpoints like laptops, desktops, or servers. To block these attacks early, use advanced endpoint protection tools that detect and stop ransomware as soon as an employee downloads a malicious file or clicks on a phishing link.
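Endpoint tools catch the encryption stage by its behaviour rather than by file signatures. The added example below (not NordStellar's code) shows the kind of heuristic they apply: it scores a stream of endpoint file events, all constructed here, for one process changing the extension of many files in a short window, writing high-entropy (ciphertext-like) content, and dropping ransom-note files. The process names, paths, window size and thresholds are illustrative assumptions.

```python
"""Behavioural detection of ransomware-like file activity on an endpoint.

Added example, not NordStellar code. Events, process names and thresholds
are constructed assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath
import hashlib
import math

WINDOW_SECONDS = 60       # burst window (assumption)
BURST_THRESHOLD = 20      # extension changes or ciphertext writes per window (assumption)
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or compressed data sits near 8
NOTE_MARKERS = ("readme", "restore", "decrypt", "how_to", "recover")


@dataclass(frozen=True)
class FileEvent:
    ts: float           # seconds since epoch
    pid: int
    process: str
    action: str         # "write" or "rename"
    path: str
    new_path: str = ""  # target of a rename
    data: bytes = b""   # leading bytes of a write, used for the entropy check


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or uniform input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_events_in_window(times: list[float], window: float) -> int:
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def looks_like_ransom_note(path: str) -> bool:
    name = PurePosixPath(path).name.lower()
    return name.endswith((".txt", ".html", ".hta")) and any(m in name for m in NOTE_MARKERS)


def analyze(events: list[FileEvent]) -> dict[int, dict]:
    """Per-process verdict together with the reasons that triggered it."""
    by_pid: dict[int, list[FileEvent]] = defaultdict(list)
    for event in events:
        by_pid[event.pid].append(event)
    findings = {}
    for pid, evs in by_pid.items():
        ext_changes = [e.ts for e in evs if e.action == "rename"
                       and PurePosixPath(e.path).suffix != PurePosixPath(e.new_path).suffix]
        ciphertext_writes = [e.ts for e in evs if e.action == "write"
                             and shannon_entropy(e.data) >= ENTROPY_THRESHOLD]
        notes = [e.path for e in evs if e.action == "write" and looks_like_ransom_note(e.path)]
        reasons = []
        burst = max_events_in_window(ext_changes, WINDOW_SECONDS)
        if burst >= BURST_THRESHOLD:
            reasons.append(f"{burst} extension changes within {WINDOW_SECONDS}s")
        burst = max_events_in_window(ciphertext_writes, WINDOW_SECONDS)
        if burst >= BURST_THRESHOLD:
            reasons.append(f"{burst} high-entropy writes within {WINDOW_SECONDS}s")
        if notes:
            reasons.append(f"ransom-note-like files written: {notes[:3]}")
        findings[pid] = {"process": evs[0].process, "suspicious": bool(reasons), "reasons": reasons}
    return findings


def constructed_events() -> list[FileEvent]:
    """A benign editor next to a process that rewrites 25 documents in about 30 seconds."""
    events = [
        FileEvent(1000.0, 1001, "WINWORD.EXE", "write", "/users/a/docs/q3-plan.docx",
                  data=b"Quarterly plan draft text"),
        FileEvent(1005.0, 1001, "WINWORD.EXE", "rename", "/users/a/docs/~tmp.docx",
                  "/users/a/docs/q3-plan.docx"),
    ]
    for i in range(25):
        src = f"/users/a/docs/report-{i}.xlsx"
        # deterministic pseudo-random bytes stand in for ciphertext
        payload = b"".join(hashlib.sha256(f"{i}:{j}".encode()).digest() for j in range(128))
        events.append(FileEvent(2000.0 + i, 4242, "updater.exe", "write", src, data=payload))
        events.append(FileEvent(2000.5 + i, 4242, "updater.exe", "rename", src, src + ".locked"))
    events.append(FileEvent(2030.0, 4242, "updater.exe", "write",
                            "/users/a/docs/HOW_TO_RESTORE.txt", data=b"Your files are encrypted"))
    return events


if __name__ == "__main__":
    for pid, finding in analyze(constructed_events()).items():
        print(pid, finding["process"], "SUSPICIOUS" if finding["suspicious"] else "ok", finding["reasons"])
```

The three signals are deliberately combined: a backup or compression job can trip the entropy check alone, and a bulk rename can trip the extension check alone, so a production rule would weight them and pair the verdict with an automatic response such as suspending the process and isolating the host.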

Stay ahead with threat intelligence feeds

Keep ransomware actors at bay by tracking real-time threat intelligence feeds. These tools alert you to new ransomware variants, active attacks, and exploitable vulnerabilities. Services like NordStellar deliver timely updates, which can help you spot risks early and strengthen your defenses.

Prepare with an incident response plan

Develop a clear, step-by-step strategy that outlines how to detect, contain, and respond to an attack. Test the plan regularly through simulated scenarios so employees and IT staff understand their roles and can act quickly in an emergency.

A well-prepared plan minimizes chaos, accelerates recovery, and provides a structured approach to handling ransomware. The faster your response, the less impact the attack will have on your organization.

Use advanced cybersecurity solutions

Invest in advanced cybersecurity tools that provide multi-layered protection. The NordStellar threat exposure management platform provides solutions that allow companies to detect and respond to cyber threats early, breaking the cyber kill chain before an attack escalates.

NordStellar includes solutions like vulnerability management and dark web monitoring, which can give you insight into emerging ransomware tactics and help you identify if your data has been exposed. By partnering with NordStellar, your business is equipped with the latest technology to face evolving threats and stay one step ahead of cybercriminals.

Your data deserves the highest level of security. Contact the NordStellar team today to protect your organization against ransomware attacks.

FAQ

What is ransomware-as-a-service?

Ransomware-as-a-service (RaaS) is a business model where ransomware creators rent out their malware to other criminals for profit. RaaS is part of a larger trend called malware-as-a-service (MaaS), where hackers sell or rent malicious tools on the dark web. Unlike general malware, RaaS focuses solely on ransomware, which makes it simple for criminals to encrypt files and demand payment.

How does ransomware spread?

Ransomware spreads through phishing emails, infected software downloads, unpatched vulnerabilities, and malicious websites.

How do ransomware groups choose their targets?

Ransomware groups typically target organizations with valuable data and weak cybersecurity defenses. Ransomware groups are highly likely to target businesses that have paid ransoms in the past because they may assume these organizations are more likely to pay again.

Can ransomware come back after removal?

Yes, ransomware can return after removal if the underlying cause of the malware infection isn’t resolved.
