Showing posts with label NSA. Show all posts

Sunday, April 23, 2023

Top 10 All Time Active Ransomware Groups

The Current Top 10 Active Ransomware Group Post Count


By Dominic Alvieri

April 23rd, 2023

@AlvieriD


Top 10 All Time Active Ransomware Groups


Quantifying ransomware group activity over the past few years, there is no doubt that LockBit is the numerical leader, all credibility issues aside. LockBit has averaged more than one company posted per day since its initial formation as ABCD. No one else comes close.


Conti members are still around, but this list comprises active groups with quantifiable active leak sites.


The top 10 active ransomware groups.

@AlvieriD


Posts that are somewhat quantifiable...


What is included in the numbers? Posts like the recent LockBit Dark Trace-Dark Tracer fiasco or their goofball post that was removed are not included. Neither are posts like the BlackCat NCR flash cyber incident, which is still ongoing.






Up and Coming Groups


The top groups to watch that are gaining traction are Royal and Play Ransomware. Play will be in the top 10 within the next month if current trends continue. Royal should be in the top 5 by summer.




New groups in 2023


Several new groups have arrived and, in the case of Trigona, re-arrived. Money Message, logo or no logo, should be near the top of the new-groups-to-watch list. Here are a few other new groups to watch:

Money Message
Trigona Ransomware
Cipher Locker
Akira Ransomware
Cross Lock Ransomware
Dunghill Leak...


Trigona Ransomware.


Cipher Locker ransomware.

Akira Ransomware.

Cross Lock Ransomware.


Dunghill.

Dunghill Leak is literally named after a pile of shit. What will they think of next?

Most Dangerous Groups


In my view, Alphv BlackCat Ransomware and LockBit are fairly close at the top of this category. BlackCat has the ability to pivot quickly once in a network, and LockBit is always trying to improve to stay on top, but they have been getting sloppy while Alphv looks like it has added another producing affiliate.

Black Basta, BlackByte, Royal and Play Ransomware deserve mention here, as do a few others, but my time is limited.


Stay safe.

The Cyber Show, by @AlvieriD


Monday, January 30, 2023

Undisputed LockBit

LockBit is clearly the leading group left standing...for now.


By Dominic Alvieri

January 30th, 2023

@AlvieriD 


LockBit is the undisputed number one group.


In the early morning hours of Thursday, January 26th, a multi-governmental offensive seized the Hive Ransomware leak site. No arrests have been made in the never-ending ransomware whack-a-mole game. LockBit is now the undisputed leading ransomware operation.



Hive Ransomware leak site was seized on Thursday.


That evening LockBit was ready with a new game, comments and plenty of leaks ready to go. The Hive Ransomware leak site was seized early Thursday morning, and the first comment or post from LockBit was a freaking game, shown below.


LockBit playing games.

The post above was removed by LockBit. Researchers at VX Underground were able to get a comment from Mr. LockBit about the post and the news that followed. LockBit is one group I do not have communications with and do not care to. 

By Sunday evening it was business as usual, as LockBit posted affiliate offerings of 14 new victims from around the world that were not willing to pay them.


14 new companies ransomed by LockBit.

Spain

France

Mexico

Austria

Albania

Portugal

Australia

United States

United Kingdom


LockBit KVIE post.

Air Albania ransomed by LockBit.


Lowlights from the new posts include PBS member television station KVIE in Sacramento, California, Air Albania, CPL Industries...



PBS station KVIE ransomed by LockBit.


LockBit is clearly the top operation remaining and is arrogantly making it known. Alphv Black Cat Ransomware is behind LockBit, and there is a clear distinction from the remaining groups, including the new up-and-coming Play Ransomware, Black Basta, Vice Society...


Several other groups and former members are not included in this article, including Black Matter, DarkSide and the other variations, spinoffs and pending new groups like Endurance Ransomware.


No Hive arrests to date.


Affiliates have to go somewhere...





The never-ending ransomware whack-a-mole game continues in 2023.

The Cyber Show

Thursday, October 13, 2022

New Chinese Misinformation Campaign

Fake Campaign Attempts to Attribute Chinese Advanced Persistent Threat Group APT 41 to the NSA


By Dominic Alvieri 

@AlvieriD

October 12th, 2022


New Chinese misinformation campaign


A new Chinese misinformation campaign has been spreading this past week, attempting to attribute the Chinese APT 41 to the National Security Agency. Many of the accounts are using the Intrusion Truth name.


Global Times Chinese domain article tweet.





Several new accounts tweeted in Mandarin Chinese for the local media in Asia, while others have been created in English for a wider audience. All accounts use the APT 41 hashtag.


Kimberly Allen Fake FireEye Attribution in Mandarin





The above tweet translates as FireEye attributing Chinese APT 41 to the NSA.


The tweet above has been removed but the account remains.





The FBI report concludes what we all know, while some are trying to create confusion in typical APT 41 style.



Dominic Alvieri, @AlvieriD Twitter

This is a new and current campaign, with all accounts still open. No new activity has been spotted since the initial fake attribution tweets reported this week.


Blog will be updated as needed. Stay safe.





The Kremlin, Politics and Ransomware

Qilin Ransomware caught with politically motivated fake document (and old data) in post. by Dominic Alvieri March 8th, 2025 @AlvieriD Was it...