Rogues gallery: The 15 worst ransomware groups operating today

Targets: LockBit hit thousands of victims worldwide in its heyday, including government utilities, private companies, and critical infrastructure providers.
Attribution: LockBit’s use of Russian-language platforms and its targeting patterns have led some analysts to conclude that the group is based in Russia. Russian national Dmitry Yuryevich Khoroshev, named by Western law enforcement agencies last year as the developer and administrator of LockBit, faces US charges along with sanctions that include an asset freeze and travel ban. Two Russian nationals have been charged with using LockBit ransomware against targeted organizations.
Lynx
History: Lynx shares 48% of its source code with the earlier INC ransomware, suggesting a rebrand or evolution of the same threat actor.
How it works: Lynx also operates as RaaS and uses double extortion tactics. Once inside a system, the ransomware steals sensitive information and encrypts the victim’s data, effectively locking them out. To make detection more difficult, it appends a ‘.lynx’ extension to encrypted files and deletes shadow copies that could otherwise be used as backups.
Targets: Since its emergence, Lynx has focused on several industries in the US and UK, including retail, real estate, financial services, and environmental services. The group behind Lynx attacked multiple facilities across the US between July 2024 and November 2024, including targets in the energy, oil, and gas sectors, according to Palo Alto Networks’ Unit 42.
Attribution: Lynx operates as a RaaS model, which means it is likely used by multiple hackers rather than a single group.
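The two host-level behaviours the Lynx entry names, files renamed to a ‘.lynx’ extension and shadow copies deleted, are what a defender would alert on. The following is an added example, not code from the article or from any vendor named in it: a small detector run over constructed endpoint telemetry whose log format, field names, and thresholds are all assumptions.

```python
"""Added example: flag hosts showing Lynx-like behaviour in endpoint telemetry.
The log format ("<ISO time> <host> <event> <detail>"), the event names and the
thresholds are assumptions; the sample lines are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: ws01 shows a rename burst plus shadow copy
# deletion; ws02 shows ordinary user activity that must not alert.
SAMPLE_LOG = """\
2025-09-01T10:00:01 ws01 FILE_RENAME C:\\Users\\a\\report.docx -> C:\\Users\\a\\report.docx.lynx
2025-09-01T10:00:01 ws01 FILE_RENAME C:\\Users\\a\\q3.xlsx -> C:\\Users\\a\\q3.xlsx.lynx
2025-09-01T10:00:02 ws01 FILE_RENAME C:\\Users\\a\\plan.pdf -> C:\\Users\\a\\plan.pdf.lynx
2025-09-01T10:00:05 ws01 PROCESS_START vssadmin.exe delete shadows /all /quiet
2025-09-01T11:30:00 ws02 FILE_RENAME C:\\tmp\\notes.txt -> C:\\tmp\\notes.md
2025-09-01T11:30:10 ws02 PROCESS_START notepad.exe C:\\tmp\\notes.md
"""

RANSOM_EXT = ".lynx"          # extension the article says Lynx appends
RENAME_THRESHOLD = 3          # renames to that extension within WINDOW (assumed)
WINDOW = timedelta(seconds=60)

def parse(line):
    """Split one telemetry line into (timestamp, host, event, detail)."""
    ts, host, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, detail

def detect(log_text):
    """Return {host: [alert names]} for hosts showing Lynx-like behaviour."""
    renames = defaultdict(list)   # host -> timestamps of recent .lynx renames
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, event, detail = parse(line)
        if event == "FILE_RENAME" and detail.lower().endswith(RANSOM_EXT):
            # Keep only renames inside the sliding window, then count them.
            recent = [t for t in renames[host] if ts - t <= WINDOW] + [ts]
            renames[host] = recent
            if len(recent) >= RENAME_THRESHOLD and "mass-rename" not in alerts[host]:
                alerts[host].append("mass-rename")
        # Shadow copy deletion is the recovery-hampering step the article names.
        if event == "PROCESS_START" and "delete shadows" in detail.lower():
            alerts[host].append("shadow-copy-deletion")
    return dict(alerts)

if __name__ == "__main__":
    for host, found in detect(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(found)}")
```

In production the two signals would be correlated per host and raised together, since a rename burst followed within minutes by shadow copy deletion is far stronger evidence than either alone.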
Medusa
History: Medusa is a ransomware-as-a-service operation that started in 2022.
How it works: The group typically gains access by exploiting vulnerabilities in public-facing assets, through phishing emails, or by buying access from initial access brokers.
Targets: The cybercriminals behind Medusa have targeted healthcare, education, manufacturing, and retail organizations in the US, Europe, and India.
Attribution: Activity on Russian-language cybercrime forums related to Medusa suggests that the core group and its affiliates may be from Russia or neighboring countries, but this remains unconfirmed.
Play
History: Play is a ransomware threat that emerged in June 2022. The group has stepped up its operations following disruptions to other major ransomware actors.
How it works: Attackers usually exfiltrate sensitive data before encrypting systems. Play keeps a very low profile on the dark web, not advertising itself beyond its own leak site. “It even claims it’s not a RaaS gang, saying it maintains a ‘closed group to ensure confidentiality of transactions,’ despite evidence to the contrary,” Searchlight Cyber’s Donovan explained.
Targets: The group has focused on various sectors, including healthcare, communications, finance, and government services.
Attribution: Play may have connections with APT groups aligned with the North Korean regime.
In October 2024, security researchers at Palo Alto Networks’ Unit 42 published evidence of Play ransomware being deployed by a North Korean-backed threat actor, specifically APT45. “The connection between this threat actor and Play is unclear, but it shows the potential for intersection between government-sponsored cyber activity and transparent private cybercrime networks,” Donovan said.
Qilin
History: Qilin, also known as Agenda, is a Russia-based RaaS group that has been active since May 2022.
How it works: The group targets Windows and Linux systems, including VMware ESXi servers, using ransomware variants written in Go and Rust. Qilin follows a double extortion model, encrypting victims’ files and threatening to leak the stolen data if the ransom is not paid.
Targets: Qilin recruits affiliates on underground forums and prohibits attacks on organizations in the Commonwealth of Independent States (CIS) countries bordering modern Russia.
Qilin leaked data from 697 victims in the second half of 2025, a five-fold increase year-on-year, according to research by Searchlight Cyber. Security researchers attribute this growth to an aggressive affiliate recruitment effort and to dealings with initial access brokers to obtain stolen VPN credentials.
Attribution: The makeup of Qilin is still unknown, but Russian-speaking organized cybercrime is strongly suspected.
RansomHub
History: RansomHub appeared in February 2024 and quickly became a major cyber threat. The group, originally known as Cyclops and later Knight, renamed itself and expanded its operations by recruiting affiliates from other disrupted ransomware groups such as LockBit and ALPHV/BlackCat.
How it works: Once inside the network, RansomHub affiliates exfiltrate data and deploy encryption tools, often abusing legitimate administrative tools to carry out their malicious activity. RansomHub uses an affiliate-“friendly” RaaS model, initially offering a fixed 10% payout to attackers using its ransomware and the option to collect ransom payments directly from victims before paying the operators. “These features make it an attractive option for affiliates looking for guaranteed returns, where other RaaS services have been unreliable in paying in the past,” Searchlight Cyber’s Donovan said.
Targets: RansomHub has been linked to more than 210 victims across critical sectors, including healthcare, finance, government services, and critical infrastructure in Europe and North America, according to Rapid7.
Attribution: Attribution remains unconfirmed, but some evidence points to organized Russian-speaking cybercriminal activity and ties to other established ransomware threat actors.
Scattered Lapsus$ Hunters
History: The cybercrime groups Scattered Spider, LAPSUS$, and ShinyHunters formed a loose alliance in August 2025 to carry out ransomware attacks against large enterprises. Originally affiliated with ALPHV/BlackCat and others, the group split off and built its own platform and approach.
How it works: Scattered Lapsus$ Hunters are noted for their expertise in social engineering, compromising help desks among other tactics. The combined group’s playbook includes extortion through data leaks and ransomware. Their leak site was seized by law enforcement in October 2025, but this may not be the last we hear of the cybercrime giant.
Targets: The group ran a massive Salesforce-focused campaign in August and October that exposed data from a number of companies, including Toyota, FedEx, and Disney.
Attribution: Security researchers characterize the Scattered Lapsus$ Hunters as a loose coalition rather than a single unified group. The alleged members of the group remain publicly anonymous as of late February 2026.