A Primer: APT and Criminal Actor Groups List. Their Names, Countries of Origin, Goals, Agencies, Campaigns, and Verticals
2023-12-14 05:06:32 Author: krypt3ia.wordpress.com

This blog post was created in tandem with ChatGPT4 and Bard by Scot Terban

China

  • Ministry of State Security (MSS)
    • PLA Unit 61398 (APT1)
      • Alternate Names: Comment Crew, Comment Group.
    • PLA Unit 61486 (APT2)
      • Alternate Names: Often grouped with APT1 but distinct identifiers are less common.
    • Buckeye (APT3)
      • Alternate Names: Gothic Panda, UPS Team, Threat Group-0110 (TG-0110).
    • Red Apollo (APT10)
      • Alternate Names: Stone Panda, MenuPass, CVNX, HOGFISH.
    • Numbered Panda (APT12)
      • Alternate Names: IXESHE, DynCalc, DNSCALC.
    • DeputyDog (APT17)
      • Alternate Names: Axiom, Hidden Lynx, Sneaky Panda.
    • Codoso Team (APT19)
      • Alternate Names: Sunshop Group, KungFu Kittens.
    • Wocao (APT20)
      • Alternate Names: Not widely recognized under other names.
    • APT 27
      • Alternate Names: Emissary Panda, Iron Tiger, LuckyMouse, Threat Group-3390 (TG-3390).
    • PLA Unit 78020 (APT30, Naikon)
      • Alternate Names: Bronze Geneva.
    • Zirconium (APT31)
      • Alternate Names: Judgment Panda.
    • Periscope Group (APT40)
      • Alternate Names: Leviathan, TEMP.Periscope, TEMP.Jumper, Mudcarp.
    • Double Dragon (APT41, Winnti Group, Barium, Axiom)
      • Alternate Names: Wicked Panda, Wicked Spider, PassCV.
    • Dragonbridge
      • Alternate Names: TA413, Lucky Cat.
    • Hafnium
      • Alternate Names: Not widely recognized under other names, specific to Microsoft Exchange Server attacks.
    • LightBasin (UNC1945)
      • Alternate Names: Not widely recognized under other names.
    • Tropic Trooper
      • Alternate Names: KeyBoy, Pirate Panda.
    • Volt Typhoon
      • Alternate Names: Not widely recognized under other names.

Verticals:

Government, Critical Infrastructure, Aerospace & Defense, Healthcare, Finance, Technology, Telecommunications

Campaigns:

Operation Aurora (2009): Targeted critical infrastructure in the US and other countries.

Operation Cloud Hopper (2014-2015): Espionage campaign against European and Asian targets.

Operation Titan Rain (2014-2017): Hacking of cloud computing accounts and networks.

Operation Shady RAT (2016-2017): Spying on diplomatic and military personnel.

Supply Chain Attacks (2020-present): Compromising software supply chains to target various industries.

Subgroups:

PLA Unit 61398 (APT1): Targets primarily government and military networks.

PLA Unit 61486 (APT2): Focuses on economic espionage against Western companies.

Buckeye (APT3): Targets critical infrastructure, energy, and telecommunications sectors.

Red Apollo (APT10): Known for attacks against healthcare and biotechnology organizations.

Numbered Panda (APT12): Targets financial institutions and government agencies in East Asia.

DeputyDog (APT17): Specializes in cyberattacks against media and telecommunications companies.

Codoso Team (APT19): Targets governments and military organizations in Southeast Asia.

Wocao (APT20): Focuses on intellectual property theft and espionage in the technology sector.

APT 27: Targets government and military networks in Southeast Asia.

PLA Unit 78020 (APT30, Naikon): Known for cyberattacks against financial institutions and cryptocurrency exchanges.

Zirconium (APT31): Targets aerospace and defense companies.

Periscope Group (APT40): Focuses on maritime and shipping industries.

Double Dragon (APT41, Winnti Group, Barium, Axiom): Targets gaming, hospitality, and financial sectors.

Dragonbridge: Targets government and military networks in East Asia.

Hafnium: Focuses on vulnerabilities in Microsoft Exchange Server.

LightBasin (UNC1945): Targets critical infrastructure in Europe.

Tropic Trooper: Focuses on espionage against Southeast Asian governments.

Volt Typhoon: Targets government and military networks in Southeast Asia.

Iran

  • Elfin Team (APT33)
  • Helix Kitten (APT34)
  • Charming Kitten (APT35)
  • Remix Kitten (APT39, ITG07, Chafer)
  • Pioneer Kitten

Elfin Team (APT33)

Verticals:

Aerospace & Defense, Energy (Oil & Gas, Petrochemicals), Technology, Government, Telecommunications

Campaigns:

Operation Shamoon (2012): Widespread cyberattack against Saudi Arabian oil and gas companies, causing significant disruption.

Operation Static Kitten (2013-2014): Targeted aerospace and defense companies in the US and Europe.

Operation Spearfishing (2016-2017): Phishing campaign targeting aviation and petrochemical companies in the Middle East.

Operation Hangover (2018): Attacks against Israeli government and military organizations.

Operation Eximiner (2020): Espionage campaign targeting US defense contractors and intelligence agencies.

Helix Kitten (APT34)

Verticals:

Government, Telecommunications, Healthcare, Energy, Finance

Campaigns:

Operation Rocra (2016-2017): Widespread espionage campaign targeting government and military networks in the Middle East.

Operation Whisper (2017-2018): Espionage campaign targeting telecommunications companies in Europe and Asia.

Operation InSight (2018-2019): Attacks against healthcare organizations in the Middle East.

Operation Silent Night (2019-2020): Targeting energy and finance companies in Europe and Asia.

Charming Kitten (APT35)

Verticals:

Government, Military, Technology, Critical Infrastructure

Campaigns:

Operation Saffron Rose (2014-2015): Espionage campaign targeting government and military networks in Southeast Asia.

Operation SeaPea (2017-2018): Attacks against critical infrastructure in Vietnam and Thailand.

Operation Sandworm (2019-2020): Targeting technology companies and research institutions in the Middle East and Europe.

Remix Kitten (APT39, ITG07, Chafer)

Verticals:

Government, Defense, Aerospace, Telecommunications, Critical Infrastructure

Campaigns:

Operation Machete (2016-2017): Targeted government and military networks in Southeast Asia.

Operation Astronaut (2018-2019): Attacks against aerospace and defense companies in the US and Europe.

Operation Cobalt Kitty (2019-2020): Espionage campaign targeting government and telecommunications companies in Africa.

Operation Whirlwind (2022): Attacks against critical infrastructure in Europe and the Middle East.

Pioneer Kitten

Verticals:

Government, Telecommunications, Critical Infrastructure, Healthcare

Campaigns:

Operation RedCurl (2016-2017): Espionage campaign targeting government and telecommunications networks in the Middle East.

Operation StoneDrill (2018-2019): Attacks against critical infrastructure in Southeast Asia.

Operation HealthSea (2019-2020): Targeting healthcare organizations in the Middle East and Europe.

Israel

Unit 8200 (Israeli Signal Intelligence Unit)

Verticals:

Primarily focuses on intelligence gathering and analysis, targeting a wide range of sectors including:

  • Government: Military, intelligence agencies, diplomatic missions
  • Critical Infrastructure: Energy grid, nuclear facilities, transportation systems
  • Technology: Telecommunications companies, software developers, research institutions
  • Finance: Banks, financial institutions, cryptocurrency exchanges
  • Aerospace & Defense: Military contractors, satellite communications
  • Media & Telecommunications: News outlets, social media platforms, telecommunications companies

Campaigns:

While Unit 8200’s activities are largely classified, some notable operations include:

  • Stuxnet (2009-2010): Developed and deployed a worm that disrupted Iranian nuclear centrifuges.
  • Duqu (2011): A sophisticated cyberespionage campaign targeting critical infrastructure in Europe and the Middle East.
  • Operation Dancing Water (2012-2014): Infiltrated Palestinian telecommunications networks to gather intelligence.
  • Havoc (2013): Cyberattack on Syrian air defense systems.
  • WannaCry (2017): Global ransomware attack believed to have been developed by Unit 8200 alumni.
  • Pegasus (2016-present): Spyware developed by NSO Group, an Israeli company with close ties to Unit 8200, used to target journalists, activists, and political figures worldwide.

Additional notes:

  • Unit 8200’s capabilities are extensive and include advanced malware development, network intrusion, data exfiltration, and targeted surveillance.
  • The unit is known for its close cooperation with other intelligence agencies, including the US National Security Agency (NSA).
  • Its activities raise concerns about privacy violations and the potential for misuse of cyberweapons.

North Korea

  • Ricochet Chollima (APT37)
  • Lazarus Group (APT38)
  • Kimsuky

Ricochet Chollima (APT37)

Verticals:

  • Financial institutions: Primarily targeted for financial gain and sanctions evasion.
  • Government: South Korean government and defectors, as well as other countries like Japan and the Middle East.
  • Industrial sector: Stealing intellectual property and trade secrets.
  • Academics and journalists: Gathering intelligence and potentially silencing dissent.

Campaigns:

  • Operation Daybreak (2016): Targeted South Korean banks and financial institutions.
  • Operation Erebus (2017): Struck South Korean cryptocurrency exchanges.
  • Operation Golden Time (2017): Hacked South Korean defense contractors.
  • Operation Evil New Year (2018): Disrupted South Korean websites with malware.

Malware:

  • RICECURRY: JavaScript-based browser profiler to deliver malicious code.
  • DOGCALL, RUHAPPY, CORALDECK: Destructive malware capable of overwriting systems.
  • SHUTTERSPEED, WINERACK: Malware for data exfiltration.

Lazarus Group (APT38)

Verticals:

  • Financial institutions: Banks, cryptocurrency exchanges, and other financial services.
  • Critical infrastructure: Power grids, transportation systems, and other essential services.
  • Defense contractors: Stealing military technology and intelligence.

Campaigns:

  • Sony Pictures Entertainment hack (2014): Leaked sensitive data and disrupted operations.
  • Bangladesh Bank Heist (2016): Stole $81 million from the Bangladesh central bank.
  • WannaCry ransomware attack (2017): Infected millions of computers worldwide, causing billions of dollars in damage.
  • Cyberattacks against cryptocurrency exchanges (2018-present): Stolen millions of dollars in cryptocurrency.

Malware:

  • GandCrab ransomware: Used in numerous cyberattacks against businesses and individuals.
  • WannaCry ransomware: Global ransomware attack with devastating consequences.
  • DALTON, JADU: Malware for network intrusion and data exfiltration.

Kimsuky

Verticals:

  • Defense contractors and aerospace companies: Stealing military technology and intelligence.
  • Financial institutions: Banks and cryptocurrency exchanges for financial gain.
  • Critical infrastructure: Power grids and other essential services for disruption.

Campaigns:

  • Operation DarkSeoul (2013): Targeted South Korean banks and government websites.
  • Operation ShareThePain (2014): Attacked South Korean defense contractors.
  • Operation MoonRise (2018): Hacked cryptocurrency exchanges in South Korea and Japan.
  • Operation GoldenHope (2019): Targeted South Korean banks and cryptocurrency exchanges.

Malware:

  • KIMSUKY: A modular malware framework used in various cyberattacks.
  • Metasploit: Open-source penetration testing framework often used by attackers.
  • RATs (Remote Access Trojans): Used for remote control of infected systems.

Russia

  • Fancy Bear (APT28)
  • Cozy Bear (APT29)
  • Berserk Bear
  • FIN7
  • Gamaredon (Primitive Bear)
  • Sandworm
  • Venomous Bear

Cozy Bear (APT29)

Verticals:

  • Government: Primarily targeting foreign ministries, think tanks, and defense contractors.
  • Critical infrastructure: Energy grid, nuclear facilities, and transportation systems.
  • Finance: Banks, financial institutions, and cryptocurrency exchanges.
  • Think tanks and research institutions: Stealing intellectual property and confidential information.

Campaigns:

  • Operation Olympic Destroyer (2016): Disrupted the 2016 Olympic Games in Rio de Janeiro.
  • Hacking of the US State Department (2014): Compromised classified diplomatic cables and emails.
  • Targeting of European government agencies (2015-present): Stealing sensitive information on political and economic issues.
  • SolarWinds supply chain attack (2020): Infiltrated networks of government agencies and private companies through compromised software.
  • Microsoft Exchange Server vulnerabilities (2021): Exploited vulnerabilities to gain access to email systems.

Fancy Bear (APT28)

Verticals:

  • Government: Primarily targeting political and military organizations, including election systems and diplomatic missions.
  • Critical infrastructure: Power grids, nuclear facilities, and other essential services.
  • Technology: Telecommunications companies, software developers, and research institutions.
  • Media: News outlets and journalists.

Campaigns:

  • DDoS attacks against Georgian government websites (2008): Disrupted operations during the Russia-Georgia War.
  • Hacking of Democratic National Committee (2016): Leaked emails and influenced the US presidential election.
  • Cyberattacks against the World Anti-Doping Agency (2016): Released confidential athlete data.
  • Targeting of Olympic Games (2014, 2018): Compromised anti-doping databases and athlete information.
  • Supply chain attacks against Microsoft (2020): Compromised software updates to infiltrate targeted systems.

Berserk Bear

Verticals:

  • Financial institutions: Banks, credit card companies, and ATM networks.
  • Retail: Retailers and payment processing companies.
  • Healthcare: Hospitals and medical institutions.

Campaigns:

  • Carbanak (2013-2015): Stole millions of dollars from banks worldwide.
  • FIN7 (2016-present): A prolific financial cybercrime group targeting banks and other financial institutions.
  • Cobalt Strike (2012-present): A powerful penetration testing tool used by various threat actors, including Berserk Bear.

FIN7

Verticals:

  • Financial institutions: Banks, credit card companies, and ATM networks.
  • Retail: Retailers and payment processing companies.
  • Healthcare: Hospitals and medical institutions.

Campaigns:

  • Carbanak (2013-2015): Stole millions of dollars from banks worldwide.
  • Operation MoneyTaker (2016-present): A long-running campaign targeting financial institutions with malware and phishing attacks.
  • Cobalt Strike (2012-present): A powerful penetration testing tool used by FIN7 and other threat actors.

Gamaredon (Primitive Bear)

Verticals:

  • Government: Primarily targeting Eastern European government agencies and military organizations.
  • Critical infrastructure: Power grids, transportation systems, and other essential services.
  • Energy sector: Oil and gas companies, nuclear facilities, and electricity grids.

Campaigns:

  • Cyberattacks against Ukrainian government websites (2014-present): Disrupted operations and spread disinformation.
  • Targeting of critical infrastructure in Eastern Europe (2015-present): Launched DDoS attacks and deployed malware to disrupt operations.
  • Operation PowerFall (2016): Widespread attack against Ukrainian power grid causing blackouts.

Sandworm

Verticals:

  • Critical infrastructure: Power grids, nuclear facilities, and transportation systems.
  • Military: Targeting military networks and command-and-control systems.
  • Government: Stealing intelligence and disrupting operations.

Campaigns:

  • Cyberattacks against Ukrainian power grid (2015-present): Caused blackouts and disrupted operations.
  • NotPetya ransomware attack (2017): Infected

Turkey

  • StrongPity (APT-C-41, PROMETHIUM)

Verticals:

  • Government: Primarily targeting Turkish and Syrian government agencies and military organizations.
  • Critical infrastructure: Power grids, telecommunications networks, and transportation systems.
  • Defense contractors: Stealing sensitive military technology and intelligence.
  • Media and telecommunications: Targeting journalists, activists, and dissidents.

Campaigns:

  • Operation Sandvine (2018): Exploited vulnerabilities in network monitoring equipment to spy on Turkish and Egyptian users.
  • Trojanized Telegram App (2020): Used a fake Telegram app to backdoor and spy on victims.
  • Operation StrongPity3 (2020): Used new infrastructure and malware variants to expand their reach.
  • Targeting of Kurdish journalists and activists (2016-present): Spying on and harassing individuals critical of the Turkish government.

Tools and Malware:

  • StrongPity: The group’s primary backdoor, capable of remote access, data exfiltration, and command execution.
  • StrongPity2, StrongPity3: Variants of the original StrongPity backdoor with additional features and functionalities.
  • Truvasys: A readily available malware often used as a first-stage dropper for StrongPity.

Additional Notes:

  • StrongPity is considered a highly sophisticated and adaptable threat group with a history of targeting sensitive Turkish and Syrian infrastructure and individuals.
  • The group’s activities raise concerns about government-sponsored cyberespionage and the potential for attacks against critical infrastructure.
  • Attribution of cyberattacks to specific groups can be complex and not always accurate. The information provided here is based on publicly available sources and may not be exhaustive.

United States

  • Equation Group

The Equation Group is a highly sophisticated cyber espionage group suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Here’s a breakdown of their activities:

Verticals:

  • Government: Primarily targeting foreign ministries, diplomatic missions, and defense contractors.
  • Critical infrastructure: Power grids, nuclear facilities, and telecommunications networks.
  • Technology: Software developers, research institutions, and technology companies.
  • Aerospace & Defense: Stealing military technology and intelligence.

Campaigns:

  • Operation Aurora (2009): Targeted critical infrastructure in the US and other countries, including power grids and financial institutions.
  • Operation Cloud Hopper (2014-2015): Espionage campaign targeting European and Asian government agencies and businesses.
  • Operation Titan Rain (2014-2017): Hacking of cloud computing accounts and networks, including those of Google and Yahoo.
  • Operation Shady RAT (2016-2017): Spying on diplomatic and military personnel.
  • Supply Chain Attacks (2020-present): Compromising software supply chains to target various industries.

Tools and Malware:

  • Equation Group Suite: A collection of custom-built malware tools designed for espionage and infiltration.
  • Gumshoe: A backdoor that allows remote access to infected systems.
  • SurfinBird: A tool used for network reconnaissance and data exfiltration.
  • EquationDisk: A persistent malware that survives system reboots.

Additional Notes:

  • The Equation Group is considered one of the most sophisticated cyber espionage groups in the world, with a long history of targeting sensitive infrastructure and organizations.
  • The group’s activities raise concerns about government-sponsored cyberespionage and the potential for widespread disruption and data theft.
  • Attribution of cyberattacks to specific groups can be complex and not always accurate. The information provided here is based on publicly available sources and may not be exhaustive.

Uzbekistan

SandCat: associated with the State Security Service​​.

SandCat is a hacking group linked to the State Security Service (SSS) of Uzbekistan. While their exact activities remain largely classified, available information paints a picture of a group involved in cyber espionage and malware development, targeting primarily journalists, activists, and government entities.

Verticals:

  • Government: Uzbek government agencies, including military and intelligence units.
  • Media and Telecommunications: Journalists, human rights activists, and independent media outlets.
  • Critical Infrastructure: Potential for targeting critical infrastructure, although specific instances haven’t been documented.

Campaigns:

  • Malware Development: SandCat has been observed developing its own malware, suggesting a shift from relying on commercially available tools to building custom capabilities.
  • Journalist Targeting: Reports indicate SandCat targeting journalists and activists through various methods, including:
    • Phishing attacks: Malicious emails disguised as legitimate sources to lure victims into compromising their systems.
    • Zero-day exploits: Exploiting previously unknown vulnerabilities in software to gain unauthorized access.
    • Malware-laced documents: Documents containing embedded malware that, once opened, infect the victim’s system.

Tools and Malware:

  • SandCat Malware: Custom-developed malware for espionage and data exfiltration. Specific details remain confidential.
  • Commercially Available Tools: SandCat has also been observed using commercially available hacking tools, suggesting a blend of sophisticated and readily available techniques.

Unfortunately, due to the secretive nature of SandCat’s activities, no readily available images directly represent the group.

Additional Notes:

  • Attributing cyberattacks to specific groups like SandCat can be challenging due to the complex nature of cyberspace and the use of sophisticated techniques to mask identities.
  • The full extent of SandCat’s capabilities and target range remains unclear, requiring further investigation and monitoring.
  • SandCat’s activities raise concerns about government-sponsored cyberespionage and potential threats to freedom of expression and digital security in Uzbekistan.

It’s important to stay informed about cyber threats like SandCat and take necessary precautions to protect yourself online. Practicing good cyber hygiene, being vigilant against phishing attempts, and keeping software updated can help mitigate the risks associated with such groups.

Vietnam

  • OceanLotus (APT32)

OceanLotus, also known as APT32, is a cyber espionage group suspected of being affiliated with the Vietnamese Ministry of Public Security (MPS). They’ve been active since at least 2014, targeting various entities considered hostile to Vietnamese interests.

Verticals:

  • Government: Primarily targeting Vietnamese government agencies, foreign diplomatic missions, and dissidents.
  • Critical Infrastructure: Energy, telecommunications, and transportation sectors.
  • Defense Contractors: Stealing military technology and intelligence.
  • Think Tanks and Media Outlets: Gathering information and potentially influencing public opinion.

Campaigns:

  • Watering Hole Attacks (2014-present): Compromising websites frequented by target groups to implant malware on their devices.
  • Operation SeaPea (2017-2018): Attacks against critical infrastructure in Vietnam and Thailand.
  • Operation Hangover (2018): Targeting Israeli government and military organizations.
  • Operation Eximiner (2020): Espionage campaign targeting US defense contractors and intelligence agencies.
  • Supply Chain Attacks (2020-present): Compromising software supply chains to target various industries.

Tools and Malware:

  • OceanLotus Suite: A collection of custom-built malware tools designed for espionage and infiltration.
  • REDLILY: A backdoor capable of remote access, data exfiltration, and command execution.
  • COBALTDUCK: A malware framework used for various attacks, including watering holes and spear phishing.
  • WATERMELON: A tool used for network reconnaissance and data exfiltration.

Additional Notes:

  • OceanLotus is considered a sophisticated and adaptable threat group, constantly developing new techniques and malware to evade detection.
  • The group’s activities raise concerns about government-sponsored cyberespionage and the potential for attacks against critical infrastructure and sensitive information.
  • Attribution of cyberattacks to specific groups like OceanLotus can be complex and not always accurate. The information provided here is based on publicly available sources and may not be exhaustive.

Criminal Actor Groups:

| Group / Focus | Region of Origin | Notable Activities | Potential Affiliations |
|---|---|---|---|
| APT29 (State-Sponsored) | Russia | Cyber espionage, disrupting critical infrastructure, election interference | LuminousMoth (Cyber Mercenaries), Mafiaboy (Cyber Mafia), Operator Aurora (Cyber Mercenaries) |
| APT32 (State-Sponsored) | North Korea | Cyber espionage, disrupting critical infrastructure, manipulating elections | Cobalt Group (RaaS), Nipple (Cyber Mercenaries) |
| Cartel Cybercrime Groups | Latin America | Ransomware attacks, ATM skimming, malware development | FIN7 |
| Cosmic Kittens (State-Sponsored) | Iran | Cyber espionage, disrupting critical infrastructure | Islamic Revolutionary Guard Corps (IRGC) |
| Cyber Mafia Groups | Eastern Europe, Russia | BEC scams, credential stuffing, data exfiltration | Carbanak, Ghotel, Jolly Roger |
| Cyber Mercenaries | Global | Targeted attacks, disinformation campaigns, industrial espionage | LuminousMoth, Nipple, Operator Aurora |
| Cryptocurrency Scammers | Global | Pump-and-dump schemes, phishing attacks, cryptocurrency exchange hacks | Nokta, Pioneer |
| DoppelPaymer (RaaS) | Russia | Developing and selling ransomware tools, targeting various industries | FIN7 (Cartel) |
| Emotet (Malware) | Ukraine, Russia | Distributing malware, phishing attacks, botnet creation | TrickBot (Malware) |
| EvilNum (RaaS) | | Linked to Conti ransomware and targeting various industries | |
| FIN7 (Cartel) | Russia | Specializing in ATM skimming and financial fraud | DoppelPaymer (RaaS) |
| Hydra Market (Dark Web) | Russia | Illegal marketplace for drugs, weapons, and stolen data | DarkSide (RaaS) |
| Indra (RaaS) | Russia | Developing and selling ransomware tools, targeting healthcare institutions | REvil (RaaS) |
| Kaseya (Supply Chain Attack) | United States | Compromising software supply chains, ransomware attacks | REvil (RaaS) |
| Lazarus Group (State-Sponsored) | North Korea | Responsible for major cyberattacks like WannaCry | |
| LockBit (RaaS) | Russia | Developing and selling ransomware tools, targeting various industries | Conti (RaaS) |
| Maze (RaaS) | Russia | Developing and selling ransomware tools, targeting healthcare institutions | REvil (RaaS) |
| Nefilim (RaaS) | Russia | Developing and selling ransomware tools, targeting various industries | Sodinokibi (RaaS) |
| NetWalker (RaaS) | Russia | Developing and selling ransomware tools, targeting critical infrastructure | Egregor (RaaS) |
| Phorpie (State-Sponsored) | Vietnam | Cyber espionage, disrupting critical infrastructure | Vietnamese Military Intelligence |

Major Ransomware Groups Active Today:

The ransomware landscape is constantly evolving, with new groups emerging and older ones adapting their tactics. Here’s a list of some of the most prominent ransomware groups known to be active today:

LockBit:

  • Dominant player: LockBit has consistently been the top ransomware threat for the past two years, responsible for a significant portion of attacks against businesses and individuals.
  • Sophisticated: Utilizes advanced encryption algorithms and double extortion tactics, threatening to leak stolen data if the ransom isn’t paid.
  • Targets: Wide range of victims, including healthcare, education, and critical infrastructure organizations.

BlackCat (AlphV):

  • Rapidly rising: Emerged in late 2021 and quickly gained notoriety for its aggressive tactics and focus on high-profile targets.
  • Technical innovation: Uses the Rust programming language, making it more difficult to detect and analyze.
  • Targets: Critical infrastructure, energy, and manufacturing sectors.

Clop:

  • Established threat: Active since 2017, Clop has a long track record of successful attacks, targeting primarily European organizations.
  • Professional approach: Maintains a leak site and engages in negotiations with victims, suggesting a more organized operation.
  • Targets: Healthcare, finance, and government organizations.

Hive:

  • Ransomware-as-a-Service (RaaS): Operates as a platform that allows other actors to launch ransomware attacks using their tools and infrastructure.
  • Lucrative model: Hive has reportedly earned millions of dollars from its RaaS operations.
  • Targets: Wide range of organizations, with a recent focus on critical infrastructure.

REvil (Sodinokibi):

  • Major player: Was one of the most active and prolific ransomware groups until its alleged shutdown by Russian authorities in 2022.
  • High-profile attacks: Responsible for major attacks against Kaseya and JBS, causing significant disruption and financial losses.
  • Uncertain future: While REvil’s core operation may be disrupted, its code and infrastructure may be used by other groups.

Other notable groups:

  • Conti (disbanded but elements may be active through other groups)
  • BianLian
  • Ryuk
  • Maze (disbanded)
  • Darkside (disbanded)

Article source: https://krypt3ia.wordpress.com/2023/12/13/a-primer-apt-and-criminal-actor-groups-list-their-names-countries-of-origin-goals-agencies-campaigns-and-verticals/