Live Threat Intelligence

Ransomware Intelligence
Groups, TTPs & Victims

Track active ransomware groups, ongoing campaigns, and emerging tactics. Timely intelligence to help defenders stay ahead of threat actors.

View All Intelligence RSS Feed
Featured
Group Profile LockBit

LockBit 4.0: Resurgence After Operation Cronos

Following the February 2024 law enforcement takedown, LockBit has re-emerged as LockBit 4.0 with hardened infrastructure, a new encryptor, and a reformed affiliate program targeting mid-market enterprises.

Read Report →
$2.1B+
2025 Ransom Payments
480+
RansomHub Victims
$1.2M
Median Settlement
11 days
Median Dwell Time

Latest Intelligence

View all →
Group Profile Black Basta

Black Basta — The Ransomware Group That Thinks Like a Penetration Tester

Black Basta has established itself as one of the most technically capable ransomware operations active in 2025-2026. This profile covers their origins, TTPs, affiliate structure, and the distinctive intrusion patterns that distinguish their campaigns from commodity ransomware operators.
Group Profile RansomHub

RansomHub: Anatomy of the Dominant RaaS Affiliate Program

RansomHub has grown into the most active ransomware-as-a-service operation of 2025–2026, displacing ALPHV/BlackCat and LockBit. An analysis of its affiliate structure, victim statistics, and targeting patterns.
Campaign Alert Akira

Akira Ransomware: VMware ESXi Campaigns Targeting Healthcare and Manufacturing

Akira ransomware actors have refined their VMware ESXi targeting methodology, developing techniques to encrypt entire VM datastores and evade backup-based recovery. Healthcare and manufacturing organizations face elevated risk.
Campaign Alert Cl0p

Cl0p's CLEO MFT Exploitation: Mass Data Theft at Scale

Cl0p's systematic exploitation of critical vulnerabilities in CLEO Harmony, VLTrader, and LexiCom managed file transfer software has enabled mass data theft across financial services and logistics sectors globally.