Intelligence Reports

Group profiles, campaign alerts, and strategic intelligence on the ransomware threat landscape.

Filter: All Group Profile Campaign Alert Intel Report
Black Basta LockBit RansomHub Akira Cl0p
Group Profile

Black Basta — The Ransomware Group That Thinks Like a Penetration Tester

Black Basta has established itself as one of the most technically capable ransomware operations active in 2025-2026. This profile covers their origins, TTPs, affiliate structure, and the distinctive intrusion patterns that distinguish their campaigns from commodity ransomware operators.

Black Basta healthcaremanufacturing
Group Profile Featured

LockBit 4.0: Resurgence After Operation Cronos

Following the February 2024 law enforcement takedown, LockBit has re-emerged as LockBit 4.0 with hardened infrastructure, a new encryptor, and a reformed affiliate program targeting mid-market enterprises.

LockBit financemanufacturing
Group Profile

RansomHub: Anatomy of the Dominant RaaS Affiliate Program

RansomHub has grown into the most active ransomware-as-a-service operation of 2025–2026, displacing ALPHV/BlackCat and LockBit. An analysis of its affiliate structure, victim statistics, and targeting patterns.

RansomHub healthcaregovernment
Campaign Alert

Akira Ransomware: VMware ESXi Campaigns Targeting Healthcare and Manufacturing

Akira ransomware actors have refined their VMware ESXi targeting methodology, developing techniques to encrypt entire VM datastores and evade backup-based recovery. Healthcare and manufacturing organizations face elevated risk.

Akira healthcaremanufacturing
Campaign Alert

Cl0p's CLEO MFT Exploitation: Mass Data Theft at Scale

Cl0p's systematic exploitation of critical vulnerabilities in CLEO Harmony, VLTrader, and LexiCom managed file transfer software has enabled mass data theft across financial services and logistics sectors globally.

Cl0p financelogistics
Intel Report

2026 Ransomware Payment Trends: Demands, Negotiations, and Sector Breakdown

An analysis of ransomware payment data from 2025–2026 covering average demands by sector, negotiation outcomes, payment rate trends, and the growing role of cyber insurance in shaping ransom economics.

cross-sector
Intel Report

Initial Access Brokers: The Supply Chain Enabling Ransomware

An in-depth look at the Initial Access Broker (IAB) ecosystem — how ransomware groups purchase network access, pricing structures, broker profiles, and what defenders can learn from understanding this market.

cross-sector