Ransomware Intelligence — Groups, TTPs, Victimshttps://ransomware-tracker.pages.dev/en-ushttps://ransomware-tracker.pages.dev/articles/black-basta-group-profile/https://ransomware-tracker.pages.dev/articles/black-basta-group-profile/Black Basta has established itself as one of the most technically capable ransomware operations active in 2025-2026. This profile covers their origins, TTPs, affiliate structure, and the distinctive intrusion patterns that distinguish their campaigns from commodity ransomware operators.Fri, 22 May 2026 00:00:00 GMTgroup-profileBlack Bastablack-bastaransomwareqakbotcobalt-strikedouble-extortionwindowsesxiRaaShttps://ransomware-tracker.pages.dev/articles/lockbit-4-resurgence-2026/https://ransomware-tracker.pages.dev/articles/lockbit-4-resurgence-2026/Following the February 2024 law enforcement takedown, LockBit has re-emerged as LockBit 4.0 with hardened infrastructure, a new encryptor, and a reformed affiliate program targeting mid-market enterprises.Wed, 15 Apr 2026 00:00:00 GMTgroup-profileLockBitLockBitRaaSlaw enforcementencryptorrebrandinghttps://ransomware-tracker.pages.dev/articles/ransomhub-affiliate-model-analysis/https://ransomware-tracker.pages.dev/articles/ransomhub-affiliate-model-analysis/RansomHub has grown into the most active ransomware-as-a-service operation of 2025–2026, displacing ALPHV/BlackCat and LockBit. An analysis of its affiliate structure, victim statistics, and targeting patterns.Thu, 02 Apr 2026 00:00:00 GMTgroup-profileRansomHubRansomHubRaaSaffiliatedata extortionvictim statisticshttps://ransomware-tracker.pages.dev/articles/akira-ransomware-vmware-esxi-targeting/https://ransomware-tracker.pages.dev/articles/akira-ransomware-vmware-esxi-targeting/Akira ransomware actors have refined their VMware ESXi targeting methodology, developing techniques to encrypt entire VM datastores and evade backup-based recovery. Healthcare and manufacturing organizations face elevated risk.Sat, 28 Mar 2026 00:00:00 GMTcampaign-alertAkiraAkiraVMwareESXihypervisorhealthcaremanufacturingvirtualizationhttps://ransomware-tracker.pages.dev/articles/clop-cleo-exploitation-campaign/https://ransomware-tracker.pages.dev/articles/clop-cleo-exploitation-campaign/Cl0p's systematic exploitation of critical vulnerabilities in CLEO Harmony, VLTrader, and LexiCom managed file transfer software has enabled mass data theft across financial services and logistics sectors globally.Fri, 20 Mar 2026 00:00:00 GMTcampaign-alertCl0pCl0pCLEOMFTzero-daysupply chaindata extortionhttps://ransomware-tracker.pages.dev/articles/ransomware-payment-statistics-2026/https://ransomware-tracker.pages.dev/articles/ransomware-payment-statistics-2026/An analysis of ransomware payment data from 2025–2026 covering average demands by sector, negotiation outcomes, payment rate trends, and the growing role of cyber insurance in shaping ransom economics.Tue, 10 Mar 2026 00:00:00 GMTintelligence-reportpayment statisticsransom demandnegotiationcyber insurancetrendshttps://ransomware-tracker.pages.dev/articles/ransomware-initial-access-brokers/https://ransomware-tracker.pages.dev/articles/ransomware-initial-access-brokers/An in-depth look at the Initial Access Broker (IAB) ecosystem — how ransomware groups purchase network access, pricing structures, broker profiles, and what defenders can learn from understanding this market.Wed, 18 Feb 2026 00:00:00 GMTintelligence-reportinitial access brokersIABdark webaccess marketcredential theftsupply chain