
Targeted victims: LockBit targeted thousands of victims worldwide in its heyday, including government services, private sector companies, and critical infrastructure providers.
Attribution: LockBit’s use of Russian-language forums and its targeting patterns have led many analysts to conclude the group is based in Russia. Russian national Dmitry Yuryevich Khoroshev, named by Western law enforcement agencies in May 2024 as the developer and administrator of LockBit, faces a US indictment alongside asset freezes and travel bans. Two further Russian nationals have been indicted for deploying LockBit ransomware against targeted organizations.
Lynx
History: Lynx shares roughly 48% of its source code with the earlier INC ransomware, which points to a rebrand or an evolution of the same threat actor rather than an entirely new operation.
How it works: Lynx also runs a RaaS operation and employs double extortion. After gaining access, the ransomware steals sensitive information and then encrypts the victim’s data, locking them out. It appends the ‘.lynx’ extension to encrypted files and, to hinder recovery, deletes local backups such as Volume Shadow Copies.
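The two behaviours described above (backup destruction and mass renaming to a ransomware extension) are what a detection engineer would hunt for on endpoint telemetry. The following is an added example, not code from the article or from any vendor named on this page. It runs over constructed, simplified process-creation and file-rename records; the shadow-copy deletion commands it matches (vssadmin, wmic, wbadmin, WMI via PowerShell) are the generic ones seen across ransomware families, and the page does not state which of them Lynx itself uses, so treat them as an assumption rather than a Lynx indicator.

```python
"""Hunt constructed endpoint records for shadow-copy deletion and mass .lynx renames.

Added example; the log format ("host|user|image|commandline") and all sample
records are constructed here and are not real telemetry.
"""
import re
from collections import Counter

# Constructed process-creation records (assumption: not real Sysmon/4688 data).
SAMPLE_LOGS = [
    "ws01|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "ws01|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "ws02|CORP\\backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
    "ws03|CORP\\asmith|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
    "ws01|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
]

# Generic backup-destruction command patterns (assumption: common across families,
# not specific to Lynx). "vssadmin list shadows" is legitimate and must not match.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"Get-WmiObject\s+Win32_ShadowCopy.*\.Delete\(\)", re.I),
]


def parse_line(line):
    """Split one constructed record into its four fields."""
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def find_shadow_copy_deletions(lines):
    """Return (host, user, commandline) for every record that deletes shadow copies."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if any(p.search(ev["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
            hits.append((ev["host"], ev["user"], ev["cmdline"]))
    return hits


# Constructed file-rename events as (host, new_path); one host shows mass renaming.
RENAME_EVENTS = [
    ("ws01", r"C:\Users\jdoe\Documents\Q3-forecast.xlsx.lynx"),
    ("ws01", r"C:\Users\jdoe\Documents\board-minutes.docx.lynx"),
    ("ws01", r"C:\Shares\finance\payroll.accdb.lynx"),
    ("ws01", r"C:\Shares\finance\invoices.pdf.lynx"),
    ("ws02", r"C:\Users\backup\notes.txt.lynx"),
    ("ws03", r"C:\Users\asmith\Desktop\report.docx"),
]


def hosts_with_mass_rename(events, extension=".lynx", threshold=3):
    """Return {host: count} for hosts that renamed at least `threshold` files to `extension`.

    A single renamed file can be a false positive (a user opening a sample); a
    burst on one host is the signal worth alerting on.
    """
    counts = Counter(host for host, path in events if path.lower().endswith(extension))
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, user, cmd in find_shadow_copy_deletions(SAMPLE_LOGS):
        print(f"[backup destruction] {host} {user}: {cmd}")
    for host, n in hosts_with_mass_rename(RENAME_EVENTS).items():
        print(f"[mass rename] {host}: {n} files now carry .lynx")
```

Correlating the two signals on the same host (here ws01) is what turns two noisy single-event alerts into a high-confidence ransomware detection; either one alone is weaker, because administrators do occasionally clear shadow copies and users do occasionally rename files.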
Targeted victims: Since emerging, the ransomware has actively targeted several US and UK industries, including retail, real estate, architecture, financial services, and environmental services. The group behind Lynx attacked multiple facilities across the US between July 2024 and November 2024, including organizations in the energy, oil, and gas sector, according to Palo Alto Networks’ Unit 42 threat intelligence group. “According to a statement Lynx released in July 2024, they claim to be ‘ethical’ with regards to choosing victims,” Rapid7’s Beek adds.
Attribution: Lynx operates under a RaaS model, so it is likely deployed by multiple affiliates rather than a single entity.
Medusa
History: Medusa is a ransomware-as-a-service operation that debuted in 2022.
How it works: The group typically gains initial access by exploiting vulnerabilities in public-facing assets, through phishing emails, or by buying access from initial access brokers.
Targeted victims: Cybercriminals behind Medusa have targeted healthcare, education, manufacturing, and retail organizations in the US, Europe, and India.
Attribution: Activity on Russian-language cybercrime forums related to Medusa suggests the core group and many of its affiliates may be from Russia or neighboring countries, but this remains unconfirmed.
Play
History: Play is a ransomware threat that emerged in June 2022. The group intensified its activities following the disruption of other major threat actors.
How it works: Attackers typically encrypt systems after exfiltrating sensitive data. Play keeps a fairly low profile on the dark web aside from its leak site, not advertising itself on dark web forums. “It has even claimed not to be an RaaS gang at all, saying it maintains a ‘closed group to guarantee the secrecy of deals,’ in spite of evidence to the contrary,” Searchlight Cyber’s Donovan explains.
Targeted victims: The group has targeted various sectors, including healthcare, telecommunications, finance, and government services.
Attribution: Play may have connections to North Korean state-aligned APT groups.
In October 2024, security researchers at Palo Alto Networks’ Unit 42 published evidence that a North Korea-backed threat actor, specifically APT45, had deployed Play ransomware. “The link between this threat actor and Play is unclear, but demonstrates the potential for crossover between state-sponsored cyber activity and ostensibly independent cybercrime networks,” Donovan says.
Qilin
History: Qilin, also known as Agenda, is a suspected Russia-based RaaS group that has been operating since May 2022.
How it works: The group targets Windows and Linux systems, including VMware ESXi servers, using ransomware variants written in Golang and Rust. Qilin follows a double extortion model — encrypting victims’ files and threatening to leak stolen data if the ransom is not paid.
Targeted victims: Qilin recruits affiliates on underground forums and prohibits attacks on organizations in the Commonwealth of Independent States (CIS), the post-Soviet states around Russia.
Qilin posted looted data from 697 victims in the second half of 2025, a five-fold year-on-year increase, according to research by Searchlight Cyber. Security researchers attribute the surge to an aggressive affiliate recruitment effort and to partnerships with initial access brokers that supply stolen VPN credentials.
Attribution: The makeup of Qilin remains unknown but a Russian-speaking organized cybercrime operation is strongly suspected.
RansomHub
History: RansomHub emerged in February 2024 and quickly became a major cyber threat. The group, initially known as Cyclops and later Knight, rebranded and expanded its operations by recruiting affiliates from other disrupted ransomware groups such as LockBit and ALPHV/BlackCat.
How it works: Once inside a network, RansomHub affiliates exfiltrate data and deploy encryption tools, often abusing legitimate administrative utilities to carry out their activity. RansomHub operates an “affiliate-friendly” RaaS model: it initially took a fixed 10% cut from affiliates who attacked using its ransomware, and let affiliates collect ransom payments directly from victims before paying the core group its share. “These elements make it an attractive option for affiliates that are looking for a guaranteed return, where other RaaS operations have been unreliable in paying out in the past,” Searchlight Cyber’s Donovan says.
Targeted victims: RansomHub has been linked to more than 210 victims across various critical sectors, including healthcare, finance, government services, and critical infrastructure in Europe and North America, according to Rapid7.
Attribution: Attribution remains unconfirmed but circumstantial evidence points toward an organized Russian-speaking cybercrime operation with ties to other established ransomware threat actors.
Scattered Lapsus$ Hunters
History: The previously separate cybercrime groups Scattered Spider, LAPSUS$, and ShinyHunters formed a loose alliance in August 2025 to run extortion and ransomware attacks against large enterprises. Having earlier worked as affiliates for ALPHV/BlackCat and others, the collective broke away and developed its own platform and methodology.
How it works: Scattered Lapsus$ Hunters is noted for its expertise in social engineering, in particular impersonating employees to IT help desks to obtain credentials or password and MFA resets, among other tactics. The combined group pairs financial extortion via data leaks with ransomware. Its leak site was seized by law enforcement in October 2025, but this may well not be the last we hear of the cybercrime supergroup.
Targeted victims: The collective ran a major campaign against Salesforce customer data in August and October 2025 that exposed data from dozens of companies, including Toyota, FedEx, and Disney.
Attribution: Security researchers characterize Scattered Lapsus$ Hunters as a loose alliance rather than a single cohesive group. Suspected members of the group remain publicly unidentified as of late February 2026.