Ransomware is a major threat that costs businesses, corporations, and infrastructure operators billions of dollars every year. Behind this type of threat are experienced ransomware gangs developing and distributing malware that makes the attacks possible.

By now you know that there are plenty of ransomware versions out there. With names such as Vice Society, Agenda, or Redeemer, these strains sound like they belong in hacker movies, right? So, while newcomers may want to get a share of the money, a few ransomware families have established their domination.

Let’s take a quick look at the top 5 most dangerous ransomware groups disrupting the cybersecurity landscape. Here we go!

  1. Clop Ransomware Group
  2. Conti Ransomware Group
  3. DarkSide
  4. Revil aka Sodinokibi
  5. LockBit

Clop Ransomware

For the past three years, Clop has been one of the most active ransomware families. It has gained notoriety for hacking into high-profile companies in many industries around the world, employing multilevel extortion tactics that led to substantial payouts estimated at US$500 million as of November 2021.

The gang was detected in early 2019 and has since been linked to a number of high-profile incidents, like the breach on ExecuPharm in the United States, as well as the data breach at Accellion, where malicious actors abused vulnerabilities in the IT provider’s software to collect data from dozens of its customers, including the University of Colorado.

The Clop ransomware organization was the focus of a three-and-a-half-year global law enforcement operation known as ‘Operation Cyclone’. We reported in November that Ukrainian authorities had arrested members of the Clop ransomware group who were implicated in ransom money laundering.

Conti Ransomware Group

Conti is another well-known ransomware group that has been making headlines since late 2018. It employs the double extortion strategy which involves keeping back the decryption key and threatening to disclose private information if the ransom is not paid.

What makes Conti different from other ransomware gangs is the lack of ethical limitations on its victims. The hacking group carried out multiple cyberattacks in the healthcare and education sectors, demanding millions of dollars in ransom.

In February 2022, Conti targeted an international terminal operator that manages 24 seaports across Europe and Africa. All 24 ports were impacted by the cyberattack, which significantly disrupted business operations.

In April, Conti had also infiltrated the Broward County Public Schools and asked for a $40 million ransom. After the district declined to pay the requested ransom, the gang published stolen information on its website. More recently, following attacks launched by Conti on multiple government agencies, the president of Costa Rica was forced to declare a national emergency.


DarkSide is a ransomware program that functions as a ransomware-as-a-service (RaaS) group. It began attacking organizations worldwide in August 2020 and, like other similar threats used in targeted cyberattacks, DarkSide not only encrypts the victim’s data but also exfiltrates it from the impacted servers. In just nine months of operation, DarkSide gained at least $90 million in Bitcoin ransom payments from 47 distinct wallets.

The hacking group gained around $10 million from that profit attacking chemical distribution organization Brenntag, which paid a $4.4 million ransom, and Colonial Pipeline, which also paid $5 million in cryptocurrency.

REvil aka Sodinokibi

REvil Ransomware, first noticed in April 2019 and operating as a ransomware-as-a-service model, is famous for its attacks on two important organizations: JBS and Kaseya.

Due to the REvil ransomware group, JBS Foods, the biggest meatpacking enterprise worldwide was forced to temporarily shut down its operations and had to pay an estimated $11 million ransom to prevent attackers from publishing their data online.

REvil ransomware was able to encrypt Kaeya’s servers in July 2021, thanks to a Kaseya software vulnerability to SQL injection attacks. This led to a supply chain attack because its customers were affected. As it directly impacted over 1,500 businesses globally, the attack on Kaseya garnered the gang some unwanted attention.

In January 2022, following diplomatic pressure, Russian authorities captured multiple members of the organization and seized assets worth millions of dollars. However, this disruption was just temporary, and the REvil ransomware gang has resumed operations starting April 2022.


LockBit ransomware, one of the most dangerous organizations at this time, was first spotted in September 2019. The group operates as a ransomware-as-a-service (RaaS) by recruiting malicious actors to compromise networks and encrypt devices. It targets companies located in the US, China, India, and Europe.

LockBit 2.0 RaaS was released in June 2021, followed by 3.0 in June 2022. The latest version features new encryptors built on the BlackMatter source code, new payment methods, new extortion strategies, and the first ransomware bug bounty program.

We recently found out that the LockBit ransomware operation took a severe blow after a developer leaked online the builder of their newest ransomware encryptor. The encryptor, codenamed LockBit Black, was officially released in June, after being in tests for two months. Multiple security researchers confirmed that the builder is indeed legitimate.

And, of course, the list continues. If you’re interested in discovering more ransomware strains and more details about them, check out the below related articles and learn more about their operating mode, significant attacks, and prevention measures.

Companies Affected by Ransomware [Updated 2023]

2022 Ransomware Statistics & The Biggest Ransomware Attacks

Ransomware Payouts in Review: Highest Payments, Trends & Stats

How to Mitigate Ransomware?

How to Prevent Ransomware Attacks

LockBit Malware Is Now Used by Evil Corp 

All about Conti Ransomware.

Clop Ransomware: Overview, Operating Mode, and Prevention

DarkSide Ransomware 101

REvil/Sodinokibi Ransomware: Origin, Victims, Prevention Strategies

Leave a Reply

Your email address will not be published. Required fields are marked *