Ransomware is defined as a type of malware (malicious software) that encrypts all the data on a PC or mobile device, blocking the data owner’s access to it. After the infection happens, the victim receives a message that tells him/her that a certain amount of money must be paid (usually in Bitcoins) in order to get the decryption key.

Usually, there is also a time limit for the ransom to be paid. There is no guarantee that if the victim pays the ransom, he/she will get the decryption key. The most reliable solution is to back up your data in at least 3 different places (for redundancy) and keep those backups up to date, so you don’t lose important progress.

When ransomware operations started to become the norm, the attackers only had one main goal, and that was to encrypt as many companies’ data as possible and then demand a ransom payment for a decryptor.

But since the beginning of 2020, the ransomware operations began conducting a new tactic – double-extortion.

Double-extortion is happening when ransomware operations are stealing unencrypted files before encrypting a network, by using this tactic the attackers aim to then threaten to publicly release the stolen files on dark web data leak sites if a ransom is not paid.

The victims are being caught between the threat of not recovering their encrypted files and the additional concerns of data breaches, government fines, and lawsuits, and often times decide to pay the ransom, therefore making the attackers stronger.

DarkTracer is a dark web security researcher that has been keeping track of data leak sites.

He followed closely thirty-four ransomware gangs and discovered that they have leaked data belonging to 2,103 organizations.

The list of ransomware gangs followed by DarkTracer contains the following groups, according to Bleeping Computer: Team Snatch, MAZE, Conti, NetWalker, DoppelPaymer, NEMTY, Nefilim, Sekhmet, Pysa, AKO, Sodinokibi (REvil), Ragnar_Locker, Suncrypt, DarkSide, CL0P, Avaddon, LockBit, Mount Locker, Egregor, Ranzy Locker, Pay2Key, Cuba, RansomEXX, Everest, Ragnarok, BABUK LOCKER, Astro Team, LV, File Leaks, Marketo, N3tw0rm, Lorenz, Noname, and XING LOCKER.

Out of the thirty-four operations, the top five active ones are

  • Conti (338 leaks);
  • Sodinokibi/REvil (222 leaks);
  • DoppelPaymer (200 leaks);
  • Avaddon (123 leaks);
  • Pysa (103 leaks).



Even if some of the listed ransomware gangs are no longer in operation, such as NetWalker, Sekhmet, Egregor, Maze, Team Snatch, or have rebranded to a new name, such as NEMTY and AKO, the data-extortion industry is becoming a significant money-maker for ransomware gangs.

Even if it may seem like a good idea to pay a certain ransom in order to prevent a data leak, there is no guarantee that the data in question won’t be released or sold to other threat actors, therefore, you should keep in mind that if your data is stolen, you should treat it as a data breach and be transparent about it to those who are affected, whilst informing the authorities, if that is an option as well.

Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

The analysis in question gives us some insight into the capabilities of the ransomware gangs and puts into perspective a situation that is only getting more complicated and harder to handle from a cybersecurity standpoint.

These Free Ransomware Decryption Tools Are Your Key to Freedom [Updated 2023]

Ransomware-as-a-Service (RaaS) – The Rising Threat to Cybersecurity

Leave a Reply

Your email address will not be published. Required fields are marked *