Breach Monitoring

Breach Monitoring News Feed

Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.

0Apt

Victims: 11
0mega

0mega is a ransomware group first observed in May 2022, operating with a double extortion model:
* Encrypting victim files (adding the .0mega extension)
* Threatening to leak stolen data if ransom demands are not met.
Ransom notes are named DECRYPT-FILES.txt and include victim-specific details and a Tor-based negotiation portal. Unlike typical Ransomware-as-a-Service (RaaS) operations, 0mega appears to work as a closed group, selecting a limited number of high-value targets. The group employs two main tactics:
* Traditional ransomware encryption of on-premise systems.
* Cloud-based extortion: compromising Microsoft 365 Global Administrator accounts, creating unauthorized admin users, and exfiltrating data via SharePoint.
Active period: May 2022 – January 2024

Victims: 7
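The cloud-side tactic attributed to 0mega above (a newly created or promoted Global Administrator followed by bulk SharePoint downloads) is detectable from the Microsoft 365 unified audit log. The following is an added illustration, not 0mega tooling or a Microsoft-supplied query: it runs over a constructed JSON-lines sample, keys on the audit-log shape of "Add member to role." records (Role.DisplayName in ModifiedProperties) and FileDownloaded records, and flags a new Global Admin whose download count exceeds an assumed per-tenant threshold. Field names, the 50-download threshold and the 24-hour window are assumptions to tune locally.

```python
"""Detect a fresh Global Administrator grant followed by a SharePoint
download burst by the new member (added example, constructed data)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

GLOBAL_ADMIN = "Global Administrator"
WINDOW = timedelta(hours=24)      # assumed: downloads this long after the grant count
DOWNLOAD_THRESHOLD = 50           # assumed burst size; tune per tenant


def _constructed_log():
    """Constructed JSON-lines sample: one Global Admin grant, one harmless
    Helpdesk grant, 60 downloads by the new admin and 3 by a normal user."""
    base = datetime(2023, 7, 1, 9, 0, 0)

    def grant(member, role):
        return {"CreationTime": base.isoformat(), "Operation": "Add member to role.",
                "UserId": "admin@contoso.example", "ObjectId": member,
                "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": role}]}

    events = [grant("svc-backup@contoso.example", GLOBAL_ADMIN),
              grant("helpdesk@contoso.example", "Helpdesk Administrator")]
    for i in range(60):
        events.append({"CreationTime": (base + timedelta(minutes=10 + i)).isoformat(),
                       "Operation": "FileDownloaded", "UserId": "svc-backup@contoso.example",
                       "ObjectId": f"https://contoso.sharepoint.example/sites/finance/q{i}.xlsx"})
    for i in range(3):
        events.append({"CreationTime": (base + timedelta(hours=2, minutes=i)).isoformat(),
                       "Operation": "FileDownloaded", "UserId": "alice@contoso.example",
                       "ObjectId": f"https://contoso.sharepoint.example/sites/hr/p{i}.docx"})
    return "\n".join(json.dumps(e) for e in events)


SAMPLE_LOG = _constructed_log()


def parse_events(text):
    """Unified-audit-log export as JSON lines -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def role_grants(events, role=GLOBAL_ADMIN):
    """(time, actor, new member) for every record that adds `role` to a principal."""
    grants = []
    for e in events:
        if e.get("Operation") != "Add member to role.":
            continue
        props = {p.get("Name"): p.get("NewValue") for p in e.get("ModifiedProperties", [])}
        if props.get("Role.DisplayName") == role:
            grants.append((datetime.fromisoformat(e["CreationTime"]), e["UserId"], e["ObjectId"]))
    return grants


def detect(events, threshold=DOWNLOAD_THRESHOLD, window=WINDOW):
    """Alert on every Global Admin grant, and again when the new admin
    downloads at least `threshold` SharePoint files within `window`."""
    downloads = defaultdict(list)
    for e in events:
        if e.get("Operation") == "FileDownloaded":
            downloads[e["UserId"]].append(datetime.fromisoformat(e["CreationTime"]))
    alerts = []
    for when, actor, member in role_grants(events):
        alerts.append({"rule": "new-global-admin", "actor": actor, "member": member,
                       "at": when.isoformat()})
        burst = sum(1 for t in downloads[member] if when <= t <= when + window)
        if burst >= threshold:
            alerts.append({"rule": "new-admin-sharepoint-download-burst",
                           "member": member, "downloads": burst})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The Helpdesk grant and the ordinary user's three downloads produce nothing; the Global Admin grant alone is worth an alert because legitimate grants are rare and should be change-controlled, and the download burst is what turns it into an exfiltration case.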
2023Lock

2023Lock is a ransomware strain first observed in January 2024, believed to be an evolution of the Venus and Zeoticus families and a direct precursor to the later TrinityLock variant. It employs a hybrid encryption method combining XChaCha20 and curve25519xsalsa20poly1305, appending the “.2023lock” extension to encrypted files. Upon infection, it delivers ransom notes in HTML, TXT, and HTA formats containing decryption instructions. Unlike many modern ransomware groups, there is no evidence that 2023Lock engages in double extortion or data exfiltration, operating purely through file encryption to pressure victims into payment. Its codebase and operational patterns strongly align with TrinityLock, which emerged a few months later with more sophisticated extortion tactics.

Victims: 0
3AM

3AM, also known as ThreeAM, is a relatively new ransomware family that emerged in late 2023, initially deployed as a fallback option when LockBit infections failed. Written in Rust for 64-bit systems, it appends the “.threeamtime” extension to encrypted files and tags them with the marker “0x666,” while deleting Volume Shadow Copies to hinder recovery. 3AM operators use a double extortion strategy, combining file encryption with data theft and threats to leak stolen information. More recent campaigns have shown increased sophistication, incorporating email bombing followed by vishing calls to convince victims to grant remote access via Microsoft Quick Assist. Attackers then deploy virtual machines containing backdoors, allowing them to remain undetected while exfiltrating data before attempting to launch the ransomware payload.

Victims: 78
8Base

8Base emerged in early 2022 and rapidly escalated its ransomware operations by mid-2023, positioning itself as a “simple pen tester” while executing a relentless double-extortion scheme: encrypting files using AES-256 CBC mode (appending the “.8base” extension) and threatening to leak stolen data via a Tor-accessible leak site. The group leverages initial access methods such as phishing and SmokeLoader, disables security mechanisms like Volume Shadow Copy and firewalls, and deploys persistence via registry and startup entries. Targeting primarily small and medium-sized organizations across sectors such as manufacturing, finance, IT, and healthcare in regions including the U.S., Brazil, and Europe, 8Base has drawn comparisons to Phobos and RansomHouse for its tactics and ransom-note style. In early 2025, international law enforcement operations disrupted the group, resulting in the arrest of four key actors, seizure of servers, and warnings to hundreds of potential victims.

Victims: 457
A1Project

(Text reproduced from the group's affiliate advertisement.)
The locker is written in C/C++/ASM. It supports all systems starting from Windows 2003, has a separate binary for ESXi, and uses a unified encrypted file format across all systems.
WINDOWS:
• Two encryption modes: patch-based and file header.
• Extensive configuration settings: from ignoring specific paths/extensions to terminating services/processes, unlocking occupied files, working with network shares, and more.
• Arguments available for shutting down Hyper-V virtual machines, deleting backups, network scanning with logged-in user tokens.
• Each build includes an obfuscated PowerShell script.
• Execution is password-protected.
• The locker itself is shellcode for x86/x64; if you have custom execution methods, we can provide the shellcode.
ESXI:
• Encrypts files in patches, with configurable path exclusions. The default configuration is pre-set to avoid disrupting Windows/ESXi/Linux systems.
Our commission is 20% of payouts

Victims: 0
Abrahams_Ax

Abrahams_Ax (Abraham's Ax), first observed in November 2022, is not a Ransomware-as-a-Service (RaaS) operation but a politically motivated hacktivist persona. The group is linked to the Iranian-associated threat actor COBALT SAPLING, which previously operated as Moses Staff. Rather than encrypting files, it pressures targets by stealing sensitive data and threatening to leak it. Infrastructure, visual branding, and operational patterns strongly resemble those of Moses Staff, suggesting a shared origin. Its most notable incident was the claimed breach of the Saudi Arabian Ministry of Interior, where data said to be stolen was published alongside propaganda content. The group's targeting appears to align with Middle Eastern geopolitical interests, particularly against Israeli- and Saudi-linked entities. No encryption methods or file extensions are publicly documented, as encryption is not part of its operations.

Victims: 0
Abyss-Data

Abyss-Data, also known as Abyss Locker, is a ransomware operation first identified around March 2023. It conducts double extortion by exfiltrating data and encrypting systems, with particular emphasis on VMware ESXi virtual environments, then threatens to leak the stolen data via a Tor-based leak site if ransom demands are not met. The group's Linux variant derives from the Babuk ransomware source code, with encryption resembling HelloKitty and ChaCha-based ciphers. On Windows, Abyss Locker encrypts files (typically appending ".abyss" or randomized extensions), deletes Volume Shadow Copies, manipulates the boot policy to disable recovery, and delivers ransom notes (e.g., WhatHappened.txt), often replacing the desktop wallpaper as part of its extortion tactics. Its campaigns have targeted diverse industries (finance, healthcare, manufacturing, technology) across multiple regions, with victim lists prominently featuring organizations in North America.

Victims: 87
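Three of the entries above share the same pre-encryption footprint: 3AM deletes Volume Shadow Copies, 8Base disables shadow copies and the firewall and adds registry/startup persistence, and Abyss Locker deletes shadow copies and changes the boot policy to block recovery. All of those land in process-creation telemetry. The block below is an added example, not any group's code: it runs a small rule set over constructed Sysmon Event ID 1-style records (the Computer, UtcTime, Image and CommandLine fields are assumed to be present as in a typical Sysmon export), then correlates hits per host so that one `vssadmin` call from a backup job stays a hit while the combination within 30 minutes becomes an alert. The patterns cover the common command lines for each technique, not every possible variant.

```python
"""Process-creation rules for shadow-copy deletion, recovery/boot-policy
tampering, firewall disablement and Run-key persistence, plus per-host
correlation (added example, constructed Sysmon-style data)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One (name, pattern) per technique; several patterns may share a name.
RULES = [
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy-deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow-copy-deletion", re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I)),
    ("backup-catalog-deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery-disabled", re.compile(
        r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("firewall-disabled", re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("run-key-persistence", re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run(Once)?\b", re.I)),
]


def _constructed_log():
    """Constructed Sysmon Event ID 1-style records as JSON lines."""
    def ev(host, minute, image, cmd):
        return {"EventID": 1, "Computer": host, "Image": image, "CommandLine": cmd,
                "UtcTime": (datetime(2024, 3, 5, 10, 0) + timedelta(minutes=minute)).isoformat()}
    events = [
        # WS01: the full pre-encryption sequence
        ev("WS01", 0, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
        ev("WS01", 1, r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
        ev("WS01", 1, r"C:\Windows\System32\bcdedit.exe",
           "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
        ev("WS01", 2, r"C:\Windows\System32\netsh.exe", "netsh advfirewall set allprofiles state off"),
        ev("WS01", 3, r"C:\Windows\System32\reg.exe",
           r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d C:\Users\Public\svc.exe'),
        # WS02: benign administration that must not fire
        ev("WS02", 0, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
        ev("WS02", 1, r"C:\Windows\System32\netsh.exe", "netsh advfirewall show allprofiles"),
        # WS03: a single technique, worth a hit but not a correlated alert
        ev("WS03", 0, r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ]
    return "\n".join(json.dumps(e) for e in events)


SAMPLE_LOG = _constructed_log()


def parse(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(cmdline):
    """Names of every rule whose pattern matches the command line."""
    return {name for name, rx in RULES if rx.search(cmdline)}


def scan(events):
    """One hit per (event, rule) pair, in log order."""
    hits = []
    for e in events:
        for rule in sorted(classify(e.get("CommandLine", ""))):
            hits.append({"host": e["Computer"], "time": e["UtcTime"], "rule": rule,
                         "cmd": e["CommandLine"]})
    return hits


def correlate(hits, window=timedelta(minutes=30), min_rules=2):
    """One alert per host when at least `min_rules` distinct techniques fire
    within `window` of each other."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = []
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["time"])          # ISO timestamps sort lexically
        for i, first in enumerate(hs):
            t0 = datetime.fromisoformat(first["time"])
            rules = {h["rule"] for h in hs[i:]
                     if datetime.fromisoformat(h["time"]) - t0 <= window}
            if len(rules) >= min_rules:
                alerts.append({"host": host, "start": first["time"], "rules": sorted(rules)})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(scan(parse(SAMPLE_LOG))):
        print(alert)
```

On real telemetry the single-technique hits (WS03 here) are still worth keeping as low-severity events, since a lone `wmic shadowcopy delete` is rarely legitimate on a workstation; the correlation exists to separate a backup agent's `vssadmin` from an intrusion that is preparing to encrypt.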
AdminLocker

AdminLocker was first observed around December 2021 and appears to be a lone operator or small group, with no clear Ransomware-as-a-Service (RaaS) model reported. It uses single-extortion tactics—encrypting files without publicly documented data exfiltration—primarily targeting enterprise and personal systems via methods such as malicious email attachments, cracked software installers, P2P downloads, and malvertising. The ransomware employs symmetric and asymmetric encryption (likely AES combined with RSA) to lock files, appending extensions such as .admin1, .admin2, .admin3, .1admin, .2admin, and .3admin; victims receive a “!!!Recovery File.txt” ransom note with instructions to pay via Tor and Bitcoin. Notable for its multiple simultaneous variants with varied extensions, it reportedly allows victims to decrypt up to five small files as “proof” before demanding ransom. No high-profile sector- or region-specific campaigns are publicly documented.

Victims: 0
Agl0Bgvycg

This ransomware group (stylized as aGl0bGVyCg, which is the Base64 encoding of "hitler" followed by a newline, matching its domain name) has extremely limited publicly available information. No confirmed active period is documented, nor is there evidence of whether it operates as a RaaS (Ransomware-as-a-Service). Similarly, there is no known data about its extortion type (single or double), preferred targets, intrusion methods, encryption techniques, file extensions, or ransom note behavior. The only identifiable detail is the blog URL hitleransomware.cf, which appears to serve as its public-facing leak or command-and-control site. Overall, public threat intelligence remains too sparse to draw even basic conclusions beyond the existence of the blog site.

Victims: 0
AiLock

AiLock is a Ransomware-as-a-Service (RaaS) group first identified in March 2025. It employs a double-extortion approach—encrypting files and threatening to report breaches to regulators or share stolen data with competitors if the ransom isn’t paid. Victims have just 72 hours to respond and up to five days to pay; failure to pay results in data leaks and destruction of recovery tools. The ransomware appends the extension .AiLock to encrypted files, changes file icons to a green padlock with the “AiLock” name, and replaces the desktop wallpaper with a distinctive robot-skull logo. It employs a hybrid encryption scheme, combining ChaCha20 for file encryption with NTRUEncrypt for securing metadata, and uses a multi-threaded design (path-traversal and encryption threads with IOCP) for efficiency. While active campaigns and leak sites are confirmed, specific sectors, regions, and intrusion methods remain undisclosed in public sources.

Victims: 0
Akira

Akira is a ransomware group first observed in March 2023, targeting both Windows and Linux environments, with a particular focus on corporate networks and VMware ESXi servers. The group employs a double extortion model, stealing sensitive data before encrypting systems and threatening to leak it on a Tor-based leak site if ransom demands are not met. Akira typically gains initial access through exploitation of unpatched VPN services, compromised RDP credentials, phishing, or abuse of legitimate remote administration tools. Its Windows variant uses the Windows CryptoAPI to encrypt files, appending the “.akira” extension while skipping critical system folders to maintain system stability. Ransom demands have ranged from $200,000 to over $4 million, typically requested in Bitcoin, and the group has been linked to high-profile incidents affecting education, manufacturing, and healthcare sectors. Akira appears to operate independently rather than as a Ransomware-as-a-Service, and continues to evolve, with recent variants improving encryption speed and evasion techniques.

Victims: 1185