Breach Monitoring

Breach Monitoring News Feed

Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.

Cuba

Cuba ransomware, active since at least 2019, is a financially motivated threat group operating a double-extortion scheme—encrypting files and exfiltrating data to pressure victims. It has targeted government agencies, healthcare providers, critical infrastructure, financial institutions, and manufacturing firms, primarily in the United States, Canada, and Europe. Distribution often involves the Hancitor (Chanitor) malware loader, phishing campaigns, and exploitation of vulnerabilities in public-facing services such as Microsoft Exchange. Cuba employs RSA and AES encryption, typically appending the .cuba extension to affected files, and drops ransom notes instructing victims to contact the attackers via Tor-based portals. In December 2021, the FBI reported that Cuba ransomware operators had compromised at least 49 entities in U.S. critical infrastructure sectors, stealing data and demanding multimillion-dollar ransoms.

Victims: 105
Cyberex

Victims: 0
Cyclops

Cyclops ransomware first emerged in early 2023 and was rebranded as Knight around mid-2023. It operates as a Ransomware-as-a-Service (RaaS), targeting multiple platforms including Windows, macOS, Linux, and ESXi systems. Written in Go, it uses strong encryption algorithms such as ChaCha20 and Curve25519. Knight includes both a full and a "lite" encryptor, supports batch attacks, hosts a Tor leak site, and offers a web portal for affiliates, positioning itself as a scalable and partner-friendly ransomware operation. Affiliates can manage deployments, track payments, and negotiate with victims through the RaaS platform.

Victims: 7
Cylance

Victims: 0
D0Glun

D0glun is a crypto-ransomware strain first observed in January 2025, believed to be derived from Babuk via an intermediary variant known as Cheng Xilun. It uses AES-256 symmetric encryption and appends extensions such as .@D0glun@ to encrypted filenames. The malware encrypts files rapidly, changes the desktop wallpaper, and drops ransom notes typically named @[email protected], Desktopcxl.txt, or help.exe. The campaign shows signs of shared infrastructure and code reuse with Cheng Xilun, but there is no confirmed evidence of a large-scale or mature operation. Its activity so far suggests it is being tested or deployed by a small group or individual rather than a structured affiliate network.

Victims: 0
D4Rk4Rmy

D4rk4rmy is a data-extortion focused threat actor that emerged in mid-2025, targeting high-profile organizations across sectors like financial services, hospitality, and education. It operates primarily through leak site extortion rather than encryption, listing prominent entities—such as Bridgewater Associates, Magellan Financial, Onex Canada Asset Management, Tsai Capital, Casino de Monte-Carlo, and others—on its Tor-based platform. The group has also hit victims in technology, logistics, and university sectors across multiple continents. Their tactic centers on reputation manipulation and public exposure to pressure victims into negotiations.

Victims: 26
Dagonlocker

Dagon Locker is a double-extortion ransomware family that surfaced around September 2022. It represents an evolution of the MountLocker and Quantum ransomware lines. The group employs strong encryption using ChaCha20 protected by RSA-2048 and appends the .dagoned extension to encrypted files. It provides operators flexibility through command-line options to control encryption behavior, such as skipping logs, deletions, or process termination. Notably, Dagon Locker is frequently distributed via phishing campaigns and as part of Brodin-based initial access chains. It operates under a Ransomware-as-a-Service (RaaS) model, engaging affiliates to launch customized campaigns—particularly targeting organizations in South Korea.

Victims: 0
Daixin

Daixin Team is a ransomware and data extortion group active since at least June 2022, known for targeting the healthcare sector, including hospitals, clinics, and related service providers. The group employs a double-extortion model, exfiltrating sensitive data before encrypting systems, and has leaked protected health information (PHI) to pressure victims. Intrusions often involve exploiting VPN vulnerabilities (notably in Fortinet FortiOS) and using compromised credentials for initial access. The ransomware uses AES for file encryption with RSA to protect the keys, and ransom notes direct victims to a Tor-based portal. The U.S. CISA, FBI, and HHS have issued joint advisories warning of the group's impact on healthcare delivery and patient safety.

Victims: 22
Dan0N

dAn0n is a data-extortion actor that first appeared in April 2024. Operating primarily in a leak-focused extortion model, they publish stolen data on a Tor-hosted site rather than encrypting files. Their victims include organizations across sectors like business services, technology, healthcare, transportation, and legal—all largely based in the United States, with a few in Ireland and South Korea. Activity surged in May 2024, landing them in the top 10 most active ransomware actors that month. Despite limited branding efforts, their smaller operational footprint has allowed for swift, targeted breaches that prioritize rapid data exposure over elaborate cryptographic tactics.

Victims: 31
Dark Power

Dark Power is a ransomware group first observed in January 2023, known for targeting small to mid-sized organizations across education, healthcare, manufacturing, and information technology sectors. The group uses a double-extortion model, encrypting files and threatening to leak exfiltrated data via a Tor-based site if ransom demands are not met. Written in the Nim programming language, Dark Power ransomware appends the .dark_power extension to encrypted files and drops a ransom note named README.txt, giving victims 72 hours to contact them. The note typically demands payment in cryptocurrency and offers to negotiate. Victims have been observed in North America, Asia, and Europe, with attacks often involving exploitation of vulnerable public-facing systems or stolen credentials.

Victims: 10
Dark Shinigami

Victims: 0
Darkangel

Dark Angels is a highly targeted ransomware and data-extortion group that emerged in spring 2022. Rather than using an affiliate-driven model, it orchestrates discreet, high-impact attacks on large organizations—often choosing one Fortune-level victim at a time. The group exfiltrates massive volumes of data (sometimes 10–100 TB), optionally deploys encryption on Windows or ESXi systems, and pressures victims via a Tor-hosted leak platform ("Dunghill Leak"). Their notable incidents include extorting a record $75 million from a Fortune 50 company in 2024 and demanding around $51 million from Johnson Controls. Dark Angels’ operations emphasize stealth and precision over disruption, often avoiding high-profile media exposure and operating with low operational visibility.

Victims: 0