Breach Monitoring

Breach Monitoring News Feed

Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.

Deadbydawn

Victims: 0
Deathgrip

DeathGrip is a Ransomware-as-a-Service (RaaS) that emerged around June 2024, offering malware payloads built with leaked LockBit 3.0 and Yashma/Chaos builders. Designed to lower technical barriers, it enables even low-skilled operators to deploy highly capable ransomware attacks. DeathGrip campaigns typically employ AES-256 encryption, delete shadow copies and recovery features, and modify system settings to hinder restoration. Earlier infections include low-tier ransom demands (e.g., around $100), reflecting entry-level targeting, though its flexible tooling allows a range of payload configurations.

Victims: 0
Deathransom

DeathRansom is a ransomware family first seen in the wild in late 2019, initially appearing as a bluff—dropping ransom notes without actually encrypting files. By early 2020, the malware evolved into a functional encryptor, using a hybrid scheme of AES for file encryption and RSA to secure AES keys. Infected systems have files appended with extensions such as .wctc or .zzz depending on the campaign variant. Distribution methods include phishing emails with malicious attachments, cracked software downloads, and malicious spam campaigns. Over time, some DeathRansom operations were linked to STOP/Djvu infrastructure and later incorporated into affiliate-based criminal ecosystems.

Victims: 0
Delta

Victims: 0
Desolated

Victims: 0
Desolator

Victims: 4
Devman

DevMan is a ransomware variant first observed in April 2025. It is a customized derivative of the DragonForce family, leveraging attacker-operated infrastructure for double-extortion, where both data theft and encryption are employed to pressure victims. The threat is highly organized, targeting sectors such as technology, construction, public services, healthcare, and consumer services across Asia, Africa, and Europe.

Victims: 49
Devman2

DevMan 2.0 is the evolved iteration of the DevMan ransomware, first documented in July 2025. It enhances the capabilities of its predecessor with robust double-extortion tactics and operates under a Ransomware-as-a-Service (RaaS) model, offering structured leak and extortion infrastructure. Affiliates and operators are using it across diverse sectors—such as manufacturing, retail, and electronics—targeting organizations in Japan, Germany, and other countries. Demands from initial campaigns range widely, spanning from around $1 million to over $10 million USD.

Victims: 222
Dharma

Dharma is a prolific ransomware family active since at least 2016, evolving from the earlier CrySiS ransomware. It operates under a Ransomware-as-a-Service (RaaS) model, allowing affiliates to deploy customized builds with their own contact emails and extensions. Dharma typically appends encrypted files with patterns like .id-[victimID].[email].dharma or other campaign-specific suffixes. Initial access is often gained through exposed Remote Desktop Protocol (RDP) services secured with weak or stolen credentials, sometimes combined with brute-force attacks. The malware encrypts files using AES with RSA to secure the keys and drops ransom notes in text files and pop-up windows. Numerous variants have emerged over time, each linked to different affiliates, making attribution difficult.

Victims: 0
Diavol

Diavol is a ransomware strain first observed in June 2021, associated with the Wizard Spider threat group—best known for operating the TrickBot malware and the Conti ransomware. It uses a double-extortion model, encrypting victim files and exfiltrating sensitive data for additional leverage. The ransomware is written in C and employs a multi-threaded encryption routine using the ChaCha20 algorithm with RSA-2048 to secure encryption keys. Early variants appended no custom extension to files, relying instead on changing file headers, but later versions began appending extensions. Initial access vectors include exploitation of vulnerable systems and the use of TrickBot or BazarLoader infections as staging points. Victims are directed to a Tor-based negotiation portal through ransom notes.

Victims: 0
Direwolf

Dire Wolf is a recently emerged double-extortion ransomware group that first appeared around May 2025. It operates as both a crypto-ransomware and a data broker, targeting industries such as manufacturing and technology across multiple countries, including the U.S., Thailand, Taiwan, Singapore and Türkiye. Written in Go and delivered as a UPX-packed binary, it uses robust encryption (Curve25519 and ChaCha20) to lock files with a .direwolf extension, while deleting backups, disabling logging, and terminating key services to block recovery. Victims receive highly customized ransom notes containing live-chat credentials and victim-specific portals, indicating a highly professional and targeted approach.

Victims: 71
Dispossessor

Dispossessor, active since August 2023, was a data-extortion ransomware-as-a-service group led by an operator using the moniker "Brain". The group quickly expanded from U.S.-focused attacks to target small and mid-sized organizations globally, across sectors such as healthcare, finance, transportation, education, and manufacturing. Their tactics included exploiting weak passwords and the lack of multifactor authentication to gain access, followed by data exfiltration and staged extortion: victims were contacted via email or phone with links to proof-video platforms, and exposed on Tor-based leak sites if no payment was made. The organizations targeted (approximately 43 identified) were spread across countries including the U.S., Canada, Brazil, India, and Germany. By mid-2024, international law enforcement, including the FBI, the UK National Crime Agency, and German agencies, had successfully dismantled their infrastructure.

Victims: 337