Breach Monitoring

Breach Monitoring Group Feed

Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.

Groups: 554

Victims: 29689

This year: 2565

This month: 19

Fsteam

Victims: 0
Ftcode

FTCode is a ransomware family first observed in 2013 as a PowerShell-based threat and later resurfaced in September 2019 with enhanced capabilities. It is notable for being fileless, executing entirely in memory using PowerShell scripts, which allows it to evade traditional antivirus detection. FTCode is commonly delivered via malicious email campaigns, often using phishing attachments such as Word documents with embedded macros that execute the ransomware script. It encrypts files using the AES algorithm and appends the .FTCODE extension, leaving ransom notes instructing victims to contact the operators via email. Later variants added capabilities such as stealing credentials from browsers and email clients. FTCode campaigns have been observed globally, with a focus on Europe, particularly Italy.

Victims: 0
Fulcrumsec

Victims: 1
Funksec

Funksec, a double extortion ransomware group, emerged in late 2024 and quickly gained notoriety by breaching databases and selling access to 15 government websites within just a month. Claiming to be entirely self-taught and operating without collaboration from other groups, Funksec is a four-member team driven primarily by financial motives. The group leverages AI for specific tasks, such as creating tools and phishing templates, though they emphasize that AI contributes to only about 20% of their operations. Notably, they have developed their own proprietary AI tool, WormGPT, a desktop application built entirely in-house. To enhance their phishing campaigns, Funksec uses premium services like PhishingBox to create customized phishing templates, adding another layer of precision and sophistication to their methods. After the interview, during some casual chit-chat, it came to light that the owner of Funksec was also behind an underground forum called DarkZone, which had been built in collaboration with GhostSec in the past. Source: https://osint10x.com/threat-actor-interview-spotlighting-on-funksec-ransomware-group/

Victims: 204
Fusion

Victims: 0
Gandcrab

GandCrab was a prolific Ransomware-as-a-Service (RaaS) operation active from January 2018 to mid-2019. It quickly became one of the most widespread ransomware families due to its affiliate-based distribution model, where operators provided the ransomware to partners in exchange for a revenue share (reportedly 30–40%). GandCrab used a double-extortion approach in later stages, encrypting files with a combination of Salsa20 and RSA-2048 algorithms and appending extensions that varied by version (e.g., .GDCB, .KRAB, .CRAB). Initial access vectors included phishing emails with malicious attachments, exploit kits (notably RIG and GrandSoft), and remote desktop protocol (RDP) attacks. GandCrab’s operators claimed to have earned over $150 million before publicly announcing their retirement in June 2019, after which decryption keys for all versions were released.

Victims: 0
Gangbang

Victims: 0
Gazprom

Victims: 0
Gd Lockersec

Our team members are from different countries and we are not interested in anything else, we are only interested in dollars. We do not allow CIS, Cuba, North Korea and China to be targeted. Re-attacks are not allowed for target companies that have already made payments. We do not allow non-profit hospitals and some non-profit organizations to be targeted.

Victims: 8
Genesis

Financial interests only. We do not provide or work with affiliate programs, no collaborations either. The requested payment must be made within a specified time frame, otherwise the price may be increased, we will begin to publish the data we have about your company and notify the company's customers and suppliers. Charitable, non-profit, and medical institutions are only hacked if they have reputation gaps known from open sources or discovered in company data. However, this is only data extraction; live support systems are not affected. Data is always destroyed after payment; we do not attack the same company twice. Interesting fact: once, the total amount of claims against a breached company exceeded its entire capitalization. We know how to create trouble, though it is in our mutual interest to avoid it. To make the data leak more valuable, the most important information is published in a separate folder for each company called “parsed” and is also published on darkweb forums.

Victims: 62
Ghost

Also known as Cring / Ghost (Cring). Beginning early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses. Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a

Victims: 0
Global

Now a RaaS by BlackLock ($$$). Global Group is a newly emerged Ransomware-as-a-Service (RaaS) platform that debuted in June 2025 on the Ramp4u cybercrime forum. Marketed as a successor to the Mamona and BlackLock ransomware families, it leverages a Golang-based, cross-platform payload that supports execution on Windows, macOS, and Linux. This group stands out by incorporating AI-driven chatbots to manage victim negotiations, promoting scalability and efficiency—even for affiliates lacking language skills. Within its first weeks of operation, Global Group claimed numerous victims across industries such as healthcare, automotive services, and facilities management, located in the U.S., U.K., Australia, and Brazil.

Victims: 33