Breach Monitoring

Breach Monitoring News Feed

Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.

Good Day

Good Day is a ransomware variant within the ARCrypter family, first observed in May 2023. It drew attention for its low-profile extortion model and custom branding: victims are greeted with a "Good day" message when they land on their individualized Tor-based victim portals. The malware is typically delivered through phishing campaigns that disguise the payload as a legitimate Windows update. Its encryption workflow includes deleting volume shadow copies to hinder recovery and process evasion mechanisms. Notably, Good Day has been linked to the Cloak ransomware group through shared data leak infrastructure and overlapping leak portal behaviors.
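The shadow-copy deletion mentioned above is the most reliably detectable step of that workflow, because it shows up in process-creation telemetry before any file is encrypted. The following detector is an added example written for this page; it is not code from the Good Day malware or from any vendor. It matches the generic command forms used to destroy Windows recovery data (vssadmin, wmic, PowerShell Win32_ShadowCopy, wbadmin, bcdedit), normalizes cmd.exe caret escapes so `vss^admin` does not slip past, and escalates hosts that run more than one such command. The event records and field names (`host`, `user`, `command_line`) are constructed for illustration and are not telemetry from any real intrusion.

```python
"""Flag shadow-copy and recovery-inhibition commands in process-creation events.

Added example. The SAMPLE_EVENTS below are constructed, not real telemetry, and
the command forms matched are the generic ways Windows recovery data is
destroyed (MITRE ATT&CK T1490), not command lines attributed to Good Day.
"""
import re
from dataclasses import dataclass

# (rule name, regex). Case-insensitive; applied to a normalized command line.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*(?:\.delete\(|remove-(?:wmiobject|ciminstance))", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup|backup)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    command_line: str  # original, un-normalized command line for the analyst


def normalize(command_line: str) -> str:
    """Undo cheap cmd.exe obfuscation before matching.

    cmd.exe drops '^' outside quotes and accepts quoted program paths, so
    'vss^admin dele^te shadows' and '"vssadmin.exe" delete shadows' both run.
    """
    stripped = command_line.replace("^", "").replace('"', "")
    return re.sub(r"\s+", " ", stripped).strip()


def scan(events):
    """Return one Finding per (event, rule) match. Benign 'list shadows' does not match."""
    findings = []
    for ev in events:
        cmd = normalize(ev.get("command_line", ""))
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(ev["host"], name, ev["command_line"]))
    return findings


def hosts_at_risk(findings, min_rules=2):
    """Hosts where at least `min_rules` distinct recovery-tampering rules fired.

    A single hit may be an administrator; several different ones in sequence
    look like a ransomware pre-encryption routine.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


# Constructed sample events (hostnames, users and command lines are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\backupsvc", "command_line": "vssadmin.exe list shadows"},
    {"host": "WS01", "user": "CORP\\jdoe", "command_line": 'cmd.exe /c "vssadmin.exe" delete shadows /all /quiet'},
    {"host": "WS01", "user": "CORP\\jdoe", "command_line": "wmic.exe shadowcopy delete /nointeractive"},
    {"host": "WS01", "user": "CORP\\jdoe", "command_line":
        'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"host": "WS02", "user": "CORP\\admin", "command_line": "cmd.exe /c vss^admin dele^te shadows /all /quiet"},
    {"host": "WS03", "user": "CORP\\admin", "command_line": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "WS03", "user": "CORP\\admin", "command_line": "notepad.exe C:\\Users\\admin\\notes.txt"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host}  {f.rule:36s}  {f.command_line}")
    print("hosts at risk:", hosts_at_risk(results))
```

Run against the constructed events, the benign `vssadmin list shadows` and the notepad launch produce nothing, the caret-obfuscated command on WS02 is still caught, and only WS01 (three distinct rules) is escalated by `hosts_at_risk`. In production the same rules would be applied to Sysmon Event ID 1 or Windows Security 4688 command-line fields, with the escalation window bounded in time.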

Victims: 0

Grep

Victims: 0

Grief

Grief, also known as PayOrGrief, is a ransomware group that emerged in May 2021 and is widely believed to be operated by actors linked to the Evil Corp cybercrime syndicate. It has been described as a Ransomware-as-a-Service (RaaS) platform and uses a double-extortion strategy: encrypting files while threatening to leak stolen data via its Tor-based leak site. Grief's payload uses hybrid encryption (commonly reported as RSA-2048 with AES-256) and typically appends the .grief extension to files. The group has targeted organizations across government, finance, education, and manufacturing, with a focus on U.S. and European entities. Grief shows infrastructure and code overlaps with the earlier DoppelPaymer ransomware and uses phishing emails, malicious attachments, and compromised RDP credentials for intrusion. Because of its ties to Evil Corp, which the U.S. Treasury's OFAC sanctioned in December 2019, ransom payments to Grief carry sanctions risk for victims in the U.S.

Victims: 0

Grinch

Victims: 0

Groove

Groove was a short-lived ransomware group and cybercrime gang that emerged in August 2021 and became notable for its aggressive, publicity-driven tactics. Unlike traditional Ransomware-as-a-Service (RaaS) groups, Groove functioned as a loose criminal collective, urging other threat actors to join forces in attacking U.S. entities, particularly in the government and financial sectors. The group ran a Tor-based leak site where it published stolen data, but its operators claimed to be more interested in building an "underground alliance" than in deploying ransomware themselves. Analysts noted overlaps between Groove and actors behind Babuk and BlackMatter, as well as forum personas known for data theft operations. By early 2022, Groove's activity had largely ceased, and some analysts suggested the group had been either a short-term recruitment campaign or a misinformation effort.

Victims: 13

Gunra

Gunra is an emerging ransomware group first identified in April 2025. It employs a classic double-extortion model—encrypting sensitive data and exfiltrating it for publication via a Tor-hosted leak site. Since its emergence, Gunra has struck a diverse set of global targets—reportedly spanning sectors like manufacturing, healthcare, IT, real estate, agriculture, and consulting in countries including Brazil, Japan, Canada, Turkey, South Korea, Taiwan, Egypt, and the U.S.

Victims: 21

Gwisin

Gwisin is a ransomware group that conducts targeted attacks, first publicly reported in July 2022 and believed to operate primarily within South Korea. The group's name means "ghost" in Korean, reflecting its stealthy approach. Gwisin has been observed attacking critical sectors, including healthcare, pharmaceutical, and manufacturing industries. It uses custom-built payloads tailored to each victim, capable of encrypting both Windows and Linux/VMware ESXi environments, and often times attacks for national holidays to maximize operational disruption. Gwisin employs a double-extortion model, exfiltrating sensitive data before encryption, and communicates with victims through Korean-language ransom notes. Initial access vectors are not fully confirmed in open-source reporting, but suspected methods include exploiting vulnerable VPN appliances and using stolen administrative credentials. The group is known for extensive pre-encryption reconnaissance to identify high-value systems and backups.

Victims: 0

Hades

Hades is a ransomware group first observed in December 2020, believed by several threat intelligence firms to be operated by, or closely linked to, the Evil Corp cybercrime syndicate. The group has primarily targeted large enterprises in the United States, Canada, and Germany, conducting big-game hunting operations. Hades is not known to operate as an open Ransomware-as-a-Service (RaaS) platform; instead, attacks appear to be conducted by the core operators. It uses a double-extortion model, encrypting systems and threatening to leak stolen data via a Tor-based portal. The ransomware payload is typically deployed after extensive network reconnaissance and lateral movement, often through compromised VPN credentials and exploitation of exposed services. Encrypted files are appended with the .hades extension, and ransom notes direct victims to unique Tor portals for negotiation. Notable sectors affected include manufacturing, transportation, and consumer goods.

Victims: 0

Handala

Handala (also known as Handala Hack Team, Hatef, Hamsa) is a pro-Palestinian hacktivist group first observed in December 2023. Its operations are politically motivated cyber campaigns against Israeli entities and organizations associated with Israel worldwide. Handala employs destructive tactics, primarily multi-stage wiper malware that affects both Windows and Linux systems, alongside data theft and public exposure through leak sites. The group is also known for phishing campaigns that masquerade as legitimate alerts (for example, spoofing CrowdStrike), followed by disabling defenses, injection via AutoIt or Delphi loaders, and deployment of the destructive payload.

Victims: 148

Haron

Haron is a ransomware group that emerged in July 2021 and is believed to share operational similarities with the Avaddon ransomware, which shut down the month prior. Haron uses a double-extortion model—encrypting victims’ data and threatening to publish stolen files on a Tor-based leak site. The ransomware is written in C# and uses the Salsa20 encryption algorithm with RSA-1024 for key protection. File extensions are typically not changed during encryption, but ransom notes named HOW TO RESTORE YOUR FILES.txt are dropped across affected systems. Initial access methods are not comprehensively documented in public sources but may include phishing campaigns and exploitation of exposed RDP services. Haron’s leak site and negotiation structure closely resemble Avaddon’s, suggesting either code reuse or a shared affiliate network.

Victims: 0

HellCat

HellCat is a relatively recent ransomware group first observed in late 2024, known for its data-theft and extortion campaigns targeting high-profile organizations. It operates a double-extortion model, exfiltrating sensitive information and threatening to publish it on its Tor-based leak site if ransom demands are not met. The group has been linked to multiple significant breaches, including incidents involving Schneider Electric and Capgemini, where large volumes of corporate data were allegedly stolen. HellCat’s payloads and leak infrastructure suggest a custom-built platform rather than a widely shared RaaS, and some incidents have involved only data exposure without confirmed encryption events. The group has drawn attention for recruiting or collaborating with high-profile threat actors, including the persona “Grep,” who acts as a public representative in some extortion cases.

Victims: 27

Helldown

Helldown is an emerging ransomware group first identified in August 2024, known for its fast-evolving, cross-platform capabilities. It exploits critical vulnerabilities for initial access, most notably CVE-2024-42057 in Zyxel firewalls, and its tooling shows a modular design with anti-detection mechanisms. Helldown targets both Windows and Linux environments, including VMware ESXi hosts. It employs a double-extortion strategy: encrypting files with randomized extensions via executables such as hellenc.exe, and threatening victims with data dump releases via its Tor-hosted leak site.

Victims: 32