Breach Monitoring News Feed
Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.
Testing Purposes Only.
First observed in early January 2020 (initial victim post on January 9, 2020), Ako (also known as MedusaReborn) operates under a Ransomware-as-a-Service (RaaS) model, with daily beta builds reportedly offered for affiliates. It uses a double-extortion approach—encrypting files and exfiltrating data, with subsequent threats to leak the data via a dedicated leak site. Delivery primarily occurs via malspam, often through password-protected ZIP attachments containing malicious .scr executables. After compromise, it deletes shadow copies and disables recovery, then encrypts files—excluding certain extensions—and appends random six-character suffixes, dropping files like ako-readme.txt and id.key. Encryption is carried out using unspecified algorithms, but its behavior aligns closely with MedusaLocker variants. Known targets include networked Windows environments, potentially across multiple sectors. No notably high-profile or geographically specific incidents are detailed.
ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMware ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021. ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network.
Amnesia ransomware was first identified in May 2017, particularly affecting enterprise cloud environments. It does not appear to operate as Ransomware-as-a-Service (RaaS), and there is no public indication of a provider-led affiliate structure. The extortion model is single-stage: primarily file encryption without documented data theft or leak threats. It targets specific file types and resets their modified timestamps. Encrypted files may receive suffixes such as .amnesia, .@decrypt2017, .[Help244@Ya.RU].LOCKED, .CTB-Locker, and several others. Common ransom notes include files named HOW TO RECOVER ENCRYPTED FILES.TXT or RECOVER-FILES.HTML, typically placed in every folder. Executable names associated with its delivery include guide.exe, update.exe, Happier.exe, and bstarb.exe, among others. The encryption algorithm is AES-256, implemented in Delphi, and victims are instructed to contact the attackers via email addresses (e.g., decrypt@india.com). No high-profile incidents or geographic patterns have been publicly attributed to Amnesia.
Antibrok3rs emerged as an access broker (not a ransomware operator itself) linked to the aftermath of the 2023 MOVEit supply-chain exploitation. From November 2024 through early 2025, this actor has posted stolen data from at least 15 energy-sector victims, including U.S. utilities such as CenterPoint Energy, Entergy, Nevada Energy, and Appalachian Power—data likely obtained via the MOVEit breach. While some analysts suspected ties to the Cl0P ransomware collective, Antibrok3rs publicly denied any such affiliation. The extortion model centers on data leakage without accompanying file encryption—a purely leak-based threat. No delivery, encryption, or ransom note behaviors have been observed, nor is there evidence of RaaS activity.
Anubis is a financially motivated cybercrime group primarily known for its banking trojan operations but also linked to ransomware activity targeting corporate networks. First identified in 2016, the group has evolved over time; its ransomware attacks have targeted Windows systems, often deployed after initial compromises by the Anubis banking malware or other access vectors such as phishing, malicious email attachments, or exploitation of unpatched vulnerabilities. The group’s ransomware encrypts files using strong symmetric encryption algorithms, appending distinctive extensions and delivering ransom notes with payment instructions via Tor. Anubis has targeted multiple sectors worldwide, including finance, retail, and government, often combining ransomware with credential theft and data exfiltration to maximize pressure on victims. Its infrastructure and tactics overlap with those of other financially motivated actors, suggesting possible affiliate or shared tool usage within broader cybercriminal ecosystems.
Apos ransomware surfaced in April 2024 and is best characterized as a data-broker or leak-only operation, rather than a traditional file-encryption ransomware. It has not been observed to conduct encryption, but instead focuses on data exfiltration with threats to leak or sell the stolen information. Targets span sectors such as technology, healthcare, manufacturing, business services, telecommunications, and government, with significant victimology in Brazil, the United States, India, France, Paraguay, and Spain. Reporting suggests its activity tapered off after a few incidents, possibly indicating a one-time campaign or short-lived operation. Though some sources list multiple victims, technical details such as encryption algorithms, ransom notes, or extortion pricing are not publicly documented. Apos is sometimes listed among new or industrial-focused threats observed in Q1 2025, but remains poorly defined in public technical intel.
Aptlock surfaced in early 2025 and is characterized by a single-extortion model combined with threats of data leakage. The ransomware encrypts files on Windows systems, appending the extension .aptlock, and then changes the victim’s desktop wallpaper. Victims receive a ransom note named read_me_to_access.txt informing them that their critical company data has been exfiltrated and will be deleted or leaked if they don’t act. They are given 72 hours to initiate contact via Tor-based chat access (using credentials provided in the note), with further warnings issued if no engagement occurs within 5 days. Specific details about intrusion vectors, encryption algorithms used, or known affiliate operators remain undisclosed in public threat intelligence. No reliable evidence links Aptlock to Ransomware-as-a-Service operations or lists any known affiliates.
Arcane first emerged in mid-2021 under the UNC2190 cluster and later rebranded as Sabbath, continuing its operations against critical infrastructure like hospitals, schools, and educational entities. It follows a double-extortion model—encrypting data (using ROLLCOAST/Eruption malware) while also exfiltrating sensitive information and threatening to leak it. Victims have included institutions in the U.S. and Canada across sectors such as healthcare, education, and natural resources. Initial intrusion tactics involved deployment of Cobalt Strike with custom profiles, DLL-based in-memory execution, and signed TLS certificates, plus use of stealthy GET requests ending with “kitten.gif.” Specific encryption algorithms or file extensions have not been publicly confirmed. The group appears to operate in an affiliate-style model but remains under single management rather than a full RaaS platform.
ArcRypt (also known as ARCrypter or ChileLocker) was first identified in August 2022, originally targeting government entities in Latin America and subsequently expanding globally. The group employs a single-extortion model—there is no evidence of a data-leak threat or RaaS ecosystem. The malware encrypts files using extensions such as .crypt, .crYpt, and .crYptA3, and uniquely drops the ransom note before commencing encryption. It has variants for both Windows and Linux, including a Go-based Linux version. Communication with victims occurs via Tor-based portals, evolving over time from a single shared site to individualized mirror sites for each victim. In some cases, threat actors have instructed victims to contact them using Tox, creating a Tox profile for communication. Targets have included Chile’s government infrastructure, Colombia’s Invima agency, and organizations in China and Canada.