Breach Monitoring Group Feed

Jaff is a ransomware family first discovered in May 2017, notable for its distribution via large-scale spam campaigns operated by the Necurs botnet. These campaigns delivered malicious PDF attachments that contained embedded Word documents with macros, which, when enabled, downloaded the ransomware payload. Jaff encrypts victim files using RSA and AES encryption and appends extensions such as .jaff, .wlu, or .sVn depending on the variant. The ransom note, typically named ReadMe.html or ReadMe.bmp, directs victims to a payment site hosted on the Tor network. The ransomware demands payment in Bitcoin and displays a custom payment portal interface. Jaff was initially believed to be linked to the Locky ransomware operators due to similarities in distribution methods, ransom portal design, and its use of Necurs, though later analysis suggested it was operated by a separate group. Its activity was short-lived, with most campaigns ceasing within weeks of its discovery.

Jigsaw is a ransomware family first observed in April 2016, notorious for its psychological intimidation tactics. It encrypts files using AES encryption and appends various extensions (e.g., .fun, .kkk, .btc) depending on the variant. The ransomware’s ransom note features imagery of the “Billy” puppet from the Saw movie franchise and displays a countdown timer. Jigsaw is unique in that it deletes a portion of the victim’s files every hour until the ransom is paid, escalating the number of deletions over time to increase pressure. The note typically instructs victims to pay in Bitcoin via email communication. The malware is written in .NET, and numerous versions have circulated since its emergence, many of which are decryptable due to coding flaws. Jigsaw has mainly been spread via malicious email attachments and exploit kits. While it had a period of high activity in 2016–2017, most modern antivirus tools can easily detect and block it.

JSWorm is a ransomware family that first appeared in May 2019 and is notable for undergoing multiple rebrands and evolutions, later appearing under names such as Nemty, Nefilim, Offwhite, Fusion, and Milihpen. Initially, it was distributed via malicious spam emails containing JavaScript files, hence the “JS” in its name. Later versions moved to targeted intrusions, leveraging compromised RDP services and vulnerable network appliances for initial access. JSWorm encrypts files using AES-256 encryption with RSA-2048 for key protection and appends campaign-specific extensions (e.g., .JSWORM, .Nemty, .Nephilim). The group adopted a double-extortion model in its later stages, stealing data before encryption and threatening to leak it via Tor-hosted sites. Its victimology spans various sectors worldwide, including manufacturing, energy, healthcare, and professional services. The continuous rebranding suggests an effort to evade detection, disrupt attribution, and maintain pressure on victims.

Karakurt is a financially motivated cybercrime group first publicly identified in June 2021, specializing in data extortion without file encryption. Instead of deploying ransomware to lock systems, Karakurt focuses on gaining access to victim networks, exfiltrating sensitive data, and threatening to leak it on its Tor-based site unless payment is made. The group has targeted victims across North America and Europe in industries including healthcare, manufacturing, education, and professional services. Intrusion methods include phishing, exploitation of vulnerabilities, and purchasing access from initial access brokers. Karakurt’s leak site lists stolen files in stages to pressure victims, sometimes publishing entire data sets if ransoms are not paid. The group is believed to have operational links to the Conti ransomware syndicate, based on shared infrastructure, overlapping victimology, and timing of activity.

Karma is a ransomware group first observed in November 2021, operating a double-extortion model that combines data theft with encryption. The group primarily targets enterprises across various sectors, including healthcare, manufacturing, and technology, with confirmed victims in North America, Europe, and Asia. Karma is believed to be a rebrand or evolution of the FiveHands ransomware, itself derived from the earlier HelloKitty codebase, based on overlaps in encryption methods and ransom portal design. The ransomware appends the .KARMA extension to encrypted files and leaves ransom notes named KARMA-README.txt, directing victims to a Tor-based negotiation site. Initial access is typically obtained through compromised VPN credentials, exploitation of vulnerabilities in public-facing systems, and use of access brokers. Unlike some groups, Karma operators claim to avoid encrypting systems in healthcare emergency services, instead focusing on exfiltration and extortion.

Kasseika is a ransomware variant first publicly reported in January 2024, identified as a new evolution of the BlackMatter/LockBit ransomware codebase. The malware appends the .kasseika extension to encrypted files and uses a double-extortion model, combining file encryption with threats to publish stolen data on a Tor-based leak site. Early analysis revealed that Kasseika shares several traits with LockBit 3.0, including encryption routines, obfuscation methods, and ransom note structure, but with modified branding and negotiation portals. Initial access vectors have not been widely confirmed, though patterns from related ransomware suggest the use of compromised credentials, RDP exploitation, and vulnerabilities in public-facing services. Victims have been observed in North America, Europe, and Asia, spanning industries like manufacturing, logistics, and professional services.

Kelvin Security is a cybercrime group active since at least 2013, primarily known for hacktivism, data breaches, and website defacements rather than traditional ransomware operations. The group has claimed responsibility for intrusions targeting government agencies, educational institutions, and private companies across multiple regions, including Latin America, Europe, and the Middle East. While it has engaged in data theft and leak threats, there is no confirmed evidence that Kelvin Security operates a ransomware encryption component. Instead, their extortion model focuses on stealing sensitive data and threatening public disclosure, often publicizing breaches via social media and underground forums. The group’s activities have been linked to politically motivated campaigns as well as financially motivated breaches. Victim selection appears opportunistic, exploiting vulnerabilities in web servers, poorly configured databases, and exposed credentials.