LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Threat Intelligence Feed — Active Monitoring

RANSOMWARE
THREAT INTELLIGENCE
GROUPS // CAMPAIGNS // TTPs // VICTIMS

Track active ransomware groups, ongoing campaigns, and emerging tactics. Timely intelligence to help defenders stay ahead of threat actors.

View All Intelligence RSS Feed
$2.1B+ 2025 Ransom Payments
480+ RansomHub Victims
$1.2M Median Settlement
11 days Median Dwell Time
Group Profile LockBit Apr 15, 2026

LockBit 4.0: Resurgence After Operation Cronos

Following the February 2024 law enforcement takedown, LockBit has re-emerged as LockBit 4.0 with hardened infrastructure, a new encryptor, and a reformed affiliate program targeting mid-market enterprises.

Access Report →
Threat Level
8/10
Sectors Targeted
— finance— manufacturing— healthcare— legal
All Reports →
Group Profile Space Bears Jul 10, 2026

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Space Bears is a financially motivated threat group that operates a professional-looking data leak site stylised as a corporate investment firm, targeting organisations across finance, healthcare, and manufacturing. This profile covers their initial access methodology, toolset, targeting pattern, and what distinguishes them from mainstream RaaS operations.

8
Group Profile Underground Jul 9, 2026

Underground Ransomware: Group Profile

Underground ransomware is the extortion arm of RomCom, a Russia-linked threat actor with documented espionage and criminal operations. Active since June 2023, the group has claimed over 50 victims across government, healthcare, and manufacturing, with a distinctive dual mandate that sets it apart from purely criminal ransomware operations.

8
Group Profile Termite Jul 8, 2026

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting

Termite ransomware emerged in late 2024 as a closed, non-RaaS group built on Babuk source code. Its attacks on Blue Yonder and Australian fertility clinic Genea placed it among the highest-impact groups of its size, targeting supply chain vendors and healthcare providers.

8
Intel Report Jul 7, 2026

How Ransomware TTPs Are Evolving in 2026: BYOVD, Supply Chain Credentials, and ESXi Targeting

Ransomware affiliate tradecraft has shifted in H1 2026 toward more reliable EDR bypass techniques, software supply chain access, and direct hypervisor targeting. This intelligence report covers the tactical evolution and what defenders need to adjust.

6
Group Profile Hunters International Jul 6, 2026

Hunters International / World Leaks: From Hive Successor to Pure Extortion

Hunters International emerged in October 2023 as the direct successor to the FBI-disrupted Hive ransomware operation, inheriting its source code and RaaS infrastructure. By 2025, the group pivoted away from encryption entirely to operate as World Leaks — a data theft and extortion operation without ransomware. This profile covers the evolution, TTPs, victim statistics, and current threat posture.

8