LIVE
LATEST THREAT: DragonForce 2026: Inside the Ransomware Cartel Reshaping the RaaS Ecosystem THREAT ALERT ACTIVE
Threat Intelligence Feed — Active Monitoring

RANSOMWARE
THREAT INTELLIGENCE
GROUPS // CAMPAIGNS // TTPs // VICTIMS

Track active ransomware groups, ongoing campaigns, and emerging tactics. Timely intelligence to help defenders stay ahead of threat actors.

View All Intelligence RSS Feed
$2.1B+ 2025 Ransom Payments
480+ RansomHub Victims
$1.2M Median Settlement
11 days Median Dwell Time
// Featured Intel
Group Profile LockBit Apr 15, 2026

LockBit 4.0: Resurgence After Operation Cronos

Following the February 2024 law enforcement takedown, LockBit has re-emerged as LockBit 4.0 with hardened infrastructure, a new encryptor, and a reformed affiliate program targeting mid-market enterprises.

Access Report →
Threat Level
8/10
Sectors Targeted
— finance— manufacturing— healthcare— legal
// Active Threats
All Reports →
Group Profile DragonForce May 23, 2026

DragonForce 2026: Inside the Ransomware Cartel Reshaping the RaaS Ecosystem

DragonForce has evolved from a single ransomware operation into a self-styled cartel offering infrastructure-as-a-service to other ransomware operators. This profile covers their model, EDR killer tactics, 2026 victim activity, and what security teams need to know.

8
Group Profile Black Basta May 22, 2026

Black Basta — The Ransomware Group That Thinks Like a Penetration Tester

Black Basta has established itself as one of the most technically capable ransomware operations active in 2025-2026. This profile covers their origins, TTPs, affiliate structure, and the distinctive intrusion patterns that distinguish their campaigns from commodity ransomware operators.

8
Group Profile RansomHub Apr 2, 2026

RansomHub: Anatomy of the Dominant RaaS Affiliate Program

RansomHub has grown into the most active ransomware-as-a-service operation of 2025–2026, displacing ALPHV/BlackCat and LockBit. An analysis of its affiliate structure, victim statistics, and targeting patterns.

8
Campaign Alert Akira Mar 28, 2026

Akira Ransomware: VMware ESXi Campaigns Targeting Healthcare and Manufacturing

Akira ransomware actors have refined their VMware ESXi targeting methodology, developing techniques to encrypt entire VM datastores and evade backup-based recovery. Healthcare and manufacturing organizations face elevated risk.

9
Campaign Alert Cl0p Mar 20, 2026

Cl0p's CLEO MFT Exploitation: Mass Data Theft at Scale

Cl0p's systematic exploitation of critical vulnerabilities in CLEO Harmony, VLTrader, and LexiCom managed file transfer software has enabled mass data theft across financial services and logistics sectors globally.

9