EXPOSING YOUR RANSOMWARE ADVERSARIES

Threat Actor Index: Knowledge is Power

Welcome to the Halcyon Ransomware Threat Actor Index, a comprehensive catalog of the most prominent threat actors and ransomware families that sheds light on the ransomware ecosystem. Discover their tactics, techniques, procedures and targeted industries. Make informed decisions and stay resilient in the face of ransomware.
THREAT ACTOR:

SafePay

EMERGENCE DATE:
September 2024
CATEGORIZATION:
Independent Ransomware Operation
THREAT LEVEL:
7.9
OVERVIEW DESCRIPTION:

SafePay ransomware emerged in September-October 2024 as a sophisticated threat actor operating an independent ransomware operation that rapidly ascended to become the most active group globally by May 2025. The group employs double extortion tactics, leveraging modified LockBit source code while maintaining aggressive operational tempo with consistent 24-hour encryption timelines.

THREAT ACTOR:

Qilin

EMERGENCE DATE:
July 2022
CATEGORIZATION:
Ransomware-as-a-Service
THREAT LEVEL:
7.3
OVERVIEW DESCRIPTION:

Qilin emerged in July 2022 as a Ransomware-as-a-Service (RaaS) operation, initially branded as Agenda before rebranding in September 2022. Operating through a mature affiliate model, the group provides advanced ransomware tools and infrastructure while employing double extortion tactics that combine data encryption with threats to leak stolen information on their dark web leak site.

THREAT ACTOR:

8Base

EMERGENCE DATE:
March 2022
CATEGORIZATION:
Ransomware-as-a-Service
THREAT LEVEL:
7.2
OVERVIEW DESCRIPTION:

8Base emerged as a prominent data extortion operation in late 2022, establishing itself as the largest known affiliate within the Phobos ransomware ecosystem. The group demonstrated sophisticated customization capabilities while maintaining independent branding and operational control. Operations targeted small to medium enterprises across multiple sectors through systematic vulnerability exploitation and data theft campaigns.

THREAT ACTOR:

BianLian

EMERGENCE DATE:
June 2022
CATEGORIZATION:
Data Extortion Operation
THREAT LEVEL:
6.5
OVERVIEW DESCRIPTION:

BianLian emerged in June 2022 and, at one time, was one of the most active ransomware groups targeting US and European targets. After its code leaked in 2023, the group abandoned file encryption to focus exclusively on data theft and extortion. Recognized for aggressive tactics including printing ransom notes on compromised network printers and issuing direct threats to employees and stakeholders, the group demonstrated adaptability through custom Go-coded backdoors and advanced evasion techniques.
