Exposing Your Ransomware Adversaries

Threat Actor Index: Knowledge is Power

Welcome to the Halcyon Ransomware Threat Actor Index, a comprehensive catalog of the most prominent threat actors and ransomware families that sheds light on the ransomware ecosystem. Discover their tactics, techniques, procedures and targeted industries. Make informed decisions, and stay resilient in the face of ransomware.
THREAT ACTOR:

INC Ransom

EMERGENCE DATE:
July 2023
CATEGORIZATION:
Ransomware-as-a-Service
THREAT LEVEL:
7
OVERVIEW DESCRIPTION:

INC Ransom emerged as a ransomware-as-a-service operation in July 2023. The group operates with a business-like approach, framing their attacks as security services while conducting financially motivated operations. Following the sale of their source code for approximately $300,000 in March 2024, INC Ransom evolved through derivative operations, most notably Lynx ransomware, which shares over 70% code similarity.

THREAT ACTOR:

Fog

EMERGENCE DATE:
May 2024
CATEGORIZATION:
Independent Ransomware Operation
THREAT LEVEL:
6.7
OVERVIEW DESCRIPTION:

Emerging as a new ransomware variant in May 2024, Fog established itself as a significant threat actor in the ransomware ecosystem, particularly targeting educational institutions and business services. Operating with an independent affiliate model, the group implements double extortion tactics while conducting financially motivated operations. Fog first appeared as a STOP/DJVU variant and later expanded its technical capabilities, becoming the first ransomware group to deploy legitimate employee monitoring software and to publish victim IP addresses.

THREAT ACTOR:

BianLian

EMERGENCE DATE:
June 2022
CATEGORIZATION:
Data Extortion Operation
THREAT LEVEL:
6.5
OVERVIEW DESCRIPTION:

BianLian emerged in June 2022 and, at one time, was one of the most active ransomware groups targeting US and European organizations. After its code leaked in 2023, the group abandoned file encryption to focus exclusively on data theft and extortion. Recognized for aggressive tactics, including printing ransom notes on compromised network printers and issuing direct threats to employees and stakeholders, the group demonstrated adaptability through custom Go-coded backdoors and evasion techniques.

THREAT ACTOR:

Arcus Media

EMERGENCE DATE:
May 2024
CATEGORIZATION:
Selective Affiliate Model
THREAT LEVEL:
6.2
OVERVIEW DESCRIPTION:

Arcus Media emerged as a ransomware-as-a-service operation in May 2024, establishing itself as a significant threat actor in the ransomware ecosystem, particularly targeting manufacturing and healthcare organizations.

The group operates with a selective affiliate approach, recruiting by referral and requiring affiliates to pass a vetting process, while conducting financially motivated operations. Having emerged during the disruption of major groups such as LockBit and ALPHV/BlackCat, Arcus Media evolved its technical capabilities, most notably implementing selective encryption strategies that balance speed with effectiveness.
