Threat Actor Index: Knowledge is Power

Rhysida ransomware emerged in May 2023 as a Ransomware-as-a-Service (RaaS) operation, initially establishing itself through high-impact attacks on critical infrastructure sectors. Operating under the moniker "Rhysida-0.1", the group demonstrated technical proficiency with RSA-4096 and ChaCha20 encryption, rapidly targeting organizations where operational disruption creates maximum leverage. The group notably lacks a full-featured victim support portal common among more mature RaaS operations, relying instead on basic TOR-based communication channels. Recent intelligence indicates significant operational changes, with activity declining substantially from late 2024 into 2025, suggesting disruption from the February 2024 free decryptor release and a marked reduction in operational prominence.

Despite reduced volume, the group maintains persistent targeting of healthcare and education sectors, leveraging double extortion tactics with ransom demands typically ranging from hundreds of thousands to several million dollars. The group's infrastructure has evolved to include multi-tiered command-and-control (C2) systems and cross-platform capabilities with Linux/ESXi variants, though overall operational tempo suggests a group experiencing significant transition rather than expansion.

LockBit ransomware emerged in March 2022, building upon the original version launched in September 2019. As a Ransomware-as-a-Service (RaaS) platform, LockBit 3.0, also branded as LockBit Black, introduced modular capabilities, enhanced encryption, and Safe Mode exploitation features. This innovation allowed affiliates to customize attacks and focus on high-value industries, such as healthcare, finance, and manufacturing. Rapid encryption and user-friendly interface positioned it as one of the most versatile ransomware variants in the threat landscape.

BlackSuit ransomware emerged in May 2023 as a rebrand of Royal ransomware, operating as a private group rather than Ransomware-as-a-Service (RaaS). Building on double extortion tactics and evasion techniques, the group accumulated over $500 million in total ransom demands with individual demands reaching $60 million. The operation maintained 98% code overlap with Royal and traced its lineage back through the Conti syndicate.

RansomHub emerged in February 2024 as a ransomware-as-a-service (RaaS) operation, rapidly becoming the most prolific RaaS platform by late 2024. Distinguished by an exceptionally generous affiliate commission structure offering up to ninety percent of proceeds, the group attracted experienced operators from dismantled operations. After claiming numerous victims globally, the infrastructure went completely dark on April 1, 2025.