Notable Ransomware Threat Actor Groups: Profiles and TTPs

Ransomware operations are not anonymous, undifferentiated threats — they are structured criminal enterprises with documented memberships, preferred toolsets, target sector patterns, and negotiation behaviors that security researchers and federal agencies have catalogued over years of incident response and law enforcement action. This page profiles the major ransomware threat actor groups active in the US threat landscape, examines their technical and operational signatures (tactics, techniques, and procedures, or TTPs), and provides classification and comparison frameworks used by CISA, the FBI, and independent threat intelligence organizations. The ransomware providers maintained across this reference network draw directly from the actor and variant taxonomies described here.


Definition and scope

A ransomware threat actor group is a named criminal organization or nation-state-affiliated unit that develops, operates, or licenses ransomware tooling as a sustained enterprise. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI jointly publish advisories under the Stop Ransomware initiative that assign specific group names, MITRE ATT&CK technique identifiers, and Indicators of Compromise (IOCs) to each tracked actor. The FBI's Internet Crime Complaint Center (IC3 2023 Internet Crime Report) received 2,825 ransomware complaints in 2023; among critical infrastructure victims, the most frequently reported variants were LockBit, ALPHV/BlackCat, and Akira.

The scope of threat actor profiling extends beyond malware attribution. Each group exhibits distinct operational patterns: preferred initial access vectors, ransom demand ranges, negotiation postures, data leak site behaviors, and geographic or sectoral targeting constraints. These patterns, collectively described as TTPs, are catalogued in the MITRE ATT&CK for Enterprise framework, which assigns standardized technique IDs (e.g., T1486 for Data Encrypted for Impact) that map directly to observed group behaviors.

For an overview of the broader service sector built around ransomware defense and response, the ransomware provider network purpose and scope page describes how professional categories are organized within this reference network.


Core mechanics or structure

Ransomware threat actors are operationally structured around one of three delivery models:

Developer-Operator Model: A closed group that both develops and deploys the ransomware. Conti, prior to its 2022 dissolution, exemplified this model — maintaining an internal HR structure, salary schedules, and departmental divisions exposed in the Conti Leaks, a February 2022 disclosure of internal chat logs published by a Ukrainian researcher.

Ransomware-as-a-Service (RaaS) Model: The dominant model as of 2021 onward. A core developer group maintains the ransomware platform and leak infrastructure while recruiting external affiliates who conduct intrusions. Affiliates typically retain 70–80% of ransom proceeds, with the developer group taking the remainder. LockBit, ALPHV/BlackCat, and REvil all operated under this structure.

Access Broker Partnership Model: Some groups, such as Cl0p (also written Clop), obtain footholds by purchasing initial network access from specialized Initial Access Brokers (IABs) rather than running their own phishing campaigns. Cl0p pairs this with its own mass exploitation of a single product: its 2023 MOVEit Transfer campaign, documented in CISA advisory AA23-158A and affecting over 2,500 organizations by later industry tallies, demonstrated the scale achievable through zero-day exploitation of one file-transfer platform rather than through per-victim phishing chains.

The kill chain structure common to most groups follows the MITRE ATT&CK tactic sequence: Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Exfiltration → Impact (the encryption itself is technique T1486 under the Impact tactic). The interval between initial compromise and detection, called dwell time (for ransomware, detection usually coincides with encryptor deployment), had a median of 5 days for ransomware-related intrusions in 2023 according to the Mandiant M-Trends 2024 Report; the "average" figure often quoted is this median.
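
As an added illustration (not code from the page, MITRE, or Mandiant), the following Python walks a constructed incident timeline whose events are tagged with ATT&CK tactic IDs, reports where observed activity runs backwards against the kill-chain order above, and computes dwell time from the first Initial Access event to the first Impact event, returning None for an exfiltration-only intrusion that never reaches encryption. The event records and timestamps are constructed; the tactic and technique IDs are the real ATT&CK Enterprise identifiers.

```python
"""Kill-chain ordering check and dwell-time computation over a constructed timeline.
Added example; INCIDENTS below is constructed data, not real incident records."""
from datetime import datetime, timezone
from statistics import median

# MITRE ATT&CK Enterprise tactic IDs in the order the kill chain above lists them.
KILL_CHAIN = [
    "TA0001",  # Initial Access
    "TA0002",  # Execution
    "TA0003",  # Persistence
    "TA0004",  # Privilege Escalation
    "TA0005",  # Defense Evasion
    "TA0006",  # Credential Access
    "TA0007",  # Discovery
    "TA0008",  # Lateral Movement
    "TA0010",  # Exfiltration
    "TA0040",  # Impact
]
RANK = {tactic: i for i, tactic in enumerate(KILL_CHAIN)}

# Constructed timelines: (UTC timestamp, tactic ID, technique ID).
INCIDENTS = {
    "inc-001": [
        ("2024-03-01T02:10:00Z", "TA0001", "T1078"),  # valid-account VPN logon
        ("2024-03-01T02:40:00Z", "TA0007", "T1018"),  # remote system discovery
        ("2024-03-03T23:05:00Z", "TA0008", "T1021"),  # RDP/SMB lateral movement
        ("2024-03-04T10:00:00Z", "TA0006", "T1003"),  # credential dumping after the hop
        ("2024-03-05T01:00:00Z", "TA0010", "T1567"),  # exfiltration to a web service
        ("2024-03-06T03:30:00Z", "TA0040", "T1490"),  # shadow copies deleted
        ("2024-03-06T03:45:00Z", "TA0040", "T1486"),  # encryption
    ],
    "inc-002": [
        ("2024-05-10T11:00:00Z", "TA0001", "T1190"),  # exploit public-facing app
        ("2024-05-10T11:05:00Z", "TA0010", "T1041"),  # immediate exfiltration, no T1486
    ],
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def phase_regressions(events):
    """Return (earlier_tactic, later_tactic) pairs where the time-ordered events
    step backwards in the kill chain (e.g. credential access logged after
    lateral movement). Real intrusions loop back like this routinely, so the
    pairs are reported for review rather than treated as data errors."""
    ordered = sorted(events, key=lambda e: parse_ts(e[0]))
    out = []
    for (_, a, _), (_, b, _) in zip(ordered, ordered[1:]):
        if RANK[b] < RANK[a]:
            out.append((a, b))
    return out


def dwell_days(events):
    """Days from the first Initial Access event to the first Impact event, or
    None if the timeline never reached Impact (extortion without encryption)."""
    access = [parse_ts(t) for t, tac, _ in events if tac == "TA0001"]
    impact = [parse_ts(t) for t, tac, _ in events if tac == "TA0040"]
    if not access or not impact:
        return None
    return (min(impact) - min(access)).total_seconds() / 86400


def median_dwell(incidents):
    """Median dwell over the incidents that reached Impact; None if none did."""
    vals = [d for d in (dwell_days(ev) for ev in incidents.values()) if d is not None]
    return median(vals) if vals else None


if __name__ == "__main__":
    for name, ev in INCIDENTS.items():
        print(name, "dwell_days:", dwell_days(ev), "regressions:", phase_regressions(ev))
    print("median dwell (days):", median_dwell(INCIDENTS))
```

Two choices here matter in practice: dwell is measured to the first Impact event, because T1490 shadow-copy deletion normally precedes T1486 encryption by minutes and is the earlier signal, and an intrusion with no Impact event contributes nothing to the median rather than a zero, which would otherwise drag the statistic down as exfiltration-only extortion becomes more common.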


Causal relationships or drivers

The proliferation of named threat actor groups is driven by three structural factors identified in federal threat assessments:

Cryptocurrency infrastructure: Bitcoin and Monero provide pseudonymous payment channels. The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned specific cryptocurrency addresses tied to groups including Evil Corp, members of the Trickbot/Wizard Spider operation, and the Lazarus Group, imposing compliance obligations on any US-nexus payment that intersects sanctioned wallets (31 C.F.R. § 501 et seq.).

RaaS commoditization: The RaaS model dramatically lowered the technical barrier for new entrants. Affiliates require no malware development skill — only intrusion capability and access to RaaS recruitment forums. This structural dynamic expanded the total number of active operators faster than law enforcement could dismantle them.

Underreporting and enforcement gaps: The FBI's IC3 consistently acknowledges that reported complaint counts represent a fraction of actual incidents, limiting law enforcement's ability to build attribution cases. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA, Public Law 117-103) addresses this gap by requiring covered critical infrastructure entities to report covered cyber incidents within 72 hours and ransom payments within 24 hours, though the implementing regulations were still in rulemaking as of 2024.


Classification boundaries

Threat actor groups are classified along four primary dimensions used in federal advisories and independent threat intelligence:

Nation-state nexus vs. purely criminal: Groups with documented nation-state ties include Lazarus Group (North Korea, as attributed by the U.S. Department of Justice in multiple indictments), Sandworm (Russia's GRU Unit 74455), and APT41 (China's MSS-linked unit). Purely criminal groups — LockBit, ALPHV/BlackCat, Cl0p — operate for financial gain without confirmed state direction, though some Russian-linked groups benefit from state tolerance.

Sectoral targeting: Healthcare-focused groups (Hive, before its January 2023 FBI disruption per DOJ press release) differ operationally from financial-sector-focused groups such as FIN7/Carbanak. CISA's sector-specific advisories under Stop Ransomware document these targeting patterns at the two-digit NAICS sector level.

Encryption-only vs. double extortion vs. triple extortion: Groups that encrypt without exfiltration represent a diminishing fraction of active actors. Double extortion (encrypt + threaten to publish) is the dominant model. Triple extortion adds a third coercion vector — typically DDoS attacks on victim infrastructure or direct extortion of the victim's customers, a technique documented in CISA Advisory AA22-040A.

Active vs. disrupted/rebranded: Law enforcement actions have formally disrupted Hive (2023), REvil/Sodinokibi (2022, with arrests coordinated across the US, Europe, and Russia), and portions of LockBit's infrastructure (Operation Cronos, February 2024, as documented in Europol's press release). Disrupted groups frequently rebrand — DarkSide rebranded as BlackMatter; BlackMatter subsequently dissolved; former members seeded other operations.


Tradeoffs and tensions

Attribution confidence vs. operational speed: Federal advisories require sufficient confidence thresholds before publicly attributing attacks to named groups, creating a lag between incident occurrence and actionable attribution. Defenders relying on IOC-based group identification face a parallel problem: IOCs rotate frequently, and shared RaaS tooling complicates group-level attribution when multiple affiliates use the same encryptor binary.

Sanctions compliance vs. victim recovery: OFAC's ransomware sanctions framework creates a compliance dilemma for victims. Paying a ransom to a sanctioned entity (e.g., an Evil Corp affiliate) exposes the victim and any incident response intermediary to civil penalties under the International Emergency Economic Powers Act (50 U.S.C. § 1705), which OFAC applies on a strict-liability basis, so not knowing the payee was sanctioned is no defense. Yet withholding payment may result in permanent data loss or extended operational outage. OFAC's September 2021 Updated Advisory on Potential Sanctions Risks (OFAC Advisory) acknowledged this tension, treating prompt reporting to law enforcement and voluntary self-disclosure as mitigating factors.

Law enforcement takedowns vs. rebrand cycles: Each major disruption operation displaces, rather than eliminates, threat actor capability. Operation Cronos disrupted LockBit's infrastructure in February 2024, seizing 34 servers and obtaining over 1,000 decryption keys per Europol reporting. Within days, LockBit 3.0 resumed operations on new infrastructure under the same brand. This pattern suggests that infrastructure disruption without personnel detention produces limited sustained reduction in threat actor capacity.


Common misconceptions

Misconception: Ransomware groups are loosely organized, anonymous collectives.
The Conti Leaks (2022) and court documents from DOJ indictments against REvil members revealed organizational structures with defined roles — coders, negotiators, OSINT researchers, crypters, and "call center" extortion teams. LockBit published a public-facing bug bounty program offering up to $1 million for vulnerability disclosures in its own infrastructure, demonstrating a level of institutional formality inconsistent with the "amateur collective" framing.

Misconception: Paying the ransom guarantees data recovery.
The Sophos State of Ransomware 2021 Report found that organizations that paid the ransom recovered on average only 65% of encrypted data, not 100%; the 2023 edition of the same survey found that paying also roughly doubled total recovery cost. Recovery completeness varies by group, with some providing slow or non-functional decryptors.

Misconception: Small organizations are not targeted.
CISA's advisory on 2021 ransomware trends (AA22-040A) noted that, after high-profile attacks on Colonial Pipeline and JBS drew law enforcement attention, actors redirected efforts toward mid-sized victims, and FBI and CISA advisories routinely document attacks on local governments, school districts, and small medical practices. The RaaS affiliate model makes small targets economically viable because affiliates set their own ransom demands proportional to the victim's apparent revenue.

Misconception: All groups operate with a financial motive.
Sandworm's deployment of NotPetya in 2017 — attributed by the US, UK, and EU governments — used ransomware-styled malware as destructive cover, with no functional payment mechanism. The FBI's attribution of NotPetya to Russia's GRU (DOJ Indictment, October 2020) established that encryption-based attacks can be geopolitical weapons, not solely criminal revenue tools.


Checklist or steps (non-advisory)

The following sequence describes the threat intelligence lifecycle for tracking a ransomware threat actor group, as structured in federal and industry reference frameworks:

  1. Group identification — Assign a tracking name or alias using naming conventions from MITRE ATT&CK, CISA advisories, or internal threat intelligence platforms. Cross-reference aliases across vendor taxonomies (e.g., LockBit was originally tracked as ABCD, is Gold Mystic in Secureworks' taxonomy and Bitwise Spider in CrowdStrike's).
  2. TTP mapping — Map observed behaviors to MITRE ATT&CK technique IDs. Document at minimum: initial access vector (TA0001), persistence mechanism (TA0003), lateral movement technique (TA0008), and impact technique (T1486 or T1490).
  3. IOC collection — Compile hashes, C2 IP addresses, domain patterns, and ransom note signatures from CISA advisories, FBI Flash alerts, and sector ISAC (Information Sharing and Analysis Center) partners.
  4. Sector and geographic targeting documentation — Record NAICS sector codes, geographic regions, and organization size ranges from confirmed incidents.
  5. Operational status classification — Classify the group as Active, Disrupted, or Rebranded based on the most recent law enforcement action or observed campaign activity.
  6. Sanctions screening — Cross-reference the group and known cryptocurrency wallet addresses against the OFAC Specially Designated Nationals (SDN) List.
  7. Affiliate network assessment — Document whether the group operates as a closed developer-operator or as a RaaS platform with external affiliates, noting any known affiliate clusters.
  8. Decryptor availability check — Query No More Ransom, the joint initiative of Europol, the Dutch National Police, and cybersecurity firms, for available decryptors before ransom payment decisions are made.
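
The steps above, carried through as one added Python example (not code from CISA, MITRE, OFAC, or any vendor platform). It validates ATT&CK IDs before they enter a profile (step 2), resolves vendor aliases to one tracking name (step 1), reports which of the minimum TTP fields are still missing, classifies operational status from the most recent disruption and campaign dates (step 5), and screens wallet addresses against an SDN-style list (step 6). The alias map is a small real subset of public vendor names; the SDN entries and every wallet address are constructed placeholders, not real sanctioned addresses, and the class and function names are this example's own.

```python
"""Threat-actor profile record: ATT&CK ID validation, alias resolution,
status classification and wallet screening against an SDN-style list.
Added example; SDN_SAMPLE and all wallet strings are constructed placeholders."""
import re
from dataclasses import dataclass, field
from datetime import date

TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")   # e.g. T1486, T1021.001
TACTIC_RE = re.compile(r"^TA\d{4}$")                # e.g. TA0001

# Alias cross-reference, lower-cased. Small real subset of public vendor names.
ALIASES = {
    "lockbit": {"lockbit", "abcd", "gold mystic", "bitwise spider"},
    "alphv": {"alphv", "blackcat", "noberus"},
}

# Constructed SDN-style entries: NOT real OFAC data and NOT real addresses.
SDN_SAMPLE = [
    {"name": "EXAMPLE SANCTIONED ENTITY", "addresses": [
        "bc1qconstructedexampleonly000000000000",        # bech32: case-insensitive
        "1ConstructedBase58ExampleOnly",                  # base58: case-sensitive
        "0xCONSTRUCTEDHEXEXAMPLEONLY00000000000000000",   # hex: case-insensitive
    ]},
]


def normalize_wallet(addr):
    """Lower-case only the address formats whose encoding is case-insensitive."""
    a = addr.strip()
    low = a.lower()
    return low if low.startswith(("bc1", "0x")) else a


def canonical_group(name):
    """Step 1: map a vendor-specific alias to the tracking name used here."""
    key = name.strip().lower()
    for canon, names in ALIASES.items():
        if key in names:
            return canon
    return None


def classify_status(disrupted_on, last_campaign):
    """Step 5: Active / Disrupted / Rebranded from the latest law-enforcement
    action date and the latest observed campaign date (date objects or None)."""
    if disrupted_on is None:
        return "active"
    if last_campaign is not None and last_campaign > disrupted_on:
        return "rebranded"
    return "disrupted"


@dataclass
class ActorProfile:
    name: str
    model: str                                   # raas / developer-operator / iab-partnership
    ttps: dict = field(default_factory=dict)     # tactic ID -> set of technique IDs
    wallets: set = field(default_factory=set)

    def add_ttp(self, tactic, technique):
        """Step 2: reject malformed IDs so a typo never becomes an 'observed TTP'."""
        if not TACTIC_RE.match(tactic) or not TECHNIQUE_RE.match(technique):
            raise ValueError(f"not ATT&CK tactic/technique IDs: {tactic} {technique}")
        self.ttps.setdefault(tactic, set()).add(technique)

    def coverage_gaps(self):
        """Minimum fields from step 2: TA0001, TA0003, TA0008 and an Impact technique."""
        gaps = [t for t in ("TA0001", "TA0003", "TA0008") if t not in self.ttps]
        if not ({"T1486", "T1490"} & self.ttps.get("TA0040", set())):
            gaps.append("TA0040:T1486|T1490")
        return gaps

    def sanctions_hits(self, sdn=SDN_SAMPLE):
        """Step 6: exact match after format-aware normalization."""
        mine = {normalize_wallet(w) for w in self.wallets}
        hits = []
        for entry in sdn:
            theirs = {normalize_wallet(a) for a in entry["addresses"]}
            hits.extend((entry["name"], a) for a in sorted(mine & theirs))
        return hits


def build_example_profile():
    """Constructed profile exercising the checks above."""
    p = ActorProfile(name=canonical_group("Gold Mystic"), model="raas")
    p.add_ttp("TA0001", "T1078")
    p.add_ttp("TA0008", "T1021.001")
    p.add_ttp("TA0040", "T1486")
    p.wallets.add("BC1QCONSTRUCTEDEXAMPLEONLY000000000000")   # upper-cased bech32: still a hit
    p.wallets.add("1constructedbase58exampleonly")            # case-mangled base58: not a hit
    return p


if __name__ == "__main__":
    prof = build_example_profile()
    print(prof.name, prof.coverage_gaps(), prof.sanctions_hits())
    print(classify_status(date(2024, 2, 20), date(2024, 3, 1)))
```

Address normalization is the detail screening scripts most often get wrong: bech32 (bc1...) and 0x hex addresses are case-insensitive and must be compared lower-cased, while base58 legacy addresses are case-sensitive, so a blanket case-fold would report matches that are not real. Production screening should pull the current OFAC SDN data files and treat any hit as a legal escalation, not a blocker to be overridden by the responder.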

For context on how professionals use these profiles in practice, the how to use this ransomware resource page describes the navigational structure of this reference network.


Reference table or matrix

Group Name | Operational Model | Primary Sectors Targeted | Notable TTPs (MITRE IDs) | Status (as of 2024) | Federal Advisory
LockBit | RaaS | Manufacturing, Government, Healthcare | T1486, T1490, T1078 (Valid Accounts) | Partially disrupted (Op. Cronos, Feb 2024); relaunched under the same brand | CISA AA23-165A
ALPHV / BlackCat | RaaS | Healthcare, Finance, Critical Infrastructure | T1486, T1567 (Exfiltration Over Web Service), T1562 (Impair Defenses) | Disrupted (FBI, Dec 2023); affiliate migration ongoing | CISA AA23-353A
Cl0p (Clop) | Developer + IAB purchases and mass zero-day exploitation | Finance, Healthcare, Education | T1190 (Exploit Public-Facing Application), T1486 | Active; zero-day focused campaigns | CISA AA23-158A
Hive | RaaS | Healthcare, Government | T1486, T1078, T1021 (Remote Services) | Disrupted (FBI/DOJ, Jan 2023) | DOJ Press Release Jan 2023
Conti | Developer-Operator | Healthcare, Critical Infrastructure | T1486, T1055 (Process Injection), T1059 (Command and Scripting Interpreter) | Dissolved (May 2022 following Conti Leaks); members dispersed | CISA AA21-265A
REvil / Sodinokibi | RaaS | MSPs, Retail, Agriculture | T1486, T1490, T1195 (Supply Chain Compromise) | Disrupted (2022 arrests); inactive | CISA/FBI Kaseya VSA supply-chain guidance (July 2021)
Evil Corp | Developer-Operator | Financial Services | T1486, T1566 (Phishing), T1027 (Obfuscated Files or Information) | Sanctioned by OFAC (Dec 2019); affiliate activity continues | OFAC Evil Corp Designation
Lazarus Group | Nation-state (DPRK) | Cryptocurrency, Finance, Defense | T1486, T1059, T1496 (Resource Hijacking) | Active; ongoing DOJ indictments | DOJ Indictment Feb 2021
Sandworm (GRU) | Nation-state (Russia) | Energy, Government (destructive use) | T1486 | | 

References