Notable Ransomware Threat Actor Groups: Profiles and TTPs
Ransomware operations are not monolithic — they are structured criminal enterprises run by distinct threat actor groups with documented operational histories, target preferences, technical toolsets, and negotiation behaviors. This page profiles the most operationally significant ransomware groups tracked by US federal agencies and cybersecurity researchers, covering their tactics, techniques, and procedures (TTPs) as categorized in public advisories from CISA, the FBI, and the Department of Health and Human Services. Understanding the structural differences between these groups is essential for sector-specific risk assessment, incident attribution, and regulatory reporting posture.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Checklist or Steps (Non-Advisory)
- Reference Table or Matrix
- References
Definition and Scope
A ransomware threat actor group is a structured criminal or state-affiliated organization that develops, deploys, or licenses ransomware tooling as a primary revenue mechanism. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI publish joint advisories under the Stop Ransomware initiative that formally name and profile these groups, designating them by operational cluster names or tool-derived monikers. The FBI's Internet Crime Complaint Center (IC3) received 2,825 ransomware complaints in 2023 (IC3 2023 Internet Crime Report), a figure that substantially undercounts actual incident volume given widespread non-reporting.
The scope of tracked groups spans ransomware-as-a-service (RaaS) operators, affiliate networks, and closed developer teams. Attribution is performed by federal law enforcement and private sector threat intelligence firms using indicators of compromise (IOCs), malware code analysis, infrastructure overlap, and operational security failures by group members. The US Department of Treasury's Office of Foreign Assets Control (OFAC) has designated specific ransomware actors as Specially Designated Nationals, creating legal compliance obligations for organizations considering ransom payment — a dimension covered in depth at OFAC Ransomware Sanctions.
Core Mechanics or Structure
Ransomware threat actor groups operate across a division of labor that separates malware development, infrastructure management, initial access, and affiliate execution. The RaaS model — documented extensively in CISA advisories — allows a core developer group to license ransomware tooling to affiliates who conduct intrusions independently, sharing a percentage of ransom proceeds (typically 70–80% to affiliates, with 20–30% retained by the core operation, as documented in the CISA LockBit advisory AA23-165A).
Core TTPs common across major groups include:
- Initial access via phishing, exposed Remote Desktop Protocol (RDP), and exploitation of unpatched public-facing applications — see Ransomware Initial Access Vectors
- Lateral movement using legitimate administrative tools (PsExec, Cobalt Strike, Mimikatz) to traverse network segments
- Privilege escalation targeting Active Directory to obtain domain administrator credentials — covered at Active Directory and Ransomware
- Data exfiltration prior to encryption to enable double or triple extortion
- Encryption deployment using AES-256 or ChaCha20 algorithms with RSA-wrapped keys to prevent offline decryption
- Ransom demand delivery via Tor-hosted negotiation portals with time-limited payment windows
The largest documented groups — LockBit, ALPHV/BlackCat, Cl0p, and Hive — each maintained dedicated leak sites on the dark web to publish stolen data from non-paying victims, as catalogued at Ransomware Dark Web Leak Sites.
Causal Relationships or Drivers
The proliferation of distinct, professionalized threat actor groups is driven by structural economic and operational factors. The RaaS model lowered the technical barrier to conducting ransomware attacks, enabling affiliate recruitment from individuals without malware development skills. This created a talent marketplace that expanded group capacity without proportional increases in core team risk exposure.
Cryptocurrency infrastructure — specifically privacy-enhancing coins and mixing services — provided payment channels that reduced traceability, as analyzed in Ransomware Cryptocurrency Payments. OFAC's 2021 guidance on virtual currency sanctions compliance (OFAC Updated Advisory on Ransomware) acknowledged this dynamic while asserting jurisdiction over payments to sanctioned entities.
Geopolitical safe havens represent a second causal driver. Groups including Evil Corp (Russia), Lazarus Group (North Korea), and Salt Typhoon-adjacent clusters operate from jurisdictions that do not extradite to the United States, limiting law enforcement disruption options. The FBI's most-wanted ransomware indictments — including the 2021 indictment of Yaroslav Vasinskyi for REvil operations — required cross-border cooperation to produce arrests. The concentration of groups in post-Soviet states is not incidental; it reflects a permissive environment where cybercrime directed at Western targets is tolerated or instrumentalized by state actors (US DOJ Press Release, REvil Prosecution).
Classification Boundaries
Threat actor groups are classified along three primary axes:
Operational model: RaaS operators (LockBit, ALPHV/BlackCat, REvil) vs. closed developer-operator teams (Conti's core, Lazarus Group) vs. access broker networks that sell footholds to ransomware actors without conducting encryption themselves.
Attribution confidence: CISA and MITRE ATT&CK use a tiered confidence model distinguishing high-confidence attributions (based on infrastructure overlap and malware code matching) from moderate-confidence attributions (based on TTP similarity alone). The MITRE ATT&CK framework catalogs 17+ named ransomware-affiliated groups as of its most recent published update.
State nexus: Groups are classified as financially motivated criminal enterprises (LockBit, Cl0p), state-sponsored actors using ransomware as a geopolitical tool (Lazarus Group / DPRK), or hybrid operations where state tolerance enables criminal activity (Evil Corp, Russia-nexus). This boundary has direct regulatory relevance under OFAC rules — paying a state-sponsored group may constitute a sanctions violation regardless of victim intent.
The ransomware variants taxonomy provides a parallel classification structure organized by malware lineage rather than operational group identity.
Tradeoffs and Tensions
Attribution vs. operational speed: Incident responders must balance the time required for accurate threat actor attribution against the operational urgency of containment. Misattribution leads to incorrect TTP assumptions, wrong decryption tool selection, and potential negotiation missteps if group-specific communication norms are unknown.
Disruption effectiveness vs. rebranding: Law enforcement takedowns of major groups — including the January 2024 FBI seizure of LockBit infrastructure (DOJ Press Release, January 2024) and the 2022 Hive disruption — have demonstrated that group disbanding is rarely permanent. Core developers rebrand under new identities, reconstitute affiliate networks, and resume operations within months. This creates a tension between the short-term disruption value of takedowns and the persistent threat reconstitution dynamic.
Sanctions compliance vs. decryption access: Organizations facing an active ransomware incident from a sanctioned group — such as Evil Corp — face a direct conflict between OFAC's prohibition on payment and the operational need to restore encrypted systems. OFAC has provided a voluntary self-disclosure safe harbor, but this does not eliminate enforcement risk, as detailed at Ransomware Payment Considerations.
Public attribution vs. intelligence protection: Federal agencies sometimes delay public attribution of group-specific advisories to protect ongoing intelligence collection operations, creating an asymmetry where defenders lack current TTP data while adversaries adapt.
Common Misconceptions
Misconception: Ransomware groups are loosely organized hackers. The documented organizational structure of groups like Conti — revealed through the February 2022 Conti leaks published by a disaffected affiliate — showed HR functions, salary scales, technical divisions, and management hierarchies consistent with a professional enterprise (Conti Leaks Analysis, CISA).
Misconception: Paying guarantees decryption. CISA and the FBI explicitly state that payment does not guarantee decryption or data deletion. Multiple documented cases exist where payment was collected and decryptors were either non-functional or never delivered. Additionally, paying identifies the victim as willing to pay, increasing likelihood of future targeting.
Misconception: Groups operate independently across all attacks. The RaaS model means a single ransomware strain (e.g., LockBit 3.0) may be deployed by dozens of unrelated affiliate teams. Incident response teams may be negotiating with an affiliate with no authority over the core developer's decryption infrastructure.
Misconception: Law enforcement takedowns permanently neutralize groups. The post-Hive and post-LockBit disruption timelines show that core members migrate to successor operations or join competing RaaS programs within 90 days of disruption in documented cases.
Checklist or Steps (Non-Advisory)
The following sequence reflects the threat intelligence workflow used by incident response and threat intelligence teams when a ransomware group is identified during or after an incident, as described in NIST SP 800-61 (Computer Security Incident Handling Guide) and CISA's Stop Ransomware advisories:
- Identify ransomware strain — Recover ransom note text, encrypted file extension, and dropper artifacts for submission to ID Ransomware (id-ransomware.malwarehunterteam.com) or CISA's reporting portal
- Map strain to attributed group — Cross-reference strain with CISA joint advisories, MITRE ATT&CK group profiles, and FBI flash alerts to establish probable operator identity
- Check OFAC sanctions list — Query the SDN List for the identified group's designations before any payment-related decisions
- Retrieve group-specific TTP profile — Obtain documented TTPs from the relevant CISA or FBI advisory to guide forensic scope (e.g., LockBit affiliates consistently abuse Cobalt Strike and RDP; Cl0p exploited MOVEit and GoAnywhere MFT vulnerabilities)
- Assess data exfiltration indicators — Based on group behavior profile, determine whether double extortion is a known tactic and conduct network log analysis for outbound bulk transfer signatures
- Preserve forensic artifacts — Capture memory dumps, encrypted file samples, and ransom note variants before any remediation action that may overwrite evidence needed for law enforcement reporting
- Report to FBI IC3 and CISA — Submit incident details per FBI Ransomware Reporting and CISA's reporting portal; include group attribution indicators
- Monitor group's leak site — If data exfiltration is confirmed, track the group's dark web leak site for victim listing status as part of ongoing incident management
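As an added example (not CISA, FBI or page-provided tooling), the following Python script walks steps 2, 3 and 5 of this checklist on constructed inputs: it maps recovered ransom-note text to a candidate group using a subset of this page's reference matrix, flags OFAC SDN status before any payment discussion, and sums outbound bytes per source/destination pair in firewall log lines to surface bulk transfers consistent with pre-encryption exfiltration. The note phrases, the firewall export format, the TEST-NET addresses and the byte counts are assumptions constructed for the example; only the group names and advisory ids come from the page.

```python
import re
from collections import defaultdict

# Constructed subset of this page's reference matrix (advisory ids are the page's own).
GROUP_MATRIX = {
    "LockBit": {"advisory": "AA23-165A", "ofac_sdn": False, "double_extortion": True},
    "Evil Corp": {"advisory": "AA20-243A", "ofac_sdn": True, "double_extortion": True},
}
# Hypothetical ransom-note phrases -> group; in practice ID Ransomware supplies the match.
NOTE_MARKERS = {"lockbit 3.0": "LockBit", "evil corp portal": "Evil Corp"}
# Field layout of the constructed firewall export used in SAMPLE_LOGS below.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+ bytes_out=(?P<bytes>\d+)")

def attribute_strain(note_text):
    """Step 2: map ransom-note text to a probable group record, or None if unknown."""
    lowered = note_text.lower()
    for marker, group in NOTE_MARKERS.items():
        if marker in lowered:
            return dict(GROUP_MATRIX[group], name=group)
    return None

def bulk_outbound(log_lines, threshold_bytes=500 * 1024 * 1024):
    """Step 5: sum bytes_out per (src, dst) pair and return pairs at or above threshold."""
    totals = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)          # lines that do not match are skipped, not fatal
        if m:
            totals[(m["src"], m["dst"])] += int(m["bytes"])
    return sorted((s, d, b) for (s, d), b in totals.items() if b >= threshold_bytes)

def triage(note_text, log_lines):
    """Steps 2, 3 and 5 combined into one record for the incident log."""
    group = attribute_strain(note_text) or {}
    flows = bulk_outbound(log_lines)
    return {
        "group": group.get("name", "unattributed"),
        "advisory": group.get("advisory"),
        # SDN-listed group: any payment discussion must go through OFAC review first.
        "payment_blocked_pending_ofac": group.get("ofac_sdn", False),
        # Suspect exfiltration on observed bulk flows or a known double-extortion profile.
        "exfil_suspected": bool(flows) or group.get("double_extortion", False),
        "bulk_flows": flows,
    }

# Constructed sample inputs (TEST-NET addresses, invented byte counts; not real IoCs).
SAMPLE_NOTE = "Your files are encrypted by LockBit 3.0. Visit the portal to negotiate."
SAMPLE_LOGS = [
    "2024-05-01T02:13:44Z src=10.0.5.12 dst=203.0.113.7 dport=443 bytes_out=419430400",
    "2024-05-01T02:41:09Z src=10.0.5.12 dst=203.0.113.7 dport=443 bytes_out=367001600",
    "2024-05-01T03:02:51Z src=10.0.5.40 dst=198.51.100.9 dport=443 bytes_out=2048",
]
```

Running `triage(SAMPLE_NOTE, SAMPLE_LOGS)` attributes the note to LockBit, reports no SDN block, and flags the 10.0.5.12 to 203.0.113.7 pair at 786432000 bytes while leaving the 2 KB flow unflagged.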
Reference Table or Matrix
| Group Name | Attribution | Primary Model | Known Sectors Targeted | OFAC Designation | Notable CISA/FBI Advisory |
|---|---|---|---|---|---|
| LockBit | Russia-nexus (criminal) | RaaS | Critical infrastructure, healthcare, government | No (as of 2024 advisory) | AA23-165A |
| ALPHV / BlackCat | Russia-nexus (criminal) | RaaS | Healthcare, financial, energy | No | AA23-353A |
| Cl0p (TA505) | Russia-nexus (criminal) | Closed developer | Financial, higher education, manufacturing | No | AA23-158A |
| Hive | Russia-nexus (criminal) | RaaS | Healthcare, education | No (disrupted 2023) | AA22-321A |
| REvil / Sodinokibi | Russia-nexus (criminal) | RaaS | Managed service providers, agriculture | No | FBI Flash MC-000150-MW |
| Evil Corp | Russia (state-adjacent) | Closed developer | Financial sector | Yes — OFAC SDN | CISA AA20-243A |
| Lazarus Group | North Korea (state-sponsored) | State operator | Financial, cryptocurrency exchanges | Yes — OFAC SDN | CISA AA22-011A |
| Conti | Russia-nexus (criminal) | Closed developer | Healthcare, government | No (disbanded 2022) | AA21-265A |
| Royal / BlackSuit | Russia-nexus (criminal) | Closed developer | Critical infrastructure | No | AA23-061A |
| Akira | Russia-nexus (criminal) | RaaS | Education, manufacturing, SMB | No | AA24-109A |
OFAC designation status reflects published SDN list entries and may change. Verify current status at OFAC SDN List before any payment decision.
References
- CISA Stop Ransomware — Joint Advisories and Group Profiles
- FBI Internet Crime Complaint Center (IC3) 2023 Annual Report
- MITRE ATT&CK — Ransomware-Affiliated Group Profiles
- NIST SP 800-61 Rev. 2 — Computer Security Incident Handling Guide
- OFAC Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (2021)
- OFAC Specially Designated Nationals (SDN) List
- US DOJ — REvil Prosecution Press Release
- US DOJ — LockBit Disruption Operation, January 2024
- CISA Advisory AA23-165A — LockBit 3.0
- CISA Advisory AA23-353A — ALPHV/BlackCat
- CISA Advisory AA21-265A