Insights

Insights from the front line of cyber defence

Research, detection engineering notes, and incident response lessons.

NoEscape

NoEscape is a double extortion ransomware group that emerged in mid-2023, quickly establishing itself as a technically capable and strategically aggressive threat actor. The group targets large enterprises, critical infrastructure, and professional services, combining traditional file encryption with the exfiltration of sensitive data for public exposure if ransom demands are not met.

Read article

NoName057(16)

NoName057(16) is a politically motivated pro-Russian hacktivist group active since March 2022. It emerged shortly after the Russian invasion of Ukraine and has focused almost exclusively on conducting distributed denial-of-service (DDoS) attacks against European and NATO-aligned countries that support Ukraine. The group primarily uses its operations to disrupt public-facing websites of governments, media, transport, and financial institutions.

Read article

Oilin Ransomware Group

Oilin is a financially motivated ransomware group that emerged in the second half of 2023. Though comparatively new to the ransomware ecosystem, Oilin has displayed a high level of operational maturity, strategic targeting, and rapidly evolving tooling. The group operates under a double extortion model, exfiltrating sensitive data before encrypting victim systems, and threatening to publish or sell the stolen data if ransom demands are not met.

Read article

Play Ransomware Group

Play, also known as PlayCrypt, is a financially motivated ransomware group first identified in June 2022. The group has quickly gained notoriety for its double extortion techniques, its targeting of both Windows and Linux/ESXi environments, and a unique, minimalist style of communication. Its ransom notes are often starkly simple, containing only the word "PLAY" followed by contact details for negotiation via TOR.

Read article

ProjectRelic – Threat Actor Profile

ProjectRelic is a relatively unknown threat actor that has been observed conducting cyber operations against small to mid-sized organisations, primarily in Europe. The group is characterised by its use of repurposed tooling, low-profile infrastructure, and a minimalist approach to command and control. Its operations suggest a mix of reconnaissance, credential harvesting, and quiet data exfiltration.

Read article

RansomHouse

RansomHouse is a data extortion group that diverges from traditional ransomware models by focusing almost entirely on data theft rather than file encryption. First identified in December 2021, the group has grown rapidly in visibility throughout 2022 and 2023, publishing victim data on its dedicated leak site and leveraging public shaming to extract ransom payments.

Read article

Rhysida Ransomware Group

Rhysida is a double extortion ransomware group first identified in May 2023. Operating under a semi-professionalised model, Rhysida has quickly established a reputation for targeting public institutions, healthcare systems, educational bodies, and increasingly, private sector enterprises. The group combines data theft and encryption with public pressure via a high-profile leak site that prominently features victim logos and countdowns to full data disclosure.

Read article

Royal Ransomware Group

Royal is a highly capable ransomware group that emerged in early 2022, quickly establishing itself as a major player in the double extortion landscape. Noted for its custom-built encryptor, refusal to rely on Ransomware-as-a-Service (RaaS) models, and frequent targeting of healthcare, education, and public sector organisations, Royal has distinguished itself as both tactically effective and operationally autonomous.

Read article

Sandworm

Sandworm is a highly destructive Russian state-sponsored threat group attributed to Unit 74455 of the GRU, Russia’s military intelligence agency. The group has been active since at least 2009 and is known for some of the most damaging cyber operations in history, including the 2015 and 2016 attacks on Ukraine’s energy grid and the 2017 NotPetya attack.

Read article

Sarcoma Ransomware Group

Sarcoma is a relatively new but technically competent ransomware group, first identified in early 2024. Like many contemporary cybercriminal entities, Sarcoma operates under a double extortion model, combining traditional ransomware encryption with the theft and threatened exposure of sensitive data. While still considered an emerging threat, Sarcoma’s campaigns demonstrate a high degree of intentionality, persistence, and an increasing level of sophistication.

Read article

Scattered Spider (Octo Tempest) – Threat Actor Profile

Scattered Spider, also tracked as Octo Tempest by Microsoft, is a financially motivated threat actor that has rapidly gained prominence for its use of advanced social engineering, SIM swapping, and multi-stage extortion campaigns. First observed in 2022, the group has successfully infiltrated major companies across multiple sectors, including telecommunications, technology, hospitality, and critical infrastructure.

Read article

SiegedSec

SiegedSec is a politically motivated hacktivist collective that emerged in 2022 and gained notoriety for a series of high-profile data leaks, defacements, and cyber intrusions. The group promotes itself as ideologically driven, frequently referencing opposition to authoritarianism, support for LGBTQ+ rights, and protest against surveillance and government overreach.

Read article