EXPOSING YOUR RANSOMWARE ADVERSARIES

Threat Actor Index: Knowledge is Power

Welcome to the Halcyon Ransomware Threat Actor Index, a comprehensive catalog of the most prominent threat actors and ransomware families, to shed light on the ransomware ecosystem. Discover their techniques, tactics, procedures and targeted industries. Make informed decisions, and stay resilient in the face of ransomware.
THREAT ACTOR:

Play

EMERGENCE DATE:
June 2022
CATEGORIZATION:
Selective Affiliate Model
THREAT LEVEL:
8
OVERVIEW DESCRIPTION:

Play Ransomware, also known as PlayCrypt, emerged in June 2022 initially operating as a closed group designed to guarantee operational secrecy. The ransomware quickly distinguished itself through intermittent encryption techniques that process only portions of files, reducing detection probability while accelerating attack execution. Having compromised numerous organizations globally as of May 2025, Play has evolved from its original closed structure to incorporate RaaS elements, enabling broader operational reach.

THREAT ACTOR:

Qilin

EMERGENCE DATE:
July 2022
CATEGORIZATION:
Ransomware-as-a-Service
THREAT LEVEL:
8
OVERVIEW DESCRIPTION:

Qilin emerged in July 2022 as a Ransomware-as-a-Service (RaaS) operation, initially branded as Agenda before rebranding in September 2022. Operating through a mature affiliate model, the group provides ransomware tools and infrastructure while employing double extortion tactics that combine data encryption with threats to leak stolen information on their dark web leak site.

THREAT ACTOR:

Cl0p

EMERGENCE DATE:
February 2019
CATEGORIZATION:
Ransomware-as-a-Service
THREAT LEVEL:
7.9
OVERVIEW DESCRIPTION:

Cl0p emerged in February 2019, quickly establishing itself as a prolific and financially successful ransomware operation globally. Operating under the Ransomware-as-a-Service (RaaS) model through the established TA505 collective, Cl0p has brought in over $500 million in extorted payments and compromised more than 11,000 organizations worldwide. The group's strategic evolution from traditional encryption to data-theft-centric campaigns has redefined modern tactics, targeting supply chain vulnerabilities and high-value enterprise infrastructure including exposed Oracle E-Business Suite portals.

THREAT ACTOR:

Akira

EMERGENCE DATE:
March 2023
CATEGORIZATION:
Ransomware-as-a-Service
THREAT LEVEL:
7.9
OVERVIEW DESCRIPTION:

Emerging in March 2023, Akira rapidly established itself as a dominant Ransomware-as-a-Service (RaaS) operation through encryption techniques and multi-platform targeting capabilities. The group employs double extortion tactics, encrypting victim data while threatening public exposure, with ransom demands ranging from hundreds of thousands to several million dollars. Operating across North America, Europe, and Australia, the ransomware maintains a strong focus on organizations with critical data dependencies and operational vulnerabilities.


Explore Recent Threat Group Activity

Top Ransomware Groups
Power Rankings: Ransomware Malicious Quartile
Ransomware attacks continue to be extremely lucrative, with ransom demands and recovery costs bleeding victim organizations for millions of dollars.