Ransomexx ransomware group is a Human-Operated Ransomware (HumOR) that has existed since May 2020.

Cactus ransomware gang

The Cactus ransomware operation launched in March 2023 and has since amassed numerous companies that they claim were breached in cyberattacks.

Like all ransomware operations, they breach corporate networks through purchased credentials, partnerships with malware distributors, phishing attacks, or by exploiting vulnerabilities.


WIZARD SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER. This actor is a Russia-based criminal group known for the operation of the TrickBot banking malware that had focused primarily on wire fraud in the past.

The Hades ransomware gang

The Hades ransomware gang began operating in 2020. When encrypting a victim, it will create a ransom note named ‘HOW-TO-DECRYPT-[extension].txt’ that resembles notes used by the REvil ransomware group.

TimisoaraHackerTeam (THT)

THT is named after a Romanian town, and its source code also appears to have been produced by Romanian speakers. Researchers have not yet determined which overarching family the THT ransomware group belongs to.

Researchers discovered the group in July 2018, when it surfaced with its characteristic tactic of abusing legitimate tools such as Microsoft Bitlocker, rather than developing its own tools to encrypt victim files. What is known, however, is that the group is not against targeting hospitals.