Archives: Threat Actors

Predatory Sparrow

Some say their name is a play on “Charming Kitten”, the name of the notorious Iranian APT (advanced persistent threat) group. Although Predatory Sparrow has their own social media accounts, these are not searchable under their English nom but under its Persian equivalent, Gonjeshke Darande.

At this point (July 2022) no one knows whether Predator Sparrow is a state-sponsored group. Are they just mere hacktivists out to punish corporations they see are crossing the line?


Qilin (or the Agenda ransomware group) offers affiliates options to customize configurable binary payloads for each victim, including details such as company ID, RSA key, and processes and services to kill before the data encryption. Additionally, the ransom amount requested is different per company, ranging from US$50,000 to US$800,000.

Lorenz ransomware gang

Lorenz is a ransomware gang targeting the enterprise. A new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms.

The Lorenz ransomware gang began operating in April 2021, and has since amassed a growing list of victims whose stolen data has been published on a ransomware data leak site

The Lorenz ransomware gang may have a link to the ThunderCrypt operators. The Lorenz gang began operating last month. Since then, the group has developed a notable list of victims. A data leak site houses victims’ stolen and exposed data.

It is not clear if Lorenz is the same group or purchased the ransomware source code to create its own variant.

Like other human-operated ransomware attacks, Lorenz will breach a network and spread laterally to other devices until they gain access to Windows domain administrator credentials. While spreading throughout the system, they will harvest unencrypted files from victims’ servers, which they upload to remote servers under their control. This stolen data is then published on a dedicated data leak site to pressure victims to pay a ransom or to sell the data to other threat actors.

Daixin Team

Since June 2022, Daixin Team attackers have been linked to multiple health sector ransomware incidents where they’ve encrypted systems used for many healthcare services, including electronic health records storage, diagnostics, imaging services, and intranet services.

They’re also known for stealing patient health information (PHI) and personal identifiable information (PII) and using it for double extortion to pressure victims into paying ransoms under the threat of releasing the stolen information online.

The ransomware gang gains access to targets’ networks by exploiting known vulnerabilities in the organizations’ VPN servers or with the help of compromised VPN credentials belonging to accounts with multi-factor authentication (MFA) toggled off. Once in, they use Remote Desktop Protocol (RDP) and Secure Shell (SSH) to move laterally through the victim’s networks.

Vice Society

Vice Society emerged in 2021, this ransomware group targets small and medium businesses rather than large ones and has targeted Education, Healthcare, Non-governmental organizations the most since it emerged last year. There is no specific geographical area of operation.

Mount Locker

Starting around the end of July 2020, Mount Locker began breaching corporate networks. Mount Locker uses ChaCha20 to encrypt the files and an embedded RSA-2048 public key to encrypt the encryption key.

Scatter Swine / 0ktapus

Scatter Swine/0ktapus likely uses commercial data aggregation services to collect mobile phone numbers belonging to employees of technology companies, telecommunications providers, and individuals linked to cryptocurrency.

Ragnar Locker

Ragnar Locker is a family of ransomware, which first came to prominence in early 2020 when it became known for hitting large organizations, attempting to extort large amounts of cryptocurrency from its victims.

Pin It on Pinterest

Scroll to Top