WIZARD SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER. This actor is a Russia-based criminal group known for the operation of the TrickBot banking malware that had focused primarily on wire fraud in the past.

The Hades ransomware gang

The Hades ransomware gang began operating in 2020. When encrypting a victim, it will create a ransom note named ‘HOW-TO-DECRYPT-[extension].txt’ that resembles notes used by the REvil ransomware group.

TimisoaraHackerTeam (THT)

THT is named after a Romanian town, and its source code also appears to have been produced by Romanian speakers. Researchers have not yet determined which overarching family the THT ransomware group belongs to.

Researchers discovered the group in July 2018, when it surfaced with its characteristic tactic of abusing legitimate tools such as Microsoft Bitlocker, rather than developing its own tools to encrypt victim files. What is known, however, is that the group is not against targeting hospitals.

Nevada Ransomware Operation

(Feb’23): A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems.

Nevada ransomware started to be promoted on the RAMP darknet forums on December 10, 2022, inviting Russian and Chinese-speaking cybercriminals to join it for an 85% cut from paid ransoms. For those affiliates who bring in a lot of victims, Nevada say they will increase their revenue share to 90%.

RAMP has been previously reported as a space where Russian and Chinese hackers promote their cybercrime operations or to communicate with peers.


APT28 does not appear to conduct widespread intellectual property theft for economic gain. Instead, APT28 focuses on collecting intelligence that would be most useful to a government. Specifically, FireEye found that since at least 2007, APT28 has been targeting privileged information related to governments, militaries, and security organizations that would likely benefit the Russian government.