How it works: Attackers typically encrypt systems after exfiltrating sensitive data. Play keeps a fairly low profile on the dark web aside from its leak site, not advertising itself on dark web forums. “It has even claimed not to be an RaaS gang at all, saying it maintains a ‘closed group to guarantee the secrecy of deals,’ in spite of evidence to the contrary,” Searchlight Cyber’s Donovan explains.
Targeted victims: The group has targeted various sectors, including healthcare, telecommunications, finance, and government services.
Attribution: Play may have connections to North Korean state-aligned APT groups.
In October 2024, security researchers at Palo Alto Networks’ Unit 42 published evidence of a deployment of Play ransomware by a threat actor backed by North Korea, specifically APT45. “The link between this threat actor and Play is unclear, but demonstrates the potential for crossover between state-sponsored cyber activity and ostensibly independent cybercrime networks,” Donovan says.
Qilin
History: Qilin, also known as Agenda, is a Russia-based RaaS group that has been operating since May 2022.
How it works: The group targets Windows and Linux systems, including VMware ESXi servers, using ransomware variants written in Golang and Rust. Qilin follows a double extortion model — encrypting victims’ files and threatening to leak stolen data if the ransom is not paid.
Targeted victims: Qilin recruits affiliates on underground forums and prohibits attacks on organizations in Commonwealth of Independent States (CIS) countries bordering present-day Russia.
Attribution: The makeup of Qilin remains unknown, but a Russian-speaking organized cybercrime operation is strongly suspected.
RansomHub
History: RansomHub emerged in February 2024 and quickly became a major cyber threat. The group, initially known as Cyclops and later Knight, rebranded and expanded its operations by recruiting affiliates from other disrupted ransomware groups such as LockBit and ALPHV/BlackCat.
How it works: Once inside a network, RansomHub affiliates exfiltrate data and deploy encryption tools, often utilizing legitimate administrative utilities to facilitate their malicious activities. RansomHub operates an “affiliate-friendly” RaaS model, initially offering a fixed 10% fee for affiliates who conduct attacks using its ransomware, along with the option to collect ransom payments directly from victims before paying the core group. “These elements make it an attractive option for affiliates that are looking for a guaranteed return, where other RaaS operations have been unreliable in paying out in the past,” Searchlight Cyber’s Donovan says.
Targeted victims: RansomHub has been linked to more than 210 victims across various critical sectors, including healthcare, finance, government services, and critical infrastructure in Europe and North America, according to Rapid7.
Attribution: Attribution remains unconfirmed but circumstantial evidence points toward an organized Russian-speaking cybercrime operation with ties to other established ransomware threat actors.