Ransomware attacks are increasingly focusing on bigger targets, with several major international companies falling victim in recent years. As a result, it’s crucial for all companies to take these sorts of threats seriously. Knowing who you’re dealing with is the first step, so here are five of the most prolific ransomware groups to be aware of. 


First detected in 2019, this malware is technically sophisticated. In 2020, it made up 11% of all reported attacks and targets mainly Engineering & Manufacturing, Finance, Professional & Consumer Services, Legal and IT & Telecommunications sectors. One of their most high-profile victims was electronics company Acer from whom they demanded a $50m ransom.


Making up around 13% of attacks, this is one of the more prolific groups. This malware is unusual in that the cybercriminals offer victims help with security in exchange for agreeing to pay. It also uses a double extortion method, withholding the decryption key and threatening to release sensitive data unless the ransom is paid. Earlier this year, Conti forced the Costa Rican government to declare a national emergency after they were attacked.


This group’s malware was present in 6.6% of ransomware attacks from January to May. The FBI published a warning about this group after a spate of attacks on healthcare systems in Europe. In one case, a patient in Germany died as a result, when the ambulance they were in was rerouted, preventing them from getting to the hospital on time. 


This group is based on a Ransomware as a service (RaaS) model, and targets high profile businesses to extort large amounts of money. The most well-known attack was on the Colonial Pipeline in May 2021 – the largest attack on oil infrastructure in US history. Unusually, this group has tried to professionalise ransomware and has created a “customer service” department to ensure victims’ systems are restored after payment. They see this as a way to ensure targets will pay.


This group is believed to have been developed by the core members of the now defunct “Maze” ransomware group which developed the “double extortion method”. Whilst the group first appeared in September 2020, by May 2021 it accounted for 8.1% of attacks.To date it has committed at least 71 attacks across 19 countries.