// PROFILES
Threat Groups
From LockBit and Conti to Akira and Cl0p, anatomies of the operations behind the headlines.
- LockBit, 2 years after Operation Cronos: where are they now?
  A 2026 retrospective on the international takedown that displaced LockBit at the top of the ransomware ecosystem — what stuck, what reverted, where the affiliate workforce migrated, and what the next coordinated action should learn from the playbook.
- Ransomware attribution 2026: TTPs, notes, fingerprints
  A 2026 attribution playbook for ransomware investigations — combining TTP fingerprinting against MITRE ATT&CK, ransom-note artifact analysis, leak-site monitoring, and the open-source intelligence pivots that hold up under scrutiny.
- Active Directory hardening 2026: Tier 0, DSRM, PRT theft
  A 2026 practitioner walkthrough of Active Directory hardening against the lateral-movement, credential-theft, and persistence techniques that modern ransomware operators rely on — Tier 0 isolation, DSRM rotation, PRT theft mitigation, and AD audit baselines.
- How to build a threat actor profile from public sources: MITRE ATT&CK + Mandiant + Malpedia tutorial
  A practitioner’s tutorial for assembling a working threat-actor profile from public sources — MITRE ATT&CK for TTPs, Mandiant and CrowdStrike for attribution context, Malpedia for malware lineage, plus a clean note-taking template.
- Tracking ransomware affiliates across rebrands with VirusTotal, MalwareBazaar, and YARA
  A 2026 tutorial for tracking individual ransomware affiliates across operator rebrands using VirusTotal Intelligence, abuse.ch’s MalwareBazaar, and YARA rules. Code reuse, builder fingerprints, and TTP continuity reveal the same crews under new names.
- Lumma vs RedLine vs Vidar in 2026: market share by infections
  A 2026 comparative profile of the three dominant infostealer families — capabilities, distribution channels, market share by observed infections, and where each is heading after the 2024 takedown actions.
- The new mid-tier RaaS contenders: Qilin, Medusa, Embargo
  Three mid-tier ransomware operators have built sustained victim claim counts in 2025-2026. Profiles of Qilin, Medusa, and Embargo — what’s distinctive about each, and what the rise of the mid-tier means for defenders.
- Lapsus$ revival rumors in 2026: what we know and what we don’t
  Persistent rumors point to a Lapsus$ revival operating under new branding in 2026. Sorting the credible signal from the Telegram noise, and what defenders should make of it.
- Akira’s pivot to extortion-only: a 2026 group profile
  Akira began as a classic encrypt-and-extort operation but has been quietly drifting toward data-theft-only attacks across 2025-2026. A profile of where they came from, where they are now, and why the model is working.
- RansomHub explained: the post-LockBit consolidator
  RansomHub became the largest active RaaS by claim count in 2025 by absorbing experienced affiliates from the LockBit and ALPHV exits. A 2026 profile of the operator, their tooling, and their structural position.
- Scattered Spider in 2026: still the SIM-swap kings
  Scattered Spider — UNC3944, Octo Tempest — survived the 2024 arrests and remains one of the most operationally aggressive English-speaking threat groups. Their 2026 playbook, capabilities, and how they keep getting in.
- Ransomware Q1 2026 leaderboard: who’s claiming the most victims
  A 2026 Q1 ransomware leaderboard built from leak-site claims, with the structural changes shaping the operator pool — RansomHub at the top, a long mid-tier, and the takedown ripples still propagating through the ecosystem.
- The pivot from encryption to data theft: pure-extortion gangs in 2026
  A new generation of operators has dropped encryption entirely — they steal the data and threaten to leak it without ever locking a single file. Here’s why that model is winning.
- Play: The Closed-Shop Ransomware Brand Quietly Hitting Cities, Schools, and Critical Infrastructure
  Play — also known as PlayCrypt — does not run an open RaaS. It runs a closed shop with vetted affiliates, an unusual aesthetic, and a steady cadence of attacks against cities, schools, and managed service providers. Quietly, it has become one of the most prolific operators of the post-LockBit era.
- Hive: The Ransomware Operation the FBI Spent Seven Months Inside
  Hive was a top-tier RaaS that hit hospitals, schools, and Costa Rica’s public sector — until the FBI quietly infiltrated its infrastructure for seven months, harvested decryption keys, and dismantled the operation in January 2023.
- DarkSide: Colonial Pipeline, the Pseudo-Code-of-Conduct, and the Rebrand to BlackMatter
  DarkSide ran for less than a year before its attack on Colonial Pipeline rewrote the politics of ransomware in May 2021. Then it disappeared, rebranded as BlackMatter, and seeded what would eventually become BlackCat/ALPHV. A short, consequential life.
- Akira: The Retro-Themed Ransomware Operation Quietly Eating Mid-Market Enterprise
  Akira launched in March 2023 with a 1980s green-screen aesthetic and rapidly became one of the most active ransomware operations in the world, riding waves of Cisco VPN exploitation and a steady stream of mid-market victims. Here is what makes it distinctive.
- Black Basta: Conti’s Most Successful Successor and Its Healthcare Specialism
  Black Basta walked out of the Conti collapse in 2022 and rapidly became one of the top RaaS programs in the world, with a particular taste for healthcare and critical infrastructure. Then internal chats leaked again — and the playbook started looking familiar.
- Ryuk: The Big-Game Hunter That Made Ransomware a Boardroom Problem
  Ryuk was the Russian-speaking operation that proved you could ransom a Fortune 500 company for tens of millions of dollars and get away with it. It is also the operation whose people went on to run Conti — and, by extension, half the modern ransomware ecosystem.
- Cl0p: The Mass-Exploitation Specialists Behind Accellion, GoAnywhere, and MOVEit
  Cl0p turned ransomware into a zero-day data-extortion business. Three sweeping campaigns against file-transfer software — Accellion, GoAnywhere, and MOVEit — produced thousands of victims and billions in damages, with little encryption and a lot of stolen data.
- BlackCat / ALPHV: The Rust-Powered RaaS That Ended in an Exit Scam
  BlackCat — also known as ALPHV — was the first major ransomware written in Rust, the operation that filed an SEC complaint against its own victim, and the brand that walked away with $22 million from Change Healthcare and stiffed its own affiliate. A short, eventful career.
- REvil / Sodinokibi: The Big-Game Hunters Who Hit Kaseya, JBS, and Then Disappeared Twice
  REvil — a.k.a. Sodinokibi — was the swaggering, big-game hunting RaaS responsible for some of the highest-profile attacks in ransomware history, including the Kaseya supply-chain incident. Then it vanished, briefly came back, and got cleaned up by the FSB.
- Conti: Anatomy of a Ransomware Corporation — and How It Imploded
  Conti was the most corporate ransomware operation of its era — payroll, HR, R&D, the works — until an internal leak in 2022 exposed the entire enterprise and its political alignment. Here is how it grew, how it operated, and how it collapsed into a network of successor brands.
- LockBit: The Ransomware Brand That Redefined the Industry — and Got Taken Down
  LockBit was the most prolific ransomware operation in history, running an industrialised RaaS program with the world’s fastest encryptor — until Operation Cronos shredded its infrastructure in early 2024.