Endpoint Detection and Response, Extended Detection and Response, Managed Detection and Response — the alphabet soup of modern endpoint defence is real but confusing. Here is what each tier actually does, where it stops working, and how to choose.
Play — also known as PlayCrypt — does not run an open RaaS. It runs a closed shop with vetted affiliates, an unusual aesthetic, and a steady cadence of attacks against cities, schools, and managed service providers. Quietly, it has become one of the most prolific operators of the post-LockBit era.
Hive was a top-tier RaaS that hit hospitals, schools, and Costa Rica’s public sector — until the FBI quietly infiltrated its infrastructure for seven months, harvested decryption keys, and dismantled the operation in January 2023.
DarkSide ran for less than a year before its attack on Colonial Pipeline rewrote the politics of ransomware in May 2021. Then it disappeared, rebranded as BlackMatter, and seeded what would eventually become BlackCat/ALPHV. A short, consequential life.
Akira launched in March 2023 with a 1980s green-screen aesthetic and rapidly became one of the most active ransomware operations in the world, riding waves of Cisco VPN exploitation and a steady stream of mid-market victims. Here is what makes it distinctive.
Black Basta walked out of the Conti collapse in 2022 and rapidly became one of the top RaaS programs in the world, with a particular taste for healthcare and critical infrastructure. Then internal chats leaked again — and the playbook started looking familiar.
Ryuk was the Russian-speaking operation that proved you could ransom a Fortune 500 company for tens of millions of dollars and get away with it. It is also the operation whose people went on to run Conti — and, by extension, half the modern ransomware ecosystem.
Cl0p turned ransomware into a zero-day data-extortion business. Three sweeping campaigns against file-transfer software — Accellion, GoAnywhere, and MOVEit — produced thousands of victims and billions in damages, with little encryption and a lot of stolen data.
BlackCat — also known as ALPHV — was the first major ransomware written in Rust, the operation that filed an SEC complaint against its own victim, and the brand that walked away with $22 million from Change Healthcare and stiffed its own affiliate. A short, eventful career.
REvil — a.k.a. Sodinokibi — was the swaggering, big-game hunting RaaS responsible for some of the highest-profile attacks in ransomware history, including the Kaseya supply-chain incident. Then it vanished, briefly came back, and got cleaned up by the FSB.