List of Ransomware Syndicate Who Will Steal and Leak Your Data if You Don't Pay

Posted on July 17, 2021 by Benjamin Bressington

List of Ransomware Syndicate Who Will Steal and Leak Your Data if You Don't Pay

List of All The Ransomware Syndicate Who Will Steal and Leak Your Data if You Don't Pay

Recent years have seen an increase in the frequency and aggressiveness of hackers who use computer software to capture data from personal computers.

Ransomware that leaks victims often create a data leak site to publicly shame their victims and publish the files they stole. If the victim refuses to pay, the ransomware syndicate threaten to leak the information online, on so-called "leak sites" and then tip journalists about the company's security incident.

Some companies who may not want certain intellectual property leaked or published, will give in and pay a ransom demand to make the incident disappear.

In December 2019, the Maze ransomware syndicate pioneered this tactic by utilizing it in their encryption. Now it is spreading to other groups as well.

Below is a list of ransomware "leak sites," listed alphabetically, which we'll maintain going forward as an index for any future groups that use this tactic. We will not be linking to any of these sites, nor will we be listing any past or present victims.

The following list exists solely for the purpose of letting victim companies know that in the case of an infection with any of the ransomware strains below that they should treat it as a classic data breach where data has been exfiltrated and has reached a third-party's hands, rather than just a ransomware attack.

AKO Ransomware (Rebranded as Ranzy below)

AKO ransomware began operating in January 2020 when they started to target corporate networks with exposed remote desktop services.

Unlike other ransomware, Ako demands higher ransom payments from larger companies with more valuable information and takes an additional extortion demand to delete or leaks victims stolen files.

If payment is not made, the victim's data is put on a site that posts personal information being impersonated or used without permission.

Avaddon Ransomware

Avaddon ransomware began operating in June 2020 when they launched in a spam campaign targeting users worldwide.

If you do not pay, your info will also be released on the “Avaddon Info” site.

Babyk Ransomware

Babyk Locker is a new type of malware that launched in early 2021  and has since amassed a small list of victims worldwide.

CL0P Ransomware

The malware became popular for its CryptoMix variant in the first month, and soon became a favorite of an APT ransomware operations known as TA505.

These ransomware activities gained media attention when they encrypted 267 servers at Maastricht University.

In March 2020, CL0P released a data breaches leak site called 'CL0P^-LEAKS', where they publish the victim's data.

Conti Ransomware

The Conti Ransomware is the successor of Ryuk Ransomware and it now being distributed by TrickBot trojan.

Ransomware that began operating in 2020 is distributed at the event of a network becoming compromised by TrickBot.

Operated as a private Ransomware-as-a-Service (RaaS), Conti released a data leak site with twenty-six victims on August 25, 2020.

Cuba Ransomware

The .cuba extension was used to encrypt files by the ransomware that launched December 2020.

DarkSide Ransomware

DarkSide is a new human-operated ransomware that started operation in August 2020.

After encrypting the victim's devices, they charge fees that vary depending on how many devices are encrypted or if any data was stolen.

Ransomware syndicate demands as low as $200,000 for victims who did not have data stolen to a high of $2,000,000 for victim whose data was stolen.

DoppelPaymer Ransomware

In July 2019, a new ransomware appeared that looked and acted just like another ransomware called BitPaymer.

Named DoppelPaymer by Crowdstrike researchers, the BitPaymer group member who created this ransomware left and formed their own operation.

As soon as CrowdStrike's researchers released their report, the ransomware operators adopted the name and began using it on their Tor payment site.

DoppelPaymer targets its victims through remote desktop hacks and the Dridex Trojan.

DoppelPaymer has been targeting high-profile victims, like Bretagne Telecom and the City of Torrance in Los Angeles County.

In February 2020, DoppelPaymer launched a new site dedicated exclusively to sharing stolen user data: "Dopple Leaks." If you have been victimized, they threaten to sell your data on the dark web unless you pay them.

Egregor Ransomware

Egregor began operating in September, less than a month after Maze shut down.

As the Maze affiliates moved to the Egregor operation, ransomware group's activity increased. The latest form of ransomware has been involved in some higher-profile attacks targeting Crytek, Ubisoft, and Barnes and Noble.

Everest (Everbe) ransomware

The Everest ransomware is known as Everbe, which predominantly targets victims in Canada.

LockBit Ransomware

LockBit is an Ransomware-as-a-Service (RaaS). Its developers create and host the payment site, while affiliates distribute the ransomware.

Originally part of the Maze Ransomware cartel, LockBit was publishing the data of their stolen victims on Maze's data leak site.

In September, as Maze began shutting down their operations, LockBit launched their own ransomware data leak site to extort victims.

Maze Ransomware

The latest cybersecurity threat, the Maze ransomware, is mostly to blame for the new strategy of stealing files and using them as leverage.

Maze was first spotted in May 2019. Their attacks have escalated through exploit kits, spam, and network breaches.

On November 2019, Maze published the stolen data of Allied Universal due to not paying the ransom.Since then, they've relied on publishing the data of numerous victims through posts on hacker forums and eventually a dedicated leak site. Soon after, all other ransomware operators began copying this tactic to extort their victims.

Maze discontinued their ransomware operation in November 2020. Maze has perpetrated a number of high profile cyberattacks, including one against Chubb Insurance, City of Pensacola, Bouygues Construction, and Banco BCR.


The Mount Locker ransomware operation became active on July 2020, and started to breach corporate networks and deploy their ransomware. The Mount Locker syndicate is demanding multi-million dollar ransom payments in some cases.

In September 2020, Mount Locker launched a site that they used to publish the stolen files of victims who do not pay a ransom.

Nemty Ransomware

Originally launched as a Ransomware-as-a-Service called JSWorm, Nemty adopted the name Nemty in August 2019.

The ransomware uses a wide range of tactics, including exploit kits, spam, RDP hacks, and trojans.

In March, Nemty created a data leak site to publish the victim's data. This website can no longer be accessed by the public.

Nephilim Ransomware

On March 30th, the Nemty ransomware operator started building a new team of affiliates for Nephilim, an Ransomware-as-a-Service.

With an experienced team of hackers and malware distributors, Nephilim was designed to avoid the issues Nemty faced in its more free-for-all environment.

Afterward, they created a site, Corporate Leaks, which publishes the stolen data of victims who refuse to pay a ransom.

Netwalker Ransomware

In October 2019, the ransomware was named Mailto. In February 2020, it rebranded to Netwalker.

Netwalker, best known for its attack against the Australian transportation company Toll Group, targets corporate networks by using remote desktop hacks and spam.

Newalker is a publishing site that provides affiliate links for other sites to use. On May 2020, the company started recruiting affiliates with promises of much higher rates and an automated data leak website, threatening victims with having their information leaked if they did not pay.

Law enforcement seized the Netwalker data leak and payment sites in January 2021.

Nephilim Ransomware

On March 30th, the Nemty ransomware operator began recruiting new affiliates for Nephilim Ransomware-as-a-Service.

While Nemty was a free-for-all RaaS that allowed anyone to join, Nephilim is built by recruiting only experienced malware distributors and hackers.

The group quickly created a site called "Corporate Leaks" for the purpose of publishing and monetizing data stolen from victims who refuse to pay ransoms.

Netwalker Ransomware

Starting in October of 2019 as Mailto ransomware, the malware rebranded as Netwalker in February of 2020.

Upon discovery, it is believed the Netwalker targeted a multinational corporation that owns Toll Group and other transportation companies.

Starting in 2020, Newalker courted affiliates with the promise of huge payouts and a data leak site that was set to launch on April 6th. Law enforcement seized the Netwalker data leak and payment sites in January 2021.

Pay2Key ransomware

Pay2Key is a new ransomware operation that targeted Israeli organizations in November 2020.

It is not believed that this ransomware gang is performing the attacks to create chaos for Israel businesses and interests.

Pysa Ransomware (Mespinoza)

Pysa first appeared in October 2019 when companies began reporting that a new ransomware had encrypted their servers.

In the beginning of 2018, hackers used the .locked extension for encrypted files. They switched to using .pysa in November 2019.

The ransom notes start with "Hi Company" and victims report remote desktop hacks, so this ransomware targets corporate networks. CERT-FR, the French counterpart to CERT-US (Computer Emergency Response Team) has a comprehensive report on this type of ransomware.

The ransomware operators have created a data leak site called 'Pysa Homepage' where they publish the stolen files of their "partners" if no ransom is paid.

Ragnar Locker Ransomware

First seen in February 2020, Ragnar Locker was the first to terminate processes used by Managed Service Providers.

This tactic illustrated that the hackers were targeting corporate networks and terminated these processes to avoid detection by an MSP, making it harder for an ongoing attack to be stopped.

Ragnar Locker encrypted Portuguese energy giant Energias de Portugal (EDP) and asked for a 1,580 BTC ransom through their front-end site.

RagnarLocker has created a website called "Ragnar Leaks News" where they publish the stolen data of victims who do not pay for their ransom.

RansomExx/Defray 777

RansomExx is a widespread malware, rebranded from Defray777 ransomware and has seen increased activity since June 2020.

They have victimized Texas Department of Transportation, Konica Minolta, IPG Photonics, Tyler Technologies and SoftServe.

Ranzy Locker

ThunderX, a ransomware operation that launched at the end of August 2020, soon saw holes in its operations and needed a free decryptor to be released.

After fixing bugs in its code, the ransomware operators released a new version of Ranzy Locker under the name Locky.

A data leak site called Ranzy Leak was released in October, which had the same Tor-based URL as AKO Ransomware.

The AKO ransomware gang told BleepingComputer that ThunderX was a development variant of their ransomware and that AKO rebranded as Razy Locker.

REvil / Sodinokibi Ransomware

Sodinokibi detonated in April 2019 as a successor to GandCrab, which ceased operations earlier this year.

REvil Sodinokibi is a dangerous computer hacking group that exploits both corporate networks with the help of high-level affiliates.

Victims of the Reveal ransomware include Grubman Shire Meiselas & Sacks (GSMLaw), SeaChange, Travelex, Kenneth Cole and GEDIA Automotive Group.

Maze publishing stolen files had a profound effect on Sodinokibi, who followed suit by first publishing stolen data on a hacker forum and then launching a dedicated "Happy Blog" data leak site.

Sekhmet Ransomware

Sekhmet appeared in March 2020 and began targeting corporate networks.

"Your company network has been hacked and breached. We downloaded confidential and private data. In case of not contacting us in 3 business days this data will be published on a special website available for public view," states Sekhmet's ransom note.

The Sekhmet operators have created a website titled 'Leaks leaks and leaks' where they publish data stolen from their victims.

Snatch Ransomware

Beginning in the end of 2018, Snatch was one of the first ransomware infections to threaten users with data theft.

Their previous leak site was associated with multiple TOR addresses, but they have since been shut down. It is not known if they are continuing to steal data.


SunCrypt is ransomware that was created in the end of 2019 and has recently become active after joining the 'Maze Cartel.'

SunCrypt launched a data leak in August 2020, where they publish the stolen data for victims who do not pay the ransom.

CryLock Ransomware

Cryakl, a ransomware program that operated for 2 years, rebranded this year as CryLock.

As part of the rebranding process, they also began stealing data from companies before encrypting files and leaking the files if not paid.

ProLock Ransomware

One of the first ransomware strains seen this year was PwndLcker. It targeted corporate networks with ransom demands ranging from $175,000 to over $660,000 USD.

After a weakness allowed a decryptor to be made, the operators fixed the bug and rebranded as Prolock ransomware.

Snake Ransomware

The first known instance of snake ransomware was found by Secureworks in a network-wide attack against businesses January 2020.

Recent data released by Snake includes the patient records for the French hospital operator Fresenius Medical Care.

Who is ChatFortress

ChatFortress is a leading cybersecurity company that is helping small and medium-size companies protect themselves from hacking attempts. Using Cybersecurity AI, Gamified cybersecurity awareness programs and providing virtual security analysts. Our goal is to help you create a cybersecurity aware culture.

ChatFortress Eliminates Bank Transfer Wire Fraud and Eliminates Email Phishing Attacks!

Helping you verify the device and the person you're sharing wire information with via our secure chat platform. When you need to validate the person you are sending information you need ChatFortress communication. To speak with a ChatFortress Agent call (307) 999-7755. If you want a demo you can Schedule a ChatFortress demo here.

Has your username, password or PII data been exposed to hackers on the darkweb?

Complete your FREE scan using our Hacked Scan Tool which scans over 11 Billion compromised data records and the darkweb to see if your data has been exposed to hackers. We will tell you exactly which third party services exposed your data and what you can do about it. Complete your free scan now it only takes 30 seconds!

Cybersecurity Resources

Talk to Us

Reduce your cybersecurity risk and exposure. Schedule time with your ChatFortress Specialist now
or Call 307-999-7755

Cybersecurity Education Links

Common Cybersecurity Mistakes and how you can protect yourself and your business from liability and financial loss! Instant Webinar Access!

Schedule Your Free Cybersecurity Risk Assessment Click Here to Schedule Call

Discover current hacker trends to steal your data and how you can protect yourself in 7 day FREE Email Cybersecurity crash course

Here are the 8 common types of email phishing attacks that hackers use to steal your identity. Are you protected?

Protect your business from hackersCrash Coursesmall business cybersecurity protectionHackerssmall business cybersecurity protection8typesofemailphishingscamssmall business cybersecurity protectionCMMC Compliance Check ListCybersecurity For Business