{
	"id": "f7736cda-bcbd-4b58-9608-fb3ec26a989f",
	"created_at": "2026-04-06T00:06:49.659923Z",
	"updated_at": "2026-04-10T13:11:40.51697Z",
	"deleted_at": null,
	"sha1_hash": "d3590ab85ae90948db32a247de899598148134e9",
	"title": "Most Prolific Ransomware Families for Defenders",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 322530,
	"plain_text": "Most Prolific Ransomware Families for Defenders\r\nBy Chad Anderson\r\nArchived: 2026-04-05 17:22:16 UTC\r\nExecutive Summary\r\nRansomware dominates the news cycle, but with an ever-growing number of variants and the botnets behind them\r\nit’s easy for defenders to lose track of their relationships. In this article, DomainTools researchers provide a look at\r\nthe three most prolific (by victim) ransomware families and the current loaders they use.\r\nRansom-every-ware\r\nThe current cybersecurity news cycle seems entirely dominated by the ransomware scene as major pipelines are\r\ninterrupted, the meat supply chain grinds to a halt, and manufacturers across the board shutter while getting their\r\nnetworks in order. Ransomware gangs appear to be multiplying, and new groups are claiming ties to older\r\ngroups to gain clout and scare their victims into payment. Affiliate programs are recruiting on hacker forums\r\nwhile initial access brokers are selling footholds into corporate networks. There is a vast underground economy\r\nbooming around the ransomware scene today.\r\nIn all of this, it’s easy to get lost when examining infections as the deluge of incidents continues. Malware families\r\nlike TrickBot, Ryuk, Dridex, BazarLoader, and DoppelPaymer certainly don’t make things any easier for\r\ndefenders. Ransomware gangs or affiliate groups being confounded with their tooling names muddles things even\r\nfurther. Couple that with the fact that most of these hacker tools have precursor tools that lead to infections: a\r\npartnership where a botnet operator, after acquiring what they need from a network, then sells access or directly\r\nhttps://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide\r\nPage 1 of 7\n\nworks with ransomware groups for a cut of their take. 
These partnerships are akin to partnerships in the corporate\r\nworld: for example, a TrickBot infection often leads to Conti or Ryuk ransomware, or a Qakbot infection leads to\r\nREvil ransomware. These ties and alliances shift as new botnets and groups bloom and fade.\r\nThrough this article, DomainTools researchers will give a lay of the land, as it stands today: which infections lead\r\nto what outcomes, properties of those infections, and how to spot them. We’ll concentrate on the top three most\r\nprolific ransomware families by number of victims, Conti, Maze (and in turn Egregor, more on that later), and\r\nSodinokibi (REvil), to provide you with a better comprehension of what you read in the ever-evolving ransomware\r\nnews cycle.\r\nImage courtesy of Allan Liska\r\nAn Important Reminder On Affiliates\r\nDomainTools researchers feel that it is important to remind readers that all of these groups make alliances, share\r\ntools, and sell access to one another. Nothing in this space is static, and even though there is a single piece of\r\nsoftware behind a set of intrusions, there are likely several different operators using that same piece of ransomware\r\nwho will tweak its operation to their designs.\r\nThe playbook of the affiliate programs that many of these ransomware authors run is to design a piece of\r\nransomware and then sell it off for a percentage of the ransom gained. Think of it as a cybercrime multi-level\r\nmarketing scheme. Often there is a builder tool that allows the affiliate to customize the ransomware to their needs\r\nfor a specific target, which at the same time tweaks the software slightly so it can evade standard, static detection\r\nmechanisms. 
This article’s intent is not to dive deep into tracking individual affiliates or into each of the stages of\r\na piece of packed malware (looking at you, CobaltStrike), but just to the top level of software used and their\r\nrelations.\r\nLastly, we must mention that access for the ransomware is often being provided by an initial backdoor or botnet,\r\nfrequently called an initial access broker. These backdoors, sometimes referred to as remote access trojans (RATs),\r\nare first dropped by a downloader, another piece of simple, obfuscated software that is usually distributed by spam\r\nemails with malicious documents of varying types. Sometimes, the people behind these RATs and ransomware\r\nfamilies will also obtain access by password spraying techniques or exploiting old vulnerabilities that might be\r\npresent on aging systems exposed on corporate networks. We will include those steps in our explanations.\r\nAll in all, what this shows is that the problem space to look in for a robust defense solution isn’t necessarily the\r\nransomware itself, but the methods of initial access: spam email campaigns, brute force attacks, and\r\nvulnerability management. Rarely are the affiliates behind the ransomware infection actually the same entity\r\nacquiring initial access.\r\nConti\r\nFirst observed in December 2019, Conti is suspected to be operated by the same group that is behind the Ryuk\r\nransomware, known for its rapid cycles of initial access to ransomware infection. Like many groups, they operate\r\na Ransomware-as-a-Service (RaaS) offering and have a leak site that they leverage against victims for double\r\nextortion. While distributed by the TrickBot botnet in the past, Conti is often seen now being distributed by Bazar\r\nand IcedID (aka BokBot). 
What’s interesting here is that IcedID was also known to be distributed by the prolific\r\nEmotet botnet, which distributed TrickBot and Ryuk in the past as well. All of these connections lead most to\r\nbelieve that the groups behind all of these pieces of malicious software are connected and working together.\r\nConti is unique in that when encrypting victim data with AES256, the software uses a multithreaded approach\r\nwhich makes the execution much faster than other malware families. This can mean that by the time defenders\r\nnotice the Conti infection on one machine, it’s far too late to remediate. The ties to older groups such as Ryuk,\r\nhaving operated since 2018, and the improvement in capabilities and speed indicate that Conti is the next iteration\r\nof software for these gangs and the most deadly of the current malware families. Additionally, the fact that Conti\r\nis one of the few RaaS programs that sometimes gains initial access on its own shows a higher level of\r\nsophistication than some other affiliate groups.\r\nLastly, we want to call out Bazar for a piece of uniqueness uncovered by the domain name-specific research that\r\nDomainTools conducts. Bazar uses EmerDNS blockchain-based domains. This is an alternative domain registry\r\nwhich uses EmerCoin as the blockchain, meaning the domains cannot be taken down or sinkholed to disrupt the\r\nbotnet’s communications, as this is an entirely separate DNS not under anyone’s control. Use of these blockchain\r\ndomains has been slowly on the rise in malicious software and produces a significant problem for defenders.\r\nMaze and Egregor\r\nThe Maze ransomware group remains one of the most prolific ransomware affiliate programs, with such a vast\r\nnumber of infections that they still rank in the top ten infections of all time even though the affiliate program\r\nannounced its retirement in November 2020 after only forming in 2019. 
Maze, previously called ChaCha for its\r\nuse of the ChaCha encryption algorithm, was also the first RaaS to develop a leaks site and attempt to get victims\r\nto pay using double extortion—something that’s common for all new ransomware programs today. For that reason\r\nwe couldn’t leave them off this list even though most of their affiliates moved on to using the Egregor\r\nransomware, first appearing in September 2020, after Maze’s retirement.\r\nMaze used off-the-shelf exploit kits such as Fallout or Spelevo and spam campaigns that have downloaders that\r\ninstall Cobalt Strike Beacon. Beacon is a commercial, full-featured RAT that is found in almost all infection\r\nchains these days. Despite claiming to be a tool for red teams and penetration testers, Cobalt Strike is so full-featured, particularly its modular command and control in Beacon, that bad actors have taken the tool up with\r\nabandon. Most infection chains have an instance of Beacon in them somewhere, including with Conti above.\r\nWhat’s important to note here is that the Egregor ransomware family departs from Maze in that it follows a model\r\nsimilar to Conti’s, where external exploits against RDP are used as well as spam mail with\r\nmalicious documents to drop the Qakbot (AKA Qbot) worm. Qakbot is a commodity malware, available since\r\n2007, that is offered on a number of underground forums and used by several ransomware families. Muddying\r\nwaters even further, Qakbot has been seen being dropped by Emotet in some infections and tied to several\r\nransomware families in the past outside Egregor, such as ProLock and LockerGoga. 
The Egregor attacks using\r\nRDP to gain an initial foothold lead some to believe that some Egregor affiliates are confident in breaching\r\nnetworks directly while others are relying on initial access brokers who are less skilled and leverage commodity\r\nmalware.\r\nREvil (Sodinokibi)\r\nThe REvil ransomware family first appeared in April 2019 and is thought, due to code similarities, to be the\r\nspiritual successor to GandCrab, an earlier ransomware variant that targeted consumers. Similar to many other\r\nransomware variants, REvil checks on startup if the computer’s language region is set to an allowlisted country,\r\ntypically a nation outside of the CIS nations such as Kazakhstan and Russia, which are excluded. Much like other families, REvil\r\noperates a leak site where they have, for instance, offered up stolen Apple blueprints.\r\nREvil also has a number of unique features that make the malware particularly sinister. For instance, REvil\r\nsamples will attempt to escalate privileges by constantly spamming the user with an administrator login prompt or\r\nwill reboot into Windows Safe Mode to encrypt files, as antivirus software rarely runs in safe mode. The software\r\nalso uses a custom packer to disguise itself, which makes analysis difficult for less talented reverse engineers.\r\nSeparate from the previous two families discussed, REvil uses the AES or Salsa20 encryption algorithms on\r\nvictim files, which is a slightly unique signature. These unique features, along with the RaaS’ success, have led to\r\nsome new gangs, such as Prometheus, claiming to be a part of REvil to encourage victim payment.\r\nAs for distribution, REvil affiliates have been seen using spam campaigns to deliver malicious documents and\r\nexploit kits targeting old vulnerabilities on unpatched machines, as well as, most recently, Qakbot. 
This new\r\nrelationship of being distributed through the Qakbot worm brings REvil into line with the many other families that\r\nhave been distributed by botnets in the past. With the speed at which many of these ransomware groups are now\r\nmoving and the money involved, purchasing access from botnet operators into valuable victim networks is more\r\neffective than individual targeting of companies for most affiliates.\r\nRansomware Map\r\nWhile the previous three families may be the most prominent in terms of victim market share, there remains an\r\never-growing number of ransomware gangs and families to keep track of in the rapid news cycle. These three\r\nfamilies also offer a glimpse into what most of the ransomware market looks like as far as infection vectors and\r\nchains are concerned. With those as a basis, we offer the guide below to help with interpreting any articles\r\nencountered on ransomware. As with any ancient map there are portions of unknown territory (here be dragons)\r\nand portions that may rapidly shift from the time when this map was made. Tactics and techniques change,\r\nrelationships change, but this is the market slightly untangled from the DomainTools research perspective at the\r\ntime of this publishing.\r\nThe full ransomware map is available as a Miro board linked from the original post.\r\nSource: https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide"
	],
	"report_names": [
		"the-most-prolific-ransomware-families-a-defenders-guide"
	],
	"threat_actors": [],
	"ts_created_at": 1775434009,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3590ab85ae90948db32a247de899598148134e9.pdf",
		"text": "https://archive.orkl.eu/d3590ab85ae90948db32a247de899598148134e9.txt",
		"img": "https://archive.orkl.eu/d3590ab85ae90948db32a247de899598148134e9.jpg"
	}
}