US News

Most wanted: The top 5 online crime gangs running ransomware

On the internet, nobody knows you’re a dog!

These words from Peter Steiner’s famous cartoon could easily be applied to the recent ransomware attack on Florida-based software supplier Kaseya.

Kaseya provides software services to thousands of clients around the world. It’s estimated between 800 and 1,500 medium to small businesses may be impacted by the attack, with the hackers demanding US$50 million (lower than the previously reported US$70 million) in exchange for restoring access to data being held for ransom.

The global ransomware attack has been labeled the biggest on record. Russian cybercriminal organization REvil is the alleged culprit.

Despite its notoriety, nobody really knows what REvil is, what it’s capable of, or why it does what it does — apart from the immediate benefit of huge sums of money. Also, ransomware attacks often involve vast distributed networks, so it’s not even certain the individuals involved would know each other.

Ransomware attacks are growing exponentially in size and ransom demand — changing the way we operate online. Understanding who these groups are and what they want is critical to take them down.

Here, we list the top five most dangerous criminal organizations currently online. As far as we know, these rogue groups aren’t backed or sponsored by any state.


DarkSide is the group behind the Colonial Pipeline ransom attack in May, which shut down the US Colonial Pipeline’s fuel distribution network, triggering gasoline shortage concerns.

The group seemingly first emerged in August last year. It targets large companies that will suffer from any disruption to their services — a key factor, as they’re then more likely to pay a ransom. Such companies are also more likely to have cyber insurance which, for criminals, means easy money-making.

DarkSide’s business model is to offer a ransomware service. In other words, it carries out ransomware attacks on behalf of other, hidden perpetrator/s so they can lessen their liability. The executor and perpetrator then share profits.

Groups that offer cybercrime-as-a-service also provide online forum communications to support others who may want to improve their cybercrime skills.

This might involve teaching someone how to combine distributed denial-of-service (DDoS) and ransomware attacks, to put extra pressure on negotiations. The ransomware would prevent a business from working on past and current orders, while a DDoS attack would block any new orders.


The ransomware-as-a-service group REvil is currently making headlines due to the ongoing Kaseya incident, as well as another recent attack on global meat processing company JBS. This group has been particularly active in 2020-2021.