This is just meant as a brief entry about some active ransomware gangs in March 2023. I haven’t done these update posts in a while and this is just a very short one, to give some names and activity. I have left a few out and of course there are more than those found here and some I don’t know of yet, so this is by no means a complete list. Rather it’s just a few groups I have been following this month.

In no particular order:


Royal hit more than a dozen targets, including some in Germany in March 23. Additionally, their leak site has a fancy animation, where victims slide in from the side, which gives strong PowerPoint vibes. On a purrsonal note, I can never go to their leak site and not immediately get triggered and start singing Royal from Lorde.

I’ve never seen a diamond in the flesh
I cut my teeth on wedding rings in the movies
And I’m not proud of my address


Lockbit always goes brrrrr every month. I haven’t even counted; they are just number one in terms of victims most months. However, their anti-DDoS protection thingy is annoying me. It’s fine on the leak-search, but not on the leak-blog. I spend way too much time looking at this:


Play seemed completely focused on a few targets in the US and UK only this month.


Alphv was adding a lot of leaks on the site in March. It almost feels like they did a one-leak-a-day challenge, ’cause it’s up to approximately thirty already.


Abyss does not have many victims yet; however, I listed them here because there are a few interesting things about this group:

• Their motto is: Just business, nothing personal
• They leaked patient data stemming from orthopedic care (about leaks and patient data, see my German Twitter entry)
• As an astrophysicist I have to give them props for their black hole depiction:


Clop was very busy in March, hitting some well-known orgs, also including some doing cyber security. Yep.
They also warn against imitators:


Medusa had a wild selection of targets, from schools to a defense company to space technology.
Also, guys, your Twitter link is broken.


Blackbasta hit mostly US-based companies. They typically give the revenue of the company in the leak. It always surprises me how much revenue some small law firms have…


As usual they have remained very international, hitting all around the globe basically.
They also get the rootcat style award as always (since PYSA is gone). I mean just look at this beauty of GTA meets 90s word art: