Swift action, assured recovery: Incident Response excellence
With Integrity360's Incident Response (IR) services, ensure your organisation always emerges stronger, smarter, and more resilient.
The Integrity360 approach: proactive, proficient, prepared
React to cyber incidents with confidence, ensuring minimised disruption and damage. We combine cutting-edge technology with seasoned expertise to confront cyber threats, ensuring your organisation is always ready. We're your trusted partner in the heat of a cyber crisis.

Why choose Integrity360 for ransomware response?
When a ransomware attack strikes, a swift and structured response is vital. At Integrity360, our incident response experts deliver a recovery process designed to minimise disruption and restore your operations with speed and precision. Here's what you can expect:
Around-the-clock response
Our Security Operations Centre (SOC) operates 24/7, ensuring immediate availability when an incident occurs. Once engaged, our incident response specialists will act without delay – deploying remotely or on-site the same day to begin containment and recovery.
Fast-track system recovery
We work alongside your internal teams to decrypt and recover critical data, aiming to get your systems back online quickly. Our focus is on reducing downtime and limiting the operational and reputational impact of the attack.
Comprehensive digital forensics
Integrity360’s specialists are trained to conduct thorough forensic investigations, identifying how the incident occurred, what was affected, and how to prevent reoccurrence. We can also support legal or regulatory proceedings with expert witness services and evidence handling as needed.
NCSC Assured Service Provider
Integrity360 is endorsed under the Cyber Incident Response (CIR) Scheme Assurance and has undergone assessments aligned with NCSC standards, ensuring our capability to deliver top-tier cyber incident response services.
With Integrity360, you gain a trusted cyber security partner that will assess, contain and eliminate threats – ensuring a confident path to recovery.
Our Services
Digital Forensics
Emergency Incident Response
Compromise Assessment
Most Active Ransomware Gangs 2025
Akira
The Akira ransomware group was first identified in March 2023. It primarily targets corporate networks across North America, with attacks reported in sectors such as education, finance, insurance, real estate, manufacturing, recreation, and business consulting. Akira uses double extortion tactics, stealing sensitive data before encrypting systems to pressure victims into paying a ransom.
ALPHV/Blackcat
ALPHV—also known as BlackCat, AlphaV, or AlphaVM—is a ransomware-as-a-service (RaaS) operation active since November 2021. It is recognised as the first ransomware group to use the Rust programming language, enabling faster, more adaptable malware. ALPHV is infamous for its triple extortion tactics: encrypting files, exfiltrating sensitive data, and launching DDoS attacks to pressure victims.
Ransomhub
RansomHub is a ransomware-as-a-service (RaaS) group first detected in February 2024, comprising members from across the globe. Known for its structured operations, RansomHub imposes strict rules on its affiliates during attacks—violations can lead to bans from the group. Victim organisations are publicly named on RansomHub’s darknet leak site. The group pledges not to attack targets in CIS countries, Cuba, North Korea, China, and Romania.
Qilin
Qilin, also known as Agenda, is a ransomware-as-a-service (RaaS) group that has targeted organisations across a wide range of sectors worldwide. This cyber threat actor is operated by a user known as “Qilin” on underground cybercriminal forums. The group provides customised ransomware variants to affiliates in return for a share of any ransom payments collected. Qilin’s malware is tailored to specific targets, making its attacks more effective and harder to detect. Active on the global stage, the group has become known for its adaptability and growing list of victims.
Clop
Clop is a sophisticated ransomware group first identified in February 2019, known for targeting large enterprises across multiple sectors worldwide. The group carries out data-extortion and ransomware attacks, often exploiting zero-day vulnerabilities to gain access to corporate networks. Clop has been linked to several high-impact campaigns, most notably the MOVEit Transfer attacks, which resulted in the theft of sensitive data and millions in ransom payments. Its technical expertise and aggressive tactics make Clop a significant threat to organisations globally.
Play
The Play ransomware group—also known as PlayCrypt—first emerged in June 2022, deploying its own custom ransomware in targeted attacks. Play uses a double extortion model, stealing sensitive data before encrypting files. If victims refuse to pay the ransom, the stolen data is published on the group’s data-leak site to increase pressure. This tactic has made Play a growing concern for organisations worldwide. While initial attacks focused on select industries, Play has since expanded its reach, targeting a broader range of sectors.
SafePay
SafePay is a newly emerged ransomware group first observed in late 2024. It uses a double extortion model, deploying a modified LockBit payload to steal and encrypt sensitive data from critical systems. Once compromised, victims face ransom demands under threat of data exposure. SafePay’s operations involve gaining initial access, conducting post-compromise activity, and moving laterally within networks—often by exploiting vulnerable remote desktop services.
Scattered Spider
Scattered Spider is a financially motivated cybercriminal group that has been active since at least May 2022. Known for its sophisticated extortion and ransomware campaigns, the group has primarily targeted organisations in the telecommunications, arts, entertainment, and recreation sectors and, most recently, the retail sector. Scattered Spider is also notable for its focus on compromising software-as-a-service (SaaS) platforms and cloud service provider (CSP) environments to steal sensitive data. The group employs advanced techniques to gain access, move laterally, and exfiltrate valuable information for extortion.
Lynx Ransomware
Lynx Ransomware is a ransomware-as-a-service (RaaS) group first observed in July 2024. Financially motivated, the group uses both single and double extortion tactics—encrypting data and threatening to leak it unless a ransom is paid. On 24 July 2024, Lynx issued a public statement claiming it avoids targeting government institutions, hospitals, and non-profit organisations. Once a system is compromised, the group drops a "readme.txt" file containing a unique ID and a link to its Tor-based portal. Like many RaaS operators, Lynx maintains a data leak site (DLS) to list victims and pressure them into paying.
Medusa
Medusa is a ransomware-as-a-service (RaaS) platform first identified in 2021, operated by a financially motivated cybercriminal group. The threat actors behind Medusa primarily exploit unpatched vulnerabilities to gain access to corporate networks. Once inside, they deploy ransomware to encrypt data and demand payment for its release. Medusa has launched attacks across a wide range of industries, including technology, education, manufacturing, healthcare, and retail, making it a broad and persistent threat.
Dragonforce
First detected in November 2023, DragonForce is a rapidly emerging ransomware group whose origins remain unverified. Despite being a relatively new player, DragonForce has quickly risen to prominence and is now ranked among the top 20 global ransomware groups in operation. The group is known for launching highly disruptive attacks using double extortion techniques—stealing data before encrypting systems to pressure victims into paying ransoms. DragonForce targets organisations across various sectors, and its activity shows a high level of coordination and technical capability.
Killsec
KillSec began as a hacktivist collective but has since evolved into a ransomware-as-a-service (RaaS) provider, actively supplying customisable ransomware tools to affiliates for cyber extortion. Now operating as a financially motivated threat actor, KillSec has demonstrated its growing capabilities by targeting organisations across a wide range of industries worldwide.
Speak to an IR expert
Be prepared for any incident. Strengthen your defences with our expert Incident Response Services.
Ensure rapid recovery and robust protection against cyber threats with our dedicated support.
Speak to a member of our Incident Response team to find out more about our emergency and retainer services.

London: +44 20 3397 3414
Sofia: +359 2 491 0110
Stockholm: +46 8 514 832 00
Madrid: +34 910 767 092

Incident Response FAQs
What is Incident Response (IR)?
Incident Response is the process of identifying, containing, investigating, and recovering from cyber security incidents such as malware infections, ransomware attacks, unauthorised access, and data breaches.
What does Integrity360’s Incident Response service include?
Integrity360 provides 24/7 incident response with expert-led containment, forensics, threat analysis, remediation guidance, and recovery support. The service includes remote and on-site support, detailed post-incident reports, and assistance with legal or regulatory obligations.
When should we engage an incident response team?
You should engage an IR team as soon as you suspect a breach or security incident—such as unusual login activity, ransomware, unauthorised system changes, or data exposure. Early containment reduces impact and speeds up recovery.
Do we need to be an existing Integrity360 customer to get help?
No. Integrity360 offers both retained IR services and ad hoc emergency response for organisations in need of immediate support—even if you’re not currently a client.
What is an IR retainer, and do we need one?
An IR retainer is a pre-arranged agreement ensuring rapid access to IR specialists in the event of an incident. It helps reduce response time, improve preparedness, and may include proactive services like tabletop exercises and threat hunting.
How fast can Integrity360 respond to an incident?
With a retained service in place, response can begin in as little as one hour. For ad hoc incidents, the team prioritises urgent triage and initial containment actions as quickly as possible.
Does the service include digital forensics and root cause analysis?
Yes. Integrity360’s IR service includes full forensic analysis to determine the source, impact, and scope of the incident—along with recommendations to prevent recurrence.
What makes Integrity360’s IR service different?
Integrity360 combines deep threat knowledge, rapid mobilisation, regulatory expertise, and tailored support. The service is backed by a dedicated IR team with real-world breach response experience and access to a 24/7 SOC.