Vulnerabilities

Microsoft Products

Windows

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| CLFS | CVE-2025-29824 | RansomEXX | microsoft.com |
| Windows Error Reporting Service | CVE-2024-26169 | Black Basta | www.security.com / securityonline.info |
| CLFS | CVE-2023-28252 | Nokoyawa | securelist.com |
| SmartScreen | CVE-2023-24880 | Magniber | blog.google |
| CLFS | CVE-2022-24521 | Cuba, Vice Society, RansomHub | securelist.com / microsoft.com / security.com |
| MSDT | CVE-2022-30190 ("Follina") | BlackBasta | sentinelone.com / trendmicro.com |
| Active Directory | CVE-2021-42278 & CVE-2021-42287 ("NoPac") | Conti, BlackBasta, CosmicBeetle*, Fog | thedfirreport.com / cisa.gov / welivesecurity.com / thedfirreport.com |
| Print Spooler | CVE-2021-1675 and CVE-2021-34527 ("PrintNightmare") | Conti, Vice Society, Magniber, BlackBasta | blog.talosintelligence.com / crowdstrike.com / cisa.gov / cisa.gov |
| Local Security Authority (LSA) | CVE-2021-36942 ("PetitPotam") | LockFile | security.com |
| MSHTML | CVE-2021-40444 | Conti | microsoft.com |
| NetLogon | CVE-2020-1472 ("ZeroLogon") | LockBit, BlackBasta, Rhysida, BianLian, Conti, Quantum, Ryuk, RansomHub, Cuba, CosmicBeetle*, Ghost/Cring, Fog | cisa.gov / cisa.gov / cisa.gov / cisa.gov / cisa.gov / thedfirreport.com / thedfirreport.com / cisa.gov / cisa.gov / welivesecurity.com / cisa.gov / thedfirreport.com |
| BITS | CVE-2020-0787 | RansomHub | cisa.gov |
| Remote Desktop Gateway | CVE-2020-0609 | Conti | tenable.com |
| Task Scheduler Service | CVE-2019-1069 | Mallox | trendmicro.com |
| Remote Desktop Services | CVE-2019-0708 ("BlueKeep") | LockBit | cisa.gov |
| Win32k | CVE-2018-8453 | REvil | trendmicro.com |
| Microsoft Office | CVE-2018-0802 | RagnarLocker | kaspersky.com |
| Microsoft Office | CVE-2023-36884 | Underground | fortinet.com |
| COM | CVE-2017-0213 | RagnarLocker | kaspersky.com |
| Secondary Logon Service | CVE-2016-0099 | BlackCat | kaspersky.com |
| IQVW32.sys (BYOVD) | CVE-2015-2291 | DOGE BIG BALLS Ransomware | cyble.com |

MS Server Products

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| SharePoint Server | CVE-2025-49706, CVE-2025-49704 ("ToolShell") | Storm-2603 (Warlock) | microsoft.com |
| Exchange On-Prem | CVE-2022-41080 ("OWASSRF") | PLAY | crowdstrike.com |
| Exchange On-Prem | CVE-2022-41040 & CVE-2022-41082 ("ProxyNotShell") | PLAY | cisa.gov |
| Exchange On-Prem | CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 ("ProxyShell") | Conti, Hive, Cuba, AvosLocker, BlackCat, Ghost/Cring | sophos.com / cisa.gov / securelist.com / trendmicro.com / trendmicro.com / cisa.gov |
| Exchange On-Prem | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, & CVE-2021-27065 ("ProxyLogon") | Conti, Cuba, AvosLocker | tenable.com / trendmicro.com / trendmicro.com |
| Exchange On-Prem | CVE-2020-0688 | Conti | tenable.com |
| SMBv3 | CVE-2020-0796 ("SMBGhost") | Conti | tenable.com |
| SQL Server Reporting Services | CVE-2020-0618 | Mallox | trendmicro.com |
| SharePoint Server | CVE-2019-0604 | Hello, Ghost/Cring | trendmicro.com / cisa.gov |
| SMBv1 | CVE-2017-0144 ("EternalBlue") | WannaCry, NotPetya, RansomHub, CosmicBeetle*, Ghost/Cring | sentinelone.com / cisa.gov / welivesecurity.com / cisa.gov |

Application

  • Apps and Software targeted by ransomware gangs

Adobe

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| ColdFusion | CVE-2023-29300 & CVE-2023-38203 | Storm-0501* | microsoft.com |
| ColdFusion | CVE-2009-3960 & CVE-2010-2861 | Ghost/Cring | cisa.gov |

Apache

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| ActiveMQ | CVE-2023-46604 | RansomHub | cisa.gov |
| Log4j | CVE-2021-44228 ("Log4Shell") | LockBit, *Prophet Spider, AvosLocker | cisa.gov / secureworks.com / blog.talosintelligence.com |
| Log4j | CVE-2021-4104 | *Prophet Spider | secureworks.com |
| Struts | CVE-2017-5638 | *Prophet Spider | secureworks.com |

Atlassian

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Confluence Data Center & Server | CVE-2023-22527 | LockBit | thedfirreport.com |
| Confluence Data Center & Server | CVE-2023-22515 | RansomHub | cisa.gov |
| Confluence Data Center & Server | CVE-2023-22518 | Cerber | trendmicro.com |
| Confluence Data Center & Server | CVE-2022-26134 | Cerber | sophos.com |

ConnectWise

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| ScreenConnect | CVE-2024-1708 & CVE-2024-1709 | BlackBasta, Cicada3301, Bl00dy, BlackCat, Medusa | cisa.gov / unit42.paloaltonetworks.com / trendmicro.com / bleepingcomputer.com / cisa.gov |

CyberPanel

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| CyberPanel | CVE-2024-51567 | PSAUX | www.csoonline.com |
| CyberPanel | CVE-2024-51568 | PSAUX | www.csoonline.com |

Kaseya

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| VSA | CVE-2021-30116 | REvil | tenable.com |

Java Applications

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| JBoss Application Server | CVE-2017-7504 | *Prophet Spider | secureworks.com |

Jenkins

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Jenkins | CVE-2024-23897 | RansomEXX | blogs.juniper.net / www.cloudsek.com |

JetBrains

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| TeamCity | CVE-2024-27198 | BianLian | www.guidepointsecurity.com |
| TeamCity | CVE-2023-42793 | BianLian | www.guidepointsecurity.com |

Mitel

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| MiVoice Connect | CVE-2022-29499 | Lorenz | arcticwolf.com |

Oracle

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| E-Business | CVE-2025-61882 | Clop | crowdstrike.com |
| WebLogic | CVE-2020-14882 | *Prophet Spider | secureworks.com |
| WebLogic | CVE-2020-14750 | *Prophet Spider | secureworks.com |
| WebLogic | CVE-2019-2725 | REvil | trendmicro.com |
| E-Business | CVE-2016-0545 | *Prophet Spider | secureworks.com |

PHP

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| PHP CGI | CVE-2024-4577 | TellYouThePass | www.imperva.com |

SAP

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| NetWeaver | CVE-2025-31324 | BianLian, RansomEXX | reliaquest.com |

SimpleHelp

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| SimpleHelp RMM | CVE-2024-57727 | PLAY, DragonForce, Medusa | cisa.gov / sophos.com / CuratedIntel |

Sitecore

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Sitecore XP | CVE-2021-42237 | *Prophet Spider | secureworks.com |

SysAid

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| SysAid On-Prem | CVE-2023-47246 | Clop | @msftsecintel |

Qlik

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| QlikSense | CVE-2023-41265 | Cactus | northwave-cybersecurity.com |

QNAP

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| NAS | CVE-2021-28799 | eCh0raix | unit42.paloaltonetworks.com |

Veeam

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Backup & Replication | CVE-2024-40711 | Akira, Fog | @SophosXOps |
| Backup & Replication | CVE-2023-27532 | Akira, FIN7, Cuba, CosmicBeetle, Qilin, RansomHub | labs.withsecure.com / blogs.blackberry.com / welivesecurity.com / sophos.com / news.sophos.com / security.com |
| Backup & Replication | CVE-2022-26500 & CVE-2022-26501 | AvosLocker, Cuba | kroll.com / securelist.com |

Veritas

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Veritas Backup Exec | CVE-2021-27876 | ALPHV | cloud.google.com |
| Veritas Backup Exec | CVE-2021-27877 | ALPHV | cloud.google.com |
| Veritas Backup Exec | CVE-2021-27878 | ALPHV | cloud.google.com |

Zoho

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| ManageEngine ADSelfService Plus | CVE-2022-47966 | Storm-0501* | microsoft.com |
| ManageEngine ADSelfService Plus | CVE-2021-40539 | AvosLocker, Trigona | kroll.com / areteir.com |

Zimbra

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Zimbra Collaboration | CVE-2022-41352 | BabLock | group-ib.com |

Virtualization

  • Virtualized infrastructure and systems targeted by ransomware gangs

Citrix

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| NetScaler ADC & Gateway | CVE-2023-4966 ("Citrixbleed") | LockBit, Medusa, BlackCat, INC Ransom, Storm-0501* | doublepulsar.com / bleepingcomputer.com / therecord.media / secureworks.com / microsoft.com |
| NetScaler ADC & Gateway | CVE-2023-3519 | Pioneer Kitten+, RansomHub | cisa.gov / cisa.gov |
| NetScaler ADC & Gateway | CVE-2022-27510 | Royal | at-bay.com |
| ShareFile Storage Zones Controller | CVE-2021-22941 | *Prophet Spider | crowdstrike.com |
| NetScaler ADC & Gateway & SD-WAN | CVE-2019-19781 | Pioneer Kitten+, REvil | cisa.gov / cisa.gov / sentinelone.com |
| Workspace app and Receiver for Windows | CVE-2019-11634 | Nefilim | sophos.com |

VMware

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| ESXi | CVE-2024-37085 ("ESX Admins") | Akira, BlackBasta, BlackByte | microsoft.com / blog.talosintelligence.com |
| Workspace ONE Access & Identity Manager | CVE-2022-22954 | RAR1Ransom | fortinet.com |
| vCenter Server | CVE-2021-22005 | Conti | tenable.com |
| vSphere Client | CVE-2021-21985 | Conti | tenable.com |
| ESXi | CVE-2021-21974 | ESXiArgs | greynoise.io |
| vSphere Client | CVE-2021-21972 | BlackCat, Akira | crowdstrike.com / qualys.com |

File Transfer Servers

  • Applications and Systems used to transfer and store files, often targeted for data exfiltration

Accellion

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Accellion File Transfer Appliance | CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 | Clop | mandiant.com |

Cleo

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Cleo VLTrader, Harmony, LexiCom | CVE-2024-55956 | Clop | huntress.com |

CrushFTP

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| CrushFTP | CVE-2025-31161 | Kill Ransomware | kennedyslaw.com |

Fortra

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| GoAnywhere Managed File Transfer | CVE-2023-0669 | Clop, LockBit | censys.io / cisa.gov |

IBM

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Aspera Faspex | CVE-2022-47986 | IceFire, Buhti | sentinelone.com / security.com |

Progress Software

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| MOVEit | CVE-2023-34362 | Clop | cisa.gov |

PaperCut

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| PaperCut Application Server | CVE-2023-27350 & CVE-2023-27351 | Clop, LockBit, Bl00dy, Buhti | twitter.com/MsftSecIntel / cisa.gov / security.com |

SolarWinds

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| SolarWinds Serv-U FTP | CVE-2021-35211 | Clop | research.nccgroup.com |

Network Edge Devices

  • Virtual Private Networks (VPNs), Firewalls, Routers, Switches, Load Balancers, Connection Gateways

Pulse Secure / Ivanti

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Pulse Connect Secure | CVE-2024-21887 | Pioneer Kitten+ | cisa.gov |
| Ivanti MobileIron | CVE-2023-38035 | Cactus | bitdefender.com |
| Ivanti EPM Cloud Services Appliance (CSA) | CVE-2021-44529 | BlackCat | crowdstrike.com |
| Pulse Connect Secure & Pulse Policy Secure | CVE-2019-11539 | Pioneer Kitten+, REvil | cisa.gov / sentinelone.com |
| Pulse Connect Secure | CVE-2019-11510 | REvil, Pioneer Kitten+ | tenable.com / cisa.gov |

Fortinet

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| FortiOS & FortiProxy | CVE-2024-55591 | Hunters International, SuperBlack, NightSpire | esentire.com / forescout.com / s-rminform.com |
| FortiOS SSL-VPN & FortiProxy | CVE-2023-27997 | RansomHub | cisa.gov |
| FortiClientEMS | CVE-2023-48788 | RansomHub, Medusa | cisa.gov / cisa.gov |
| FortiOS SSL-VPN | CVE-2022-42475 | CosmicBeetle* | welivesecurity.com |
| FortiOS | CVE-2022-40684 | Akira | stairwell.com |
| FortiOS SSL VPN | CVE-2020-12812 | Hive, PLAY | cisa.gov / cisa.gov |
| FortiOS | CVE-2019-6693 | Akira | stairwell.com |
| FortiOS | CVE-2019-5591 | Nemesis Kitten+ | secureworks.com |
| FortiOS | CVE-2018-13379 | Conti, LockBit, PLAY, REvil, Ghost/Cring | tenable.com / cisa.gov / cisa.gov / trendmicro.com / cisa.gov |
| FortiOS | CVE-2018-13374 | Conti | tenable.com |

F5

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| BIG-IP | CVE-2023-46747 | RansomHub | cisa.gov |
| BIG-IP | CVE-2022-1388 | Pioneer Kitten+ | cisa.gov |
| iControl REST | CVE-2021-22986 | LockBit | cisa.gov |

Palo Alto Networks

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| PAN-OS Firewall | CVE-2024-0012 | RA World | security.com |
| PAN-OS Firewall | CVE-2024-3400 | Pioneer Kitten+ | cisa.gov |
| GlobalProtect Portal & Gateway Interface | CVE-2019-1579 | DarkSide | acronis.com |

Sophos

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| XG Firewall | CVE-2020-12271 | Ragnarok | news.sophos.com |

SonicWall

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| SonicOS SSL-VPN | CVE-2024-40766 | Akira, Fog | arcticwolf.com / arcticwolf.com |
| SMA 100 | CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-20023 | FiveHands, HelloKitty | cloud.google.com / ic3.gov |
| SonicOS SSL-VPN | CVE-2020-5135 | Babuk | coveware.com |
| SMA 100 | CVE-2019-7481 | HelloKitty, BlackCat | bleepingcomputer.com / blackberry.com |

Cisco

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| ASA & FTD | CVE-2023-20269 | Akira | cisco.com |
| ASA & FTD | CVE-2020-3259 | Akira | cisa.gov |

Check Point

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Security Gateway | CVE-2024-24919 | Pioneer Kitten+, NailaoLocker | cisa.gov / orangecyberdefense.com |

Zyxel

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Zyxel Firewall | CVE-2024-42057, CVE-2024-11667 | Helldown | blog.sekoia.io |

Linux

  • Exploitation of Linux components, such as Kernel, System libraries, Shell, and System utilities

System Utilities

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
| --- | --- | --- | --- |
| Polkit pkexec | CVE-2021-4034 ("Pwnkit") | BlackCat | crowdstrike.com |