SatanLock
SatanLock is a ransomware group/family first reported as emerging in April 2025. It operated a data leak site and listed numerous victims there, although reporting noted that many of the victims attributed to SatanLock had already been claimed by other ransomware groups, which raises questions about the originality and credibility of some of its claims. Check Point Research reported SatanLock as the second most prevalent ransomware group in April 2025, behind Akira and ahead of Qilin, while other reporting characterized it as a newer, low-activity ransomware group that registered limited incident volume and later announced an abrupt shutdown. SatanLock was also cited among a wave of short-lived ransomware brands that launched leak sites within weeks of each other in 2025.
Within broader 2025 ransomware reporting, SatanLock is grouped with newly emerged or rebranded ransomware operations that commonly shared infrastructure, tooling, and access brokers rather than relying on unique malware. These groups were generally described as operating in a fragmented ransomware ecosystem, often under a Ransomware-as-a-Service model, with initial access frequently obtained through identity-based compromise such as stolen VPN credentials, MFA fatigue, session token hijacking, OAuth abuse, exploitation of edge infrastructure like VPN appliances and firewalls, phishing, SaaS abuse, and cloud/SaaS misconfiguration. Reporting on this cluster of groups also noted that data theft and extortion often replaced or preceded encryption, and that malware used by such groups was typically lightweight, open-source, and minimally obfuscated. High-confidence reporting directly tied to SatanLock specifically is limited to its emergence in April 2025, operation of a leak site with numerous victim listings, low observed activity, inclusion among newly launched ransomware leak-site operators, and its subsequent shutdown announcement.
Recent activity
4 sources tracked across advisories, community write-ups, and news. Summaries of what each source reports:
A ransomware family that emerged in 2025; the source does not specify its initial access methods but places it within the 2025 wave of short-lived ransomware groups.
A minimal-activity ransomware brand referenced as part of the long tail of operators.
A newer ransomware group that announced its shutdown; the source reports that its victim postings were largely duplicates of other groups' listings.
A new ransomware group that lists victims on a data leak site, indicating data exfiltration and extortion tactics.