Breach Monitoring News Feed
Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.
DarkBit is a politically motivated ransomware operation active since February 2023, targeting academic and public sector entities, most notably Israeli institutions such as the Technion. Written in Go (Golang), it employed AES-256 encryption and supported command-line options for customizable deployments. Its behavior includes deleting volume shadow copies and encrypting files with a randomized prefix and .Darkbit extension. The group deployed its own Tor-based negotiation portal and used Tox messaging for communication. Its messaging contained anti-government rhetoric, suggesting ideological motivations in addition to cyber-extortion objectives.
DarkRace is a moderately destructive ransomware strain observed since 2024. It encrypts files and appends a randomized extension (e.g., .1352FF327) that varies per victim. Implemented as a 32-bit Windows application, it disables antivirus defenses, deletes volume shadow copies, terminates processes, and drops ransom note files for payment negotiation. Technical weaknesses in its encryption have enabled developers to produce a universal decryptor that works against DarkRace and related variants.
FireEye describes DARKSIDE as a ransomware written in C and configurable to target files on fixed disks, removable disks, or network shares. Affiliates can customize the malware to create a build for specific victims.
DarkVault is a versatile and opportunistic threat actor first observed in late 2023. Rather than being a traditional ransomware operation, it acts broadly as a data broker and extortion ensemble, publishing victim information—like company names and industries—via Tor-leak sites. Activities reportedly include doxing, website defacement, bomb threats, malware distribution, and swatting, suggesting a diversified cybercriminal portfolio beyond simple ransomware, often framed as an "exclusive online community." While the leak site design mirrors LockBit 3.0, there is no verified technical evidence linking DarkVault to LockBit's codebase. No ransomware executables or encryption tools have been confirmed; its role appears centered on data exposure and extortion without enforced file encryption.
Written in Python.
Darky Lock is a commodity-style ransomware strain first identified in July 2022, derived from publicly available Babuk source code. Victim systems undergo file encryption with an added “.darky” extension, and a “Restore-My-Files.txt” ransom note is placed in all impacted locations. The malware attempts to disable backup mechanisms, including shadow copies and specific applications. Its distribution leverages phishing and trojanized installers, complemented by payloads dropped via frameworks like Empire, Metasploit, and Cobalt Strike.
DataCarry is a newly observed ransomware and data-extortion operation, first seen in May 2025. It operates a double-extortion model, exfiltrating data and threatening publication via a Tor-hosted portal. The group has already claimed multiple victims across diverse sectors including insurance, healthcare, real estate, retail, and aerospace in countries such as Latvia, Belgium, Türkiye, South Africa, Switzerland, Denmark, and the United Kingdom. The rapid emergence and multi-country reach signal a well-organized operation.
DataF Locker is a ransomware variant first observed in 2024, closely tied to the Babuk ransomware lineage. It operates under a double-extortion model, encrypting files by appending the .dataf extension and threatening to leak exfiltrated data if the ransom isn't paid. Victims receive a ransom note named How To Restore Your Files.txt, which specifies the recovery procedures they are expected to follow. Observations suggest use of typical intrusion vectors such as phishing, exploit tools, or leaked credential abuse, although detailed delivery methods and leak infrastructure remain under-documented in high-tier intelligence reports.