Breach Monitoring

Breach Monitoring News Feed

Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.

Donex

Donex is a ransomware family that emerged in early 2022 as a rebrand of the older Muse ransomware. It uses a double-extortion strategy, combining file encryption with threats to leak stolen data on a Tor-hosted portal. Written in C++, Donex encrypts files using a combination of ChaCha20 and RSA-4096 algorithms and appends a custom extension unique to each victim. The group targets a broad range of sectors, including manufacturing, logistics, and professional services, with victims reported across North America, Europe, and Asia. Initial access methods include exploitation of public-facing applications and the use of stolen RDP credentials.

Victims: 5
Donutleaks

Donut Leaks, first reported in August 2022, is a data-extortion group linked to high-profile breaches, including the compromise of Continental in 2022. The group does not consistently encrypt files—in some cases acting purely as a data broker—yet adopts a double-extortion model when ransomware is deployed. Their operations involve exfiltrating sensitive corporate data, then threatening public release via a dedicated leak site on Tor. Donut Leaks has targeted organizations in automotive manufacturing, IT services, and professional sectors, with confirmed victims in Europe and North America. Intrusion methods are not fully documented in public sources but likely include phishing, credential theft, and exploitation of exposed services.

Victims: 44
Doppelpaymer

DoppelPaymer is a ransomware family first identified in mid-2019, derived from the BitPaymer codebase and operated by the Evil Corp cybercrime group. It is known for its double-extortion approach, encrypting victim files with AES-256 and securing keys with RSA-2048, while also stealing sensitive data for public release if payment is not made. DoppelPaymer primarily targets large organizations, including those in healthcare, government, and manufacturing, with high ransom demands often in the millions of U.S. dollars. Infection vectors include phishing emails carrying Dridex or other loaders, exploitation of remote access services, and credential theft. Encrypted files typically retain their original name with a new extension, and ransom notes direct victims to Tor-based portals for negotiation. The group has been linked to attacks on institutions such as the City of Torrance, the State of Delaware, and hospital systems in Germany and the United States.

Victims: 0
Dragonforce

DragonForce is a ransomware-as-a-service (RaaS) group first identified in late 2023. Originally linked to hacktivist activity, the group pivoted to financially motivated operations by early 2024. Since then, it has accelerated into a highly organized cartel-like network, providing customizable payloads to affiliates, a sophisticated affiliate portal, and shared infrastructure for leak sites and campaigns. The group has targeted a wide range of sectors globally, including major UK retailers such as M&S, Harrods, and Co-op, along with organizations in government, logistics, and manufacturing. Its operations are known for strategic branding flexibility, enabling affiliates to operate under their own labels using DragonForce’s backend services.

Victims: 342
Dunghill

Dunghill Leak is the publicly branded data leak site (DLS) operated by the Dark Angels ransomware group, established circa January 2023. Rather than a standalone encryption threat, it serves as the disclosure and extortion platform where stolen victim data is published if ransom demands are ignored. Dark Angels is known for highly targeted “big game hunting” tactics, exfiltrating tens to hundreds of terabytes of corporate data, often without encrypting systems. Victims include major industry players—like Johnson Controls, Sabre, Sysco, and a Fortune 50 firm—which reportedly paid a record-breaking $75 million USD ransom. The leak site is complemented by a mirrored Telegram channel for distributing victim announcements and maintaining negotiation traffic.

Victims: 15
Ech0Raix

The QNAPCrypt ransomware (also known as eCh0raix) works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:

1. The ransom note is included solely as a text file, without any message on the screen, which is natural because the target is a NAS server and not an endpoint.
2. Every victim is provided with a different, unique Bitcoin wallet, which could help the attackers avoid being traced.
3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control (C&C) server before file encryption begins.

Victims: 0
Egregor

Egregor is a ransomware strain that appeared in September 2020, widely believed to be a rebrand or successor to the Maze ransomware operation, using similar infrastructure and tactics. It runs as a Ransomware-as-a-Service (RaaS), recruiting affiliates to deploy its payload in exchange for a percentage of ransom payments. Egregor employs a double-extortion model, encrypting files with ChaCha and RSA-2048 algorithms, while exfiltrating sensitive data to threaten public release. Victims receive ransom notes directing them to Tor-based portals for negotiation. The group has targeted organizations worldwide across sectors such as retail, transportation, manufacturing, and finance, with notable attacks on Barnes & Noble and Cencosud. Egregor's operations were disrupted in early 2021 through coordinated law enforcement action, leading to the arrest of suspected affiliates in Ukraine.

Victims: 0
El Dorado

This group is believed to be connected to Lost Trust. El Dorado rebranded to BlackLock in September 2024. The user "$$$" on the RAMP cybercrime forum is known to be connected to the group.

Victims: 118
Elcometa

Victims: 0
Elonmusknow

Victims: 0
Elpaco

Elpaco is a variant of Mimic ransomware that emerged around August 2023. Designed with significant customization and stealth in mind, it targets Windows systems by abusing the Everything search utility to optimize file discovery and accelerate encryption. Operators exploit various initial access methods—most notably RDP brute-force and the Zerologon vulnerability (CVE-2020-1472)—to gain access, escalate privileges, and deliver the payload. The ransomware uses a 7z SFX dropper, deploys multi-threaded encryption, disables recovery options, and self-deletes after execution, leaving victims with encrypted files bearing Elpaco-specific extensions. It's recognized for its adaptability and advanced features compared to earlier Mimic variants.

Victims: 0
Embargo

Embargo is a Ransomware-as-a-Service (RaaS) operation first observed in May 2024. It employs a double-extortion model, encrypting victim data while exfiltrating sensitive files for publication on a Tor-based leak site. Embargo uses a Rust-based payload that leverages AES-256 and RSA-4096 encryption, deletes volume shadow copies, and disables recovery features to prevent restoration. Its targeting appears opportunistic but has included sectors such as finance, manufacturing, and professional services across North America, Europe, and Asia. The ransomware’s customization options, negotiation portal, and leak infrastructure suggest a closed affiliate model with a focus on operational security.

Victims: 33