SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: Tengu Ransomware (Shisa)
Jun 11, 2026

Dark Web Profile: Tengu Ransomware (Shisa)

Despite a measured public persona, Tengu Ransomware operates as a financially motivated, well-organized threat. First observed in late 2025, the group emerged as a Ransomware-as-a-Service (RaaS) operation combining a double-extortion model, a lean custom toolset, and disciplined affiliate management. In fewer than six months of activity, it claimed approximately 50 victims across multiple continents before rebranding as “Shisa Ransomware” in March 2026.

Who Is Tengu Ransomware/Shisa Ransomware?

Tengu Ransomware is a RaaS operation first observed on October 9, 2025, when it listed its initial victims on its Data Leak Site (DLS). The group targets organizations for financial gain, following a double-extortion model in which sensitive data is stolen before systems are encrypted. Victims are pressured to pay through a combination of encryption, a countdown timer to public data release, and, in some cases, the publication of ransom negotiation chat logs directly on the victim’s DLS page.

Threat actor card of Tengu Ransomware

The group’s early targeting of Middle Eastern and North African organizations, alongside Spain and Brazil, led analysts to assess that at least one affiliate or core member may be based in the Middle East. A notable indicator: the group’s first listed victim, a Qatargas-linked entity, was mislabeled as Iranian on the DLS due to Iranian-linked documents found within the leaked files, suggesting direct regional familiarity. By January 2026, the victim geography had broadened significantly to include North America, India, Europe, Southeast Asia, and beyond, reflecting typical RaaS expansion as the affiliate base diversified.

The name “Tengu” (天狗) references a category of supernatural beings in Japanese Shinto belief. Tengu are depicted as bird-like demons, often red-faced with long noses, considered protective yet mischievous spirits. The branding is consistent with the group’s calculated public posture: confident, theatrical, and willing to publish sensitive victim data as leverage while maintaining a veneer of order through formal affiliate rules.

An AI depiction of Tengu

Observed Ransomware-as-a-Service (RaaS) Activity

Tengu operates a structured Ransomware-as-a-Service (RaaS) affiliate program, advertised on Dark Web forums in late 2025. Its terms include an 80/20 revenue split in favor of affiliates, with communications handled through a dedicated TOX encrypted messaging ID. Ransomware builds are available for Windows, Linux, and ESXi, with binary sizes of roughly 90 to 100KB.

The group uses intermittent encryption, targeting file headers to make files unusable while speeding up the encryption process. In a March 2026 attack, a U.S. victim claimed that 22.9TB of data was encrypted in just 14 hours, showing the practical speed advantage of this method.

For exfiltration, Tengu relies on StealTENGU, a custom file upload service advertised on February 22, 2026, and StealTG, a Windows and Linux-compatible tool announced on February 28, 2026. Affiliates also use Rclone and WinSCP, with MEGA as the main storage destination and SFTP, PixelDrain, and StorJ as secondary options. Verified partners may also receive access to an EDR-killer and a custom multi-chain pivot tool.

The program prohibits attacks on Russia and CIS countries, a common carve-out in Russian-language RaaS programs, although Tengu’s true origin remains unconfirmed. Affiliates without victim data must provide a refundable $1,500 deposit, which the group describes as a filter against researchers and law enforcement. Builds are released only after affiliates submit target data for encryption preparation, and stolen data is later posted on the group’s DLS blog.

One technical indicator stands out: an initial dropper hash linked to Tengu activity was tagged as “SalatStealer” in public threat intelligence databases, while sandbox analysis showed ransomware-like behavior. This may indicate multi-use tooling or early-stage classification ambiguity.

Data Leak Site and Infrastructure

Tengu operates a dedicated DLS on the Tor network. Victim pages include images of sensitive documents, a countdown timer to full data release, and in some cases, uploaded ransom negotiation chat logs. The infrastructure evolved through several phases:

  • October 2025: Original DLS launched, listing six initial victims from Qatar, Morocco, UAE, Spain, and Brazil
  • January 27, 2026: Group begins advertising a new DLS and shuts down the original; TOX ID also changed
  • January 30, 2026: Group goes fully offline for DLS revamp
  • February 2026: New DLS launched; a separate file server domain provisioned for leak storage; four additional backup onion domains created, all using the vanity keyword “long,” indicating use of a Tor vanity domain generation service. The group also briefly used the “Shisa Ransomware” name as the page title before reverting.

Changed version of the group’s leak site

  • March 10, 2026: DLS permanently rebranded as “Shisa Ransomware.”

Shisa Ransomware title in the newer data leak site

The file server was active from February 14, 2026 and hosted approximately 450GB of leaked data as of early March 2026, with individual victim folders reaching up to 145GB. Leaks are organized in a searchable directory structure for easy browsing by prospective buyers.

Operational security failures in the group’s setup allowed independent researchers to recover significant infrastructure intelligence: the real IP address behind the Tor hidden service; 52 attack IP addresses used during brute-force operations, 12 of them classified as high-confidence; residential proxies geolocated to India; and MEVSPACE VPS infrastructure in Poland, a provider with a documented history in criminal network operations.

What Are Tengu Ransomware’s Targets?

Geographically, early victims appeared in Qatar, Morocco, the UAE, Spain, and Brazil. By early 2026, tracking data showed a wider spread across North America, Europe, Asia, Africa, and the Middle East. India accounted for about 10.6% of observed victims, followed by the United States and Morocco at 8.5% each. Italy, Mexico, and Indonesia each represented 6.4%, suggesting that affiliates likely acquired access opportunistically rather than following strict geographic targeting rules.

Top 10 countries targeted by Tengu Ransomware

By sector, Technology was the most affected category, representing about 17% of observed victims, followed by Manufacturing at 14.9%. Construction and Real Estate, Automotive, Hospitality and Tourism, Public Sector, and Agriculture and Food Production also appeared among the leading sectors. This distribution supports a sector-agnostic model, where affiliates prioritize accessible organizations with operational pressure points over a specific industry.

Top 10 industries targeted by Tengu Ransomware

Claims Linked to Tengu Ransomware

  • October 23, 2025: Six initial victims listed on the DLS, including a Qatargas-linked entity from Qatar (mislabeled as Iran), Al Rimal Foodstuff Industries (UAE), Star Legumes (Morocco), Food and Music Management SL (Spain), and UniCursos (Brazil)
  • January 2026: Samson Equipment confirmed as a victim; major activity surge with nine claimed victims in 48 hours on January 26 and 27
  • January to February 2026: Charoenchai Transformer Co., Ltd (Thailand, manufacturing) and a Japanese Buddhist temple (Jouju-in) among victims claimed, illustrating the indiscriminate nature of targeting
  • March 5, 2026: A US company claimed 22.9TB encrypted in 14 hours, demonstrating the speed of the group’s intermittent encryption approach
  • March 10, 2026: DLS rebranded as “Shisa Ransomware”; total victim count reached approximately 50, with older listings removed and 12 active listings retained on the revamped site

Affected Countries by Tengu Ransomware, Ransomware Intelligence Dashboard (SOCRadar Free Tools)

The SOCRadar Ransomware Intelligence Dashboard provides free, live visibility into ransomware group activity worldwide, including victim claims, targeted countries and industries, active Dark Web group profiles, and more. No account required.

What Are Tengu Ransomware’s Techniques?

Tengu’s attack chain is methodical and deliberately low-noise. Affiliates avoid introducing custom tooling wherever a signed, trusted Windows binary can serve the same purpose, making behavioral detection and a well-tuned EDR far more effective than signature-based controls alone. Each phase is designed to blend with legitimate administrative activity until the final encryption stage.

Initial Access

Entry is primarily credential-driven. Affiliates conduct brute-force attacks against exposed RDP and SMB interfaces, leveraging residential proxies and commercial VPS infrastructure to blend with local network traffic and complicate attribution. Where brute-force is not viable, initial access is achieved through spearphishing links, exploitation of public-facing applications, or the reuse of valid credentials from prior data breaches. In at least one documented case, attacker-controlled infrastructure was observed hosting FortiGate on the RDP port, with FortiRDP subsequently installed on the victim machine, suggesting deliberate mimicry of legitimate remote management tooling.

Execution

All execution is conducted through Living Off The Land Binaries (LOLBins), which are signed Microsoft tools that blend into normal administrative traffic. The group avoids dropping unsigned third-party executables during this phase wherever possible.

Binary         | Role
powershell.exe | Script execution and payload delivery
cmd.exe        | Command execution and environment enumeration
rundll32.exe   | DLL-based payload execution and defense evasion
sc.exe         | Service creation, modification, and disabling
wevtutil.exe   | Event log enumeration and clearing
vssadmin.exe   | Shadow copy deletion prior to encryption

Credential Access and Privilege Escalation

Following initial foothold establishment, affiliates prioritize rapid privilege escalation to domain level. LSASS memory is dumped to extract credentials in cleartext. In at least one confirmed case, affiliates exploited ZeroLogon (CVE-2020-1472) against an unpatched domain controller to obtain domain administrator privileges without needing valid credentials first. Active Directory (AD) is then enumerated to map privileged accounts, high-value systems, and network shares targeted for lateral movement and exfiltration.

CVE-2020-1472 vulnerability card on CVE Radar (SOCRadar Free Tools)

Lateral Movement

With domain-level access secured, affiliates move laterally using NetExec (nxc) over SMB, executing commands across multiple systems while blending into normal administrative traffic patterns. RDP is also used for interactive access to high-value targets identified during the AD enumeration phase.

Defense Evasion

Windows Defender is disabled early in the intrusion using an unsigned .NET executable deployed to the host. Security-related services are stopped via sc.exe, specifically the Windows Security Center service (wscsvc) and Windows Update service (wuauserv). Event logs are cleared using wevtutil to remove forensic artifacts before the encryption stage. All subsequent execution continues through signed LOLBins.

Collection and Exfiltration

Data is collected from network shares and local systems and staged before exfiltration. The group uses the tools described in the RaaS Activity section above, with MEGA as the primary destination. Exfiltration takes place before any encryption occurs, completing the data-theft leg of the double-extortion model.

Encryption

The ransomware payload is deployed only after exfiltration is confirmed. Shadow copies are deleted immediately before execution. The group’s use of intermittent encryption, targeting file headers rather than full file contents, is what allows the encryption of very large environments within hours rather than days. Encrypted files receive the .tengu extension, and a ransom note is dropped across affected directories directing victims to the group’s Tor-based negotiation portal.

What Are the Mitigation Tactics Against Tengu Ransomware?

Tengu’s attack chain is built on credential abuse, LOLBin execution, and exposed perimeter services. Defenses should prioritize identity protection, network visibility, and backup resilience.

Block Initial Access

  • Enforce MFA on all RDP, VPN, and remote management interfaces, the primary documented entry vector for Tengu affiliates
  • Block or segment exposed remote services; use jump hosts for privileged access
  • Alert on repeated authentication failures across SMB and RDP services
  • Patch internet-facing VPN appliances and remote access services on a priority basis, including legacy vulnerabilities such as CVE-2020-1472 on domain controllers
  • Audit for unauthorized deployment of legitimate remote access tools such as ScreenConnect
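A sliding-window failed-logon detector for the RDP and SMB bullets above, written as an added example rather than SOCRadar’s or the group’s code. It assumes Windows 4625 events already parsed into (timestamp, source IP, target user, logon type) tuples; the events and documentation-range IPs are constructed for the example, not taken from the page’s IOCs.

```python
"""Sliding-window count of failed remote logons (Windows Event ID 4625) per
source IP, the "repeated authentication failures" alert the mitigation list
above calls for. Added example, not SOCRadar's code or a Tengu artifact;
events are constructed and use documentation-range IPs, not the page's IOCs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# (timestamp, source IP, target user, logon type); type 10 = RemoteInteractive
# (RDP), 3 = Network (SMB). Every row is constructed for this example.
SAMPLE_EVENTS = [
    ("2026-03-01T02:00:00", "203.0.113.10", "administrator", 10),
    ("2026-03-01T02:00:30", "203.0.113.10", "administrator", 10),
    ("2026-03-01T02:01:00", "203.0.113.10", "administrator", 10),
    ("2026-03-01T02:01:30", "203.0.113.10", "administrator", 10),
    ("2026-03-01T02:02:00", "203.0.113.10", "administrator", 10),
    ("2026-03-01T02:10:00", "198.51.100.7", "alice", 3),
    ("2026-03-01T02:10:20", "198.51.100.7", "bob", 3),
    ("2026-03-01T02:10:40", "198.51.100.7", "carol", 3),
    ("2026-03-01T02:11:00", "198.51.100.7", "dave", 3),
    ("2026-03-01T02:11:20", "198.51.100.7", "erin", 3),
    ("2026-03-01T02:20:00", "192.0.2.5", "frank", 10),  # two failures 11 min apart
    ("2026-03-01T02:31:00", "192.0.2.5", "frank", 10),  # stay below threshold
    ("2026-03-01T02:40:00", "192.0.2.9", "grace", 2),   # console logon, not remote
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (failures, distinct_users, label)} for each source
    reaching `threshold` remote failures inside any `window`-long span.
    One account hit repeatedly is labelled password guessing (T1110.001),
    many accounts from one source password spraying (T1110.003)."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) pairs inside the window
    alerts = {}
    for ts_str, ip, user, logon_type in sorted(events):
        if logon_type not in (3, 10):  # only network (SMB) and RDP failures count
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # evict failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            spread = len({u for _, u in q})
            label = "password spraying" if spread > 1 else "password guessing"
            alerts[ip] = (len(q), spread, label)
    return alerts


if __name__ == "__main__":
    for ip, (n, users, label) in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} failures against {users} account(s) -> {label}")
```

The threshold and window are starting points; tune them against a baseline of the environment’s normal failed-logon rate so that help-desk password resets do not page the SOC.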

Protect Credentials

  • Alert on LSASS access and memory dumping activity
  • Implement Privileged Access Management to limit and audit domain administrator account usage
  • Monitor breach data sources for exposed employee credentials from prior incidents

Detect LOLBin Abuse

  • Alert on unusual invocation patterns of powershell.exe, cmd.exe, rundll32.exe, wevtutil.exe, vssadmin.exe, and sc.exe, particularly when chained in sequence
  • Enable PowerShell script block logging and module logging
  • Apply application control policies to restrict unauthorized tool execution in user and temporary directories

Prevent Exfiltration

  • Detect unexpected installation or execution of Rclone and WinSCP in the environment
  • Block unauthorized connections to MEGA, PixelDrain, StorJ, and similar cloud storage services via egress filtering
  • Alert on bulk file access or large outbound data transfer events

Protect Backups

  • Maintain offline or immutable backups that cannot be reached from the corporate network
  • Alert immediately on vssadmin delete shadows execution
  • Regularly test backup restoration to confirm recovery options remain viable

Apply Threat Intelligence

  • Track known Tengu and Shisa Ransomware infrastructure indicators and onion domains
  • Monitor Dark Web forums for RaaS affiliate recruitment and Tengu-linked activity
  • Review network logs against known Tengu-associated attack IPs identified in published research

What Are the MITRE ATT&CK TTPs of Tengu Ransomware?

Tactic               | Technique ID | Technique Name
Reconnaissance       | T1595.002    | Active Scanning: Vulnerability Scanning
Initial Access       | T1566.002    | Phishing: Spearphishing Link
Initial Access       | T1190        | Exploit Public-Facing Application
Initial Access       | T1078        | Valid Accounts
Execution            | T1059.001    | Command and Scripting Interpreter: PowerShell
Execution            | T1059.003    | Command and Scripting Interpreter: Windows Command Shell
Execution            | T1218.011    | System Binary Proxy Execution: Rundll32
Persistence          | T1219        | Remote Access Software
Privilege Escalation | T1068        | Exploitation for Privilege Escalation (CVE-2020-1472)
Privilege Escalation | T1078.002    | Valid Accounts: Domain Accounts
Defense Evasion      | T1562.001    | Impair Defenses: Disable or Modify Tools
Defense Evasion      | T1070.001    | Indicator Removal: Clear Windows Event Logs
Defense Evasion      | T1218.011    | System Binary Proxy Execution: Rundll32
Credential Access    | T1003.001    | OS Credential Dumping: LSASS Memory
Credential Access    | T1110.001    | Brute Force: Password Guessing
Credential Access    | T1110.003    | Brute Force: Password Spraying
Discovery            | T1087.002    | Account Discovery: Domain Account
Discovery            | T1046        | Network Service Discovery
Lateral Movement     | T1021.001    | Remote Services: Remote Desktop Protocol
Lateral Movement     | T1021.002    | Remote Services: SMB/Windows Admin Shares
Collection           | T1039        | Data from Network Shared Drive
Collection           | T1074.001    | Data Staged: Local Data Staging
Exfiltration         | T1567.002    | Exfiltration Over Web Service: Exfiltration to Cloud Storage
Command and Control  | T1071.001    | Application Layer Protocol: Web Protocols
Command and Control  | T1090.003    | Proxy: Multi-hop Proxy
Impact               | T1490        | Inhibit System Recovery
Impact               | T1486        | Data Encrypted for Impact


What Are the Indicators of Compromise (IOCs) for Tengu Ransomware?

File Hash

  • SHA-256: fafb6c5e12dfeefaba5ac8982d5bb13dd206cfcd328b9d36aa87257f762ee24a (unsigned .NET executable, Defender disabler, also tagged as “SalatStealer”)

Dropped Files (C:\Windows\System32)

  • wraithnet_bot[.]exe
  • controller_gui[.]exe
  • controller_console[.]exe
  • wraithnet[.]log

File System

  • Encrypted file extension: .tengu
  • Ransom note filenames: TENGU_README.txt, [VictimID]-README.txt, TENGU.README.txt, _README_TENGU.txt

Contact Addresses

  • tengulocker@cyberfear[.]com
  • tengunlocker@onionmail[.]com

Attack Infrastructure IPs (High-Confidence)

  • 110.227.205[.]232
  • 123.255.248[.]97
  • 94.26.88[.]100 / .101 / .102 / .103 (MEVSPACE VPS, Poland)
  • 117.239.53[.]213 / 117.240.9[.]147 / 117.244.244[.]52 (residential proxies, India-geolocated)
  • 206.168.81[.]33
  • 61.0.226[.]126

Behavioral Indicators (Commands)

  • nxc smb [target] (NetExec lateral movement over SMB)
  • sc config wscsvc start= disabled
  • sc config wuauserv start= disabled
  • vssadmin delete shadows /all /quiet
  • wevtutil cl [log name]
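The behavioral indicators above, together with the “Detect LOLBin Abuse” and “Protect Backups” guidance, as detection logic over process-creation records. This is an added example, not SOCRadar’s code: each command pattern maps to the ATT&CK ID from the table, the records are constructed, and a host where several techniques fire within ten minutes is escalated as a chained sequence.

```python
"""Match the behavioral indicators listed above against process-creation
records and escalate when several techniques fire on one host in sequence,
as the "Detect LOLBin Abuse" and "Protect Backups" guidance recommends.
Added example, not SOCRadar's code; the records are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, ATT&CK ID from the page's table, command-line pattern). The
# \s* after start= matters: sc.exe's own syntax requires that space.
RULES = [
    ("security service disabled", "T1562.001",
     re.compile(r"\bsc(?:\.exe)?\s+config\s+(?:wscsvc|wuauserv)\s+start=\s*disabled", re.I)),
    ("shadow copies deleted", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("event log cleared", "T1070.001",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("NetExec over SMB", "T1021.002",
     re.compile(r"\bnxc(?:\.exe)?\s+smb\b", re.I)),
]

# Constructed process-creation records: (timestamp, host, image, command line).
SAMPLE_EVENTS = [
    ("2026-03-05T01:00:00", "FS01", "cmd.exe", "sc config wscsvc start= disabled"),
    ("2026-03-05T01:00:02", "FS01", "cmd.exe", "sc config wuauserv start= disabled"),
    ("2026-03-05T01:03:10", "FS01", "wevtutil.exe", "wevtutil cl Security"),
    ("2026-03-05T01:04:00", "FS01", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("2026-03-05T09:15:00", "WS22", "cmd.exe", "sc query wscsvc"),  # benign query
    ("2026-03-05T23:30:00", "BK01", "vssadmin.exe", "vssadmin delete shadows /for=D: /oldest"),
]

def match_events(events):
    """Return (timestamp, host, technique, rule name, command line) per rule hit;
    a lone vssadmin hit is already an alert by itself (see Protect Backups)."""
    hits = []
    for ts, host, _, cmd in events:
        for name, tech, rx in RULES:
            if rx.search(cmd):
                hits.append((ts, host, tech, name, cmd))
    return hits

def chained_hosts(events, window=timedelta(minutes=10), min_techniques=2):
    """Hosts where >= min_techniques distinct techniques fire inside `window`:
    the "chained in sequence" pattern. Returns {host: sorted technique IDs}."""
    per_host = defaultdict(list)
    for ts, host, tech, _, _ in match_events(events):
        per_host[host].append((datetime.fromisoformat(ts), tech))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()  # chronological, so each window starts at a real hit
        for i, (start, _) in enumerate(hits):
            techs = {t for when, t in hits[i:] if when - start <= window}
            if len(techs) >= min_techniques:
                flagged[host] = sorted(techs)
                break
    return flagged
```

The BK01 record shows why the single-hit alert and the chain alert are kept separate: a backup administrator pruning old shadow copies fires T1490 alone, whereas the FS01 sequence of service disabling, log clearing and shadow deletion within four minutes matches the pre-encryption pattern the article describes.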