cry0
Ransomware group profile
1Victims
North KoreaSource country
45Impact score
Description
The ransomware group cry0 emerged in March 2026, using data broker tactics to engage in direct and double extortion. They are known for encrypting victim data while threatening to leak it through a dedicated leak site on TOR networks.
Key insights
- •Employs direct and double extortion tactics.
- •Utilizes a data leak site accessible via TOR networks.
- •Engages in threats to leak stolen information publicly.
- •Offers free portions of leaked data to entice compliance.
- •Targets a wide array of sectors, including healthcare and education.
Threat Level & Status Breakdown
For cry0 · Based on incidents in selected period
0.1threat level
Aggressiveness0.3/ 10
Lethality0/ 10
Criticality0/ 10
First seenApr 2026
Last seenApr 2026
Avg ransom—
Payment rate—
Statusactive
Sophistication0
Last updatedJun 7, 2026
Recent activity
Monthly attack count for cry0 in the selected period
1Total attacks
1peak in Apr
1avg / month
Intelligence
IOCs, YARA/Sigma rules, and related families for cry0
- http://45.227.253.59:3111/
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for cry0
Other
T1486
T1486
T1490
T1490
T1078
T1078
T1059
T1059
T1562
T1562
T1021
T1021
T1547
T1547
T1021.001
T1021.001
T1080
T1080
T1027
T1027
Victims(1)
| Company | Domain | Country | Industry | Status | Discovered | |
|---|---|---|---|---|---|---|
| dinisrl.it | — | IT Italy | Transportation | Unknown | 2 months ago |
Affected countries(14)
Countries where this group has been reported to target or leak victims.