exitium

Ransomware group profile

6Victims

30Impact score

Description

Exitium is a newly identified ransomware-as-a-service (RaaS) group that emerged prominently in early 2026. They employ a double extortion tactic, encrypting data and threatening its public disclosure if ransoms are not paid. They utilize living-off-the-land techniques to evade detection during their attacks.

Key insights

•Exitium employs a double extortion model by both encrypting data and exfiltrating sensitive information.
•The group uses living-off-the-land (LotL) techniques for lateral movement and privilege escalation before deploying their ransomware.
•Their ransomware variants typically append the '.exitium' file extension to locked files.
•They target a variety of industries, including energy, agriculture, and manufacturing.
•Exitium's attacks are characterized by sophisticated encryption methods, likely involving AES-256 and RSA-4096.
•They operate a dedicated leak site on the Tor network to pressure victims into paying ransoms.

Industries

Energy & Utilities Government & Defense Healthcare Manufacturing Other

Threat Level & Status Breakdown

For exitium · Based on incidents in selected period

1.4threat level

Aggressiveness1.5/ 10

Lethality0/ 10

Criticality2.8/ 10

Status Breakdown

Claimed100.0%6

First seenMar 2026

Last seenApr 2026

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 2, 2026

Recent activity

Monthly attack count for exitium in the selected period

6Total attacks

5peak in Mar

3avg / month

↓ 4 vs first month

No intelligence data for this group.

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for exitium

Other

T1486

T1490

T1078

T1059

T1547

T1021

T1021.001

T1562

T1046

T1068

T1110

Victims(6)

Company	Domain	Country	Industry	Status	Discovered
Gastroenterology & Hepatology of CNY	—	US United States	Healthcare	Claimed	about 2 months ago
Ming Hwei Energy	—	TW Taiwan	Energy & Utilities	Claimed	2 months ago
IKRON	—	—	Energy & Utilities	Claimed	2 months ago
Marborges Agroindustria	—	BR Brazil	Other	Claimed	2 months ago
Fannin CAD	—	US United States	Government & Defense	Claimed	3 months ago
Classified	—	—	—	Claimed	3 months ago

Affected countries(12)

Countries where this group has been reported to target or leak victims.

🇧🇷Brazil 🇨🇦Canada 🇩🇪Germany 🇪🇸Spain 🇫🇷France 🇮🇳India 🇮🇹Italy 🇵🇦Panama 🇸🇬Singapore 🇹🇭Thailand Taiwan, Province of China 🇺🇸United States