frag

Ransomware group profile

4Victims

RussiaSource country

62Impact score

Description

Frag is a financially motivated ransomware group that emerged in November 2024, operating with a closed operational model and conducting all attacks in-house. They utilize a modular ransomware payload and primarily target organizations through specific vulnerabilities, particularly in Veeam Backup & Replication software. Frag's tactics include swift disruption of victim recovery processes and threats of data exposure to coerce ransom payments.

Key insights

•Targets primarily include organizations with vulnerabilities in Veeam Backup & Replication software.
•Employs modular ransomware payloads customized for each attack to enhance stealth.
•Leverages tactics from past ransomware groups like Hive and LockBit with novel evasion techniques.
•Does not use countdown timers on their data leak site, setting them apart from other ransomware groups.
•Initial access often gained through spear-phishing, exploitation of vulnerabilities, and stolen credentials.
•Demands for ransom typically start in the low six-figure range, escalating to millions.
•Uses Living Off The Land binaries for operations to avoid detection.

Industries

Financial Services Government & Defense Healthcare Manufacturing Other Professional Services Retail & E-Commerce Technology Transportation

Threat Level & Status Breakdown

For frag · Based on incidents in selected period

1.9threat level

Aggressiveness1/ 10

Lethality0/ 10

Criticality5/ 10

First seenJun 2025

Last seenJun 2025

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 2, 2026

Recent activity

Monthly attack count for frag in the selected period

4Total attacks

4peak in Jun

4avg / month

Intelligence

IOCs, YARA/Sigma rules, and related families for frag

d520d06d78afcad2e03842cb8db4622d18b92739e89dfb8dadf5743f30dcd903
e75e5778e71e062ce4a7af673f0b2513854d2367fee0f01a26c0c998863bdf6e
eae09889399fe4fb8e78b114dba0527de913d12fb1802944a88ed136e3e90577
94f73b5dc06ba6705fcef3e759413a747049c2949a0c2e44afc03b2f9989cf73

View full IOC feed500 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for frag

Other

T1486

T1490

T1078

T1021

T1047

T1562

T1059

T1021.001

T1213

T1040

T1080

T1037

Victims(4)

Company	Domain	Country	Industry	Status	Discovered
Cryoviva \| Singapour \| Healthcare services	—	SG Singapore	Healthcare	Unknown	12 months ago
Cryoviva	cryoviva.com.sg	SG Singapore	Healthcare	Unknown	12 months ago
Evasa \| Argentina, Buenos Aires \| Construction	—	AR Argentina	Other	Unknown	12 months ago
Evasa	evasa.com	ES Spain	Professional Services	Unknown	12 months ago

Affected countries(9)

Countries where this group has been reported to target or leak victims.

🇨🇦Canada 🇩🇪Germany 🇪🇸Spain 🇬🇧United Kingdom 🇮🇳India Iran, Islamic Republic of 🇳🇱Netherlands 🇸🇬Singapore 🇺🇸United States