krybit
Ransomware group profile
Description
KryBit is a financially motivated ransomware group that emerged in March 2026, offering a Ransomware-as-a-Service model where affiliates retain a significant share of ransom payments. They employ a double-extortion strategy by encrypting files and exfiltrating sensitive data, with notable public conflicts with rival groups contributing to their visibility in the cybercriminal landscape.
Key insights
- •Utilizes a double-extortion model, encrypting files and stealing data.
- •Targets multiple operating systems, including Windows, Linux, and ESXi.
- •Ransom demands range between $40,000 to $100,000.
- •Employs complex evasion techniques, including shadow copy deletion and process injection.
- •Communicates with victims through Tor-based channels for negotiations.
- •Engages in inter-group conflicts that result in operational revelations.
- •Initial access often gained through phishing and exploited services.
Threat Level & Status Breakdown
For krybit · Based on incidents in selected period
Status Breakdown
Recent activity
Monthly attack count for krybit in the selected period
Intelligence
IOCs, YARA/Sigma rules, and related families for krybit
- oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion
- zohlm7ahjwegcedoz7lrdrti7bvpofymcayotp744qhx6gjmxbuo2yid.onion
- krybitxdpxohsmjooeb3gbgpmdddreh6mnflzac6bnezz74b7yje67yd.onion
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for krybit
T1486
T1486
T1490
T1490
T1078
T1078
T1562
T1562
T1059
T1059
T1021
T1021
T1547
T1547
T1021.001
T1021.001
T1105
T1105
T1037
T1037
T1071
T1071
T1041
T1041
Victims(41)
| Company | Domain | Country | Industry | Status | Discovered | |
|---|---|---|---|---|---|---|
| activ88-interim.com | activ88-interim.com | DE Germany | Professional Services | Claimed | 1 day ago | |
| www.transbras.com.gt | transbras.com.gt | GT Guatemala | Transportation | Claimed | 1 day ago | |
| tulipmediworld.com | tulipmediworld.com | IN India | Healthcare | Claimed | 4 days ago | |
| ecci-srl.com | ecci-srl.com | IT Italy | Professional Services | Claimed | 5 days ago | |
| motofrenos.com | motofrenos.com | MX Mexico | Manufacturing | Claimed | 7 days ago | |
| smile-siam.com | smile-siam.com | TH Thailand | Retail & E-Commerce | Claimed | 7 days ago | |
| ctps.tp.edu.tw | ctps.tp.edu.tw | TW Taiwan | Education | Claimed | 8 days ago | |
| bangkok.go.th | bangkok.go.th | TH Thailand | Government & Defense | Claimed | 11 days ago | |
| lasevillanita.com | lasevillanita.com | ES Spain | Hospitality | Claimed | 12 days ago | |
| SARL CANIS EVENTS SÉCURITÉ PRIVÉE | — | FR France | Professional Services | Claimed | 15 days ago | |
| nacs.com.hk | nacs.com.hk | HK Hong Kong | Other | Claimed | 15 days ago | |
| mindmastersg.com | mindmastersg.com | SG Singapore | Professional Services | Claimed | 15 days ago | |
| wwag.org | wwag.org | AT Austria | Other | Claimed | 19 days ago | |
| eclagestio360.com | eclagestio360.com | ES Spain | Professional Services | Claimed | 25 days ago | |
| ovextech.com | — | US United States | Technology | Claimed | 29 days ago | |
| foodsmart.com.do | — | DO Dominican Republic | Manufacturing | Claimed | 30 days ago | |
| bomuhospital.org | bomuhospital.org | KE Kenya | Healthcare | Claimed | about 1 month ago | |
| weiss-pm.de | weiss-pm.de | DE Germany | Professional Services | Claimed | about 1 month ago | |
| zsiclife.co.zm | — | ZM Zambia | Financial Services | Claimed | about 1 month ago | |
| moser-spiel.at | — | AT Austria | Hospitality | Claimed | about 1 month ago |
Page 1 of 3
Affected countries(26)
Countries where this group has been reported to target or leak victims.