ms13-089
Ransomware group profile
Description
ms13089 is a ransomware group that emerged in December 2025, primarily focused on financial gain through data encryption and exfiltration. They utilize a double extortion model, threatening to publish sensitive stolen data if ransom demands are not met. There is limited information regarding their origin or tools used beyond their ransomware payload.
Key insights
- •Uses a double extortion model for ransomware attacks.
- •Threatens to publish stolen data on a Tor-based leak site if ransom is not paid.
- •Targets a wide variety of sectors, including finance and healthcare.
- •No specific initial access methods or proprietary malware publicly detailed.
- •Employs direct extortion tactics to pressure organizations into compliance.
Threat Level & Status Breakdown
For ms13-089 · Based on incidents in selected period
Status Breakdown
Recent activity
Monthly attack count for ms13-089 in the selected period
No intelligence data for this group.
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for ms13-089
T1486
T1486
T1490
T1490
T1021
T1021
T1562
T1562
T1080
T1080
T1078
T1078
T1547
T1547
T1059
T1059
T1021.001
T1021.001
T1041
T1041
T1203
T1203
Victims(4)
| Company | Domain | Country | Industry | Status | Discovered | |
|---|---|---|---|---|---|---|
| brittanyresidential.com (USA, Ohio) | — | US United States | Healthcare | Claimed | about 1 month ago | |
| sjl-legal.com (Luxembourg, Luxembourg) | — | LU Luxembourg | Professional Services | Claimed | 5 months ago | |
| dgpcommercialisti.it (Italy, Reggio Emilia) | — | IT Italy | Professional Services | Claimed | 6 months ago | |
| uro.com (USA, Virginia) | — | US United States | Healthcare | Claimed | 6 months ago |
Affected countries(6)
Countries where this group has been reported to target or leak victims.