orion

Ransomware group profile

17Victims

GlobalSource country

45Impact score

Also Known As

Orion Leaks

Description

Orion Ransomware is a newly identified ransomware operation that emerged in early 2024, focusing on small-to-mid-sized enterprises (SMEs) with limited security resources. The group employs high-speed encryption techniques and masquerades as 'security consultants' while employing a double extortion strategy by stealing and threatening to leak victim data.

Key insights

•Targets primarily small-to-mid-sized enterprises (SMEs) that lack dedicated 24/7 SOCs.
•Utilizes high-speed encryption techniques, leveraging a variant based on LockBit 3.0.
•Employs a double extortion tactic by both encrypting files and exfiltrating victim data.
•Gains initial access through common vectors like phishing emails and compromised RDP access.
•Attacks disable antivirus tools and delete system snapshots to hinder recovery efforts.
•Promotes an affiliate program focused on high-profit potential for affiliates.

Industries

Education Financial Services Healthcare Hospitality Manufacturing Other Retail & E-Commerce Technology Transportation

Threat Level & Status Breakdown

For orion · Based on incidents in selected period

1.5threat level

Aggressiveness4.3/ 10

Lethality0/ 10

Criticality0/ 10

Status Breakdown

Claimed11.8%2

First seenJan 2026

Last seenMar 2026

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 6, 2026

Recent activity

Monthly attack count for orion in the selected period

17Total attacks

15peak in Jan

8.5avg / month

↓ 13 vs first month

No intelligence data for this group.

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for orion

Other

T1486

T1490

T1021

T1562

T1080

T1078

T1547

T1059

T1021.001

T1210

T1046

T1037

Victims(17)

Company	Domain	Country	Industry	Status	Discovered
Popular Tags	—	—	—	Claimed	2 months ago
Pastas Allegri https://pastasallegri.com.ve	—	VE Venezuela	Hospitality	Claimed	2 months ago
orion	—	—	Other	Unknown	4 months ago
Your clicks can earn you a Lamborghini	—	—	—	Unknown	4 months ago
pricemodern	—	—	—	Unknown	5 months ago
morrisgroupint	—	—	—	Unknown	5 months ago
daubertchemical	—	US United States	Manufacturing	Unknown	5 months ago
emanic	—	—	—	Unknown	5 months ago
udhaiyamdhall	—	—	—	Unknown	5 months ago
kioti	—	US United States	Manufacturing	Unknown	5 months ago
sitrack	—	—	—	Unknown	5 months ago
hetero	—	—	—	Unknown	5 months ago
ipsenlogistics	—	—	—	Unknown	5 months ago
albanybank	—	US United States	Financial Services	Unknown	5 months ago
bridgestoneamericas	—	US United States	Manufacturing	Unknown	5 months ago
hphood	—	—	—	Unknown	5 months ago
huntongroup	—	—	Technology	Unknown	5 months ago

Affected countries(10)

Countries where this group has been reported to target or leak victims.

🇦🇷Argentina 🇦🇺Australia 🇨🇦Canada 🇩🇪Germany 🇮🇳India Korea, Republic of Russian Federation 🇹🇭Thailand 🇺🇸United States Global