root

Ransomware group profile

9Victims

RussiaSource country

17Impact score

Description

Shadowroot is a ransomware strain identified in July 2024 that primarily targets Turkish businesses but also affects global sectors such as healthcare and online shopping. Its attacks begin with spear-phishing emails that lead to file encryption, demanding ransoms paid in cryptocurrency. The ransomware is notable for its rudimentary design and recursive encryption process, indicating the potential inexperience of its developers.

Key insights

•Gains initial access through spear-phishing emails with malicious PDF attachments.
•Encrypts files with a '.shadowroot' extension while demanding ransoms in cryptocurrency.
•Utilizes PowerShell to stealthily execute its main ransomware component, 'RootDesign.exe'.
•Targets Turkish businesses, with ransom notes delivered in Turkish.
•Employs a recursive self-process creation method that causes high memory consumption.

Industries

Financial Services Hospitality Manufacturing Other Retail & E-Commerce Technology

Threat Level & Status Breakdown

For root · Based on incidents in selected period

0.8threat level

Aggressiveness2.3/ 10

Lethality0/ 10

Criticality0/ 10

Status Breakdown

Claimed66.7%6

First seenNov 2025

Last seenDec 2025

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 2, 2026

Recent activity

Monthly attack count for root in the selected period

9Total attacks

5peak in Nov

4.5avg / month

↓ 1 vs first month

Intelligence

IOCs, YARA/Sigma rules, and related families for root

fc8c34bfa937df962347ea943b27c34369d3cd397590154503b06e8b3d60ea99
436c014614477e79696e838d6b605f4e
6548617b3f40a471b667926392ec9c8845a10d74e27f5f0b67c7df1c43659399
cf9cf39f511870cf1c03897df267d9aff4c56fca2b966891ff14641bc6143ad6
566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739
47707bbc8d3ec1a1a33461acae0fe841ab6da7a5d11ee5ba1fc7cc5705534d97
7be242cd843eb439405480a34b9d597b6e603866774d1475be3bdc1154c741b8
e8139b0bc60a930586cf3af6fa5ea573
88da2b1cee373d5f11949c1ade22af0badf16591a871978a9e02f70480e547b2

View full IOC feed13 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for root

Other

T1486

T1490

T1078

T1059

T1021

T1562

T1550

T1027

T1041

T1105

Victims(9)

Company	Domain	Country	Industry	Status	Discovered
Japan Exchange Group [PUBLISHING]	—	JP Japan	Financial Services	Claimed	6 months ago
GTA Properties	—	AE United Arab Emirates	Other	Claimed	6 months ago
Gamanza Group	—	—	Other	Claimed	6 months ago
Dynamic Capital	—	—	Financial Services	Claimed	6 months ago
Surana Brothers	—	—	Manufacturing	Claimed	6 months ago
The Neighborhood Hotel	—	US United States	Hospitality	Claimed	6 months ago
resonancenetwork.com	—	US United States	Hospitality	Unknown	6 months ago
DJT Corporation & Investments Pvt	—	IN India	Financial Services	Unknown	6 months ago
Japan Exchange Group	—	JP Japan	Financial Services	Unknown	6 months ago

Affected countries(5)

Countries where this group has been reported to target or leak victims.

🇩🇪Germany 🇬🇧United Kingdom Russian Federation 🇹🇷Turkey 🇺🇸United States