the green blood group
Ransomware group profile
Description
The Green Blood Group is a ransomware operation that emerged in early 2026, known for its focus on financially motivated extortion using advanced techniques. They employ a double-extortion model that involves encrypting files and threatening to leak sensitive data, all while aggressively disrupting system recovery mechanisms.
Key insights
- •Uses a Golang-based ransomware payload with AES-256-CTR or ChaCha8 encryption.
- •Employs double-extortion tactics, pressuring victims through a Tor-based data leak site.
- •Disables system recovery options and security features to complicate recovery efforts.
- •Initial access often gained through malicious executables and phishing emails.
- •Files are encrypted with the .tgbg extension, and a ransom note is provided post-encryption.
Industries
Threat Level & Status Breakdown
For the green blood group · Based on incidents in selected period
Status Breakdown
Recent activity
Monthly attack count for the green blood group in the selected period
No intelligence data for this group.
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for the green blood group
T1486
T1486
T1490
T1490
T1562
T1562
T1070
T1070
T1047
T1047
T1059
T1059
T1021
T1021
T1021.001
T1021.001
T1547
T1547
T1080
T1080
Victims(2)
| Company | Domain | Country | Industry | Status | Discovered | |
|---|---|---|---|---|---|---|
| 🇸🇳 DAF SENEGAL | — | SN Senegal | Government & Defense | Claimed | 4 months ago | |
| 🇪🇬 ECOBAT EGYPT | — | EG Egypt | Manufacturing | Claimed | 4 months ago |
Affected countries(5)
Countries where this group has been reported to target or leak victims.