The Green Blood Group
Ransomware group profile
Description
The Green Blood Group is a ransomware operation that emerged in early 2026 and is known for financially motivated extortion using advanced techniques. It runs a double-extortion model: files are encrypted and the group threatens to leak sensitive data, while aggressively disrupting system recovery mechanisms to hinder restoration.
Key insights
- Uses a Golang-based ransomware payload with AES-256-CTR or ChaCha8 encryption.
- Employs double-extortion tactics, pressuring victims through a Tor-based data leak site.
- Disables system recovery options and security features to complicate recovery efforts.
- Initial access is often gained through malicious executables and phishing emails.
- Encrypted files are given the .tgbg extension, and a ransom note is dropped after encryption.
Recent activity
Monthly attack count for The Green Blood Group in the selected period: no intelligence data for this group.
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for The Green Blood Group:
- T1486 Data Encrypted for Impact
- T1490 Inhibit System Recovery
- T1562 Impair Defenses
- T1070 Indicator Removal
- T1047 Windows Management Instrumentation
- T1059 Command and Scripting Interpreter
- T1021 Remote Services
- T1021.001 Remote Desktop Protocol
- T1547 Boot or Logon Autostart Execution
- T1080 Taint Shared Content
Affected countries (5)
Countries where this group has been reported to target or leak victims.