krybit
Ransomware group profile
Description
KryBit is a financially motivated ransomware group that emerged in March 2026, offering a Ransomware-as-a-Service model where affiliates retain a significant share of ransom payments. They employ a double-extortion strategy by encrypting files and exfiltrating sensitive data, with notable public conflicts with rival groups contributing to their visibility in the cybercriminal landscape.
Key insights
- •Utilizes a double-extortion model, encrypting files and stealing data.
- •Targets multiple operating systems, including Windows, Linux, and ESXi.
- •Ransom demands range between $40,000 to $100,000.
- •Employs complex evasion techniques, including shadow copy deletion and process injection.
- •Communicates with victims through Tor-based channels for negotiations.
- •Engages in inter-group conflicts that result in operational revelations.
- •Initial access often gained through phishing and exploited services.
Threat Level & Status Breakdown
For krybit · Based on incidents in selected period
Status Breakdown
Recent activity
Monthly attack count for krybit in the selected period
Intelligence
IOCs, YARA/Sigma rules, and related families for krybit
- oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion
- zohlm7ahjwegcedoz7lrdrti7bvpofymcayotp744qhx6gjmxbuo2yid.onion
- krybitxdpxohsmjooeb3gbgpmdddreh6mnflzac6bnezz74b7yje67yd.onion
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for krybit
T1486
T1486
T1490
T1490
T1078
T1078
T1562
T1562
T1059
T1059
T1021
T1021
T1547
T1547
T1021.001
T1021.001
T1105
T1105
T1037
T1037
T1071
T1071
T1041
T1041
Victims(56)
| Company | Domain | Country | Industry | Status | Discovered | |
|---|---|---|---|---|---|---|
| aasa.ae | — | — | — | Claimed | in about 1 hour | |
| www.mupras.com | — | — | — | Claimed | in about 1 hour | |
| coemi.com.br | — | — | — | Claimed | in about 1 hour | |
| www.courdescomptes.sn | courdescomptes.sn | SN Senegal | Government & Defense | Claimed | 2 days ago | |
| ersa.com.py | ersa.com.py | PY Paraguay | Manufacturing | Claimed | 2 days ago | |
| theorangeblowfish.com | theorangeblowfish.com | GB United Kingdom | Technology | Claimed | 4 days ago | |
| frey.com | frey.com | CH Switzerland | Technology | Claimed | 5 days ago | |
| www.mbt-energy.com | mbt-energy.com | DE Germany | Energy & Utilities | Claimed | 7 days ago | |
| aisem.gob.bo | aisem.gob.bo | BO Bolivia | Government & Defense | Claimed | 8 days ago | |
| www.progress-security.com | progress-security.com | DE Germany | Technology | Claimed | 8 days ago | |
| libertyinsurance.com.ph | libertyinsurance.com.ph | PH Philippines | Financial Services | Claimed | 9 days ago | |
| PROBE, S.A. DE C.V | — | SV El Salvador | Other | Claimed | 9 days ago | |
| huashan.com.cn | huashan.com.cn | CN China | Manufacturing | Claimed | 14 days ago | |
| schultz.com.br | schultz.com.br | BR Brazil | Professional Services | Claimed | 14 days ago | |
| www.elumax.com | elumax.com | DE Germany | Professional Services | Claimed | 16 days ago | |
| activ88-interim.com | activ88-interim.com | DE Germany | Professional Services | Claimed | 17 days ago | |
| www.transbras.com.gt | transbras.com.gt | GT Guatemala | Transportation | Claimed | 17 days ago | |
| tulipmediworld.com | tulipmediworld.com | IN India | Healthcare | Claimed | 20 days ago | |
| ecci-srl.com | ecci-srl.com | IT Italy | Professional Services | Claimed | 21 days ago | |
| motofrenos.com | motofrenos.com | MX Mexico | Manufacturing | Claimed | 23 days ago |
Page 1 of 3
Affected countries(38)
Countries where this group has been reported to target or leak victims.