Skip to main content

Operator dossier

AiLock is a ransomware operator currently active on public leak sites. Darkfield has indexed 44 public victims claimed by this operator between March 3, 2026 and July 14, 2026. AiLock is an emerging ransomware group first observed in March 2026 with a primarily financial motivation, having targeted at least 24 known victims across multiple sectors. The group's origin and affiliations remain largely undocumented by major threat intelligence organizations, though their targeting patterns suggest a broad operational scope spanning the United States, Canada, Great Britain, China, and Germany. Based on publicly available information from security researchers, AiLock appears to focus on technology companies, consumer services, manufacturing, and public sector entities, though specific attack methodologies, initial access vectors, and encryption techniques have not been extensively documented by CISA, FBI, or major security firms. The group's relatively recent emergence and limited public documentation suggest they may be a smaller operation or newly formed entity, with no notable major campaigns or high-profile ransoms publicly reported by established threat intelligence sources. Given the March 2026 first observation date and lack of subsequent major public reporting, AiLock's current operational status and capabilities remain largely undetermined by mainstream cybersecurity organizations.

Most-targeted sectors

Most-affected countries

Recent disclosures by AiLock

All 44 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for AiLock

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

AiLock

44 victims indexed · first seen 4 months ago · last activity 22 hours ago

44
Victims indexed
#115 of 364 tracked operators
4m
Active period
Mar 2026 → Jul 2026
8
Countries hit
top US · 11

At a glance

Status
active
First seen
4 months ago
Last activity
22 hours ago
Onion sites
1 known endpoint
Primary sector
Not Found · 6 hits

About

AiLock is an emerging ransomware group first observed in March 2026 with a primarily financial motivation, having targeted at least 24 known victims across multiple sectors. The group's origin and affiliations remain largely undocumented by major threat intelligence organizations, though their targeting patterns suggest a broad operational scope spanning the United States, Canada, Great Britain, China, and Germany. Based on publicly available information from security researchers, AiLock appears to focus on technology companies, consumer services, manufacturing, and public sector entities, though specific attack methodologies, initial access vectors, and encryption techniques have not been extensively documented by CISA, FBI, or major security firms. The group's relatively recent emergence and limited public documentation suggest they may be a smaller operation or newly formed entity, with no notable major campaigns or high-profile ransoms publicly reported by established threat intelligence sources. Given the March 2026 first observation date and lack of subsequent major public reporting, AiLock's current operational status and capabilities remain largely undetermined by mainstream cybersecurity organizations.

References

5 links

External sources curated by the MISP threat-intel community.

Timeline

1 months
2026-03-01T00:00:00+00:00 · 24
2026-03-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States
11
🇨🇦 Canada
2
🇬🇧 United Kingdom
2
🇨🇳 China
1
🇩🇪 Germany
1
🇧🇪 Belgium
1
🇰🇷 South Korea
1
🇯🇵 Japan
1

Top sectors

Technology
4
Consumer Services
3
Manufacturing
3
Public Sector
2
Construction
2
Telecommunication
1
Agriculture and Food Production
1
Financial Services
1

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known
  • http://dhnsppqjaaa22lsqxl2tfhji4ca43743kubltnodvsft3hkvai77p6ad.onion

Source

Updated 22 hours ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time AiLock posts a victim.

Add AiLock to your watchlist — Pro pings you within 5 minutes of any new AiLock leak-site post, Telegram callout, or affiliate-rebrand inference.