Operator dossier

AiLock is a ransomware operator currently active on public leak sites. Darkfield has indexed 34 public victims claimed by this operator between March 3, 2026 and May 18, 2026. AiLock is an emerging ransomware group first observed in March 2026 with a primarily financial motivation, having targeted at least 24 known victims across multiple sectors. The group's origin and affiliations remain largely undocumented by major threat intelligence organizations, though their targeting patterns suggest a broad operational scope spanning the United States, Canada, Great Britain, China, and Germany. Based on publicly available information from security researchers, AiLock appears to focus on technology companies, consumer services, manufacturing, and public sector entities, though specific attack methodologies, initial access vectors, and encryption techniques have not been extensively documented by CISA, FBI, or major security firms. The group's relatively recent emergence and limited public documentation suggest they may be a smaller operation or newly formed entity, with no notable major campaigns or high-profile ransoms publicly reported by established threat intelligence sources. Given the March 2026 first observation date and lack of subsequent major public reporting, AiLock's current operational status and capabilities remain largely undetermined by mainstream cybersecurity organizations.

Most-targeted sectors

Not Found6 victims
Technology4 victims
Consumer Services3 victims
Manufacturing3 victims
Public Sector2 victims
Construction2 victims

Most-affected countries

US11 victims
CA2 victims
GB2 victims
CN1 victims
DE1 victims
BE1 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

AiLock

34 victims indexed · first seen 3 months ago · last activity 3 days ago

Victims indexed

#126 of 348 tracked operators

Active period

Mar 2026 → May 2026

Countries hit

top US · 11

At a glance

Status: active
First seen: 3 months ago
Last activity: 3 days ago
Onion sites: 1 known endpoint
Primary sector: Not Found · 6 hits

About

AiLock is an emerging ransomware group first observed in March 2026 with a primarily financial motivation, having targeted at least 24 known victims across multiple sectors. The group's origin and affiliations remain largely undocumented by major threat intelligence organizations, though their targeting patterns suggest a broad operational scope spanning the United States, Canada, Great Britain, China, and Germany. Based on publicly available information from security researchers, AiLock appears to focus on technology companies, consumer services, manufacturing, and public sector entities, though specific attack methodologies, initial access vectors, and encryption techniques have not been extensively documented by CISA, FBI, or major security firms. The group's relatively recent emergence and limited public documentation suggest they may be a smaller operation or newly formed entity, with no notable major campaigns or high-profile ransoms publicly reported by established threat intelligence sources. Given the March 2026 first observation date and lack of subsequent major public reporting, AiLock's current operational status and capabilities remain largely undetermined by mainstream cybersecurity organizations.

References

5 links

External sources curated by the MISP threat-intel community.

Timeline

1 months

2026-03-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 US

🇨🇦 CA

🇬🇧 GB

🇨🇳 CN

🇩🇪 DE

🇧🇪 BE

🇰🇷 KR

🇯🇵 JP

US dossier →CA dossier →GB dossier →CN dossier →

Top sectors

Not Found

Technology

Consumer Services

Manufacturing

Public Sector

Construction

Telecommunication

Agriculture and Food Production

Not Found dossier →Technology dossier →Consumer Services dossier →Manufacturing dossier →

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

T1566Phishing
T1059Command and Scripting Interpreter
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known

http://dhnsppqjaaa22lsqxl2tfhji4ca43743kubltnodvsft3hkvai77p6ad.onion

Source

Updated 3 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.