Operator dossier

chort is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 7 public victims claimed by this operator between November 17, 2024 and November 22, 2024. Chort is a recently emerged ransomware group that first appeared in November 2024, operating with apparent financial motivations based on their targeting patterns across multiple sectors. Given the group's recent emergence and limited public documentation, their country of origin and potential affiliations remain unclear, though their targeting of US and Kuwaiti entities suggests a broader international operational scope rather than localized cybercriminal activity. The group's attack methodology details have not been extensively documented by major security firms, though their sector-specific targeting of education, agriculture and food production, technology, and government entities indicates a deliberate victim selection process rather than opportunistic attacks. With only seven known victims documented since their November 2024 emergence, Chort has maintained a relatively low profile compared to established ransomware operations, with no major high-profile incidents or law enforcement actions publicly reported by CISA, FBI, or prominent security researchers. The group remains active as of late 2024, though their limited victim count and recent emergence make it unclear whether they represent a nascent operation still developing their capabilities or a more selective targeting approach.

Most-targeted sectors

Education4 victims
Agriculture and Food Production1 victims
Technology1 victims
Government1 victims

Most-affected countries

US6 victims
KW1 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

chort

7 victims indexed · first seen 2 years ago · last activity 1 year ago

Victims indexed

#218 of 348 tracked operators

<1m

Active period

Nov 2024 → Nov 2024

Countries hit

top US · 6

At a glance

Status: inactive
First seen: 2 years ago
Last activity: 1 year ago
Onion sites: 1 known endpoint
Primary sector: Education · 4 hits

About

Chort is a recently emerged ransomware group that first appeared in November 2024, operating with apparent financial motivations based on their targeting patterns across multiple sectors. Given the group's recent emergence and limited public documentation, their country of origin and potential affiliations remain unclear, though their targeting of US and Kuwaiti entities suggests a broader international operational scope rather than localized cybercriminal activity. The group's attack methodology details have not been extensively documented by major security firms, though their sector-specific targeting of education, agriculture and food production, technology, and government entities indicates a deliberate victim selection process rather than opportunistic attacks. With only seven known victims documented since their November 2024 emergence, Chort has maintained a relatively low profile compared to established ransomware operations, with no major high-profile incidents or law enforcement actions publicly reported by CISA, FBI, or prominent security researchers. The group remains active as of late 2024, though their limited victim count and recent emergence make it unclear whether they represent a nascent operation still developing their capabilities or a more selective targeting approach.

References

4 links

External sources curated by the MISP threat-intel community.

Timeline

1 months

2024-11-01T00:00:00+00:002024-11-01T00:00:00+00:00

Top countries

🇺🇸 US

🇰🇼 KW

US dossier →KW dossier →

Top sectors

Education

Agriculture and Food Production

Technology

Government

Education dossier →Agriculture and Food Production dossier →Technology dossier →Government dossier →

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

T1566Phishing
T1059Command and Scripting Interpreter
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known

http://hgxyonufefcglpekxma55fttev3lcfucrf7jvep2c3j6447cjroadead.onion

Source

Updated 1 year ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.