Desolator is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 4 public victims claimed by this operator between August 30, 2025 and September 1, 2025.

Desolator is a relatively new ransomware group that emerged in August 2025, with financial motivation as their primary driver based on their ransomware operations. The group appears to operate independently, with limited public information available regarding their country of origin or affiliations with other cybercriminal organizations. Due to the recent emergence of this group and limited public reporting from major security firms, specific details about their attack methodology, initial access vectors, and encryption techniques have not been extensively documented by CISA, FBI, or established security researchers.

The group has claimed a small number of victims across diverse geographic regions including Colombia, the United States, and Vietnam, with their targeting spanning construction, technology, and other unspecified sectors, suggesting an opportunistic rather than highly targeted approach. No major high-profile attacks or significant ransoms have been publicly attributed to Desolator at this time, likely due to their recent emergence and limited operational scope. The group appears to remain active as of their recent emergence, though their operational tempo and long-term viability remain unclear given the lack of extensive public documentation of their activities.
How we know this

Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog; we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.