Skip to main content

Operator dossier

desolator is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 4 public victims claimed by this operator between August 30, 2025 and September 1, 2025. Desolator is a relatively new ransomware group that emerged in August 2025, with financial motivation as their primary driver based on their ransomware operations. The group appears to operate independently with limited public information available regarding their country of origin or affiliations with other cybercriminal organizations. Due to the recent emergence of this group and limited public reporting from major security firms, specific details about their attack methodology, initial access vectors, and encryption techniques have not been extensively documented by CISA, FBI, or established security researchers. The group has claimed a small number of victims across diverse geographic regions including Colombia, the United States, and Vietnam, with their targeting spanning construction, technology, and other unspecified sectors, suggesting an opportunistic rather than highly targeted approach. No major high-profile attacks or significant ransoms have been publicly attributed to Desolator at this time, likely due to their recent emergence and limited operational scope. The group appears to remain active as of their recent emergence, though their operational tempo and long-term viability remain unclear given the lack of extensive public documentation of their activities.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

desolator

4 victims indexed · first seen 11 months ago · last activity 11 months ago

4
Victims indexed
#267 of 364 tracked operators
1m
Active period
Aug 2025 → Sep 2025
3
Countries hit
top CO · 2

At a glance

Status
inactive
First seen
11 months ago
Last activity
11 months ago
Onion sites
1 known endpoint
Primary sector
Construction · 2 hits

About

Desolator is a relatively new ransomware group that emerged in August 2025, with financial motivation as their primary driver based on their ransomware operations. The group appears to operate independently with limited public information available regarding their country of origin or affiliations with other cybercriminal organizations. Due to the recent emergence of this group and limited public reporting from major security firms, specific details about their attack methodology, initial access vectors, and encryption techniques have not been extensively documented by CISA, FBI, or established security researchers. The group has claimed a small number of victims across diverse geographic regions including Colombia, the United States, and Vietnam, with their targeting spanning construction, technology, and other unspecified sectors, suggesting an opportunistic rather than highly targeted approach. No major high-profile attacks or significant ransoms have been publicly attributed to Desolator at this time, likely due to their recent emergence and limited operational scope. The group appears to remain active as of their recent emergence, though their operational tempo and long-term viability remain unclear given the lack of extensive public documentation of their activities.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

2 months
2025-08-01T00:00:00+00:00 · 22025-09-01T00:00:00+00:00 · 2
2025-08-01T00:00:00+00:002025-09-01T00:00:00+00:00

Top countries

🇨🇴 Colombia
2
🇺🇸 United States
1
🇻🇳 Vietnam
1

Top sectors

Construction
2
Technology
1

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known
  • http://po4tq2brx4rgwbdx4mac24fz34uuuf7oigosebp32n2462m2vxl6biqd.onion/wall_of_shame

Source

Updated 11 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time desolator posts a victim.

Add desolator to your watchlist — Pro pings you within 5 minutes of any new desolator leak-site post, Telegram callout, or affiliate-rebrand inference.