Operator dossier

Handala is a ransomware operator currently active on public leak sites. Darkfield has indexed 182 public victims claimed by this operator between May 26, 2024 and April 15, 2026. Handala is a recently emerged ransomware group that first appeared in May 2024, primarily motivated by financial gain with potential geopolitical overtones given their targeting patterns. The group's country of origin remains unclear, though their focus on Israeli targets alongside Western nations suggests possible Middle Eastern connections or sympathies, and it is unknown whether they operate as a standalone group or utilize a Ransomware-as-a-Service model. Limited public information exists regarding their specific attack methodologies, initial access vectors, or technical capabilities, though their rapid accumulation of 164 documented victims suggests they employ effective compromise techniques across multiple sectors including technology, government, energy, and healthcare organizations. The group has demonstrated a clear preference for targeting victims in Israel, the United States, and the United Kingdom, with additional activity observed in Iran and the UAE, indicating either opportunistic targeting or strategic selection based on geopolitical considerations. Given their recent emergence and continued victim acquisitions throughout 2024, Handala appears to remain active, though comprehensive technical analysis and law enforcement reporting on their operations remain limited due to their relatively short operational history.

Most-targeted sectors

Not Found86 victims
Technology24 victims
Government10 victims
Energy9 victims
Healthcare8 victims
Public Sector7 victims

Most-affected countries

Israel70 victims
United States6 victims
United Kingdom4 victims
IR3 victims
UAE2 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Handala

182 victims indexed · first seen 2 years ago · last activity 2 months ago

182

Victims indexed

#48 of 356 tracked operators

1y 11m

Active period

May 2024 → Apr 2026

Countries hit

top Israel · 70

At a glance

Status: active
First seen: 2 years ago
Last activity: 2 months ago
Onion sites: 3 known endpoints
Primary sector: Not Found · 86 hits

About

Handala is a recently emerged ransomware group that first appeared in May 2024, primarily motivated by financial gain with potential geopolitical overtones given their targeting patterns. The group's country of origin remains unclear, though their focus on Israeli targets alongside Western nations suggests possible Middle Eastern connections or sympathies, and it is unknown whether they operate as a standalone group or utilize a Ransomware-as-a-Service model. Limited public information exists regarding their specific attack methodologies, initial access vectors, or technical capabilities, though their rapid accumulation of 164 documented victims suggests they employ effective compromise techniques across multiple sectors including technology, government, energy, and healthcare organizations. The group has demonstrated a clear preference for targeting victims in Israel, the United States, and the United Kingdom, with additional activity observed in Iran and the UAE, indicating either opportunistic targeting or strategic selection based on geopolitical considerations. Given their recent emergence and continued victim acquisitions throughout 2024, Handala appears to remain active, though comprehensive technical analysis and law enforcement reporting on their operations remain limited due to their relatively short operational history.

References

6 links

External sources curated by the MISP threat-intel community.

Timeline

19 months

2024-05-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇮🇱 Israel

🇺🇸 United States

🇬🇧 United Kingdom

🇮🇷 IR

🇦🇪 UAE

🇵🇸 PS

🇪🇨 Ecuador

🇨🇳 China

Israel dossier →United States dossier →United Kingdom dossier →IR dossier →

Top sectors

Not Found

Technology

Government

Energy

Healthcare

Public Sector

Manufacturing

Telecommunication

Not Found dossier →Technology dossier →Government dossier →Energy dossier →

MITRE ATT&CK

63 techniques · 15 tactics

Tactics

CollectionCommand And ControlCredential AccessDefense ImpairmentDiscoveryExecutionExfiltrationImpactInitial AccessLateral MovementPersistencePrivilege EscalationReconnaissanceResource DevelopmentStealth

Techniques

T1003.001LSASS Memory
T1005Data from Local System
T1021.001Remote Desktop Protocol
T1027.015Compression
T1036.004Masquerade Task or Service
T1036.005Match Legitimate Resource Name or Location
T1041Exfiltration Over C2 Channel
T1047Windows Management Instrumentation
T1059.001PowerShell
T1059.006Python
T1071.001Web Protocols
T1072Software Deployment Tools
T1074Data Staged
T1078Valid Accounts
T1078.002Domain Accounts
T1078.004Cloud Accounts
T1082System Information Discovery
T1087.002Domain Account
T1098Account Manipulation
T1102Web Service
T1105Ingress Tool Transfer
T1110Brute Force
T1110.001Password Guessing
T1110.004Credential Stuffing
T1113Screen Capture
T1114.002Remote Email Collection
T1119Automated Collection
T1123Audio Capture
T1125Video Capture
T1133External Remote Services
T1190Exploit Public-Facing Application
T1199Trusted Relationship
T1204.002Malicious File
T1213.002Sharepoint
T1219.002Remote Desktop Software
T1484.001Group Policy Modification
T1485Data Destruction
T1486Data Encrypted for Impact
T1490Inhibit System Recovery
T1547.001Registry Run Keys / Startup Folder
T1552.002Credentials in Registry
T1560.001Archive via Utility
T1561.001Disk Content Wipe
T1561.002Disk Structure Wipe
T1564.003Hidden Window
T1566Phishing
T1572Protocol Tunneling
T1583.001Domains
T1583.003Virtual Private Server
T1583.004Server
T1583.006Web Services
T1585.001Social Media Accounts
T1585.002Email Accounts
T1587.001Malware
T1588.001Malware
T1588.002Tool
T1589Gather Victim Identity Information
T1595.002Vulnerability Scanning
T1651Cloud Administration Command
T1657Financial Theft
T1679Selective Exclusion
T1684.001Impersonation
T1686.003Windows Host Firewall

Recent victims

Loading…

Onion infrastructure

3 known

http://handala-hack.to
http://handala.to
http://vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrnrajbmpxqqd.onion

Source

Updated 2 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Handala posts a victim.

Add Handala to your watchlist — Pro pings you within 5 minutes of any new Handala leak-site post, Telegram callout, or affiliate-rebrand inference.