Operator dossier

hddcryptor (also tracked as Mamba) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 1 public victims claimed by this operator between November 25, 2016. HDDCryptor is an obscure ransomware variant that emerged in November 2016, primarily motivated by financial gain through targeted encryption attacks. The group's origin and affiliations remain largely undocumented in public threat intelligence reporting, with limited information available about their operational structure or ties to other cybercriminal organizations. Based on available incident data, HDDCryptor appears to have conducted targeted attacks with a specific focus on transportation systems infrastructure within the United States, though their exact initial access vectors and technical methodologies have not been extensively documented by major security research firms. The group's operational footprint appears minimal, with only one publicly documented victim case, suggesting either highly selective targeting or limited operational scope compared to more prolific ransomware families. Current intelligence indicates HDDCryptor has remained largely inactive or dormant since its initial observation period, with no significant campaigns or law enforcement actions publicly reported against the operators.

Most-targeted sectors

Transportation Systems1 victims

Most-affected countries

US1 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

hddcryptor

aka Mamba · 1 victims indexed · first seen 9 years ago · last activity 9 years ago

Victims indexed

#330 of 348 tracked operators

<1m

Active period

Nov 2016 → Nov 2016

Countries hit

top US · 1

At a glance

Status: inactive
Aliases: Mamba
First seen: 9 years ago
Last activity: 9 years ago
Primary sector: Transportation Systems · 1 hits

About

HDDCryptor is an obscure ransomware variant that emerged in November 2016, primarily motivated by financial gain through targeted encryption attacks. The group's origin and affiliations remain largely undocumented in public threat intelligence reporting, with limited information available about their operational structure or ties to other cybercriminal organizations. Based on available incident data, HDDCryptor appears to have conducted targeted attacks with a specific focus on transportation systems infrastructure within the United States, though their exact initial access vectors and technical methodologies have not been extensively documented by major security research firms. The group's operational footprint appears minimal, with only one publicly documented victim case, suggesting either highly selective targeting or limited operational scope compared to more prolific ransomware families. Current intelligence indicates HDDCryptor has remained largely inactive or dormant since its initial observation period, with no significant campaigns or law enforcement actions publicly reported against the operators.

References

3 links

External sources curated by the MISP threat-intel community.

Timeline

1 months

2016-11-01T00:00:00+00:002016-11-01T00:00:00+00:00

Top countries

🇺🇸 US

US dossier →

Top sectors

Transportation Systems

Transportation Systems dossier →

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

T1566Phishing
T1204User Execution
T1486Data Encrypted for Impact

Recent victims

Loading…

Source

Updated 9 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.