Skip to main content

Operator dossier

Metaencryptor is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 31 public victims claimed by this operator between August 16, 2023 and June 24, 2025. Metaencryptor is a relatively new ransomware group that emerged in August 2023, operating with primarily financial motivations and targeting organizations across multiple sectors and geographical regions. The group appears to be an independent operation rather than a Ransomware-as-a-Service model, though limited public documentation makes definitive attribution challenging regarding their specific country of origin or connections to established cybercriminal networks. Based on their targeting patterns, Metaencryptor demonstrates a preference for manufacturing organizations, business services, and transportation/logistics companies, with their operations concentrated primarily in Western nations including Germany, the United States, Canada, Spain, and the United Kingdom. With 31 documented victims since their emergence, the group represents a moderate but persistent threat in the ransomware landscape. However, due to their recent emergence and relatively lower profile compared to major ransomware families, comprehensive technical analysis of their attack methodologies, encryption techniques, and specific initial access vectors has not been extensively documented by major cybersecurity firms or government agencies. The group's current operational status remains active as of available intelligence, though the limited public reporting suggests they operate with a smaller scale and lower visibility than prominent ransomware-as-a-service operations that typically attract more attention from law enforcement and security researchers.

Most-targeted sectors

Most-affected countries

Recent disclosures by Metaencryptor

All 31 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Metaencryptor

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Metaencryptor

31 victims indexed · first seen 3 years ago · last activity 1 year ago

31
Victims indexed
#142 of 364 tracked operators
1y 10m
Active period
Aug 2023 → Jun 2025
8
Countries hit
top Germany · 9

At a glance

Status
inactive
First seen
3 years ago
Last activity
1 year ago
Onion sites
2 known endpoints
Primary sector
Manufacturing · 3 hits

About

Metaencryptor is a relatively new ransomware group that emerged in August 2023, operating with primarily financial motivations and targeting organizations across multiple sectors and geographical regions. The group appears to be an independent operation rather than a Ransomware-as-a-Service model, though limited public documentation makes definitive attribution challenging regarding their specific country of origin or connections to established cybercriminal networks. Based on their targeting patterns, Metaencryptor demonstrates a preference for manufacturing organizations, business services, and transportation/logistics companies, with their operations concentrated primarily in Western nations including Germany, the United States, Canada, Spain, and the United Kingdom. With 31 documented victims since their emergence, the group represents a moderate but persistent threat in the ransomware landscape. However, due to their recent emergence and relatively lower profile compared to major ransomware families, comprehensive technical analysis of their attack methodologies, encryption techniques, and specific initial access vectors has not been extensively documented by major cybersecurity firms or government agencies. The group's current operational status remains active as of available intelligence, though the limited public reporting suggests they operate with a smaller scale and lower visibility than prominent ransomware-as-a-service operations that typically attract more attention from law enforcement and security researchers.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

11 months
2023-08-01T00:00:00+00:00 · 122023-09-01T00:00:00+00:00 · 12023-11-01T00:00:00+00:00 · 22023-12-01T00:00:00+00:00 · 22024-05-01T00:00:00+00:00 · 52024-06-01T00:00:00+00:00 · 12024-07-01T00:00:00+00:00 · 12024-08-01T00:00:00+00:00 · 32025-01-01T00:00:00+00:00 · 12025-04-01T00:00:00+00:00 · 12025-06-01T00:00:00+00:00 · 2
2023-08-01T00:00:00+00:002025-06-01T00:00:00+00:00

Top countries

🇩🇪 Germany
9
🇺🇸 United States
6
🇨🇦 Canada
3
🇪🇸 Spain
1
🇬🇧 United Kingdom
1
🇧🇪 Belgium
1
🇱🇺 Luxembourg
1
🇦🇹 Austria
1

Top sectors

Manufacturing
3
Business Services
3
Transportation/Logistics
2
Financial Services
1
Hospitality and Tourism
1
Financial
1
Education
1
Construction
1

MITRE ATT&CK

6 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1204User Execution
  • T1059Command and Scripting Interpreter
  • T1027Obfuscated Files or Information
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known
  • http://metacrptmytukkj7ajwjovdpjqzd7esg5v3sg344uzhigagpezcqlpyd.onion
  • http://metacrptmytukkj7ajwjovdpjqzd7esg5v3sg344uzhigagpezcqlpyd.onion/#!

Source

Updated 1 year ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Metaencryptor posts a victim.

Add Metaencryptor to your watchlist — Pro pings you within 5 minutes of any new Metaencryptor leak-site post, Telegram callout, or affiliate-rebrand inference.