Operator dossier

Metaencryptor is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 31 public victims claimed by this operator between August 16, 2023 and June 24, 2025. Metaencryptor is a relatively new ransomware group that emerged in August 2023, operating with primarily financial motivations and targeting organizations across multiple sectors and geographical regions. The group appears to be an independent operation rather than a Ransomware-as-a-Service model, though limited public documentation makes definitive attribution challenging regarding their specific country of origin or connections to established cybercriminal networks. Based on their targeting patterns, Metaencryptor demonstrates a preference for manufacturing organizations, business services, and transportation/logistics companies, with their operations concentrated primarily in Western nations including Germany, the United States, Canada, Spain, and the United Kingdom. With 31 documented victims since their emergence, the group represents a moderate but persistent threat in the ransomware landscape. However, due to their recent emergence and relatively lower profile compared to major ransomware families, comprehensive technical analysis of their attack methodologies, encryption techniques, and specific initial access vectors has not been extensively documented by major cybersecurity firms or government agencies. The group's current operational status remains active as of available intelligence, though the limited public reporting suggests they operate with a smaller scale and lower visibility than prominent ransomware-as-a-service operations that typically attract more attention from law enforcement and security researchers.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

Metaencryptor

31 victims indexed · first seen 3 years ago · last activity 11 months ago

Victims indexed

#137 of 348 tracked operators

1y 10m

Active period

Aug 2023 → Jun 2025

Countries hit

top Germany · 9

At a glance

Status: inactive
First seen: 3 years ago
Last activity: 11 months ago
Onion sites: 2 known endpoints
Primary sector: Manufacturing · 3 hits

About

Metaencryptor is a relatively new ransomware group that emerged in August 2023, operating with primarily financial motivations and targeting organizations across multiple sectors and geographical regions. The group appears to be an independent operation rather than a Ransomware-as-a-Service model, though limited public documentation makes definitive attribution challenging regarding their specific country of origin or connections to established cybercriminal networks. Based on their targeting patterns, Metaencryptor demonstrates a preference for manufacturing organizations, business services, and transportation/logistics companies, with their operations concentrated primarily in Western nations including Germany, the United States, Canada, Spain, and the United Kingdom. With 31 documented victims since their emergence, the group represents a moderate but persistent threat in the ransomware landscape. However, due to their recent emergence and relatively lower profile compared to major ransomware families, comprehensive technical analysis of their attack methodologies, encryption techniques, and specific initial access vectors has not been extensively documented by major cybersecurity firms or government agencies. The group's current operational status remains active as of available intelligence, though the limited public reporting suggests they operate with a smaller scale and lower visibility than prominent ransomware-as-a-service operations that typically attract more attention from law enforcement and security researchers.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/metaencryptor

Timeline

11 months

2023-08-01T00:00:00+00:002025-06-01T00:00:00+00:00

Top countries

🇩🇪 Germany

🇺🇸 United States

🇨🇦 Canada

🇪🇸 Spain

🇬🇧 United Kingdom

🇧🇪 Belgium

🇱🇺 LU

🇦🇹 Austria

Germany dossier →United States dossier →Canada dossier →Spain dossier →

Top sectors

Manufacturing

Business Services

Transportation/Logistics

Not Found

Financial Services

Hospitality and Tourism

Financial

Education

Manufacturing dossier →Business Services dossier →Transportation/Logistics dossier →Not Found dossier →

MITRE ATT&CK

6 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1204User Execution
T1059Command and Scripting Interpreter
T1027Obfuscated Files or Information
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known

http://metacrptmytukkj7ajwjovdpjqzd7esg5v3sg344uzhigagpezcqlpyd.onion
http://metacrptmytukkj7ajwjovdpjqzd7esg5v3sg344uzhigagpezcqlpyd.onion/#!

Source

Updated 11 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.