Skip to main content

Operator dossier

MS13-089 is a ransomware operator currently active on public leak sites. Darkfield has indexed 2 public victims claimed by this operator between May 14, 2026 and May 15, 2026. MS13-089 is a ransomware group first observed in May 2026 with an apparent financial motivation, though its limited documented activity makes comprehensive attribution difficult at this time. Based on available data, the group has claimed or been linked to a single known victim, with targeting focused on the United States and specifically the Healthcare and Social Services sector, a pattern consistent with threat actors who deliberately select high-pressure targets likely to pay ransoms quickly to restore critical operations. No public reporting from CISA, the FBI, Mandiant, or other established threat intelligence sources has yet documented the group's specific initial access vectors, tooling, encryption methods, or affiliation with known ransomware ecosystems, and it remains unclear whether MS13-089 operates as a Ransomware-as-a-Service platform or as an independent closed group. Given its extremely recent emergence and minimal victim footprint at the time of this writing, MS13-089 should be considered an emerging and under-documented threat, and the Healthcare sector in particular should monitor for indicators of compromise as the group's tactics, techniques, and procedures become more clearly defined through ongoing incident investigations and threat intelligence collection. Current status remains active based on first observation date, though the full scope of its operations has yet to be established in open-source reporting.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

MS13-089

2 victims indexed · first seen 2 months ago · last activity 2 months ago

2
Victims indexed
#300 of 364 tracked operators
<1m
Active period
May 2026 → May 2026
Countries hit

At a glance

Status
active
First seen
2 months ago
Last activity
2 months ago
Onion sites
1 known endpoint

About

MS13-089 is a ransomware group first observed in May 2026 with an apparent financial motivation, though its limited documented activity makes comprehensive attribution difficult at this time. Based on available data, the group has claimed or been linked to a single known victim, with targeting focused on the United States and specifically the Healthcare and Social Services sector, a pattern consistent with threat actors who deliberately select high-pressure targets likely to pay ransoms quickly to restore critical operations. No public reporting from CISA, the FBI, Mandiant, or other established threat intelligence sources has yet documented the group's specific initial access vectors, tooling, encryption methods, or affiliation with known ransomware ecosystems, and it remains unclear whether MS13-089 operates as a Ransomware-as-a-Service platform or as an independent closed group. Given its extremely recent emergence and minimal victim footprint at the time of this writing, MS13-089 should be considered an emerging and under-documented threat, and the Healthcare sector in particular should monitor for indicators of compromise as the group's tactics, techniques, and procedures become more clearly defined through ongoing incident investigations and threat intelligence collection. Current status remains active based on first observation date, though the full scope of its operations has yet to be established in open-source reporting.

References

1 link

External sources curated by the MISP threat-intel community.

Recent victims

Loading…

Onion infrastructure

1 known
  • http://msleakjir7pxbe6onlqe5uwgvdmy6nq4mnwfy7ojswbhnleenm77vgad.onion

Source

Updated 2 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time MS13-089 posts a victim.

Add MS13-089 to your watchlist — Pro pings you within 5 minutes of any new MS13-089 leak-site post, Telegram callout, or affiliate-rebrand inference.