MS13-089 is a ransomware operator currently active on public leak sites. Darkfield has indexed 2 public victims claimed by this operator between May 14, 2026 and May 15, 2026.

MS13-089 is a ransomware group first observed in May 2026 with an apparent financial motivation, though its limited documented activity makes comprehensive attribution difficult at this time. Based on available data, the group has claimed or been linked to a single known victim, with targeting focused on the United States and specifically the Healthcare and Social Services sector, a pattern consistent with threat actors who deliberately select high-pressure targets likely to pay ransoms quickly to restore critical operations.

No public reporting from CISA, the FBI, Mandiant, or other established threat intelligence sources has yet documented the group's specific initial access vectors, tooling, encryption methods, or affiliation with known ransomware ecosystems, and it remains unclear whether MS13-089 operates as a Ransomware-as-a-Service platform or as an independent closed group.

Given its extremely recent emergence and minimal victim footprint at the time of this writing, MS13-089 should be considered an emerging and under-documented threat, and the Healthcare sector in particular should monitor for indicators of compromise as the group's tactics, techniques, and procedures become more clearly defined through ongoing incident investigations and threat intelligence collection. Current status remains active based on first observation date, though the full scope of its operations has yet to be established in open-source reporting.

How we know this.

Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog; we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.