Operator dossier

RunSomeWares (also tracked as run some wares) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 6 public victims claimed by this operator between February 27, 2025 and August 13, 2025. RunSomeWares is an emerging ransomware group first observed in February 2025, operating with apparent financial motivations based on their targeting of high-value sectors. Given the recent emergence and limited public documentation, the group's country of origin and potential affiliations with other cybercriminal organizations remain unclear, though their operational structure suggests they may operate as an independent entity rather than a Ransomware-as-a-Service model. The group has demonstrated a preference for targeting critical infrastructure sectors including financial services, healthcare, and manufacturing across the United States, France, and Thailand, suggesting sophisticated initial access capabilities, though specific attack vectors and encryption methodologies have not yet been publicly documented by major security researchers or government agencies. With only six known victims documented since their February 2025 emergence, RunSomeWares appears to be conducting selective, targeted operations rather than broad-scale campaigns, and no major ransoms or high-profile incidents have been publicly reported by CISA, FBI, or established threat intelligence firms. The group remains active as of current reporting, though the limited intelligence available suggests they are either maintaining a low operational profile or represent a relatively small-scale ransomware operation compared to established groups.

Most-targeted sectors

Financial Services3 victims
Healthcare1 victims
Manufacturing1 victims
Not Found1 victims

Most-affected countries

US3 victims
FR1 victims
TH1 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

RunSomeWares

aka run some wares · 6 victims indexed · first seen 1 year ago · last activity 9 months ago

Victims indexed

#227 of 348 tracked operators

Active period

Feb 2025 → Aug 2025

Countries hit

top US · 3

At a glance

Status: inactive
Aliases: run some wares
First seen: 1 year ago
Last activity: 9 months ago
Onion sites: 1 known endpoint
Primary sector: Financial Services · 3 hits

About

RunSomeWares is an emerging ransomware group first observed in February 2025, operating with apparent financial motivations based on their targeting of high-value sectors. Given the recent emergence and limited public documentation, the group's country of origin and potential affiliations with other cybercriminal organizations remain unclear, though their operational structure suggests they may operate as an independent entity rather than a Ransomware-as-a-Service model. The group has demonstrated a preference for targeting critical infrastructure sectors including financial services, healthcare, and manufacturing across the United States, France, and Thailand, suggesting sophisticated initial access capabilities, though specific attack vectors and encryption methodologies have not yet been publicly documented by major security researchers or government agencies. With only six known victims documented since their February 2025 emergence, RunSomeWares appears to be conducting selective, targeted operations rather than broad-scale campaigns, and no major ransoms or high-profile incidents have been publicly reported by CISA, FBI, or established threat intelligence firms. The group remains active as of current reporting, though the limited intelligence available suggests they are either maintaining a low operational profile or represent a relatively small-scale ransomware operation compared to established groups.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/run some wares

Timeline

3 months

2025-02-01T00:00:00+00:002025-08-01T00:00:00+00:00

Top countries

🇺🇸 US

🇫🇷 FR

🇹🇭 TH

US dossier →FR dossier →TH dossier →

Top sectors

Financial Services

Healthcare

Manufacturing

Not Found

Financial Services dossier →Healthcare dossier →Manufacturing dossier →Not Found dossier →

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

T1566Phishing
T1059Command and Scripting Interpreter
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known

http://rnsmwareartse3m4hjsumjf222pnka6gad26cqxqmbjvevhbnym5p6ad.onion

Source

Updated 9 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.