Skip to main content

Operator dossier

RunSomeWares (also tracked as run some wares) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 6 public victims claimed by this operator between February 27, 2025 and August 13, 2025. RunSomeWares is an emerging ransomware group first observed in February 2025, operating with apparent financial motivations based on their targeting of high-value sectors. Given the recent emergence and limited public documentation, the group's country of origin and potential affiliations with other cybercriminal organizations remain unclear, though their operational structure suggests they may operate as an independent entity rather than a Ransomware-as-a-Service model. The group has demonstrated a preference for targeting critical infrastructure sectors including financial services, healthcare, and manufacturing across the United States, France, and Thailand, suggesting sophisticated initial access capabilities, though specific attack vectors and encryption methodologies have not yet been publicly documented by major security researchers or government agencies. With only six known victims documented since their February 2025 emergence, RunSomeWares appears to be conducting selective, targeted operations rather than broad-scale campaigns, and no major ransoms or high-profile incidents have been publicly reported by CISA, FBI, or established threat intelligence firms. The group remains active as of current reporting, though the limited intelligence available suggests they are either maintaining a low operational profile or represent a relatively small-scale ransomware operation compared to established groups.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

RunSomeWares

aka run some wares · 6 victims indexed · first seen 1 year ago · last activity 11 months ago

6
Victims indexed
#238 of 364 tracked operators
6m
Active period
Feb 2025 → Aug 2025
3
Countries hit
top US · 3

At a glance

Status
inactive
Aliases
run some wares
First seen
1 year ago
Last activity
11 months ago
Onion sites
1 known endpoint
Primary sector
Financial Services · 3 hits

About

RunSomeWares is an emerging ransomware group first observed in February 2025, operating with apparent financial motivations based on their targeting of high-value sectors. Given the recent emergence and limited public documentation, the group's country of origin and potential affiliations with other cybercriminal organizations remain unclear, though their operational structure suggests they may operate as an independent entity rather than a Ransomware-as-a-Service model. The group has demonstrated a preference for targeting critical infrastructure sectors including financial services, healthcare, and manufacturing across the United States, France, and Thailand, suggesting sophisticated initial access capabilities, though specific attack vectors and encryption methodologies have not yet been publicly documented by major security researchers or government agencies. With only six known victims documented since their February 2025 emergence, RunSomeWares appears to be conducting selective, targeted operations rather than broad-scale campaigns, and no major ransoms or high-profile incidents have been publicly reported by CISA, FBI, or established threat intelligence firms. The group remains active as of current reporting, though the limited intelligence available suggests they are either maintaining a low operational profile or represent a relatively small-scale ransomware operation compared to established groups.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

3 months
2025-02-01T00:00:00+00:00 · 42025-04-01T00:00:00+00:00 · 12025-08-01T00:00:00+00:00 · 1
2025-02-01T00:00:00+00:002025-08-01T00:00:00+00:00

Top countries

🇺🇸 United States
3
🇫🇷 France
1
🇹🇭 Thailand
1

Top sectors

Financial Services
3
Healthcare
1
Manufacturing
1

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known
  • http://rnsmwareartse3m4hjsumjf222pnka6gad26cqxqmbjvevhbnym5p6ad.onion

Source

Updated 11 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time RunSomeWares posts a victim.

Add RunSomeWares to your watchlist — Pro pings you within 5 minutes of any new RunSomeWares leak-site post, Telegram callout, or affiliate-rebrand inference.