Securotrop is a ransomware operator currently active on public leak sites. Darkfield has indexed 35 public victims claimed by this operator between July 22, 2025 and May 4, 2026. Securotrop is a relatively new ransomware group that emerged in July 2025 and appears to be financially motivated, having targeted at least 31 victims across multiple sectors. The group primarily targets English-speaking countries, including the United States, Canada, and the United Kingdom, and its attacks focus heavily on manufacturing companies, business services firms, construction organizations, and telecommunications providers.
Because the group emerged recently and public documentation from major cybersecurity agencies and researchers is limited, specific details about its country of origin, operational structure, attack methodologies, and technical capabilities remain largely undocumented in open-source intelligence reports. The targeting pattern suggests a focus on critical infrastructure and industrial sectors that may be willing to pay ransoms to quickly restore operations, though no major high-profile attacks or record ransom demands have been publicly reported by established threat intelligence sources. Given the group's recent formation in mid-2025, Securotrop appears to remain active, though comprehensive analysis of its tactics, techniques, and procedures awaits further documentation by cybersecurity researchers and law enforcement agencies.
How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.