Operator dossier

skira is a ransomware operator currently active on public leak sites. Darkfield has indexed 8 public victims claimed by this operator between March 6, 2025 and November 18, 2025. Skira is a recently emerged ransomware group first observed in March 2025, operating with apparent financial motivations through targeted attacks against organizations primarily in the United States, India, Japan, and Turkey. The group's origin and potential affiliations remain unclear given their recent emergence, and there is insufficient public documentation to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. Based on their targeting pattern across diverse geographic regions and sectors including financial services, technology, manufacturing, and construction, the group appears to employ opportunistic attack vectors, though specific technical methodologies, encryption techniques, and data extortion tactics have not been publicly documented by major security researchers or government agencies. With only eight documented victims since their March 2025 emergence, Skira has not yet conducted any widely publicized high-profile campaigns or attracted significant law enforcement attention. The group appears to remain active as of current reporting, though comprehensive threat intelligence remains limited due to their recent operational timeline.

Most-targeted sectors

Financial Services2 victims
Technology2 victims
Manufacturing1 victims
Construction1 victims
Public Sector1 victims

Most-affected countries

United States4 victims
India2 victims
Japan1 victims
Türkiye1 victims

Recent disclosures by skira

All 8 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for skira →

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

skira

8 victims indexed · first seen 1 year ago · last activity 7 months ago

Victims indexed

#216 of 355 tracked operators

Active period

Mar 2025 → Nov 2025

Countries hit

top US · 4

At a glance

Status: active
First seen: 1 year ago
Last activity: 7 months ago
Primary sector: Financial Services · 2 hits

About

Skira is a recently emerged ransomware group first observed in March 2025, operating with apparent financial motivations through targeted attacks against organizations primarily in the United States, India, Japan, and Turkey. The group's origin and potential affiliations remain unclear given their recent emergence, and there is insufficient public documentation to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. Based on their targeting pattern across diverse geographic regions and sectors including financial services, technology, manufacturing, and construction, the group appears to employ opportunistic attack vectors, though specific technical methodologies, encryption techniques, and data extortion tactics have not been publicly documented by major security researchers or government agencies. With only eight documented victims since their March 2025 emergence, Skira has not yet conducted any widely publicized high-profile campaigns or attracted significant law enforcement attention. The group appears to remain active as of current reporting, though comprehensive threat intelligence remains limited due to their recent operational timeline.

Timeline

4 months

2025-03-01T00:00:00+00:002025-11-01T00:00:00+00:00

Top countries

🇺🇸 United States

🇮🇳 India

🇯🇵 Japan

🇹🇷 Türkiye

United States dossier →India dossier →Japan dossier →Türkiye dossier →

Top sectors

Financial Services

Technology

Manufacturing

Construction

Public Sector

Financial Services dossier →Technology dossier →Manufacturing dossier →Construction dossier →

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1059Command and Scripting Interpreter
T1486Data Encrypted for Impact

Recent victims

Loading…

Source

Updated 7 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time skira posts a victim.

Add skira to your watchlist — Pro pings you within 5 minutes of any new skira leak-site post, Telegram callout, or affiliate-rebrand inference.