Skip to main content

Operator dossier

toufan is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 117 public victims claimed by this operator between December 17, 2023 and December 27, 2023. Toufan is a ransomware group that emerged in December 2023, operating with apparent financial motivations and demonstrating a preference for targeting victims across Israel, Canada, Singapore, Australia, and Great Britain. The group has claimed responsibility for compromising 117 victims since its emergence, though detailed public documentation from major threat intelligence firms regarding their specific origin, country of operation, or organizational structure remains limited. Given the recent emergence of this group and the geographic distribution of their targeting, comprehensive technical analysis of their attack methodologies, encryption techniques, and initial access vectors has not been extensively documented in public threat intelligence reporting from established security research organizations. The group's targeting pattern suggests a focus on English-speaking countries and Israel, though the specific sectors or victim profiles they prioritize, along with details about ransom demands or notable high-profile compromises, have not been widely reported in mainstream cybersecurity intelligence channels. As a recently emerged threat actor first observed in late 2023, Toufan appears to remain active based on the accumulation of claimed victims, though comprehensive assessment of their current operational status requires further monitoring and analysis by established threat intelligence communities.

Most-affected countries

Recent disclosures by toufan

All 117 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for toufan

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

toufan

117 victims indexed · first seen 3 years ago · last activity 3 years ago

117
Victims indexed
#64 of 364 tracked operators
<1m
Active period
Dec 2023 → Dec 2023
6
Countries hit
top IL · 27

At a glance

Status
inactive
First seen
3 years ago
Last activity
3 years ago

About

Toufan is a ransomware group that emerged in December 2023, operating with apparent financial motivations and demonstrating a preference for targeting victims across Israel, Canada, Singapore, Australia, and Great Britain. The group has claimed responsibility for compromising 117 victims since its emergence, though detailed public documentation from major threat intelligence firms regarding their specific origin, country of operation, or organizational structure remains limited. Given the recent emergence of this group and the geographic distribution of their targeting, comprehensive technical analysis of their attack methodologies, encryption techniques, and initial access vectors has not been extensively documented in public threat intelligence reporting from established security research organizations. The group's targeting pattern suggests a focus on English-speaking countries and Israel, though the specific sectors or victim profiles they prioritize, along with details about ransom demands or notable high-profile compromises, have not been widely reported in mainstream cybersecurity intelligence channels. As a recently emerged threat actor first observed in late 2023, Toufan appears to remain active based on the accumulation of claimed victims, though comprehensive assessment of their current operational status requires further monitoring and analysis by established threat intelligence communities.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

1 months
2023-12-01T00:00:00+00:00 · 117
2023-12-01T00:00:00+00:002023-12-01T00:00:00+00:00

Top countries

🇮🇱 Israel
27
🇨🇦 Canada
3
🇸🇬 Singapore
2
🇦🇺 Australia
2
🇬🇧 United Kingdom
2
🇩🇪 Germany
1

MITRE ATT&CK

4 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1027Obfuscated Files or Information
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Source

Updated 3 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time toufan posts a victim.

Add toufan to your watchlist — Pro pings you within 5 minutes of any new toufan leak-site post, Telegram callout, or affiliate-rebrand inference.