Redransomware is a relatively new ransomware operation that emerged in March 2024, operating with apparent financial motivations and demonstrating a geographically diverse targeting approach across multiple continents. Due to the group's recent emergence and limited public documentation from established threat intelligence sources, specific details about their country of origin, organizational structure, and potential affiliations remain largely unconfirmed by major security agencies. The group has targeted at least 16 known victims across a varied sector portfolio including technology companies, business services, manufacturing firms, hospitality and tourism organizations, and healthcare entities, with attacks concentrated primarily in the United States while also extending to international targets in Mexico, Denmark, Singapore, and Antigua and Barbuda. Given the nascent nature of this threat actor and the limited timeframe since their first observed activity, comprehensive details about their specific attack methodologies, tools, encryption techniques, and operational tactics have not yet been extensively documented in public threat intelligence reports from established sources such as CISA, FBI, or major cybersecurity firms. As of available reporting, Redransomware appears to remain an active threat, though the group's relatively small victim count and recent emergence suggest they may still be in early operational phases or represent a smaller-scale ransomware operation compared to more established and widely-documented threat groups. The group has been linked to 16 public disclosures across our corpus. First observed on a leak site on March 28, 2024; most recent post June 12, 2024. The operation is currently inactive.
Also tracked as: red ransomware.
Sector and geography
This disclosure adds to ransomware activity in the Technology sector, which has 2,524 disclosures indexed across all operators we track. Geographically, Thors-Data.dk is reported in Denmark, a country with 7 ransomware disclosures in our corpus.
How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.
