⚡ At-a-glance / IoCs & MITRE map
- Model: Double extortion (encryption + leak)
- Active since: June 2024 (public since May 2025)
- Known victims: 11 (Jun 2024 – Jun 2025), mostly Europe (EMEA)
- Leak site: Tor (went offline late June 2025)
- Ransom note: `R3ADM3.txt`
- Encrypted file extension: `.EXTEN`
- Comms: Encrypted email (e.g., Riseup) & Session messenger ID
- Backdoor/Tunnel: `audiofg.exe` (Go), Chisel (WebSocket tunneling)
- Exploit vector: Fortinet EMS SQLi (CVE-2023-48788) → `xp_cmdshell`
- MITRE ATT&CK (highlights): T1190 Exploit Public-Facing App, T1059.001 PowerShell, T1021.001 RDP, T1071.001 Web Protocols, T1041 Exfil over C2, T1486 Data Encrypted for Impact
Overview and Recent Claimed Attacks
DataCarry is a relatively new ransomware group, publicly emerging in 2025 but active since at least June 2024. It operates a double-extortion model: sensitive data is exfiltrated and threatened with publication in addition to on-network encryption to coerce payment. Between June 2024 and June 2025, DataCarry claimed or was linked to 11 confirmed organizations — mostly mid-to-large European companies across finance & insurance, healthcare, IT services, manufacturing, and tourism. Confirmed victims span Belgium, Italy, the United Kingdom, Switzerland, Denmark, Spain, Greece, Türkiye, Latvia, and South Africa, underscoring an EMEA-centric focus.
The group launched its Tor-based leak site in late May 2025, simultaneously publishing stolen data from at least seven previously undisclosed victims. Among the most recent claimed attacks are Greece’s V² Development (attack on 2025-06-28) and Spain’s Món Sant Benet (2025-06-07), with data posted in June 2025. Notably, by late June 2025 the infrastructure went offline, with the onion leak site no longer reachable — possibly an operational pause or migration prompted by tracking pressure or internal reorganization. In short, DataCarry quickly established itself as an EMEA-focused ransomware threat with targeted attacks and aggressive extortion, but currently appears stalled.
Group History and Interactions with Other Ransomware Groups
Origins. First traces attributed to DataCarry date to summer 2024. The first confirmed attack occurred in June 2024 against Balcia Insurance (Latvia). For months thereafter, the group maintained a low profile with roughly monthly operations into early 2025. Until Q1 2025 DataCarry had no public victim blog, preferring discreet negotiations. The inflection point came in late May 2025 with the launch of a Tor leak site announcing seven prior victims at once — a sign the group had accumulated victims and chose to formalize its presence on the dark web only later.
Relationship to other groups. DataCarry surfaced almost in parallel with another 2025 entrant, Gunra (discovered ~late April 2025). Analysts quickly noticed both employ a Conti source-leak–based ransomware. While Conti derivatives are less common today (vs. ubiquitous LockBit 3.x builders), this overlap sparked speculation about ties. Technical analysis found similarities (e.g., the same ransom note name, `R3ADM3.txt`) but also material differences: Gunra appends `.ENCRT` while DataCarry uses `.EXTEN`; Gunra offers a Tor negotiation portal, whereas DataCarry favors email/Session for comms with no on-site chat. Taken together, indicators support two distinct crews that both leveraged the Conti leak rather than a single organization. Early social posts hinting DataCarry was a Gunra rebrand remain unconfirmed.
Rumor vs. fact: It is confirmed DataCarry uses a Conti-derived locker and opts for email/Session comms unlike Gunra. Unverified are any shared-membership claims; present evidence suggests separate entities with different negotiation and infrastructure choices.
Linear Timeline of Events
Date (YYYY-MM-DD) | Event |
---|---|
2024-06-26 | First attack attributed to DataCarry: Balcia Insurance (Latvia) — earliest publicly known victim. |
2024-09-27 | Ransomware attack on Mammut Sports Group (Switzerland), a global outdoor brand. |
2024-10-25 | Attack on ALB Forex (Türkiye), a financial broker (also referenced as ALX Forex in some sources). |
2024-11-12 | Attack on FrontierCo (South Africa), retail/wholesale sector. |
2024-12-09 | Attack on Alles Lægehus (Denmark), a network of medical clinics. |
2025-01-12 | Attack on Étude Bordet (Belgium), legal/notary services. |
2025-01-30 | Attack on Executive Jet Support (United Kingdom), aviation services. |
2025-05-16 | Attack on La Maison Liégeoise (Belgium), a major social housing organization; incident confirmed on 2025-05-18 with up to 10,000 individuals potentially affected. |
2025-05-23 | Attack on Alliance Healthcare IT (Italy), part of a major pharma distributor; internal HR, financial docs, and customer DBs exfiltrated. |
2025-05-23 | DataCarry leak site launch on Tor — first public publication of stolen data, listing ~7 earlier victims. From here, extortion activity becomes public. |
2025-05-28 | Attack on V² Development (Greece), real-estate company. |
2025-06-07 | Attack on Món Sant Benet (Spain), a cultural-tourism foundation. |
2025-06-12 | Leak site publication of Món Sant Benet data (listed as "discovered"); by this date, 11 total victims enumerated. |
2025-06-30 | Infrastructure offline: by late June the DataCarry leak site/C2s become unreachable. Timing coincides with a tool upload (Chisel) to VirusTotal, followed by rapid takedown/disappearance. |
Note: Attack dates are based on group claims and open reporting; "discovery" dates may differ when indicated by press or the leak site.
Notable Victims
- Mammut Sports Group (2024-09-27) — Switzerland’s globally known outdoor brand. Breaching a high-profile brand signals capability against well-structured enterprises; potential exposure of customer/projects data carries reputational risk.
- Alliance Healthcare Italy (2025-05-23) — Italian branch of a major European pharma distributor. Exposed data included HR docs (CVs/IDs), customer DBs, financials, and confidential M&A/operations files, risking healthcare supply chain continuity.
- La Maison Liégeoise (2025-05-16) — Belgian public social housing entity. Confirmed attack with potential impact to 10,000 citizens (tenants), a socially significant breach involving personal data and pressure on local authorities.
- Balcia Insurance (2024-06-26) — Latvian insurer and earliest known victim. Financial sector targeting from the outset suggests a focus on sensitive-data enterprises.
- Executive Jet Support (2025-01-30) — UK aerospace/aviation services provider; sensitive IP/supply chain implications highlight DataCarry’s willingness to strike sectors with broader safety ramifications.
Other victims include ALB Forex (Türkiye; financial trading), Alles Lægehus (Denmark; medical clinics), and FrontierCo (South Africa; retail) — attesting to both geographic and sectoral diversity.
Financial Data and Ransom Demands
Extortion model. DataCarry practices double extortion: encrypting on-prem data while exfiltrating large volumes for leak-site pressure. WatchGuard notes both single and double-extortion behaviors, sometimes releasing free data samples to coerce negotiations.
Demand amounts. No specific public figures are known. Given target sizes (mid-market European firms), indicative demands likely span hundreds of thousands to low millions (USD/EUR), consistent with peers — but without victim confirmations any precise value would be speculative. No public payment confirmations exist. Some entities (e.g., La Maison Liégeoise) reported to authorities without commenting on payment, suggesting refusal. Industry-wide, < 50% of victims pay on average; for DataCarry, payer rates are unknown.
Negotiations. Unlike many crews, DataCarry does not offer an on-site chat; instead it provides an encrypted email and a Session messenger ID. Negotiations occur privately and off-site, obscuring details. The group proves leverage via proof-of-data screenshots and staged leaks. Observed lag between intrusion and publication averages ~200 days, implying extended negotiation windows and timed leak pressure (e.g., fiscal closings).
Currency & revenue. Payments are presumably in cryptocurrency (BTC/XMR). No wallet addresses are publicly attributed. With 11 victims, even partial six-figure payments could yield several million USD — but absent evidence, the publicly verifiable revenue is effectively 0. The abrupt late-June 2025 disappearance further suggests limited realized proceeds or a strategic retreat.
Techniques Used (MITRE ATT&CK)
- Initial Access — Exploit Public-Facing App (T1190): Repeated exploitation of Internet-exposed services; multiple cases involved Fortinet EMS SQLi (CVE-2023-48788) enabling OS command execution via `xp_cmdshell`.
- Execution — PowerShell (T1059.001): Heavy use of malicious PowerShell scripts (e.g., KB332.ps1) to enable RDP, relax execution policies, and alter Windows Firewall.
- Persistence/Movement — RDP (T1021.001): Enable RDP (registry `fDenyTSConnections=0`) and add “Allow RDP” firewall rules for persistent backdoor and lateral movement with stolen/created creds.
- Command & Control — Web Protocols/WebSocket (T1071.001): Sophisticated WebSocket-based C2 on port 8081 camouflaged as benign HTTP; long-lived, bidirectional encrypted sessions.
- Exfiltration — Exfiltration Over C2 Channel (T1041): Bulk data exfiltration tunneled through the same WS-based C2, sometimes splitting command vs. data channels for throughput and evasion.
- Impact — Data Encrypted for Impact (T1486): Final-stage deployment of a Conti-derived locker dropping `R3ADM3.txt` and appending `.EXTEN`.
Additional techniques observed or inferred: Scheduled Task/Job (T1053) for persistence; Modify Registry (T1112) for RDP/execution policies; internal reconnaissance (T1016); and use of living-off-the-land binaries throughout.
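The technique list above names several host- and network-level artifacts that are cheap to look for: `xp_cmdshell` activity on the EMS database host, PowerShell launched with `-ExecutionPolicy Bypass`, `fDenyTSConnections` set to 0, an “Allow RDP” firewall rule, a WebSocket upgrade to port 8081, and Chisel's `/version.js` request. The detector below is an added example written for this report, not code from the report's sources or from any vendor; it runs a small rule set over constructed sample log lines and tags each hit with the ATT&CK ID used above. The log format, hostnames, IP address, and the exact `reg add` / `netsh advfirewall` command forms are assumptions (the report describes the registry value and the firewall rule, not the precise command lines); the indicator strings themselves come from the report.

```python
"""Added example (not from the original report): scan log lines for the
DataCarry-style artifacts listed in the ATT&CK section and tag hits by ID.
Sample lines, hosts and the 203.0.113.7 address are constructed; the
indicator strings (xp_cmdshell, -ExecutionPolicy Bypass, fDenyTSConnections=0,
port 8081 WebSocket upgrade, /version.js) come from the report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    technique: str   # ATT&CK ID from the report's technique list
    name: str        # short description of what matched
    line_no: int     # 1-based line number in the scanned input
    evidence: str    # the matched substring, for the analyst's notes


# (ATT&CK ID, description, pattern). Case-insensitive because PowerShell,
# reg.exe and netsh accept any casing. Command shapes are assumed typical forms.
RULES = [
    ("T1190", "xp_cmdshell use on the EMS SQL host",
     re.compile(r"xp_cmdshell", re.I)),
    ("T1059.001", "PowerShell with execution policy bypass",
     re.compile(r"powershell.*-ExecutionPolicy\s+Bypass", re.I)),
    ("T1112", "RDP enabled via registry (fDenyTSConnections -> 0)",
     re.compile(r"fDenyTSConnections\D+0\b", re.I)),
    ("T1021.001", "Inbound firewall rule allowing RDP",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*"
                r"(?:localport=3389|Remote Desktop).*action=allow", re.I)),
    ("T1071.001", "WebSocket upgrade to port 8081 (C2 channel)",
     re.compile(r":8081\b.*\bUpgrade:\s*websocket", re.I)),
    ("T1071.001", "Chisel-style /version.js request",
     re.compile(r"\bGET\s+/version\.js\b", re.I)),
]

# Constructed sample log (not real telemetry): six suspicious lines, then three
# benign ones (ordinary script, RDP being *disabled*, ordinary web request).
SAMPLE_LOG = """\
2025-05-16T02:11:40Z ems-01 mssql: EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE
2025-05-16T02:12:05Z ems-01 mssql: EXEC xp_cmdshell 'powershell -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\KB332.ps1'
2025-05-16T02:12:09Z ems-01 cmd: reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2025-05-16T02:12:10Z ems-01 cmd: netsh advfirewall firewall add rule name="Allow RDP" dir=in protocol=TCP localport=3389 action=allow
2025-05-16T02:13:00Z proxy-01 CONNECT 203.0.113.7:8081 Upgrade: websocket
2025-05-16T02:13:01Z proxy-01 GET /version.js HTTP/1.1 host=203.0.113.7
2025-05-16T08:00:00Z ws-22 powershell -File C:\\Scripts\\inventory.ps1
2025-05-16T08:00:10Z ws-22 cmd: reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
2025-05-16T08:01:00Z proxy-01 GET /index.html HTTP/1.1 host=intranet
"""


def scan(lines):
    """Apply every rule to every line; a line may produce several hits."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for technique, name, pattern in RULES:
            match = pattern.search(line)
            if match:
                hits.append(Hit(technique, name, line_no, match.group(0)[:80]))
    return hits


def summarize(hits):
    """Count hits per ATT&CK ID."""
    counts = {}
    for hit in hits:
        counts[hit.technique] = counts.get(hit.technique, 0) + 1
    return counts


def chain_score(hits):
    """Number of distinct techniques seen. The report describes a chain
    (T1190 -> T1059.001 -> T1021.001 -> T1071.001), so several distinct stages
    in one window is a stronger signal than many repeats of a single one."""
    return len({hit.technique for hit in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for hit in found:
        print(f"line {hit.line_no:>2}  {hit.technique:<10} {hit.name}: {hit.evidence}")
    print("per technique:", summarize(found))
    print("distinct stages:", chain_score(found))
```

On the constructed sample the benign lines produce no hits, the `xp_cmdshell` line that launches PowerShell produces two (T1190 and T1059.001), and five distinct stages of the chain are present. In production the same rules would be fed from the EMS SQL Server error log, Sysmon/4688 process-creation events, and proxy access logs rather than a single flat file; the `chain_score` idea is what separates a one-off `netsh` change by an administrator from the stacked sequence the report describes.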
Tools Used
a. Remote Access Tools (RAT)
- audiofg.exe — custom Go backdoor: Persistent RAT establishing encrypted WebSocket sessions with C2; supports integrated tunneling/proxy to pivot inside networks.
- Chisel (proxy/tunnel): Open-source TCP/UDP tunneling over HTTP/WebSocket (requests to `/version.js` observed); used for port-forwarding and stealthy lateral access.
- Session & encrypted email: Off-site, secure victim communications (no Tor chat portal).
b. Encryption Malware / Ransomware Payload
- Conti-derived locker: Customized variant appending `.EXTEN` and leaving `R3ADM3.txt`. No public locker samples confirmed early on; likely memory/scripter-driven distribution at impact time.
c. Lateral Movement
- RDP enablement + credentials: Pivoting “desktop-to-desktop”; probable credential dumping (e.g., LSASS/Mimikatz) though not always confirmed in open sources.
- WMI/PsExec/schtasks: Admin tooling to copy/launch payloads remotely and coordinate mass deployment.
d. Data Exfiltration
- Chisel + WS C2: Bulk exfiltration inside encrypted tunnels; likely pre-compression (WinRAR/7-Zip) for efficiency (inferred).
e. Living-off-the-Land (LoTL)
- PowerShell: System modification, payload launch, RDP enabling (`-ExecutionPolicy Bypass`).
- Windows CLI/WMI: `netsh`, registry edits, scheduled tasks; administrative look-and-feel hampers detection.
- OSINT/Scanning: Target discovery via Shodan; Tor exit and residential IP infrastructure for scanning camouflage.
Geographic Trends
Documented activity shows a clear European focus. With one notable exception (South Africa), all known victims are European organizations.
- Western/Northern Europe. Multiple attacks in Belgium (two victims), the UK (EJS), Switzerland (Mammut), Denmark (Alles Lægehus), Italy (Alliance Healthcare IT), and Spain (Món Sant Benet). Greece (V² Development) extends into Southern Europe.
- Eastern fringe. Latvia (Balcia) and Türkiye (ALB Forex) illustrate pan-European reach to the bloc’s edges; no known cases in Russia/CIS, consistent with many Russian-speaking crews’ targeting norms.
- Africa (sub‑Saharan). South Africa (FrontierCo) stands out as an extra-European target of opportunity.
- Absent regions. No validated victims in North America or APAC to date; some vendor roundups mention the U.S., but without corroboration.
Geopolitical take. The NATO/EU bias and avoidance of Russia/CIS is typical of Eastern European cybercrime crews. Selection appears opportunistic (exposure-based) rather than geopolitical, with Shodan-driven scanning guiding victim choice.
Law Enforcement Actions
As of July 2025, there are no public arrests or takedowns specifically linked to DataCarry. Late June 2025 saw the crew take infrastructure offline (leak site and C2s) shortly after their tunneling tool was identified and uploaded to VirusTotal — suggesting fear of tracking and a voluntary disappearance or migration. No official seizures of servers/wallets have been announced.
Broader anti-ransomware actions (e.g., Endgame/Duck Hunt in May 2025) did not name DataCarry but attest to elevated pressure. National CERTs likely disseminated patching guidance for Fortinet EMS and related exposures. Should DataCarry resurface, it would likely draw closer scrutiny from international task forces.
Source Transparency
Source | Reliability | Original Language | Publication Date |
---|---|---|---|
CCITIC — TLP:WHITE analysis on DataCarry (technical report) | High | English | 2025-07-05 |
LeMagIT (TechTarget): Gunra, Datacarry... — by Valéry Rieß‑Marchive | High | French | 2025-06-03 |
Cyble: Ransomware Landscape (May 2025) | High | English | 2025-06-03 |
Bitdefender — Threat Debrief (June 2025) | High | English | 2025-07 (early) |
WatchGuard — Ransomware Tracker (DataCarry) | Medium | English | 2025-05-23 |
Ransomware.live — DataCarry group listing | Medium | English | 2025-07-11 (dataset) |
Daily Dark Web — Alliance Healthcare Italy allegedly targeted | Medium | English | 2025-05-29 |
HookPhish — Datacarry hits Mammut Sports Group | Medium-Low | English | 2025-05-26 |
Methodology: Technical vectors/IoCs cross-checked primarily via CCITIC, Cyble, and LeMagIT; victim lists reconciled with WatchGuard and Ransomware.live. Where discrepancies exist (e.g., ALB/ALX Forex naming, exact dates), primary disclosures were favored when available.
Note: This report aggregates public OSINT from sources of varying reliability and may evolve. We will update periodically to provide the most accurate view of the DataCarry ransomware group’s activities.