dan0n

Also known as: dan0n

dAn0n is a data-extortion actor that first appeared in April 2024. Operating primarily in a leak-focused extortion model, they publish stolen data on a Tor-hosted site rather than encrypting files. Their victims include organizations across sectors like business services, technology, healthcare, transportation, and legalβ€”all largely based in the United States, with a few in Ireland and South Korea. Activity surged in May 2024, landing them in the top 10 most active ransomware actors that month. Despite limited branding efforts, their smaller operational footprint has allowed for swift, targeted breaches that prioritize rapid data exposure over elaborate cryptographic tactics.

Introduction

dAn0n is a data-extortion actor that first appeared in April 2024. Operating primarily in a leak-focused extortion model, they publish stolen data on a Tor-hosted site rather than encrypting files. Their victims include organizations across sectors like business services, technology, healthcare, transportation, and legalβ€”all largely based in the United States, with a few in Ireland and South Korea. Activity surged in May 2024, landing them in the top 10 most active ransomware actors that month. Despite limited branding efforts, their smaller operational footprint has allowed for swift, targeted breaches that prioritize rapid data exposure over elaborate cryptographic tactics.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Small-Net:
  • UNITEDRAKE:
  • GraphicBooting:
  • CrossRat:

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.