Total Victims: 0
First Seen: 2016-04-01
Last Seen: 2026-03-16
Known TTPs: 0
Avg Delay: 39.8d
Negotiations: 0
ONION URLS
hwdkqt5534ac6r7jejfkj26zhq5e4oy3mgdfojphb544lc4fm2kap5gc.onion
TOOLS
ConnectWise, TrickBot, SystemBC, FileZilla
FILE EXTENSIONS
.gone
Date Victim Name Country Sector Status
No victims recorded

No TTPs data

No YARA rules

Type Value Description

No ransom notes