Hex Active

Ransomware group first observed in 2022. Uses TrickBot for deployment.
PDF Report Back to Groups
0
Total Victims
2022-09-01
First Seen
2026-02-07
Last Seen
0
Known TTPs
25.7d
Avg Delay
0
Negotiations
ONION URLS
2ifti7ouocopqc6urtudidwss6jwoewshng2mel7mzc565dp62ejki3m.onion
TOOLS
TrickBot Sliver C2
FILE EXTENSIONS
.dead
ACTIVITY TIMELINE
TOP SECTORS
TOP COUNTRIES
ACTIVITY HEATMAP
Date Victim Name Country Sector Status
No victims recorded

No TTPs data

Hex_rule_1 Elastic Security 
rule Hex_ransomware_1 {
    meta:
        description = "Detects Hex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9735d010b7e1f850a5ed715f04967c0821d422901b4460a18cf61109d285553a"

    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s1 = "DECRYPT" nocase
        $s2 = "YOUR FILES" nocase

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

No IoCs

No ransom notes