TartarusRansom (status: Active)
Ransomware group first observed in 2017. Uses nltest, the Windows domain-controller and trust enumeration utility, during deployment; this lines up with T1018 Remote System Discovery in the TTP table below.
Total Victims: (not shown)
First Seen: 2017-07-01
Last Seen: 2026-03-05
Known TTPs: 23
Avg Delay: 36.2d
Negotiations: 0
ONION URLS
v7iabfzpsk4bw465mnhiofnes4hnne2uozzethortfagpk5nthx5bofv.onion
TOOLS
nltest
LaZagne
FILE EXTENSIONS
.ransom
ACTIVITY TIMELINE, TOP SECTORS, TOP COUNTRIES, ACTIVITY HEATMAP: chart panels (data not captured in this extract)
| Date | Victim Name | Country | Sector | Status |
|---|---|---|---|---|
| 2026-03-05 | Innovation Power | United States | Government | Published |
| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1039 | Data from Network Shared Drive | Collection |
| T1074.001 | Local Data Staging | Collection |
| T1105 | Ingress Tool Transfer | Command and Control |
| T1219 | Remote Access Software | Command and Control |
| T1572 | Protocol Tunneling | Command and Control |
| T1003.001 | LSASS Memory | Credential Access |
| T1555.003 | Credentials from Web Browsers | Credential Access |
| T1070.004 | File Deletion | Defense Evasion |
| T1562.004 | Disable or Modify System Firewall | Defense Evasion |
| T1562.009 | Safe Mode Boot | Defense Evasion |
| T1018 | Remote System Discovery | Discovery |
| T1069 | Permission Groups Discovery | Discovery |
| T1059.003 | Windows Command Shell | Execution |
| T1059.005 | Visual Basic | Execution |
| T1059.006 | Python | Execution |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1491.001 | Internal Defacement | Impact |
| T1078 | Valid Accounts | Initial Access |
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1021.004 | SSH | Lateral Movement |
| T1543.003 | Windows Service | Persistence |
| T1134 | Access Token Manipulation | Privilege Escalation |
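The profile lists nltest and LaZagne as tools and names the techniques above, but ships no YARA rules or IoCs, so the practical detection surface is behavioural. The script below is an added example, not code from the original page or from any vendor: it maps constructed Windows process-creation events to the technique IDs in the table and only alerts a host when several distinct listed techniques fire within a short window, since a lone nltest call from an administrator is routine. The command-line markers (nltest /dclist, net group /domain, netsh advfirewall, bcdedit safeboot) are generic indicators of each technique and are assumptions, not commands attributed to TartarusRansom; the event lines and hostnames are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): process-creation events
# flattened to "timestamp|host|user|parent|image|commandline".
SAMPLE_EVENTS = """\
2026-03-05T02:11:04Z|WS-0142|corp\\jdoe|explorer.exe|C:\\Windows\\System32\\nltest.exe|nltest /dclist:corp.local
2026-03-05T02:11:09Z|WS-0142|corp\\jdoe|cmd.exe|C:\\Windows\\System32\\nltest.exe|nltest /domain_trusts /all_trusts
2026-03-05T02:15:31Z|WS-0142|corp\\jdoe|cmd.exe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\laZagne.exe|laZagne.exe all
2026-03-05T02:16:02Z|WS-0142|corp\\jdoe|cmd.exe|C:\\Windows\\System32\\net.exe|net group "Domain Admins" /domain
2026-03-05T02:20:44Z|WS-0142|corp\\jdoe|cmd.exe|C:\\Windows\\System32\\netsh.exe|netsh advfirewall set allprofiles state off
2026-03-05T02:21:10Z|WS-0142|corp\\jdoe|cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} safeboot network
2026-03-05T09:00:00Z|WS-0201|corp\\admin|services.exe|C:\\Windows\\System32\\nltest.exe|nltest /dsgetdc:corp.local
"""

# (technique ID from the profile's TTP table, image basename regex, command-line regex).
# The command-line patterns are assumed generic markers for each technique,
# not commands observed from this group.
RULES = [
    ("T1018", r"^nltest\.exe$", r"/dclist|/dsgetdc|/domain_trusts"),   # Remote System Discovery
    ("T1555.003", r"^lazagne(\.exe)?$", r"."),                          # Credentials from Web Browsers
    ("T1069", r"^net1?\.exe$", r"\bgroup\b.*/domain"),                  # Permission Groups Discovery
    ("T1562.004", r"^netsh\.exe$", r"advfirewall.*state\s+off"),        # Disable System Firewall
    ("T1562.009", r"^bcdedit\.exe$", r"safeboot"),                      # Safe Mode Boot
]
COMPILED = [(tid, re.compile(img, re.I), re.compile(cmd, re.I)) for tid, img, cmd in RULES]


def parse_event(line):
    """Split one flattened event into fields; image is reduced to its basename."""
    ts, host, user, parent, image, cmd = line.split("|", 5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "user": user,
        "parent": parent,
        "image": image.rsplit("\\", 1)[-1],
        "cmd": cmd,
    }


def match_techniques(ev):
    """Technique IDs whose image and command-line patterns both match the event."""
    return [tid for tid, img, cmd in COMPILED if img.search(ev["image"]) and cmd.search(ev["cmd"])]


def correlate(lines, window=timedelta(minutes=30), min_techniques=3):
    """Return {host: sorted technique IDs} for hosts where at least
    `min_techniques` distinct listed techniques fire within `window`.
    A single discovery command on its own never alerts."""
    hits = defaultdict(list)  # host -> [(timestamp, technique ID)]
    for line in lines.strip().splitlines():
        ev = parse_event(line)
        for tid in match_techniques(ev):
            hits[ev["host"]].append((ev["ts"], tid))

    alerts = {}
    for host, items in hits.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {tid for ts, tid in items[i:] if ts - start <= window}
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, techniques in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {len(techniques)} listed techniques in window -> {', '.join(techniques)}")
```

On the sample, WS-0142 alerts with five distinct techniques inside ten minutes, while WS-0201 (one nltest /dsgetdc from services.exe, the kind of call a domain-joined service makes) stays quiet. The threshold and window are tuning knobs; raise `min_techniques` in environments where administrators routinely run net and nltest interactively.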
No YARA rules
No IoCs
No ransom notes