Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors

Genesis

Also known asgenesis

Genesis is a ransomware group active since at least October 2025. It launched a dark web data leak site in October 2025 and was described in 2026 reporting as a newer/emerging ransomware actor. Reporting cited in the content states that Genesis malware steals data and locks systems, and that the group demands payment to destroy stolen data and restore infected systems. Separate reporting in the content also associates Genesis with credential access and underground market activity, including the sale or use of compromised enterprise access; in 2026, Genesis-linked activity was reported as contributing to healthcare intrusions by enabling initial access through stolen credentials, facilitating downstream ransomware and data theft operations. Genesis shows a strong US focus. One cited Q1 2026 assessment says 27 of 29 confirmed victims were in the United States (93.1%), with a notable emphasis on the healthcare sector (20.7%), and no documented affiliate program. The content repeatedly links Genesis to healthcare and healthcare-adjacent victims, including the National Association on Drug Abuse Programs (NADAP), Advanced Family Surgery Center (AFSC), and Community Health Action of Staten Island. In the NADAP case, Genesis claimed responsibility in March 2026, said it stole 2 TB of data including medical information and HR files, and listed the organization on its leak site. In the AFSC case, Genesis claimed it exfiltrated 100 GB of healthcare, personal, financial, and operational data and posted a file tree; reviewed sample files reportedly included PHI. In the Community Health Action of Staten Island case, Genesis added the organization to its leak site and claimed exfiltration of approximately 200,000 records, including sensitive personal and medical data. The content also states that Genesis had claimed 49 ransomware attacks in total at the time of one report, with seven attacks confirmed by targeted organizations. Additional cited victims or claimed victims include Upper Township and the local government of Hart, Michigan. Known alias information in the provided content is limited to the lowercase form "genesis"; no sub-groups are identified in the source material.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Health Care Equipment & Services
  • Government & Administration
  • Non-Governmental Organizations

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics11 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1589×2
Gather Victim Identity Information
TA0001
Initial Access
1 technique
T1078
Valid Accounts
TA0003
Persistence
1 technique
T1078
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078
Valid Accounts
TA0005
Stealth
1 technique
T1078
Valid Accounts
TA0009
Collection
1 technique
T1074
Data Staged
TA0010
Exfiltration
3 techniques
T1020×2
Automated Exfiltration
T1041×3
Exfiltration Over C2 Channel
T1567×3
Exfiltration Over Web Service
TA0040
Impact
2 techniques
T1486×3
Data Encrypted for Impact
T1657×2
Financial Theft
IOCS

Observables

15 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

15 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app
checkpoint research blogNews
May 11, 2026
The State of Ransomware - Q1 2026 - Check Point Research

Emerging ransomware actor with near-exclusive US targeting and notable healthcare focus.

Read more
polyswarmNews
May 4, 2026
Critical Condition: The 2026 Healthcare Cyber Threat Landscape

Provides or enables initial access into healthcare environments through stolen credentials and underground access sales.

Read more
comparitechNews
Apr 16, 2026
Phoenix Art Museum warns of data breach that leaked SSNs - Comparitech

Named as the group claiming responsibility for a ransomware attack against a non-profit organization.

Read more
comparitechNews
Mar 10, 2026
Cybercriminal group says it hacked New York drug abuse program - Comparitech

A newer ransomware group active since October 2025 that claims attacks against organizations, steals data, encrypts systems, and extorts victims for payment to delete stolen data and restore access.

Read more
+6 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables15

Domains, IPs, and hashes tied to this actor, refreshed continuously.