Obscura
Obscura is a ransomware group/ransomware variant first identified in reporting as an emerging group in September 2025 and later described as one of a proliferation of smaller, short-lived ransomware crews operating under the radar. Reporting cited in the content places Obscura among new ransomware groups alongside Yurei, The Gentlemen, and Radar, and also lists it among ransomware variants that emerged in September 2024. Public victim claims mentioned in the content include MeamarGroup, WZV Warndt, Plazadental, HeavenlyDental, The Fixing Company, Rulmaksan Makina, and RelationsMedia A/S. The content associates Obscura with ransomware operations and extortion activity, including public victim posting on leak sites. It is specifically noted as having a serious encryption implementation flaw: files larger than 1 GB can become permanently unrecoverable regardless of payment because, according to Coveware reporting cited in the content, the malware fails to write the encrypted temporary key to the file footer for large files. The content also notes that proof-of-life decryption tests may miss this defect because they rarely include large files. Tradecraft referenced in the content includes use of Bring Your Own Vulnerable Driver (BYOVD) methodology; Obscura is explicitly named as one of the ransomware groups observed using this approach. Sector reporting in the content states that Obscura showed one of the highest levels of focus on the energy and utilities industry among ransomware groups with meaningful victim counts, accounting for 27% in the cited comparison. No nation-state attribution is provided in the content. Known alias provided in the content: obscura.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware operation noted here for flawed encryption implementation causing irreversible file loss for large files.
Referenced as a ransomware group observed using BYOVD-style defense evasion (vulnerable driver abuse) to impair endpoint defenses.
Ransomware group showing comparatively high focus on the energy and utilities industry.
Obscura is a small, short-lived ransomware crew, part of the new generation of agile ransomware groups that have emerged as the ecosystem splinters.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.