New Threat Actor: Genesis

A new, highly aggressive, and financially motivated organized crime group, “Genesis,” has emerged in the cyber threat landscape, executing a campaign of rapid, high-impact data breaches. First identified in September 2025, the group has distinguished itself through a focused, multi-sectoral attack strategy targeting U.S. organizations and a modus operandi centered on double extortion.

Key Findings

All available intelligence indicates that Genesis operates as a Ransomware-as-a-Service (RaaS) affiliate. The group is not a standalone developer but is rather a new variant or affiliate of the established MedusaLocker ransomware family. This affiliation provides Genesis with sophisticated and field-tested malware, allowing the group to focus its efforts entirely on intrusion, data exfiltration, and extortion.

Threat Profile

  • Motive: Organized Crime (Financially Motivated).
  • Model: Double Extortion. Genesis combines crippling data encryption with data theft, threatening to publicly release exfiltrated data to pressure victims into payment.
  • Targets: Exclusively U.S.-based organizations.
  • Sectors: A diverse, data-rich target list, including critical infrastructure sectors such as Health Care, Financials, Energy (Oil & Gas), and Manufacturing.

Genesis’s debut was audacious, marked by the simultaneous publication of nine data breach claims on its dark web leak site. Across these initial victims, the group claims to have exfiltrated a total of 2.2 terabytes (TB) of sensitive data. Confirmed breaches include the theft of patient medical records, Social Security numbers (SSNs), driver’s license numbers, and corporate financial and HR data.

Due to the confirmed affiliation, all defensive and threat-hunting activities must be oriented against the known Tactics, Techniques, and Procedures (TTPs) of the MedusaLocker ransomware family. Priority must be given to securing the primary initial access vector: vulnerable Remote Desktop Protocol (RDP) services. Furthermore, organizations must ensure the implementation of robust, immutable, and offline backups, as this remains the most effective mitigation against ransomware impact.

The rapid, multi-victim debut of Genesis is a strong indicator of its RaaS-affiliate nature. A threat actor developing a new ransomware platform from the ground up would typically exhibit a slower, more iterative emergence while they build and test their encryptor, command-and-control (C2) infrastructure, and leak site. In contrast, Genesis appeared “fully formed”. By launching with a list of nine victims across hardened sectors and a massive 2.2 TB data claim, the group demonstrates pre-built, “out-of-the-box” capability. This strongly implies they are customers of the established MedusaLocker RaaS platform, which provides the core malware and infrastructure. This relationship allows the Genesis affiliate to bypass the development phase and focus exclusively on gaining access and exfiltrating data, maximizing their operational tempo.

Furthermore, the classification of Genesis as a “Data Broker” by some security trackers is a more accurate descriptor of its threat than “ransomware group”. An analysis of its modus operandi and the case studies of its victims reveals a clear emphasis on data exfiltration first. The ransomware, or encryption phase, is merely the final tool used to apply pressure. The primary threat posed by Genesis is the theft, sale, and public exposure of sensitive data, which invites severe reputational damage, regulatory fines, and loss of competitive advantage. This “data-broker” model means that even victims who can successfully restore from backups are not “safe”; the extortion will proceed regardless, as the leverage has already been secured.

Profile of a New Ransomware Operator

Emergence

The Genesis threat actor was first identified in September 2025. The group’s public-facing operations began in October 2025 with the launch of a new data leak site on the dark web, which was immediately populated with its first set of victim claims.

Modus Operandi

The group’s operational model follows a clear, four-stage attack chain characteristic of modern double-extortion RaaS:

  1. Infiltration: The actors gain initial access to a target network. Based on the TTPs of its parent family, MedusaLocker, this is achieved primarily through the exploitation of poorly-secured Remote Desktop Protocol (RDP) services.
  2. Exfiltration: Once inside, the group conducts discovery and exfiltrates significant volumes of sensitive, high-value data. This is the primary objective.
  3. Impact: After the data has been stolen, the actors deploy the ransomware payload to encrypt the victim’s systems, causing operational downtime.
  4. Extortion: Genesis employs double-extortion tactics. The victim is now pressured from two sides: they must pay a ransom to receive a decryption key and restore operations, and they must pay to prevent the public release of their stolen data.
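Because both the Key Findings and the Infiltration stage above name poorly secured RDP as the primary initial access vector, the defensive check a SOC would want first is a detection for the RDP brute-force pattern. The following Python is an added example, not code from the advisory or from any vendor: it consumes Windows Security logon events as plain dicts (an assumed shape, roughly what a SIEM export gives you), flags a source that accumulates many failed RemoteInteractive logons (Event ID 4625, LogonType 10) inside a short window, and escalates when a successful RemoteInteractive logon (4624, LogonType 10) from the same source follows the burst. All event records below are constructed.

```python
"""RDP brute-force and success-after-burst detector (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failed RDP logons from one source ...
WINDOW = timedelta(minutes=2)   # ... inside this window raises an alert


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (alert_kind, source_ip, event_time) tuples.

    Only LogonType 10 (RemoteInteractive, i.e. RDP) events are considered;
    network or interactive logons never contribute to the counters.
    """
    events = sorted(events, key=lambda e: parse_ts(e["time"]))
    failures = defaultdict(deque)   # source_ip -> timestamps of recent 4625s
    bursting = set()                # sources already over threshold
    alerts = []
    for e in events:
        if e.get("LogonType") != 10:
            continue
        src, t = e["IpAddress"], parse_ts(e["time"])
        q = failures[src]
        while q and t - q[0] > window:   # drop failures older than the window
            q.popleft()
        if e["EventID"] == 4625:
            q.append(t)
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append(("rdp_bruteforce", src, e["time"]))
        elif e["EventID"] == 4624:
            # A successful RDP logon right after a burst is the high-priority signal:
            # it is the moment the initial-access stage may have succeeded.
            if src in bursting or len(q) >= threshold:
                alerts.append(("rdp_success_after_bruteforce", src, e["time"]))
                bursting.discard(src)
                q.clear()
    return alerts


# Constructed sample events (assumed field names, modelled on Security log fields).
SAMPLE_EVENTS = [
    # one legitimate RDP logon from an internal admin workstation: no alert
    {"time": "2025-10-20T08:00:00", "EventID": 4624, "LogonType": 10,
     "IpAddress": "10.0.5.21", "TargetUserName": "jdoe"},
    # a network (LogonType 3) failure is ignored by this rule
    {"time": "2025-10-20T03:12:00", "EventID": 4625, "LogonType": 3,
     "IpAddress": "203.0.113.9", "TargetUserName": "svc-backup"},
]
# six failed RDP logons in under a minute from one external source, then a success
for i in range(6):
    SAMPLE_EVENTS.append({"time": f"2025-10-20T03:10:{i * 10:02d}", "EventID": 4625,
                          "LogonType": 10, "IpAddress": "198.51.100.77",
                          "TargetUserName": "administrator"})
SAMPLE_EVENTS.append({"time": "2025-10-20T03:11:05", "EventID": 4624, "LogonType": 10,
                      "IpAddress": "198.51.100.77", "TargetUserName": "administrator"})

if __name__ == "__main__":
    for kind, src, when in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{when} {kind} source={src}")
```

On the constructed data the detector raises two alerts for 198.51.100.77: the brute-force alert fires on the fifth failure and the higher-priority success-after-burst alert fires on the subsequent 4624. The threshold and window are deliberately low so the sample triggers; tune them to your environment, and treat the second alert kind as an incident trigger rather than a notification, since the advisory's attack chain moves from this step straight to discovery and exfiltration.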

Operational Infrastructure

The central hub for Genesis’s extortion operations is its TOR data leak site. This site serves as its public-facing brand, its negotiation portal, and its “shaming” blog where victim data is exposed.

  • Onion Address: http://genesis6ixpb5mcy4kudybtw5op2wqlrkocfogbnenz3c647ibqixiad.onion

This infrastructure is actively used to manage its extortion process. In its posts against victims like Austin Capital Trust, the group states, “The full dump… will be made public unless Austin Capital Trust initiates negotiations”. Similarly, its threat to the law firm Ronemus & Vilensky demands that “a company representative contacts us via the channels provided”.

The language used in these threats points to a structured, business-like criminal operation. This is not the chaotic work of a lone actor. The demands for “negotiation” and the use of tactics like “Extortion Price Increases” are all hallmarks of a mature RaaS operation. The “price increase” tactic, in particular, is a standard feature of RaaS platforms, designed to create urgency and penalize victims for indecision. This structured, business-like approach further cements the analysis that Genesis is a franchisee leveraging the established processes of a larger RaaS backend, identified as MedusaLocker.

Victim and Impact Analysis

Targeting Scope

The targeting strategy for the Genesis group is highly specific and, to date, exclusive. Analysis of all known victims confirms that 100% (12 out of 12) are based in the United States.

Sectoral Analysis

Genesis targets a diverse range of high-value, data-rich sectors. The group understands that organizations in these industries have a low tolerance for downtime and a high sensitivity to data breaches, making them more likely to pay a ransom. Targeted sectors include:

  • Healthcare: (e.g., River City Eye, Claimlinx)
  • Financial Services: (e.g., Advantage CDC, Austin Capital Trust)
  • Legal Services: (e.g., Kipp & Christian, Roth & Scholl, Ronemus & Vilensky)
  • Manufacturing: (e.g., Heimbrock, Dependable Plastic)
  • Technology: (e.g., I-Tek Medical Technologies)
  • Energy / Oil & Gas: (e.g., Southern Specialty and Supply)
  • Consumer Services / Retail: (e.g., Healthy Living Market and Café)

Victim Roster

The following table provides a comprehensive list of known organizations claimed by the Genesis ransomware group on its data leak site as of October 28, 2025.

Table 1: Genesis Victim Roster

| Victim Name | Sector | Discovery Date | Estimated Attack Date | Description |
|---|---|---|---|---|
| Heimbrock | Manufacturing | 2025-10-28 | 2025-10-27 | National refractory contractor. |
| Advantage CDC | Financial Services | 2025-10-28 | 2024-08-20 | Long-term loan provider. |
| Kipp & Christian | Legal Services | 2025-10-28 | 2025-10-26 | Law firm in Salt Lake City. |
| Southern Specialty and Supply | Energy (Oil & Gas) | 2025-10-21 | 2024-05-07 | Support for offshore/onshore drilling. |
| Roth & Scholl | Legal Services | 2025-10-21 | 2025-09-09 | Commercial litigation/real estate law. |
| River City Eye | Healthcare | 2025-10-21 | 2025-09-25 | Optometry clinic. |
| Austin Capital Trust | Financial Services | 2025-10-21 | 2025-09-04 | Trust company. |
| Healthy Living Market and Café | Consumer Services | 2025-10-21 | 2025-08-31 | Organic marketplace. |
| Claimlinx | Healthcare | 2025-10-21 | 2025-08-15 | Health insurance benefit provider. |
| Ronemus & Vilensky | Legal Services | 2025-10-21 | 2025-09-19 | New York-based law firm. |
| Dependable Plastic | Manufacturing | 2025-10-21 | 2025-10-13 | Janitorial supplies company. |
| I-Tek Medical Technologies | Technology | 2025-10-21 | 2025-09-09 | Contract design/manufacturing. |

Case Studies

The impact of these attacks is not theoretical. At least two of the victims listed by Genesis have confirmed data breaches, validating the group’s claims.

  • River City Eye Care (Healthcare): The organization confirmed it was the victim of a ransomware attack. Genesis claimed the attack on its leak site on October 21, 2025, alleging the exfiltration of 200 GB of data. This data was claimed to include “patient medical records, personal information, and data from company management systems”. The company’s own disclosure confirmed that the breach compromised highly sensitive PII, including names, Social Security numbers, and driver’s license numbers for some patients.
  • Healthy Living Market & Café (Retail): This organic grocery chain also reported a September 2025 ransomware attack. Genesis claimed to have stolen 400 GB of data, specifically “financial, payroll, and HR information”. The company’s report corroborated this, admitting the breach compromised names, Social Security numbers, direct deposit information, and employee medical records.

Across its initial nine victims alone, Genesis claims a total data theft of 2.2 TB. The resulting impacts are severe and multi-faceted, spanning Data Theft, Financial Losses (from ransom payments and recovery), crippling Operational Downtime, and long-term Reputational Damage.

An analysis of the victim list reveals that the group is not targeting Fortune 500 giants. Instead, its focus appears to be the mid-market: regional optometry clinics, local law firms, and specialty manufacturing companies. These organizations represent a vulnerable “sweet spot” for RaaS operators. They are large enough to have significant cash flow and a low tolerance for downtime (making them able and willing to pay a ransom), but are often small enough to lack the 24/7 Security Operations Center (SOC) and mature security posture (such as universal MFA and network segmentation) needed to defend against TTPs like RDP exploitation. This targeting strategy also aligns with the known M.O. of the MedusaLocker parent, which is known to target small and medium-sized companies.

A more complex and deeply significant finding is the “victim overlap” observed in Genesis’s claims. Reports indicate that the attack claims against two of the listed legal firms—Roth & Scholl and Ronemus & Vilensky—were previously claimed by other, different ransomware groups (Play and Kraken, respectively). This is not a mistake, but rather a sign of a complex, interconnected criminal ecosystem. This overlap could be explained by one of several hypotheses:

  1. Scavenging: Genesis is a low-level actor “padding its stats” by re-posting publicly leaked data from other groups’ attacks to appear more credible.
  2. Re-Extortion: Genesis purchased the stolen data from the “Play” or “Kraken” affiliates on an underground market and is now attempting a second extortion against the same, already-victimized company.
  3. Initial Access Broker (IAB) Conflict: An IAB, a criminal who specializes in gaining network access, sold the same access (e.g., RDP credentials) to multiple ransomware groups, who are now, in effect, fighting over the victim.

Regardless of which hypothesis is correct, all three scenarios point to the same conclusion: Genesis is an active participant in the broader cybercrime economy, where network access and stolen data are commodities to be bought, sold, and re-used.

Important Note: “Genesis” and “Medusa”

This section is the most critical component of this advisory for any technical audience. The cyber threat landscape is saturated with “false friends”—actors and malware with similar names. This ambiguity is a primary cause of flawed threat hunting and catastrophic misattribution. Any security team responding to an alert for “Genesis” or “Medusa” without the following deconfliction will fail.

Genesis (Ransomware) vs. Genesis Market

It is imperative to understand that the Genesis (Ransomware) group is not related to the Genesis (Market).

  • Genesis (Ransomware): This is the subject of this report. It is a Ransomware-as-a-Service (RaaS) affiliate that has been active since September 2025. Its TTPs are inferred from its parent family, MedusaLocker.
  • Genesis (Market): This was an unrelated criminal marketplace that specialized in selling stolen credentials, browser cookies, and device fingerprints. It was a key enabler of ransomware and other cybercrime, but it was not a ransomware group itself.
  • Status: The Genesis Market is defunct. It was dismantled and seized by an international law enforcement operation, including the FBI, in April 2023.

The identical naming is not a coincidence. The Genesis Market was one of the largest and most infamous criminal platforms of its time. The emergence of a new RaaS group in 2025 using the exact same name is a deliberate branding and marketing tactic. It is designed to capitalize on the “Genesis” name’s infamy, signaling to other criminals and to victims that they are a serious, professional operation.

Note for Analysts: TTPs and Indicators of Compromise (IOCs) associated with the defunct Genesis Market are NOT associated with the Genesis (Ransomware) group. Security teams must explicitly exclude these false leads from their threat hunts. These misattributed IOCs include:

  • Malware: DanaBot trojan, JS/CookieGenesis
  • Tools: Malicious browser extensions
  • C2 Domains: last-blink[.]com, root-head[.]com

Using these IOCs to hunt for the 2025 Genesis ransomware will lead to false negatives and a complete failure of the investigation.

MedusaLocker vs. Medusa (RaaS)

This is the second critical intelligence pitfall. The Genesis ransomware group is an affiliate of MedusaLocker. There is, however, another major, unrelated RaaS group known simply as Medusa.

  • The Link: Genesis is a variant/affiliate of the MedusaLocker ransomware family.
  • The Confusion: An unrelated, highly active RaaS group named Medusa is also prominent in 2025.
  • The Proof: The evidence definitively separating these two groups is explicit. A joint Cybersecurity Advisory (CSA) from the FBI and CISA (Product ID: AA25-071A) issued in March 2025 unequivocally states: “The Medusa ransomware variant is unrelated to the MedusaLocker variant… per the FBI’s investigation”. This finding is further c