New Threat Actor: Genesis

A new, highly aggressive, and financially motivated organized crime group, “Genesis,” has emerged in the cyber threat landscape, executing a campaign of rapid, high-impact data breaches. First identified in September 2025, the group has distinguished itself through a focused, multi-sectoral attack strategy targeting U.S. organizations and a modus operandi centered on double extortion.

Key Findings

All available intelligence indicates that Genesis operates as a Ransomware-as-a-Service (RaaS) affiliate. The group is not a standalone developer but is rather a new variant or affiliate of the established MedusaLocker ransomware family. This affiliation provides Genesis with sophisticated and field-tested malware, allowing the group to focus its efforts entirely on intrusion, data exfiltration, and extortion.

Threat Profile

  • Motive: Organized Crime (Financially Motivated).
  • Model: Double Extortion. Genesis combines crippling data encryption with data theft, threatening to publicly release exfiltrated data to pressure victims into payment.
  • Targets: Exclusively U.S.-based organizations.
  • Sectors: A diverse, data-rich target list, including critical infrastructure sectors such as Health Care, Financials, Energy (Oil & Gas), and Manufacturing.

Genesis’s debut was audacious, marked by the simultaneous publication of nine data breach claims on its dark web leak site. Across these initial victims, the group claims to have exfiltrated a total of 2.2 terabytes (TB) of sensitive data. Confirmed breaches include the theft of patient medical records, Social Security numbers (SSNs), driver’s license numbers, and corporate financial and HR data.

Due to the confirmed affiliation, all defensive and threat-hunting activities must be oriented against the known Tactics, Techniques, and Procedures (TTPs) of the MedusaLocker ransomware family. Priority must be given to securing the primary initial access vector: vulnerable Remote Desktop Protocol (RDP) services. Furthermore, organizations must ensure the implementation of robust, immutable, and offline backups, as this remains the most effective mitigation against ransomware impact.

The rapid, multi-victim debut of Genesis is a strong indicator of its RaaS-affiliate nature. A threat actor developing a new ransomware platform from the ground up would typically exhibit a slower, more iterative emergence while they build and test their encryptor, command-and-control (C2) infrastructure, and leak site. In contrast, Genesis appeared “fully formed”. By launching with a list of nine victims across hardened sectors and a massive 2.2 TB data claim, the group demonstrates pre-built, “out-of-the-box” capability. This strongly implies they are customers of the established MedusaLocker RaaS platform, which provides the core malware and infrastructure. This relationship allows the Genesis affiliate to bypass the development phase and focus exclusively on gaining access and exfiltrating data, maximizing their operational tempo.

Furthermore, the classification of Genesis as a “Data Broker” by some security trackers is a more accurate descriptor of its threat than “ransomware group”. An analysis of its modus operandi and the case studies of its victims reveals a clear emphasis on data exfiltration first. The ransomware, or encryption phase, is merely the final tool used to apply pressure. The primary threat posed by Genesis is the theft, sale, and public exposure of sensitive data, which invites severe reputational damage, regulatory fines, and loss of competitive advantage. This “data-broker” model means that even victims who can successfully restore from backups are not “safe”; the extortion will proceed regardless, as the leverage has already been secured.

Profile of a New Ransomware Operator

Emergence

The Genesis threat actor was first identified in September 2025. The group’s public-facing operations began in October 2025 with the launch of a new data leak site on the dark web, which was immediately populated with its first set of victim claims.

Modus Operandi

The group’s operational model follows a clear, four-stage attack chain characteristic of modern double-extortion RaaS:

  1. Infiltration: The actors gain initial access to a target network. Based on the TTPs of its parent family, MedusaLocker, this is achieved primarily through the exploitation of poorly secured Remote Desktop Protocol (RDP) services.
  2. Exfiltration: Once inside, the group conducts discovery and exfiltrates significant volumes of sensitive, high-value data. This is the primary objective.
  3. Impact: After the data has been stolen, the actors deploy the ransomware payload to encrypt the victim’s systems, causing operational downtime.
  4. Extortion: Genesis employs double-extortion tactics. The victim is now pressured from two sides: they must pay a ransom to receive a decryption key and restore operations, and they must pay to prevent the public release of their stolen data.

Operational Infrastructure

The central hub for Genesis’s extortion operations is its TOR data leak site. This site serves as its public-facing brand, its negotiation portal, and its “shaming” blog where victim data is exposed.

  • Onion Address: http://genesis6ixpb5mcy4kudybtw5op2wqlrkocfogbnenz3c647ibqixiad.onion

This infrastructure is actively used to manage its extortion process. In its posts against victims like Austin Capital Trust, the group states, “The full dump… will be made public unless Austin Capital Trust initiates negotiations”. Similarly, its threat to the law firm Ronemus & Vilensky demands that “a company representative contacts us via the channels provided”.

The language used in these threats points to a structured, business-like criminal operation. This is not the chaotic work of a lone actor. The demands for “negotiation” and the use of tactics like “Extortion Price Increases” are all hallmarks of a mature RaaS operation. The “price increase” tactic, in particular, is a standard feature of RaaS platforms, designed to create urgency and penalize victims for indecision. This structured, business-like approach further cements the analysis that Genesis is a franchisee leveraging the established processes of a larger RaaS backend, identified as MedusaLocker.

Victim and Impact Analysis

Targeting Scope

The targeting strategy for the Genesis group is highly specific and, to date, exclusive. Analysis of all known victims confirms that 100% (12 out of 12) are based in the United States.

Sectoral Analysis

Genesis targets a diverse range of high-value, data-rich sectors. The group understands that organizations in these industries have a low tolerance for downtime and a high sensitivity to data breaches, making them more likely to pay a ransom. Targeted sectors include:

  • Healthcare: (e.g., River City Eye, Claimlinx)
  • Financial Services: (e.g., Advantage CDC, Austin Capital Trust)
  • Legal Services: (e.g., Kipp & Christian, Roth & Scholl, Ronemus & Vilensky)
  • Manufacturing: (e.g., Heimbrock, Dependable Plastic)
  • Technology: (e.g., I-Tek Medical Technologies)
  • Energy / Oil & Gas: (e.g., Southern Specialty and Supply)
  • Consumer Services / Retail: (e.g., Healthy Living Market and Café)

Victim Roster

The following table provides a comprehensive list of known organizations claimed by the Genesis ransomware group on its data leak site as of October 28, 2025.

Table 1: Genesis Victim Roster

Victim Name | Sector | Discovery Date | Estimated Attack Date | Description
Heimbrock | Manufacturing | 2025-10-28 | 2025-10-27 | National refractory contractor.
Advantage CDC | Financial Services | 2025-10-28 | 2024-08-20 | Long-term loan provider.
Kipp & Christian | Legal Services | 2025-10-28 | 2025-10-26 | Law firm in Salt Lake City.
Southern Specialty and Supply | Energy (Oil & Gas) | 2025-10-21 | 2024-05-07 | Support for offshore/onshore drilling.
Roth & Scholl | Legal Services | 2025-10-21 | 2025-09-09 | Commercial litigation/real estate law.
River City Eye | Healthcare | 2025-10-21 | 2025-09-25 | Optometry clinic.
Austin Capital Trust | Financial Services | 2025-10-21 | 2025-09-04 | Trust company.
Healthy Living Market and Café | Consumer Services | 2025-10-21 | 2025-08-31 | Organic marketplace.
Claimlinx | Healthcare | 2025-10-21 | 2025-08-15 | Health insurance benefit provider.
Ronemus & Vilensky | Legal Services | 2025-10-21 | 2025-09-19 | New York-based law firm.
Dependable Plastic | Manufacturing | 2025-10-21 | 2025-10-13 | Janitorial supplies company.
I-Tek Medical Technologies | Technology | 2025-10-21 | 2025-09-09 | Contract design/manufacturing.

Case Studies

The impact of these attacks is not theoretical. At least two of the victims listed by Genesis have confirmed data breaches, validating the group’s claims.

  • River City Eye Care (Healthcare): The organization confirmed it was the victim of a ransomware attack. Genesis claimed the attack on its leak site on October 21, 2025, alleging the exfiltration of 200 GB of data. This data was claimed to include “patient medical records, personal information, and data from company management systems”. The company’s own disclosure confirmed that the breach compromised highly sensitive PII, including names, Social Security numbers, and driver’s license numbers for some patients.
  • Healthy Living Market & Café (Retail): This organic grocery chain also reported a September 2025 ransomware attack. Genesis claimed to have stolen 400 GB of data, specifically “financial, payroll, and HR information”. The company’s report corroborated this, admitting the breach compromised names, Social Security numbers, direct deposit information, and employee medical records.

Across its initial nine victims alone, Genesis claims a total data theft of 2.2 TB. The resulting impacts are severe and multi-faceted, spanning Data Theft, Financial Losses (from ransom payments and recovery), crippling Operational Downtime, and long-term Reputational Damage.

An analysis of the victim list reveals that the group is not targeting Fortune 500 giants. Instead, its “sweet spot” appears to be the mid-market: regional optometry clinics, local law firms, and specialty manufacturing companies. These organizations are a vulnerable target for RaaS operators. They are large enough to have significant cash flow and a low tolerance for downtime (making them able and willing to pay a ransom), but are often small enough to lack the 24/7 Security Operations Center (SOC) and mature security posture (such as universal MFA and network segmentation) needed to defend against TTPs like RDP exploitation. This targeting strategy also aligns with the known M.O. of the MedusaLocker parent, which is known to target small and medium-sized companies.

A more complex and deeply significant finding is the “victim overlap” observed in Genesis’s claims. Reports indicate that the attack claims against two of the listed legal firms—Roth & Scholl and Ronemus & Vilensky—were previously claimed by other, different ransomware groups (Play and Kraken, respectively). This is not a mistake, but rather a sign of a complex, interconnected criminal ecosystem. This overlap could be explained by one of several hypotheses:

  1. Scavenging: Genesis is a low-level actor “padding its stats” by re-posting publicly leaked data from other groups’ attacks to appear more credible.
  2. Re-Extortion: Genesis purchased the stolen data from the “Play” or “Kraken” affiliates on an underground market and is now attempting a second extortion against the same, already-victimized company.
  3. Initial Access Broker (IAB) Conflict: An IAB, a criminal who specializes in gaining network access, sold the same access (e.g., RDP credentials) to multiple ransomware groups, who are now, in effect, fighting over the victim.

Regardless of which hypothesis is correct, all three scenarios point to the same conclusion: Genesis is an active participant in the broader cybercrime economy, where network access and stolen data are commodities to be bought, sold, and re-used.

Important Note: “Genesis” and “Medusa”

This section is the most critical component of this advisory for any technical audience. The cyber threat landscape is saturated with “false friends”—actors and malware with similar names. This ambiguity is a primary cause of flawed threat hunting and catastrophic misattribution. Any security team responding to an alert for “Genesis” or “Medusa” without the following deconfliction will fail.

Genesis (Ransomware) vs. Genesis Market

It is imperative to understand that the Genesis (Ransomware) group is not related to the Genesis (Market).

  • Genesis (Ransomware): This is the subject of this report. It is a Ransomware-as-a-Service (RaaS) affiliate that has been active since September 2025. Its TTPs are inferred from its parent family, MedusaLocker.
  • Genesis (Market): This was an unrelated criminal marketplace that specialized in selling stolen credentials, browser cookies, and device fingerprints. It was a key enabler of ransomware and other cybercrime, but it was not a ransomware group itself.
  • Status: The Genesis Market is defunct. It was dismantled and seized by an international law enforcement operation, including the FBI, in April 2023.

The identical naming is not a coincidence. The Genesis Market was one of the largest and most infamous criminal platforms of its time. The emergence of a new RaaS group in 2025 using the exact same name is a deliberate branding and marketing tactic. It is designed to capitalize on the “Genesis” name’s infamy, signaling to other criminals and to victims that they are a serious, professional operation.

Note for Analysts: TTPs and Indicators of Compromise (IOCs) associated with the defunct Genesis Market are NOT associated with the Genesis (Ransomware) group. Security teams must explicitly exclude these false leads from their threat hunts. These misattributed IOCs include:

  • Malware: DanaBot trojan, JS/CookieGenesis
  • Tools: Malicious browser extensions
  • C2 Domains: last-blink[.]com, root-head[.]com

Using these IOCs to hunt for the 2025 Genesis ransomware will lead to false negatives and a complete failure of the investigation.

MedusaLocker vs. Medusa (RaaS)

This is the second critical intelligence pitfall. The Genesis ransomware group is an affiliate of MedusaLocker. There is, however, another major, unrelated RaaS group known simply as Medusa.

  • The Link: Genesis is a variant/affiliate of the MedusaLocker ransomware family.
  • The Confusion: An unrelated, highly active RaaS group named Medusa is also prominent in 2025.
  • The Proof: The evidence definitively separating these two groups is explicit. A joint Cybersecurity Advisory (CSA) from the FBI and CISA (Product ID: AA25-071A) issued in March 2025 unequivocally states: “The Medusa ransomware variant is unrelated to the MedusaLocker variant… per the FBI’s investigation”. This finding is further corroborated by security vendor analysis.

Note for Analysts: An analyst, correctly identifying Genesis as a “MedusaLocker” affiliate, might mistakenly search for “Medusa TTPs.” This search would lead them to the CISA advisory for the wrong group. They would then be hunting for TTPs and IOCs belonging to the Medusa (RaaS) group, such as:

  • Encryptor Executable: gaze.exe
  • File Extension: .MEDUSA
  • Exfiltration Tool: Rclone
  • Vulnerabilities: Exploitation of CVE-2024-1709

These TTPs are for the wrong threat actor. The correct TTPs to hunt for, which will be detailed in Part 5, are those of the MedusaLocker family (e.g., RDP abuse, NetShareEnum API, ICMP scans).

To provide absolute clarity, the following table deconflicts these entities.

Table 2: Deconfliction Summary

Threat Actor | Known As | Status (2025) | Relationship | Key TTPs / IOCs (Do NOT confuse)
Genesis (Ransomware) | Genesis | Active | Subject of this report. A RaaS affiliate. | Affiliate of MedusaLocker. TTPs proxied from MedusaLocker (RDP abuse). IOC: genesis6ix...onion
Genesis (Market) | Genesis Market | Defunct | Unrelated to Genesis (Ransomware). Seized by FBI in April 2023. | Enabled ransomware but was not one. IOCs: DanaBot, JS/CookieGenesis, last-blink[.]com
MedusaLocker | MedusaLocker | Active | Parent family of Genesis. | TTPs to hunt for: RDP exploitation, UAC bypass, NetShareEnum API, ICMP scans.
Medusa (RaaS) | Medusa | Active | Unrelated to MedusaLocker and Genesis. | TTPs NOT to use for Genesis: .MEDUSA extension, gaze.exe, Rclone, CVE-2024-1709.

Technical Analysis: Inferred TTPs

Overview

As Genesis is a new affiliate (first seen September 2025), no public, in-depth reports have yet captured its unique payload for sandboxing and analysis. However, its confirmed link to the MedusaLocker family provides a high-confidence foundation for threat hunting. By analyzing the well-documented behaviors of MedusaLocker, defenders can build a proxy TTP profile to hunt for Genesis activity.

RaaS Model

MedusaLocker operates as a RaaS, a business model that lowers the barrier to entry for affiliates. This model involves a profit-sharing arrangement where the ransomware developers take a percentage of the ransom, and the affiliates (like Genesis) who perform the intrusion receive the rest. This split is consistently 55-60% for the affiliate and the remainder for the developer.

Inferred TTPs

The following TTPs are associated with the MedusaLocker parent family and should be used to hunt for Genesis.

  • Initial Access:
    • External Remote Services / Valid Accounts: This is the primary attack vector. MedusaLocker predominantly relies on exploiting vulnerabilities in Remote Desktop Protocol (RDP) to gain initial access to victim networks. Phishing and spam email campaigns are also used as a secondary vector.
  • Execution:
    • Command and Scripting Interpreter: Like many modern malware families, MedusaLocker uses built-in interpreters like PowerShell and Windows Command Prompt for execution.
  • Persistence:
    • Scheduled Task/Job: The ransomware establishes persistence by creating a scheduled task designed to run the locker (encryption) component every 15 minutes, ensuring the system remains encrypted.
  • Privilege Escalation:
    • Bypass User Account Control: The ransomware payload performs a UAC bypass. This technique elevates its permissions to run the malware with administrative rights, giving it full control over the system for encryption and defense evasion.
  • Defense Evasion:
    • Impair Defenses: MedusaLocker actively enumerates and terminates specific processes, focusing on security tools, backup software, and database services to ensure smooth execution.
    • Inhibit System Recovery: The malware is designed to prevent easy recovery. It incorporates processes to explicitly delete backups and recovery options, such as Volume Shadow Copies, to ensure the victim has no alternative but to negotiate.
  • Discovery:
    • Remote System Discovery: The malware is capable of crafting and sending ICMP packets (ping scans) across the network. This allows it to discover other connected assets and identify further targets for lateral movement and encryption.
    • Network Share Discovery: The malware uses the NetShareEnum API. This function gathers information about all resources shared by remote servers in the network, allowing the ransomware to find and encrypt data on network drives.
  • Lateral Movement:
    • Remote Desktop Protocol: After gaining initial access, the actors can use RDP to move laterally to other systems. The MedusaLocker malware is specifically designed to lock files on both the local machine and any connected systems it can access.
  • Impact:
    • Data Encrypted for Impact: MedusaLocker employs a hybrid-encryption model. It locks user data using the symmetric AES-256 algorithm. The AES key, which is required for decryption, is then protected using the asymmetric RSA-2048 cryptosystem.
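As an added hunting example (not code from the advisory or from any vendor), the following Python runs the Scheduled Task/Job, Inhibit System Recovery, Impair Defenses and Remote System Discovery (ICMP sweep) behaviours listed above over constructed process-creation log lines. The log format, the schtasks/vssadmin/wmic/taskkill command forms, the process-name list and the sweep threshold are assumptions for illustration, not indicators from the page.

```python
import re
from collections import defaultdict

# Constructed sample (not real telemetry): one process-creation event per line in an
# assumed format "<timestamp> host=<hostname> user=<account> cmd=<command line>".
SAMPLE_LOG = "\n".join([
    r"2025-10-20T02:11:04Z host=FS01 user=svc_rdp cmd=schtasks /create /tn svhost /tr C:\Users\Public\svhost.exe /sc minute /mo 15",
    r"2025-10-20T02:11:09Z host=FS01 user=svc_rdp cmd=vssadmin.exe Delete Shadows /All /Quiet",
    r"2025-10-20T02:11:15Z host=FS01 user=svc_rdp cmd=taskkill /F /IM sqlservr.exe",
] + [f"2025-10-20T02:12:{i:02d}Z host=FS01 user=svc_rdp cmd=ping -n 1 10.0.0.{10 + i}" for i in range(6)] + [
    r"2025-10-20T08:30:00Z host=WS07 user=alice cmd=schtasks /create /tn Backup /tr C:\backup.bat /sc daily /st 23:00",
    r"2025-10-20T08:31:00Z host=WS07 user=alice cmd=ping -n 1 10.0.0.1",
])

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Assumed: distinct hosts one machine must ping before the activity counts as a sweep.
PING_SWEEP_THRESHOLD = 5
# Assumed names of backup, database and security processes whose forced termination
# matches the "Impair Defenses" behaviour the advisory describes.
IMPAIR_TARGETS = ("sqlservr", "veeam", "backup", "msmpeng", "sophos")

def rule_persistence_15min(cmd: str) -> bool:
    """Scheduled Task/Job: a task that re-runs a binary every 15 minutes (schtasks /sc minute /mo 15)."""
    c = cmd.lower()
    return "schtasks" in c and "/create" in c and re.search(r"/sc\s+minute\s+/mo\s+15\b", c) is not None

def rule_inhibit_recovery(cmd: str) -> bool:
    """Inhibit System Recovery: Volume Shadow Copy deletion via vssadmin or wmic (assumed forms)."""
    c = cmd.lower()
    return ("vssadmin" in c and "delete" in c and "shadows" in c) or ("wmic" in c and "shadowcopy" in c and "delete" in c)

def rule_impair_defenses(cmd: str) -> bool:
    """Impair Defenses: forced kill of a backup, database or security process."""
    c = cmd.lower()
    return "taskkill" in c and "/im" in c and any(t in c for t in IMPAIR_TARGETS)

RULES = (
    ("Scheduled Task/Job: locker re-run every 15 minutes", rule_persistence_15min),
    ("Inhibit System Recovery: shadow copy deletion", rule_inhibit_recovery),
    ("Impair Defenses: backup/database/security process kill", rule_impair_defenses),
)

def hunt(log_text: str):
    """Return ([(line_no, host, rule_name), ...], {host: distinct_ping_targets}) for the log."""
    hits = []
    ping_targets = defaultdict(set)
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparseable line: skipped rather than guessed at
        host, cmd = m.group("host"), m.group("cmd")
        hits.extend((n, host, name) for name, rule in RULES if rule(cmd))
        # Remote System Discovery: many single pings from one host is the ICMP sweep pattern.
        ping = re.match(r"ping(\.exe)?\s.*?(\d+\.\d+\.\d+\.\d+)", cmd.lower())
        if ping:
            ping_targets[host].add(ping.group(2))
    sweeps = {h: len(t) for h, t in ping_targets.items() if len(t) >= PING_SWEEP_THRESHOLD}
    return hits, sweeps

if __name__ == "__main__":
    found, sweeps = hunt(SAMPLE_LOG)
    for n, host, name in found:
        print(f"line {n} on {host}: {name}")
    for host, count in sweeps.items():
        print(f"{host}: ICMP sweep across {count} hosts")
```

The benign WS07 lines (a daily backup task and a single ping) produce no hits, which is the false-positive check a rule like this needs before it goes into a SIEM.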

A critical analytical point emerges when comparing the TTPs of Genesis and its MedusaLocker parent. A 2023 report on MedusaLocker noted that, “Although MedusaLocker threatens… there is no evidence of data exfiltration”. This creates a direct contradiction with the modus operandi of Genesis, which is defined by its mass data exfiltration (2.2 TB claimed, 200-400 GB confirmed per victim).

This contradiction strongly suggests that the Genesis operators are not standard, “out-of-the-box” MedusaLocker affiliates. The Genesis group has evolved the attack chain. They have bolted on their own custom TTPs—likely using common data exfiltration tools and techniques—on top of the base MedusaLocker encryption payload. Genesis has modernized its parent’s attack, adding the double-extortion-and-leak-site model that was absent in “classic” MedusaLocker. This makes Genesis a more dangerous, evolved, and modern variant of its parent family.

Indicators of Compromise (IOCs)

This section is provided for Security Operations Center (SOC) teams and threat hunters. It is critical to use only the vetted IOCs for the Genesis (Ransomware) group and its parent, MedusaLocker. All IOCs from the similarly named (but unrelated) Genesis (Market) must be discarded to prevent false negatives.

The lack of public, unique IOCs for the Genesis ransomware itself is a significant finding. A comprehensive review of security vendor reporting reveals no file hashes, C2 IPs, or specific file extensions attributable to the Genesis (Ransomware) payload. The only definitively vetted IOC is its TOR leak site.

This lack of data implies that, as of November 2025, security vendors have not yet captured and fully analyzed a live sample of the Genesis payload. This makes defense extremely difficult for any organization relying solely on signature-based detection. It forces defenders to shift from reactive, signature-based blocking to proactive, behavior-based hunting (using the TTPs in Part 5) and preventative mitigation (Part 7).

Genesis (Ransomware) IOCs

  • Network (Data Leak Site):
    • http://genesis6ixpb5mcy4kudybtw5op2wqlrkocfogbnenz3c647ibqixiad.onion

Inferred MedusaLocker IOCs

  • File Extensions (Note: Genesis may use its own custom extension):
    • .encrypted
    • .bomber
    • .boroff
    • .breakingbad
    • .locker16
    • .newlock
    • .nlocker
    • .skynet

The following IOCs are associated with the defunct (Seized April 2023) Genesis Market and are NOT related to the active Genesis (Ransomware) group. Hunting for these will provide a false sense of security and fail to detect the active threat.

  • Malware Names:
    • DanaBot.b trojan
    • JS/CookieGenesis.a / JS/CookieGenesis.b
  • File Hashes (SHA256):
    • FB67F006C56AB5F511BE9A7B14787396FC17F587188E7DA05DFDEC4EBF28F924 (setup.exe)
    • E4F5EE78CF7F8147AB5D5286F4AF31DC94CFCED6913F3F5F5DAD8D87A8CBCA7C (DanaBot svchost.exe)
  • Network (C2 Domains):
    • last-blink[.]com
    • root-head[.]com
    • exilepolsiy[.]sbs
  • Network (IP Address):
    • 104.21.13[.]217