New Threat Actor: Genesis

A new, highly aggressive, and financially motivated organized crime group, “Genesis,” has emerged in the cyber threat landscape, executing a campaign of rapid, high-impact data breaches. First identified in September 2025, the group has distinguished itself through a focused, multi-sectoral attack strategy targeting U.S. organizations and a modus operandi centered on double extortion.

Key Findings

All available intelligence indicates that Genesis operates as a Ransomware-as-a-Service (RaaS) affiliate. The group is not a standalone developer but rather a new variant or affiliate of the established MedusaLocker ransomware family. This affiliation provides Genesis with sophisticated and field-tested malware, allowing the group to focus its efforts entirely on intrusion, data exfiltration, and extortion.

Threat Profile

  • Motive: Organized Crime (Financially Motivated).
  • Model: Double Extortion. Genesis combines crippling data encryption with data theft, threatening to publicly release exfiltrated data to pressure victims into payment.
  • Targets: Exclusively U.S.-based organizations.
  • Sectors: A diverse, data-rich target list, including critical infrastructure sectors such as Health Care, Financials, Energy (Oil & Gas), and Manufacturing.

Genesis’s debut was audacious, marked by the simultaneous publication of nine data breach claims on its dark web leak site. Across these initial victims, the group claims to have exfiltrated a total of 2.2 terabytes (TB) of sensitive data. Confirmed breaches include the theft of patient medical records, Social Security numbers (SSNs), driver’s license numbers, and corporate financial and HR data.

Due to the confirmed affiliation, all defensive and threat-hunting activities must be oriented against the known Tactics, Techniques, and Procedures (TTPs) of the MedusaLocker ransomware family. Priority must be given to securing the primary initial access vector: vulnerable Remote Desktop Protocol (RDP) services. Furthermore, organizations must ensure the implementation of robust, immutable, and offline backups, as this remains the most effective mitigation against ransomware impact.

The rapid, multi-victim debut of Genesis is a strong indicator of its RaaS-affiliate nature. A threat actor developing a new ransomware platform from the ground up would typically exhibit a slower, more iterative emergence while they build and test their encryptor, command-and-control (C2) infrastructure, and leak site. In contrast, Genesis appeared “fully formed”. By launching with a list of nine victims across hardened sectors and a massive 2.2 TB data claim, the group demonstrates pre-built, “out-of-the-box” capability. This strongly implies they are customers of the established MedusaLocker RaaS platform, which provides the core malware and infrastructure. This relationship allows the Genesis affiliate to bypass the development phase and focus exclusively on gaining access and exfiltrating data, maximizing their operational tempo.

Furthermore, the classification of Genesis as a “Data Broker” by some security trackers is a more accurate descriptor of its threat than “ransomware group”. An analysis of its modus operandi and the case studies of its victims reveals a clear emphasis on data exfiltration first. The ransomware, or encryption phase, is merely the final tool used to apply pressure. The primary threat posed by Genesis is the theft, sale, and public exposure of sensitive data, which invites severe reputational damage, regulatory fines, and loss of competitive advantage. This “data-broker” model means that even victims who can successfully restore from backups are not “safe”; the extortion will proceed regardless, as the leverage has already been secured.

Profile of a New Ransomware Operator

Emergence

The Genesis threat actor was first identified in September 2025. The group’s public-facing operations began in October 2025 with the launch of a new data leak site on the dark web, which was immediately populated with its first set of victim claims.

Modus Operandi

The group’s operational model follows a clear, four-stage attack chain characteristic of modern double-extortion RaaS:

  1. Infiltration: The actors gain initial access to a target network. Based on the TTPs of its parent family, MedusaLocker, this is achieved primarily through the exploitation of poorly-secured Remote Desktop Protocol (RDP) services.
  2. Exfiltration: Once inside, the group conducts discovery and exfiltrates significant volumes of sensitive, high-value data. This is the primary objective.
  3. Impact: After the data has been stolen, the actors deploy the ransomware payload to encrypt the victim’s systems, causing operational downtime.
  4. Extortion: Genesis employs double-extortion tactics. The victim is now pressured from two sides: they must pay a ransom to receive a decryption key and restore operations, and they must pay to prevent the public release of their stolen data.
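Because the Infiltration stage above rests on poorly secured RDP, the detection a defender most wants is "many failed RDP logons from one source, then a success". The following is an added example, not code from the report: it runs that check over constructed, simplified Windows Security log lines. The event IDs (4625 failed logon, 4624 successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are real Windows values; the one-line log format, the source addresses, and the THRESHOLD and WINDOW values are assumptions chosen for the example.

```python
# Added example (not from the report): flag a source IP that fails >= THRESHOLD
# RDP logons inside WINDOW and then succeeds. Uses Windows Security event IDs
# 4625 (failed logon) / 4624 (successful logon) with LogonType 10
# (RemoteInteractive, i.e. RDP). Log format below is a constructed simplification.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                    # failures from one source before we alert
WINDOW = timedelta(minutes=10)   # failures older than this are ignored

# Constructed sample lines: "<timestamp> <event_id> <logon_type> <user> <source_ip>"
SAMPLE_LOG = """\
2025-10-20T02:14:01 4625 10 administrator 203.0.113.45
2025-10-20T02:14:03 4625 10 admin 203.0.113.45
2025-10-20T02:14:05 4625 10 backup 203.0.113.45
2025-10-20T02:14:08 4625 10 jsmith 203.0.113.45
2025-10-20T02:14:10 4625 10 svc_sql 203.0.113.45
2025-10-20T02:15:40 4624 10 svc_sql 203.0.113.45
2025-10-20T08:30:00 4625 10 jsmith 192.0.2.10
2025-10-20T08:30:20 4624 10 jsmith 192.0.2.10
2025-10-20T09:00:00 4624 2 jsmith 192.0.2.10
"""


def parse_line(line):
    ts, event_id, logon_type, user, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src


def find_rdp_bruteforce_success(log_text):
    """Return {src_ip: (failures_in_window, user)} for each source that
    crossed THRESHOLD failed RDP logons and then logged in successfully."""
    failures = defaultdict(list)   # src_ip -> timestamps of failed RDP logons
    hits = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event_id, logon_type, user, src = parse_line(raw)
        if logon_type != 10:       # only RemoteInteractive (RDP) logons matter
            continue
        if event_id == 4625:
            failures[src].append(ts)
        elif event_id == 4624:
            recent = [t for t in failures[src] if ts - t <= WINDOW]
            if len(recent) >= THRESHOLD and src not in hits:
                hits[src] = (len(recent), user)
    return hits
```

On the sample, only 203.0.113.45 trips the rule (five failures, then a success as svc_sql); the single failure from 192.0.2.10 and the console logon (type 2) are ignored.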

Operational Infrastructure

The central hub for Genesis’s extortion operations is its TOR data leak site. This site serves as its public-facing brand, its negotiation portal, and its “shaming” blog where victim data is exposed.

  • Onion Address: http://genesis6ixpb5mcy4kudybtw5op2wqlrkocfogbnenz3c647ibqixiad.onion

This infrastructure is actively used to manage its extortion process. In its posts against victims like Austin Capital Trust, the group states, “The full dump… will be made public unless Austin Capital Trust initiates negotiations”. Similarly, its threat to the law firm Ronemus & Vilensky demands that “a company representative contacts us via the channels provided”.

The language used in these threats points to a structured, business-like criminal operation. This is not the chaotic work of a lone actor. The demands for “negotiation” and the use of tactics like “Extortion Price Increases” are all hallmarks of a mature RaaS operation. The “price increase” tactic, in particular, is a standard feature of RaaS platforms, designed to create urgency and penalize victims for indecision. This structured, business-like approach further cements the analysis that Genesis is a franchisee leveraging the established processes of a larger RaaS backend, identified as MedusaLocker.

Victim and Impact Analysis

Targeting Scope

The targeting strategy for the Genesis group is highly specific and, to date, exclusive. Analysis of all known victims confirms that 100% (12 out of 12) are based in the United States.

Sectoral Analysis

Genesis targets a diverse range of high-value, data-rich sectors. The group understands that organizations in these industries have a low tolerance for downtime and a high sensitivity to data breaches, making them more likely to pay a ransom. Targeted sectors include:

  • Healthcare: (e.g., River City Eye, Claimlinx)
  • Financial Services: (e.g., Advantage CDC, Austin Capital Trust)
  • Legal Services: (e.g., Kipp & Christian, Roth & Scholl, Ronemus & Vilensky)
  • Manufacturing: (e.g., Heimbrock, Dependable Plastic)
  • Technology: (e.g., I-Tek Medical Technologies)
  • Energy / Oil & Gas: (e.g., Southern Specialty and Supply)
  • Consumer Services / Retail: (e.g., Healthy Living Market and Café)

Victim Roster

The following table provides a comprehensive list of known organizations claimed by the Genesis ransomware group on its data leak site as of October 28, 2025.

Table 1: Genesis Victim Roster

Victim Name                    | Sector             | Discovery Date | Estimated Attack Date | Description
-------------------------------|--------------------|----------------|-----------------------|---------------------------------------
Heimbrock                      | Manufacturing      | 2025-10-28     | 2025-10-27            | National refractory contractor.
Advantage CDC                  | Financial Services | 2025-10-28     | 2024-08-20            | Long-term loan provider.
Kipp & Christian               | Legal Services     | 2025-10-28     | 2025-10-26            | Law firm in Salt Lake City.
Southern Specialty and Supply  | Energy (Oil & Gas) | 2025-10-21     | 2024-05-07            | Support for offshore/onshore drilling.
Roth & Scholl                  | Legal Services     | 2025-10-21     | 2025-09-09            | Commercial litigation/real estate law.
River City Eye                 | Healthcare         | 2025-10-21     | 2025-09-25            | Optometry clinic.
Austin Capital Trust           | Financial Services | 2025-10-21     | 2025-09-04            | Trust company.
Healthy Living Market and Café | Consumer Services  | 2025-10-21     | 2025-08-31            | Organic marketplace.
Claimlinx                      | Healthcare         | 2025-10-21     | 2025-08-15            | Health insurance benefit provider.
Ronemus & Vilensky             | Legal Services     | 2025-10-21     | 2025-09-19            | New York-based law firm.
Dependable Plastic             | Manufacturing      | 2025-10-21     | 2025-10-13            | Janitorial supplies company.
I-Tek Medical Technologies     | Technology         | 2025-10-21     | 2025-09-09            | Contract design/manufacturing.

Case Studies

The impact of these attacks is not theoretical. At least two of the victims listed by Genesis have confirmed data breaches, validating the group’s claims.

  • River City Eye Care (Healthcare): The organization confirmed it was the victim of a ransomware attack. Genesis claimed the attack on its leak site on October 21, 2025, alleging the exfiltration of 200 GB of data. This data was claimed to include “patient medical records, personal information, and data from company management systems”. The company’s own disclosure confirmed that the breach compromised highly sensitive PII, including names, Social Security numbers, and driver’s license numbers for some patients.
  • Healthy Living Market & Café (Retail): This organic grocery chain also report