Securotrop is a ransomware threat actor and ransomware-as-a-service operation that emerged publicly in 2025 and is widely described as a splinter or affiliate operating within the Qilin ecosystem. The group has maintained its own leak site while reportedly leveraging Qilin-associated infrastructure, code, or network relationships. Securotrop is associated with double-extortion operations, combining data theft with extortion pressure, and appears to place particular emphasis on exfiltrated data and public leak-site shaming. Victim reporting and public claims indicate that Securotrop has targeted organizations primarily in the United States across multiple sectors, including retail, manufacturing, construction, transportation and logistics, energy, media, and technology. Publicly attributed victims include organizations such as Mister Guns and Structural Component Systems, alongside numerous additional claimed victims across 2025 and 2026. Reporting also places Securotrop among newer ransomware brands that appeared during 2024, with continued activity into 2025 and 2026. The actor is known by the aliases Securotrop and securotrop_ransomware. Available information supports characterizing Securotrop as a financially motivated cybercriminal group rather than a state-sponsored intrusion set. High-confidence reporting links it to the broader Qilin ransomware network, but publicly available information does not establish a confirmed national affiliation, leadership structure, or distinct sub-groups beyond its apparent relationship as a splinter or affiliate of Qilin.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack resulting in a data breach against ProDirectional Drilling.
Conducting a ransomware attack resulting in a data breach against Charisma Media.
Conducting a ransomware attack and associated data breach against Kriete Truck Centers.
RaaS ransomware group active since at least August 2025, publishing victims on its own leak site, conducting double-extortion attacks, and appearing to emphasize data theft and review of exfiltrated data.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.