MS13-089 is a cybercriminal threat actor group that claimed responsibility for the November 2025 breach of Virginia Urology, a major medical practice in Richmond, Virginia. The group claims to have exfiltrated 927 GB of sensitive data, including protected health information (PHI) such as patient names, dates of birth, account numbers, insurance details, and medical histories. MS13-089 published a file tree and sample data to demonstrate the breach, with independent verification confirming the presence of PHI in the leaked samples. The group claims to be composed of former members of the Conti, Royal, and LockBit ransomware groups, but explicitly states they are not affiliated with the Mara Salvatrucha (MS-13) gang. Notably, MS13-089 stated they did not encrypt the victim's systems to avoid harming patients, focusing solely on data theft and extortion. Their tactics include exfiltration and public exposure of sensitive data to pressure victims. There is no evidence of nation-state affiliation; the group appears to be financially motivated and targets healthcare organizations, leveraging their experience from previous ransomware operations.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
MS13-089 is a newly emerged threat actor group targeting healthcare organizations, exfiltrating large volumes of sensitive data without encrypting systems.
MS13-089 is a cybercriminal group claiming to be composed of high-level specialists from Conti, Royal, and LockBit. They exfiltrated 927 GB of sensitive data from Virginia Urology, including protected health information, but stated they did not encrypt the data to avoid harming patients. They operate a dark web leak site and use data exfiltration and extortion tactics.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.