Mallory

Insomnia

Also known as: Insomnia

Insomnia is a newly observed cybercriminal data-theft and extortion group that surfaced on the dark web by at least October 8, 2025, and was described as newly prominent in February 2026. Reporting in the provided content consistently characterizes it as a leak-site/data-theft operation rather than a confirmed ransomware-encryption actor. KELA stated it had not identified a negotiation portal or ransomware variant linked to Insomnia and was monitoring it primarily as a data leak site. Rapid7 assessed that Insomnia is optimized for stealthy data theft, speed, and low visibility, gaining extortion leverage by exposing sensitive data rather than through disruptive encryption.

The group disproportionately targets healthcare-related organizations. The content states Insomnia had 18 alleged victims on its leak site, with more than half tied to healthcare and 9 confirmed healthcare victims in one cited analysis. Most listed victims are U.S.-based healthcare providers or healthcare-adjacent organizations, with two exceptions in Brazil and Singapore. Named healthcare victims in the content include Valley Family Health Care (VFHC), Southern Illinois Dermatology, Advanced Healthcare Professionals, Carlyle Senior Care of Florence, Internal Medicine of Milford, Flint Hills Dialysis, Optimum Health Institute, Tri-Cities Gastroenterology, and Anatomic Clinical Laboratory Associates. The content also notes healthcare-adjacent victims, including two law firms handling medical malpractice cases and a manufacturer of surgical and medical gear.

Observed tradecraft in the provided reporting includes credential-based access, including use of infostealer-sourced credentials; exploitation of authentication-bypass vulnerabilities; and lateral movement through abuse of legitimate infrastructure, including Windows Server updates. The group uses TOX messaging for victim contact.

Analysts cited in the content also noted that Insomnia may function as a broker or platform for monetizing stolen data, although this is framed as an assessment rather than a confirmed operational model. The group's leak-site postings reportedly include sensitive personal and medical data. ISMG observed samples including patient information, driver's licenses, and tax forms, and stated the data was available for free download. In the VFHC case, Insomnia added the organization to its leak site on March 7 with proof-of-claims and claimed to have exfiltrated more than one million records containing Social Security numbers, dates of birth, Medicaid IDs, and private email addresses. DataBreaches reported that dumped VFHC data included internal documents, patient charts, insurance information, and other protected health information, with most PHI files reportedly lacking password protection or encryption. However, KELA stated it had not independently verified the authenticity of data posted by Insomnia, and some victim claims in the content were not independently confirmed.

The content notes a possible geographic pattern: Rapid7 stated Insomnia appears to avoid targeting most former Soviet Union countries, a pattern historically associated with Russian-speaking cybercrime actors operating under informal safe-harbor norms. The provided content is not sufficient to attribute Insomnia to a specific nation state. No sub-groups are identified in the content. Known alias in the provided content: insomnia.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Health Care Equipment & Services

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States

MITRE ATT&CK

Tradecraft

6 distinct techniques (9 technique entries across 7 of 15 tactics) observed across reporting, grouped by tactic. ×N gives the number of intelligence reports citing that technique.

  • TA0001 Initial Access (2 techniques): T1078 Valid Accounts (×2); T1190 Exploit Public-Facing Application
  • TA0003 Persistence (1 technique): T1078 Valid Accounts (×2)
  • TA0004 Privilege Escalation (1 technique): T1078 Valid Accounts (×2)
  • TA0005 Stealth (1 technique): T1078 Valid Accounts (×2)
  • TA0009 Collection (1 technique): T1213 Data from Information Repositories
  • TA0010 Exfiltration (2 techniques): T1041 Exfiltration Over C2 Channel; T1537 Transfer Data to Cloud Account
  • TA0040 Impact (1 technique): T1486 Data Encrypted for Impact (×2)
IOCS

Observables

2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. The IOC values are gated and are not shown on this page.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news.
