MoneyMessage is a ransomware threat group associated with data theft and extortion activity against organizations in multiple sectors. Reported victimology includes nonprofit and professional services organizations in North America, and incident reporting has linked the group to ransomware intrusions as well as pre-ransomware activity that was disrupted before encryption occurred. Security reporting has assessed with moderate confidence that MoneyMessage was involved in at least some contained intrusions where defenders interrupted the attack chain prior to full ransomware deployment. The group is commonly referred to as MoneyMessage, including the styling Money Message in some reporting. Its operations are consistent with financially motivated ransomware actors that conduct network intrusion, data theft, and extortion-oriented attacks. Available reporting in this context does not provide high-confidence detail on a state affiliation, and MoneyMessage should be treated as a criminal ransomware actor rather than a confirmed nation-state operation. Observed activity attributed to MoneyMessage indicates targeting of organizations in the United States and Canada. The group has been associated with attacks framed as data breaches, reflecting the broader ransomware ecosystem’s emphasis on exfiltration and extortion in addition to, or in some cases instead of, encryption. Reporting also places MoneyMessage alongside other ransomware actors in pre-ransomware incidents, suggesting use of intrusion workflows that may be detected during reconnaissance, access establishment, lateral movement, or staging phases before final payload execution. Publicly available information in this context is limited, and no additional high-confidence sub-groups, exclusive malware variants, or distinctive tradecraft details are established here beyond its identification as a ransomware and extortion actor.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack against Envision Unlimited.
Conducting a ransomware attack resulting in a data breach against X-Copper Professional.
Assessed involvement in pre-ransomware intrusions during Q1 2026; no encryption occurred because incidents were contained early.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.