Blackwater is a ransomware and data-extortion threat group that emerged publicly in March 2026. The group operates a leak site and has claimed intrusions against organizations in multiple countries, including healthcare targets in the United States and Turkey as well as at least one organization in China. Its observed operating model is consistent with double extortion: Blackwater publicly alleges theft of victim data, threatens publication on a leak site, and demands payment in exchange for withholding release of the stolen information; reporting also associates the group with ransomware encryption and offers to restore affected systems in addition to deleting exfiltrated data. Known publicly reported Blackwater claims include an April 2026 incident affecting Minidoka Memorial Hospital in Idaho, where the victim disclosed operational disruption involving internal systems and medical imaging services, and a claimed attack against Medical Park Hospitals Group in Turkey that was reportedly denied by the victim. Another reported Blackwater-attributed incident involved an organization based in China. Available reporting indicates Blackwater has made several public victim claims since first surfacing, but some of those claims have not been independently verified. Tradecraft details remain limited. Publicly observed behavior centers on naming victims on a dedicated leak site, asserting large-scale data theft, setting deadlines for publication, and using reputational and regulatory pressure to coerce payment. The intrusion vectors, tooling, malware lineage, and any stable sub-groups are not currently available from the reported information. Blackwater may be a newly formed group or a rebrand, but that assessment is not yet corroborated. No additional aliases beyond Blackwater are currently available from the reported information.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware attack against txdkj.com, with a threat to release confidential data soon.
A newly emerged ransomware group that claims attacks via a data leak site, steals data, encrypts or locks target systems, and demands ransom for data deletion and system restoration. It claimed attacks against Minidoka Memorial Hospital in the US and Medical Park Hospitals Group in Turkey.
A newly observed extortion-focused group or possible rebrand that listed Minidoka Memorial Hospital on its leak site and claimed to have stolen data, threatening to leak it. The content does not confirm encryption activity.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.