Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomware

DataCarry

DATACARRY is a ransomware/extortion group first reported in 2025. Multiple sources in the provided content describe it as an emerging ransomware operation and, more specifically, as a data-theft and leak-based extortion actor that in some cases did not deploy a ransomware locker. The group launched a leak site within weeks of several other new extortion brands and was reported as claiming victims across eight countries. One cited report states that victim companies in eight countries were disclosed and that 65,000 records of Korean individuals were leaked on a cybercrime forum. DATACARRY was also mentioned among ransomware variants observed targeting European financial institutions, alongside Akira and BlackLock. Additional reporting in the content links the group to a Volvo data breach associated with a Miljödata ransomware incident. Across the supplied material, the highest-confidence characterization is that DATACARRY is a newly emerged 2025 ransomware/extortion brand focused on data exfiltration and public leak pressure, with observed activity affecting organizations in multiple countries and mentions of targeting in the financial sector.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique
T1486Data Encrypted for ImpactEvidence1

Attackers increasingly combined encryption with data exfiltration, threatening public disclosure to apply additional pressure.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
help net securityNews
Apr 22, 2026
Shadow AI, deepfakes, and supply chain compromise are rewriting the financial sector threat playbook - Help Net Security

Ransomware variant observed targeting European financial institutions in 2025.

Read more
cyberthroneNews
Dec 31, 2025
New Ransomware Emerged in 2025 – Threat Intel Report

A ransomware family from 2025, exploiting cloud and SaaS misconfiguration, sometimes opting for data exposure over encryption.

Read more
cyble comNews
Dec 30, 2025
Top 10 Threat Actor Trends from 2025 — and What They Signal for 2026 

Extortion group that focuses on data theft and public leaks as a means of extortion, rather than encrypting victim data.

Read more
dragos blogNews
Dec 9, 2025
Dragos Industrial Ransomware Analysis: Q3 2025 | Dragos

Minimal-activity ransomware brand referenced as part of the long-tail of operators.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.