IMN Crew

IMN Crew is a newly identified ransomware group observed in 2025 as part of a highly fragmented ransomware ecosystem. Reporting cited it among new ransomware groups impacting industrial sectors, and also noted that IMN Crew launched a leak site within weeks of several other emerging groups, including Silent, Gunra, JGroup, Dire Wolf, DATACARRY, and SatanLock. The available content does not provide family-specific technical details unique to IMN Crew, but places it within the broader 2025 pattern of short-lived ransomware and extortion operations that commonly shared infrastructure, tooling, and access brokers rather than relying on distinctive malware. In that ecosystem, operations were typically run as Ransomware-as-a-Service, with initial access most often obtained through identity compromise such as stolen VPN credentials, MFA fatigue, session token hijacking, and OAuth abuse; secondary access vectors included exploitation of edge infrastructure like VPN appliances and firewalls, phishing and SaaS abuse such as HTML smuggling and fake login portals, and cloud/SaaS misconfigurations including over-permissioned IAM roles and exposed API tokens. The broader reporting states that encryption was often optional, with data theft and leak-site extortion frequently replacing or preceding encryption, and that these groups commonly targeted small and mid-sized enterprises, cloud-first environments with weak identity governance, and organizations in industrial sectors. No IMN Crew-specific indicators of compromise, malware capabilities, victimology, or actor attribution are provided in the source content.