SETTRA Ransomware: Emerging Double-Extortion Threat



SETTRA is a ransomware and data extortion group first publicly observed in June 2026. Within days of its emergence, the group claimed multiple victims across several sectors and countries, operating a confirmed public extortion portal with active victim listings.
The group emphasizes data theft and public exposure as its primary pressure mechanisms, consistent with the double-extortion model now common across financially motivated threat groups.
Contact professional incident response services if you suspect your systems are compromised.
What is SETTRA ransomware?
SETTRA is a human-operated extortion group that emerged in June 2026, with all known victim disclosures occurring between June 26 and June 28, 2026. Researchers currently describe SETTRA as a "data broker," reflecting a pattern in which data theft and public shaming serve as the primary extortion mechanisms. Encryption may play a secondary role, but has not been confirmed through any public malware analysis.
No confirmed attribution links SETTRA to a previously known ransomware family or threat group. SETTRA may represent a newly launched independent operation or a rebranded affiliate cluster.
Known victims and targeting pattern
Ransomware-tracking platforms disclose 11 victims associated with SETTRA. Estimated attack dates cluster in early June 2026, suggesting an average gap of approximately twenty days between initial compromise and public disclosure, a staging window that points to deliberate dwell time and intelligence gathering before extortion pressure is applied.
Claimed victims include organizations from Taiwan, the United States, Singapore, Canada, South Korea, Portugal, Germany, and the United Kingdom. Observed sectors across claimed victims include e-commerce, retail, consumer goods, manufacturing, healthcare-adjacent services, security services, and agriculture.
The diversity of targeted sectors suggests a financially opportunistic approach: targeting organizations with monetizable customer or operational data rather than selecting victims by industry.
Disclaimer: Victim listings on ransomware leak sites represent unverified claims made by the threat actor. They should be treated as unconfirmed unless corroborated by company disclosures, SEC filings, regulatory notifications, or law enforcement confirmation.
Attack lifecycle
SETTRA's attack chain is partially reconstructed from public reporting and statistical analysis of victim domains.
Phase 1: Initial access
The strongest evidence points to compromised credentials derived from infostealer infections. Public reporting indicates that 31.8% of SETTRA's known victim domains were associated with infostealer logs, a proportion that elevates confidence in this hypothesis to medium-high. There is also evidence of valid account abuse and internal escalation from that foothold.
Phase 2: Data exfiltration
Data exfiltration is SETTRA's best-supported observed behavior. Claimed stolen data across victims includes credentials, employee records, customer PII, internal documentation, financial records, and audit materials.
Across multiple victims, the breadth and sensitivity of the information claimed to have been stolen indicate that data exfiltration is a deliberate and organized phase of the attack.
Phase 3: Encryption and extortion deployment
Encryption mechanics, including any appended file extensions, ransom note filename, and algorithm used, have not yet been documented. No publicly available malware sample has been analyzed. It remains unclear whether SETTRA deploys encryption as a primary impact mechanism or as secondary leverage after data theft.
Extortion model and leak site
SETTRA maintains a Tor-hosted leak site alongside a Tox contact channel. The site runs on NGINX infrastructure with four separate onion file servers for data storage.
A notable behavioral characteristic is SETTRA's extortion post format: rather than publishing minimal metadata alongside a data link, the group publishes long-form narratives constructed as investigative exposés about each victim. This approach, designed to maximize reputational damage, is distinctive from that of most contemporary ransomware operators.
Payment method and ransom demand amounts are not publicly disclosed.
DO NOT PAY THE RANSOM. Decisions about ransom payment carry legal, operational, and financial consequences that should be assessed with qualified legal counsel and an incident response team before any response action is taken.
Indicators of compromise (IOCs)
No reliable technical indicators of compromise (IOCs) for SETTRA have been published as of early July 2026. No sample hashes, C2 IP addresses, campaign domains, mutexes, or host-based registry artifacts are available from public sources.
The network indicators below reflect observations from tracker data. Organizations investigating potential SETTRA activity should contact Proven Data's ransomware response team for current guidance.
- Tor leak site: settra5ldqwgtw5q7z5awbsvlksakyfojuc5slgrz5lvapune4fantqd[.]onion
- Tox contact: D288571294F08ADDFE46DF631194745143BE8B40F9F846379040DC40EB39BC2E8CE056B66927
MITRE ATT&CK mapping
The following mappings reflect current public intelligence on SETTRA's observed and probable techniques.
Techniques marked as probable are consistent with the actor's known behavior pattern but have not been verified through malware analysis or corroborated forensic reporting.
| Tactic | Technique ID | Technique | Confidence |
|---|---|---|---|
| Initial Access | T1078 | Valid Accounts | Medium-High |
| Initial Access | T1566 | Phishing | Low |
| Credential Access | T1555 | Credentials from Password Stores | Medium |
| Collection | T1119 | Automated Collection | Low |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol | Low |
| Impact | T1486 | Data Encrypted for Impact | Medium |
Security checklist
The controls below are tied directly to SETTRA's known and probable attack patterns. Organizations in sectors represented among current victims should treat these as priority actions, particularly those with externally accessible authentication infrastructure or recent credential exposure events.
Audit exposed credentials
Review whether employee or service account credentials appear in infostealer logs or breach databases. Services such as Have I Been Pwned and commercial threat intelligence platforms surface this exposure.
Enforce phishing-resistant MFA on all remote access points
VPN gateways, RDP endpoints, and cloud authentication portals should require MFA that cannot be bypassed by credential replay. Valid account abuse is the best-supported initial access vector.
Monitor for the pre-encryption behavioral cluster
Magdy Abdelaziz, Head of DFIR at Proven Data, identifies the sequence to watch: "Security tools being disabled, shadow copies being deleted, backup consoles being accessed, remote execution spreading across systems, and payloads staged on admin shares. When those events cluster within minutes, we treat it as ransomware deployment in progress, not isolated suspicious activity." Unusual archive creation (RAR, 7-Zip) and sustained high-volume outbound transfers are earlier-stage signals that may surface during SETTRA's approximately 20-day pre-disclosure window.
Protect and test backup integrity
Ensure backups are stored in offline or immutable locations inaccessible from the primary network. An extended pre-disclosure staging window means backups created during an active intrusion may themselves be compromised.
Implement network segmentation
Restrict access between general network segments and high-value targets, including domain controllers, backup systems, and financial data infrastructure.
Monitor privileged account activity
Unusual privilege escalation, service account behavior, or new account creation (particularly following a known credential exposure event) should trigger immediate investigation.
Prepare a response plan for data extortion without encryption
SETTRA may apply negotiation pressure through data theft alone. Reviewing ransomware incident response steps and ensuring your plan covers extortion scenarios where systems remain operationally intact is a distinct preparation requirement from standard ransomware readiness.
Can files be recovered?
No public decryptor for SETTRA is currently available. Because SETTRA's encryption implementation has not been publicly analyzed, no assessment of cryptographic weaknesses or key recovery potential can be made from open sources at this time.
Recovery depends on the availability of intact, uncompromised backups and whether encryption was successfully completed across affected systems. In cases where encryption was interrupted, partial file salvage may be possible through forensic techniques.
If your organization has been affected, contact Proven Data's ransomware breach response team for an immediate recovery assessment.
DISCLAIMER: This article reflects public intelligence available as of early July 2026. Forensic findings on SETTRA's technical profile will be published separately.


Written by
Magdy Abdelaziz is a dedicated cybersecurity professional with over 6 years of extensive experience in digital forensics, incident response, reverse engineering, and security operations. He currently serves as Head of Digital Forensics and Incident Response (DFIR) at Proven Data LLC, leading a multinational team to develop and execute incident response strategies, align security initiatives with business objectives, and manage global-scale incidents.






