Skip to content
Ransomware group

APT73

APT73 is a ransomware threat group that emerged in mid-April 2024 and has been described as operating a ransomware-as-a-service model.

Profile source: Mallory opens in a new tab

APT73

Family profile

APT73 is a ransomware threat group that emerged in mid-April 2024 and has been described as operating a ransomware-as-a-service model. Despite its name, it is not established as a state-sponsored advanced persistent threat; rather, it appears to be a financially motivated extortion actor that self-branded using APT terminology. Reporting indicates that publicly available knowledge about the group has been limited and in part derived from information associated with LockBit.

APT73 has been linked to attacks across a broad range of sectors, including business services, technology, financial services, public sector, healthcare, manufacturing, transportation and logistics, hospitality, and critical or industrial infrastructure. Victim reporting spans multiple regions, with activity observed against organizations in North America, Europe, Asia, the Middle East, Africa, and South America. The group has been specifically described as targeting industrial and critical infrastructure sectors, consistent with broader ransomware trends affecting operationally significant organizations.

The group is associated with double-extortion style ransomware activity in which victim organizations are allegedly compromised and data theft claims are used to pressure payment. Reported incidents attributed to APT73 include compromises of government, aviation, retail, manufacturing, and technology-related entities. Some reporting also associates a substantial portion of its victim set with prior infostealer exposure, suggesting that stolen credentials or access obtained through commodity credential theft may play a role in victimization, although specific intrusion chains are not firmly established.

APT73 is also associated with leak-site or negotiation infrastructure used to publicize victims and extortion claims. Known aliases include apt73 and group_apt73. No high-confidence evidence in the available information supports attribution to a particular nation-state or intelligence service. The most defensible characterization is that APT73 is an emerging, globally active ransomware/extortion operation with opportunistic targeting and an emphasis on organizations whose disruption or data exposure can increase leverage during negotiations.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Recent claims

All published claims ↗

MITRE ATT&CK

APT73 in ATT&CK

5 distinct techniques

Reporting

Research mentioning APT73

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.