BravoX
BravoX is an emerging ransomware-as-a-service (RaaS) operation publicly observed since January 2026.
Profile source: Mallory opens in a new tabBravoX
Family profile
BravoX is an emerging ransomware-as-a-service (RaaS) operation publicly observed since January 2026. The group is associated with double-extortion activity, combining data theft with file encryption and threats to publish stolen information through a leak platform if victims refuse to pay. Reported victims span multiple sectors and geographies, including healthcare, financial services, technology, food and beverage distribution, and diversified industrial businesses in the United States, Brazil, Canada, and Switzerland.
Observed BravoX tradecraft includes initial access through externally exposed remote access infrastructure with weak authentication, followed by internal reconnaissance, credential theft, lateral movement, persistence, defense evasion, data exfiltration, and ransomware deployment. In documented intrusions, the actors performed network and host discovery, gathered system and software inventory information, searched for credentials and VPN-related data, and dumped LSASS memory to obtain privileged credentials. Lateral movement relied heavily on Remote Desktop Protocol, including movement to domain controllers and other high-value systems.
BravoX has demonstrated unusual persistence mechanisms for ransomware operators. Reported activity includes scheduled tasks used to launch Tor-based remote access and an SSH-based SOCKS5 tunneling capability, enabling covert continued access into compromised environments. For defense evasion, the group has used an EDR-killing tool together with a vulnerable driver to disable or impair security products, including Microsoft Defender and Sophos protections. Data theft has been conducted with Rclone prior to encryption.
Encryption activity has targeted both virtualized and physical infrastructure, including virtual disk files and operating-system-level encryption on servers. BravoX operates a negotiation portal and leak site that support its extortion workflow. Its extortion process has been described as phased, progressing from private pressure to pre-release and then public release of stolen data. The group has also used aggressive coercive tactics beyond standard ransom negotiations, including mail bombing and direct outreach to employees via professional networking platforms.
Behavioral indicators have led some researchers to assess that BravoX likely operates from the former Soviet sphere. That assessment is partly based on the group’s reported prohibition against targeting organizations in CIS countries, a pattern commonly associated with Russian-speaking cybercriminal ecosystems. This attribution remains an assessment rather than a confirmed state linkage. No verified sub-groups are currently established. Known aliases are limited to BravoX and bravox.
Ransomware.live
Operational record
Ransomware.live