Skip to content
Ransomware group Cloud

CipherForce

CipherForce is a ransomware operation associated with the financially motivated threat group TeamPCP.

Profile source: Mallory opens in a new tab

CipherForce

Family profile

CipherForce is a ransomware operation associated with the financially motivated threat group TeamPCP. It emerged as TeamPCP’s proprietary ransomware track, distinct from the group’s separate cooperation with the Vect ransomware ecosystem, and has been used as a direct monetization channel for access and credentials harvested during TeamPCP’s broader cloud and software supply-chain intrusions. Reporting links CipherForce to TeamPCP’s wider criminal infrastructure and aliases, and indicates the operation maintained its own leak site and victim publication workflow.

CipherForce has been described as TeamPCP’s in-house ransomware brand, including tooling advertised as capable of encrypting major enterprise database and cloud storage solutions. The operation appears to have run in parallel with TeamPCP’s credential-theft and initial-access activity, allowing the group to convert stolen secrets and downstream enterprise access into extortion and ransomware deployments. Intelligence also indicates TeamPCP sought affiliates for CipherForce while simultaneously supporting a separate affiliate-oriented ransomware channel through Vect.

Victimology associated with TeamPCP-linked operations indicates interest in enterprise and cloud-centric environments across multiple sectors and geographies, including technology, financial services, retail, legal, insurance, education, government, and other large organizations. CipherForce has been publicly tied to named victims on its leak infrastructure, and has been discussed in connection with ransomware activity following TeamPCP’s compromises of trusted developer and security tooling. High-confidence reporting supports classifying CipherForce as a ransomware brand operated by TeamPCP for extortion and encryption-based attacks, but detailed technical specifics of the locker itself remain limited in the available information.

Capabilities

  • Extortion

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

2 named in public reporting
TeamPCP

Arctic Wolf Labs assessed the group may operate in part as an Initial Access Broker (IAB), selling harvested credentials to other threat actors including the CipherForce and Vect ransomware affiliates.

Vect

A note on CipherForce ransomware blog, March 2026

Exploited software

Vulnerabilities linked to CipherForce

1 CVEs

MITRE ATT&CK

CipherForce in ATT&CK

10 distinct techniques

Reporting

Research mentioning CipherForce

Jul 2
Sophos

Vect and TeamPCP partner for ransomware campaigns | SOPHOS

Prior to the Vect partnership, TeamPCP was running another ransomware operation under the CipherForce brand. CipherForce listed six victims on its leak site in February 2026 and rebranded as a TeamPCP leak site in May.

May 18
Handlers Diary Full

TeamPCP Supply Chain Campaign: Activity Through 2026-05-17

CipherForce remained inactive at roughly 84 days, with 6 victims unchanged.

Apr 17
Dataminr

Cyber Intel Brief: Vect, BreachForums, and TeamPCP Converge

TeamPCP have previously created and promoted ransomware brands such as Black Witch and CipherForce. TeamPCP’s advertised CipherForce ransomware-branded tooling was designed to encrypt all major enterprise database and cloud storage solutions.

Apr 15
Kelacyber

Is Your Next Vacation a Trap? Inside the...

A note on CipherForce ransomware blog, March 2026

Apr 13
The Hacker News

OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident

Evidence indicates that the threat actor has also launched a proprietary ransomware operation under the name CipherForce.

Apr 9
Socradar

Dark Web Profile: TeamPCP

The group operates under five confirmed aliases: PCPcat, the name of their first documented campaign; ShellForce, their data leak publication persona; DeadCatx3, a GitHub account hosting attacker tooling; CipherForce, their proprietary ransomware operation; and Persy_PCP, an earlier Telegram identity.

Apr 3
Handlers Diary Full

TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments

CipherForce ransomware: Listed on the CipherForce shame site with the original 14-15 day publication deadline.

Apr 1
Handlers Diary Full

TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows

Keywords: ownCloud ... ransomware ... Vect ... CipherForce ... CanisterWorm ...

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.