Skip to content
Ransomware group

Kazu

Kazu is a digital extortion threat actor and relative newcomer among cybercrime gangs that has been active since at least spring 2025.

Profile source: Mallory opens in a new tab

Kazu

Family profile

Kazu is a digital extortion threat actor and relative newcomer among cybercrime gangs that has been active since at least spring 2025. The actor is described as focusing on data-theft extortion rather than ransomware encryption, with activity accelerating in the June-July 2025 timeframe. Available reporting indicates Kazu has targeted healthcare, government, and military-related organizations, with victims largely in South America, Southeast Asia, and the Middle East; Doctor Alliance was described as the only listed U.S. victim and the incident was characterized as Kazu’s apparent first attack in North America. Known victims and claimed targets in the provided content include ManageMyHealth in New Zealand, Doctor Alliance in Texas, and the Argentine healthcare platforms Meducar and ConsultorioMovil, both owned by Grupo Cormos. Kazu has claimed thefts involving large volumes of sensitive data, especially medical records and PHI/PII, and has issued ransom demands including US$60,000, US$150,000, US$200,000, and US$500,000 in different incidents, threatening to leak or sell data if unpaid. The actor has used Telegram, a dark web leak site, and underground/clearnet forum posts to publicize claims, publish samples, and communicate extortion demands. In the Doctor Alliance case, Kazu claimed to have exploited an older unpatched vulnerability, later claimed a second intrusion using the same vulnerability, and asserted access via a high-privilege account; separate researcher commentary in the content assesses that Kazu appears to favor web portals and web-enabled services and likely exploits web applications or web hosting platforms to steal data directly. The content also notes no solid evidence that Kazu is a rebrand, splinter, or affiliate of another known extortion group. No aliases other than Kazu are provided in the content.

Ransomware.live

Operational record

View group record ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.