Skip to content
Ransomware group

MoneyMessage

Money Message is a ransomware and data-extortion threat actor active since at least 2023.

Profile source: Mallory opens in a new tab

MoneyMessage

Family profile

Money Message is a ransomware and data-extortion threat actor active since at least 2023. The group is publicly associated with double-extortion operations in which victim data is stolen and victims are pressured through leak-site postings and threats of staged publication. Reported victimology includes healthcare and pharmacy services, nonprofit organizations, and professional services firms, with publicly claimed incidents involving PharMerica, Envision Unlimited, and X-Copper Professional.

The actor is known primarily under the names Money Message, moneymessage, and money_message. Its operations have been tied to ransomware intrusion activity as well as pre-ransomware stages in which defenders contained the intrusion before encryption occurred. Cisco Talos assessed with moderate confidence that Money Message was involved in one of two pre-ransomware engagements observed in early 2026, indicating the group’s activity can include access, staging, and extortion preparation even when full ransomware deployment is not completed.

Money Message has demonstrated a strong emphasis on data theft and public coercion. In the widely reported PharMerica incident from March 2023, the group claimed to have exfiltrated a large volume of sensitive patient and health-related information and subsequently leaked samples while threatening broader publication. Public reporting on that case indicates the group used leak-site pressure and claimed negotiations had reached an impasse. This behavior is consistent with financially motivated ransomware actors that combine exfiltration, reputational pressure, and potential encryption or disruption claims to force payment.

Observed targeting suggests opportunistic victim selection across multiple sectors rather than a narrowly specialized vertical focus, although healthcare-related organizations have featured prominently in public reporting. The group’s tradecraft, as reflected in available reporting, aligns with common modern ransomware intrusion patterns: unauthorized access to enterprise environments, theft of sensitive data, extortion through public disclosure threats, and in some cases attempted or claimed infrastructure locking. High-confidence public information in this dataset does not establish a specific national-state sponsor or formal government affiliation for Money Message.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Recent claims

All published claims ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.