ms13@onionmail.org
MS13-089
MS13-089 is a cybercriminal threat actor group that claimed responsibility for the November 2025 breach of Virginia Urology, a major medical practice in Richmond, Virginia.
Profile source: Mallory opens in a new tabMS13-089
Family profile
MS13-089 is a cybercriminal threat actor group that claimed responsibility for the November 2025 breach of Virginia Urology, a major medical practice in Richmond, Virginia. The group claims to have exfiltrated 927 GB of sensitive data, including protected health information (PHI) such as patient names, dates of birth, account numbers, insurance details, and medical histories. MS13-089 published a file tree and sample data to demonstrate the breach, with independent verification confirming the presence of PHI in the leaked samples. The group claims to be composed of former members of the Conti, Royal, and LockBit ransomware groups, but explicitly states they are not affiliated with the Mara Salvatrucha (MS-13) gang. Notably, MS13-089 stated they did not encrypt the victim's systems to avoid harming patients, focusing solely on data theft and extortion. Their tactics include exfiltration and public exposure of sensitive data to pressure victims. There is no evidence of nation-state affiliation; the group appears to be financially motivated and targets healthcare organizations, leveraging their experience from previous ransomware operations.
Ransomware.live
Operational record
Ransomware.live