Skip to content
Ransomware group

Redact

Redact is a data extortion and ransomware brand that emerged in 2026 and is assessed as part of the post-BlackFile fragmentation of English-speaking extortion actors associated by multiple researchers with the broader Com-linked ecosystem.

Profile source: Mallory opens in a new tab

Redact

Family profile

Redact is a data extortion and ransomware brand that emerged in 2026 and is assessed as part of the post-BlackFile fragmentation of English-speaking extortion actors associated by multiple researchers with the broader Com-linked ecosystem. It has been cited alongside Pink as one of the brands that appeared shortly after BlackFile ceased operations, and some reporting treats Redact as a likely rebrand or successor operation rather than a wholly distinct actor. Attribution continuity remains unconfirmed, but the available reporting consistently places Redact in the same operational milieu as BlackFile and related extortion crews.

Redact has been publicly associated with attacks against U.S.-based enterprises, including organizations in healthcare and financial services. Its activity is described in the context of ransomware and data-breach-style extortion operations, indicating a focus on stealing organizational data and pressuring victims into payment through exposure or disruption.

Although detailed Redact-specific intrusion chains are limited in the available reporting, the group is repeatedly linked to a tradecraft pattern shared with adjacent extortion brands: social engineering-driven initial access, identity-centric compromise of enterprise cloud accounts, rapid data discovery and exfiltration from collaboration platforms, and extortion using stolen information. Reporting on successor and related brands in the same cluster describes the use of voice phishing, impersonation of internal personnel, credential theft or session capture, abuse of multi-factor authentication workflows, and theft of data from Microsoft 365 services such as SharePoint and OneDrive. Redact is therefore best understood as part of a fluid extortion ecosystem characterized by rebranding, overlapping operators, and continuity of tactics despite changes in public-facing names.

Known associated or related names in reporting include BlackFile and Pink. Redact has also been mentioned in discussions of possible overlap with newer extortion brands that inherited similar playbooks after BlackFile’s shutdown. High-confidence public information on formal sub-groups, leadership, or a unique malware family exclusively tied to Redact is currently not available.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Recent claims

All published claims ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.