Skip to content
Ransomware group

Tengu

Tengu Ransomware is a financially motivated ransomware-as-a-service (RaaS) operation first observed on 2025-10-09.

Profile source: Mallory opens in a new tab

Tengu

Family profile

Tengu Ransomware is a financially motivated ransomware-as-a-service (RaaS) operation first observed on 2025-10-09. It uses a double-extortion model, stealing data before encryption, and rebranded as Shisa Ransomware on 2026-03-10. In fewer than six months, it claimed approximately 50 victims across multiple continents. Early victimology included Qatar, Morocco, the UAE, Spain, and Brazil, later expanding to North America, Europe, India, Southeast Asia, Africa, and the Middle East. The group was also reported active in the META region in Q1 2026.

Tengu operated a structured affiliate program advertised on dark web forums, offering an 80/20 revenue split in favor of affiliates, a dedicated TOX contact, and ransomware builds for Windows, Linux, and ESXi. The program prohibited attacks on Russia and CIS countries, and affiliates without victim data were required to provide a refundable $1,500 deposit. Verified partners could receive access to an EDR-killer and a custom multi-chain pivot tool.

Its tradecraft emphasized hands-on intrusions and administration-like behavior until final encryption. Affiliates primarily gained initial access through brute-force attacks against exposed RDP and SMB services, spearphishing, exploitation of public-facing applications, and reuse of valid credentials from prior breaches. In at least one confirmed case, affiliates exploited ZeroLogon (CVE-2020-1472) against an unpatched domain controller to obtain domain administrator privileges. The group used custom exfiltration tooling including StealTENGU and StealTG, as well as Rclone and WinSCP, with MEGA as the primary storage destination and SFTP, PixelDrain, and StorJ as secondary options.

During execution and defense evasion, Tengu used LOLBins including powershell.exe, cmd.exe, rundll32.exe, sc.exe, wevtutil.exe, and vssadmin.exe. It disabled Windows Defender with an unsigned .NET executable, stopped wscsvc and wuauserv via sc.exe, cleared event logs with wevtutil, deleted shadow copies, appended the .tengu extension to encrypted files, and dropped ransom notes including TENGU_README.txt. The ransomware used intermittent encryption targeting file headers to accelerate encryption speed.

Tengu maintained a dedicated Tor-based data leak site displaying stolen documents, countdown timers, and sometimes ransom negotiation chat logs. The original leak site launched in October 2025, later underwent infrastructure changes in early 2026, and by February 2026 included a separate file server and backup onion domains. Research cited in the content identified operational security failures exposing infrastructure details and attack IPs.

The group appears sector-agnostic, with technology and manufacturing specifically noted among the most affected sectors. Known aliases and related naming in the content are Tengu and Shisa Ransomware.

Ransomware.live

Operational record

View group record ↗

Exploited software

Vulnerabilities linked to Tengu

3 CVEs

MITRE ATT&CK

Tengu in ATT&CK

10 distinct techniques

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.