Tengu
Tengu Ransomware is a financially motivated ransomware-as-a-service (RaaS) operation first observed on 2025-10-09.
Profile source: Mallory opens in a new tabTengu
Family profile
Tengu Ransomware is a financially motivated ransomware-as-a-service (RaaS) operation first observed on 2025-10-09. It uses a double-extortion model, stealing data before encryption, and rebranded as Shisa Ransomware on 2026-03-10. In fewer than six months, it claimed approximately 50 victims across multiple continents. Early victimology included Qatar, Morocco, the UAE, Spain, and Brazil, later expanding to North America, Europe, India, Southeast Asia, Africa, and the Middle East. The group was also reported active in the META region in Q1 2026.
Tengu operated a structured affiliate program advertised on dark web forums, offering an 80/20 revenue split in favor of affiliates, a dedicated TOX contact, and ransomware builds for Windows, Linux, and ESXi. The program prohibited attacks on Russia and CIS countries, and affiliates without victim data were required to provide a refundable $1,500 deposit. Verified partners could receive access to an EDR-killer and a custom multi-chain pivot tool.
Its tradecraft emphasized hands-on intrusions and administration-like behavior until final encryption. Affiliates primarily gained initial access through brute-force attacks against exposed RDP and SMB services, spearphishing, exploitation of public-facing applications, and reuse of valid credentials from prior breaches. In at least one confirmed case, affiliates exploited ZeroLogon (CVE-2020-1472) against an unpatched domain controller to obtain domain administrator privileges. The group used custom exfiltration tooling including StealTENGU and StealTG, as well as Rclone and WinSCP, with MEGA as the primary storage destination and SFTP, PixelDrain, and StorJ as secondary options.
During execution and defense evasion, Tengu used LOLBins including powershell.exe, cmd.exe, rundll32.exe, sc.exe, wevtutil.exe, and vssadmin.exe. It disabled Windows Defender with an unsigned .NET executable, stopped wscsvc and wuauserv via sc.exe, cleared event logs with wevtutil, deleted shadow copies, appended the .tengu extension to encrypted files, and dropped ransom notes including TENGU_README.txt. The ransomware used intermittent encryption targeting file headers to accelerate encryption speed.
Tengu maintained a dedicated Tor-based data leak site displaying stolen documents, countdown timers, and sometimes ransom negotiation chat logs. The original leak site launched in October 2025, later underwent infrastructure changes in early 2026, and by February 2026 included a separate file server and backup onion domains. Research cited in the content identified operational security failures exposing infrastructure details and attack IPs.
The group appears sector-agnostic, with technology and manufacturing specifically noted among the most affected sectors. Known aliases and related naming in the content are Tengu and Shisa Ransomware.
Ransomware.live
Operational record
Exploited software
Vulnerabilities linked to Tengu
3 CVEsMITRE ATT&CK