xp95
XP95 is an emerging cybercrime extortion group.
Profile source: Mallory opens in a new tabxp95
Family profile
XP95 is an emerging cybercrime extortion group. Reporting cited in the source material says the group was first observed on 4 March, with no prior threat intelligence references linking it to any known organized group or earlier campaigns. XP95 has been described as operating a pure data theft and extortion model rather than deploying ransomware encryption: it steals sensitive data from victim environments, publishes proof-of-compromise samples on a Tor-hosted leak site, cross-posts victim data samples to BreachForums, issues ransom demands with hard payment deadlines, and threatens to publicly release or sell stolen datasets if victims do not pay.
Victims mentioned in the source material include Healthdaq, a recruitment platform used by Northern Ireland health trusts; Statistics South Africa; Gauteng Province in South Africa; and Eholo Health, a Spanish mental health SaaS platform serving psychologists in Spain and Andorra. In the Healthdaq incident, XP95 claimed responsibility, demanded a ransom, and said it stole nearly half a million files including driving licences, criminal background checks, and vaccine records. Reporting on that breach says the exposed data may have included names, contact details, CVs, qualifications, passport copies, other government-issued identification, forms, and in some cases health information. In the Statistics South Africa case, XP95 claimed to have stolen 453,362 files totaling 154 GB and demanded $100,000 to prevent release. In the Eholo Health case, XP95 claimed to have stolen 165 GB of data, including 1,146,700 medical notes and personal information of 601,308 users, and said it leaked the data after a $300,000 ransom was not paid.
The available reporting in the provided content does not confirm that XP95 encrypts victim systems. No aliases or sub-groups other than the name XP95 are identified in the source material.
Ransomware.live