Secplicity Blog

Cybersecurity Headlines & Trends Explained

Ransomware Tracker (Entry #308): The Green Blood Group


The Green Blood Group was both the group name and the encryptor name of this operation. The group, or threat actor, operated for about a month, between January 2026 and February 2026, although operations likely began shortly before that, possibly towards the end of 2025. During that time, at least two known encryptor samples were identified in the wild: one self-identified as version two (v2) in its console output during dynamic analysis, and an unversioned sample that is likely version one (v1). Typically, we separate each version into its own entry, but only if there are enough differences between them. In this case, the two versions were similar enough that a separate entry for v2 isn't warranted.

Public research on this group's v2 encryptor is contradictory, with some reports claiming the files are encrypted with ChaCha8 or ChaCha20. In our own analysis, however, both v1 and v2 encrypted files using AES-256-CTR, a finding corroborated by ASEC and stated by the group itself in the v2 ransom note. ASEC's research also showed how encrypted files can potentially be recovered using system information together with the cryptographic IV, a 16-byte value prepended to each encrypted file.
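As an added illustration (not code from the Green Blood encryptor, from ASEC, or from the tracker entry), the following Go program models the file layout described above: a 16-byte IV prepended to AES-256-CTR ciphertext. The key, IV and plaintext are constructed sample values, and the derivation of the key from system information is not reproduced because the entry does not document it. The point is that a recovery tool only needs to read the IV from the head of the file and supply the recovered key, and that CTR mode carries no integrity check, so a wrong key produces garbage without any error and the output has to be validated separately (for example against the expected file magic).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// IVSize is the 16-byte IV the entry describes as prepended to each encrypted file.
const IVSize = aes.BlockSize

// KeySize is the AES-256 key length in bytes.
const KeySize = 32

// EncryptFile models the on-disk layout described in the entry: a random
// 16-byte IV followed by the AES-256-CTR ciphertext of the original bytes.
// This is an illustrative model, not the encryptor's code; anything about
// the real sample beyond "AES-256-CTR, 16-byte IV prepended" is assumed.
func EncryptFile(key, plaintext []byte) ([]byte, error) {
	block, err := newAES256(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, IVSize+len(plaintext))
	iv := out[:IVSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	// CTR is a stream mode: ciphertext = plaintext XOR AES_k(IV || counter).
	cipher.NewCTR(block, iv).XORKeyStream(out[IVSize:], plaintext)
	return out, nil
}

// DecryptFile is what a recovery tool does once the key is known: take the
// IV from the first 16 bytes, then run CTR over the rest. Decryption is the
// same XOR as encryption. The IV alone recovers nothing; the key (per ASEC,
// derivable from system information) is the real prerequisite.
func DecryptFile(key, blob []byte) ([]byte, error) {
	if len(blob) < IVSize {
		return nil, errors.New("file too short to contain a 16-byte IV")
	}
	block, err := newAES256(key)
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:IVSize], blob[IVSize:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

// newAES256 builds the block cipher and rejects anything but a 32-byte key.
func newAES256(key []byte) (cipher.Block, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("AES-256 requires a %d-byte key, got %d", KeySize, len(key))
	}
	return aes.NewCipher(key)
}

func main() {
	// Constructed sample input; not a real victim file or key.
	key := bytes.Repeat([]byte{0x42}, KeySize)
	plaintext := []byte("%PDF-1.7 constructed sample document body")

	blob, err := EncryptFile(key, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on-disk layout: %d-byte IV + %d-byte ciphertext\n", IVSize, len(blob)-IVSize)

	recovered, err := DecryptFile(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(recovered, plaintext))

	// A wrong key still "decrypts" without error: CTR has no integrity check,
	// so a recovery tool must validate its output (e.g. file magic) itself.
	garbage, _ := DecryptFile(bytes.Repeat([]byte{0x99}, KeySize), blob)
	fmt.Println("wrong key yields plaintext:", bytes.Equal(garbage, plaintext))
}
```

Because CTR is a keystream XOR, the ciphertext length equals the plaintext length and the only overhead is the 16-byte IV, which is why an encrypted file is exactly 16 bytes larger than the original under this layout.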

The group is mostly known for its claimed attack on the Senegalese Directorate of File Automation (DAF), which it posted on its data leak site (DLS) at the beginning of February 2026. However, based on public information and emails from the organization, the breach occurred on or around January 19, 2026. The group also posted a manufacturing organization from Egypt and claimed breaches of organizations in India (two), Colombia, and Belgium. Those claims were never followed by any disclosure, however, as the group's DLS went dark around mid-February 2026.

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/green-blood-group

Filed under: Ransomware, Research