Ransomware - dAn0n

The dAn0n Hacker Group, or dAn0n, was first observed in the Spring of 2024. They posted their first victim on their simultaneous dark web and clear net data leak site on March 26. The dAn0n group is often lumped in with other ransomware groups, but there's no evidence they ever deployed a ransomware encryptor (crypto-ransomware). The only evidence of their operations comes from their victims and any information they provide. Based on their own data and admissions, they only stole, extorted, and sold data, which we refer to as Data Brokers.

The most interesting aspect of the dAn0n operation was their quiet approach, but loud extortion techniques. There isn't too much research on their tactics and techniques, but the manner in which they extorted victims on their data leak sites was overtly verbose. For example, each victim publication included a "Status" GUI that tracked the extortion chain. The most observed Status process was six steps:

1. Setting a deadline of X hours (usually 180 or 240)
2. Informing leadership team
3. Informing insurance company
4. Refuse of the deal
5. Informing clients and partners
6. Informing regulatory authorities

Their M.O. was to inform just about everyone to coerce victims into payment. After publishing 19 victims, they suddenly ceased operations in late August of the same year. Although they didn't utilize an encryptor in this operation, this group reappeared in 2025 as White Lock, which did use a traditional crypto-ransomware.