Three New Ransomware Brands Surfaced in One Week. None of Them Built Their Own Malware.
- Patrick Duggan
Three ransomware and extortion brands showed up in our breach sweep this week — Brain Cipher listing an Australian newspaper, Kairos listing a jeweler, Nitrogen claiming eight terabytes from Foxconn. We added all three to our adversary index. And then we noticed the thing that actually matters, the thing that connects them and connects them to the npm supply-chain story we keep writing: none of these crews built their own capability from scratch. They assembled it from parts.
That is the whole post. The ransomware economy has finished modularizing. Running a ransomware brand in 2026 is no longer a feat of engineering — it is procurement.
Three crews, three rented capabilities
Brain Cipher, active since June 2024, runs an encryptor that is LockBit 3.0-derived — Salsa20/RSA, the same lineage that leaked when LockBit's builder spilled. They didn't write a novel cryptor; they reskinned a leaked one, bolted on steal-then-encrypt double extortion and a Tor leak site, and went to work. Group-IB assesses them as a brand that "wears many masks," which is the tell: the malware is interchangeable, the brand is disposable, the operation is what persists. Their résumé includes Indonesia's national data center (210 institutions) and, this month, the regional newspaper The Adviser at 350 gigabytes.
Kairos didn't even bother with an encryptor. Active since late 2024, they steal data and extort — no cryptography at all. Their initial access? Purchased, from initial access brokers. Their model is pure operations: buy the door, take the data, run a time-bound escalation, and if the victim stalls, contact the victim's customers and employees directly. Eighty-eight victims across fourteen countries by June 2026, and not one line of malware that's theirs. This month: an Australian jeweler, 574 gigabytes.
Nitrogen is the most instructive. They started in 2023 as a malvertising loader — a delivery service feeding initial access to BlackCat/ALPHV. When BlackCat imploded, Nitrogen went independent by taking the leaked Conti 2 builder, compiling their own strain, and keeping their existing malvertising machine: poisoned Google and Bing ads for AnyDesk, WinSCP, FileZilla, PuTTY, leading to DLL sideloading, Cobalt Strike, and exfiltration before encryption. Ex-BlackCat tradecraft, Conti's cryptor, commodity post-exploitation tooling. This month: Foxconn, eight terabytes claimed.
The supply chain isn't just for software
Look at what each crew sourced rather than built. The encryptor: a leaked builder (LockBit, Conti). The initial access: bought from brokers, or generated by a rented malvertising funnel. The post-exploitation: Cobalt Strike and Meterpreter, the same off-the-shelf tools every red team and every criminal uses. The leak infrastructure: a Tor template. What's left that's actually theirs? The brand name and the willingness to do it.
This is the exact same dynamic we documented when the Shai-Hulud worm's authors released its source code and it promptly infected a hundred-plus npm and PyPI packages. Capability that used to be a moat becomes a download. The barrier to entry collapses, and the population of actors who can run a credible operation explodes — not because they got smarter, but because the parts got cheaper. We have a name for this pattern in our own notes: capability acquired, not refined. You don't need to be good anymore. You need to be willing, and you need a shopping list.
Why this changes what defenders should watch
If the malware is commodity and interchangeable, then chasing the malware family is chasing the disposable part. Brain Cipher's LockBit-derived binary will have a different hash next month under a different brand. Kairos has no binary to hash at all. The durable, defensible signals are the ones upstream of the encryptor: the initial-access vector and the operator behavior.
That reframes the priorities. Malvertising for sysadmin tools — the AnyDesk, WinSCP, PuTTY lures Nitrogen rides — is a detectable, blockable funnel, and it's shared across many brands. Initial-access-broker chatter is an early-warning layer that precedes the Kairos-style data-theft crews by weeks. Leaked-builder reuse means a single good detection for the LockBit or Conti lineage covers a rotating cast of brand names. And the leak-site infrastructure, the Tor portals and the new-domain registrations behind them, is exactly the kind of thing we track for actors like Handala — operator infrastructure outlives brand names.
The counterintuitive conclusion is almost optimistic: because these crews share so many rented parts, defending against the parts defends against all of them at once. Block the malvertising funnel and you've degraded Nitrogen and everyone else using it. Detect the leaked-builder lineage and you've caught next month's rebrand for free. The commoditization that lowered the barrier for attackers also concentrated the choke points for defenders — if you aim at the supply chain instead of the brand.
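The malvertising funnel above is the one "rented part" that shows up directly in a defender's own telemetry, so here is what watching for it can look like in practice. This is an added example, not code from the post or from any of the vendors it credits. It assumes a simple proxy-log line shape (timestamp, client, quoted URL, quoted referrer, status), an allowlist of the domains each tool's vendor actually serves installers from (illustrative here; a real deployment maintains it from vendor documentation), and a list of search-engine and ad-network referrer domains. The sample log lines are constructed, and the `.example` hosts are placeholders. It flags an installer-looking download that trades on a sysadmin tool's name but comes from a host the vendor does not own, and marks whether the click arrived via a search engine or its ad network, which is the Nitrogen-style path.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains each vendor serves installers from.
# Illustrative only: maintain it from the vendors' own documentation.
VENDOR_DOMAINS = {
    "anydesk": ("anydesk.com",),
    "winscp": ("winscp.net",),
    "filezilla": ("filezilla-project.org",),
    "putty": ("putty.org", "chiark.greenend.org.uk"),
}

# Referrers that indicate the download was reached via a search engine or its ad network.
SEARCH_DOMAINS = ("google.com", "googleadservices.com", "bing.com")

INSTALLER_SUFFIXES = (".exe", ".msi", ".zip")

# Assumed proxy-log shape: timestamp client "url" "referrer" status
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<url>[^"]+)" "(?P<referrer>[^"]*)" (?P<status>\d{3})$'
)

# Constructed sample log lines (not real traffic); .example hosts are placeholders.
SAMPLE_LOG = [
    '2026-06-10T09:12:01Z 10.1.4.22 "https://anydesk.com/en/downloads/windows" "https://www.google.com/" 200',
    '2026-06-10T09:12:44Z 10.1.4.22 "https://download.anydesk.com/AnyDesk.exe" "https://anydesk.com/en/downloads/windows" 200',
    '2026-06-10T10:03:17Z 10.1.7.90 "https://anydesk-download.example/AnyDesk.exe" "https://www.googleadservices.com/pagead/aclk?sa=L" 200',
    '2026-06-10T10:40:05Z 10.1.9.11 "https://putty-setup.example/putty.zip" "https://www.bing.com/search?q=putty" 200',
    '2026-06-10T11:15:30Z 10.1.2.5 "https://www.example.org/tools/winscp-howto.html" "https://www.google.com/" 200',
]


def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one.
    Suffix matching on a dot boundary, so anydesk.com.evil.example does not pass."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def is_vendor_host(host, tool):
    return host_matches(host, VENDOR_DOMAINS.get(tool, ()))


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_tool(url):
    """Return which sysadmin tool name the URL is trading on, if any."""
    lowered = url.lower()
    for tool in VENDOR_DOMAINS:
        if tool in lowered:
            return tool
    return None


def classify(entry):
    """Return a finding for an installer-looking download of a known tool from a host
    the vendor does not own; None for legitimate or irrelevant traffic."""
    if entry is None:
        return None
    tool = detect_tool(entry["url"])
    if tool is None:
        return None
    parsed = urlparse(entry["url"])
    if not parsed.path.lower().endswith(INSTALLER_SUFFIXES):
        return None  # landing pages and how-to articles are not the funnel's payload
    host = parsed.hostname or ""
    if is_vendor_host(host, tool):
        return None
    ref_host = urlparse(entry["referrer"]).hostname or ""
    return {
        "client": entry["client"],
        "tool": tool,
        "host": host,
        "referrer_host": ref_host,
        "search_referred": host_matches(ref_host, SEARCH_DOMAINS),
    }


def scan(lines):
    """Run every log line through the classifier and keep only the findings."""
    return [f for f in (classify(parse_line(line)) for line in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = "search/ad-referred" if f["search_referred"] else "direct"
        print(f"{f['client']} fetched {f['tool']} installer from {f['host']} ({tag})")
```

On the constructed sample this yields two findings (the AnyDesk and PuTTY installers served from non-vendor hosts, both reached through a search engine) and stays silent on the genuine vendor download and the how-to page. The check is deliberately keyed on the lure (tool name plus installer extension plus non-vendor host) rather than on any file hash, which is the point of the post: the binary behind the lure rotates, the funnel does not.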
We're capping confidence at 95 percent, as always: attribution on emerging crews is soft, victim claims are self-reported on leak sites, and some of these brands will merge or vanish by autumn. But the shape isn't in doubt. Three brands in a week, zero original malware between them, every capability sourced from a leaked builder, a broker, or an ad network. The ransomware business has become a parts business. Defend the parts.
Brain Cipher, Kairos, and Nitrogen are now in our adversary index. Primary research credit: Group-IB (Brain Cipher), SOCRadar and TRM Labs (Kairos), Barracuda and Halcyon (Nitrogen). We brought the pattern.
