Frag explodes onto the scene – New DLS emerges for Frag ransomware

Introduction

In 2024, Cyjax observed the emergence of 72 extortion and ransomware group data-leak sites (DLSs). As of late March 2025, Cyjax has identified DLSs for 21 new groups this year, as noted in recent blogs on Morpheus, GD LockerSec, Babuk2, Linkc, Anubis, and Arkana.

The latest DLS Cyjax has identified is named Frag, which constitutes one of 14 new DLSs identified in March 2025 alone. This group appears to operate independently rather than running a Ransomware-as-a-Service (RaaS) model, making no mention of hiring affiliates anywhere on its DLS. Alongside this, Cyjax has not noted the group’s presence on well-known cybercriminal forums.

Figure 1 – DLS sites which have emerged in 2025 by month.

Key takeaways

  • The Frag ransomware DLS first emerged on 28 February 2025, listing a US-based manufacturing organisation as its first alleged victim.
  • This group has listed 27 alleged victims in the space of one month, showing that it is highly motivated.
  • In March 2025, a hospitality organisation which was previously listed by the Play ransomware group in July 2023 appeared on Frag’s DLS. The group provides detailed blog entries for each alleged victim, including its name, location, industry vertical, the types of data stolen, and sample files.
  • Unlike other known ransomware groups, Frag does not provide a countdown timer to indicate when full datasets will be leaked.

Context

Extortion groups commonly use DLSs to further extort victims, typically proceeding in multiple stages. The first threat is that the victim’s name and news of a successful attack against it will be published on the extortion group’s website. Should this fail to motivate a victim to pay a ransom, the group’s next step is typically to provide proof of the successful theft of its data, such as screenshots of internal file trees, samples of employee or customer PII, or other sensitive documents. The group may add a countdown at this stage, noting that should the victim fail to pay by the conclusion, it will make available to DLS visitors all stolen data, either for free or at cost.

The Frag DLS

Frag’s data-leak site on the dark web comprises three sections: News, Leaks, and Contact. The purpose of the group’s DLS is to leak data from alleged victims which have not paid a ransom demand. As of March 2025, Frag has not used its platform to spread a political agenda or other messages and it appears that the group is simply financially motivated.

The News section appears to be aimed at alleged victims and describes some of Frag’s demands and practices. This includes the fact that the group will provide a decryptor, remove stolen files from its system, and will not share stolen data if a ransom is paid.

Figure 2 – The News section on Frag’s DLS.

The Leaks section is where Frag publicly lists its purported victims. Each post currently displays details including the organisation’s name, a description of its business, the date and time when it was added to the DLS, a brief description of the stolen data, and a download link for samples where applicable. 

Figure 3 – The Leaks section of Frag’s DLS.

The Contact section is where the group lists its Tuta Mail and ProtonMail email addresses for communication purposes.

Figure 4 – The Contact section of Frag’s DLS.

Tactics, Techniques, and Procedures

Frag highly likely employs a double-extortion methodology, exfiltrating data before encrypting a victim’s systems and files. This assessment is based on the group providing sample file images for its victims and on its references to allegedly impacted organisations paying for a “decryptor” to secure data. Alongside this, the group reportedly appends “.frag” to affected files after encryption and drops a ransom note for the victim. This note states that the group has exploited vulnerabilities it has found to “download your data [and] encrypt the contents of your servers”.
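One way to hunt for the “.frag” suffix behaviour described above, as an added example (not Cyjax’s code and not derived from Frag samples). The pipe-delimited event format, host names, paths, threshold, and time window are constructed assumptions; events are assumed to arrive in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rename events (not real telemetry): time|host|old_path|new_path
SAMPLE_EVENTS = """\
2025-03-04T02:10:01|fs01|/srv/share/hr/payroll.xlsx|/srv/share/hr/payroll.xlsx.frag
2025-03-04T02:10:02|fs01|/srv/share/hr/contracts.pdf|/srv/share/hr/contracts.pdf.frag
2025-03-04T02:10:02|fs01|/srv/share/legal/nda.docx|/srv/share/legal/nda.docx.FRAG
2025-03-04T02:10:04|fs01|/srv/share/fin/q4.csv|/srv/share/fin/q4.csv.frag
2025-03-04T09:30:00|dev07|/home/a/game/tmp.glsl|/home/a/game/water.frag
2025-03-04T09:31:00|dev07|/home/a/notes.txt|/home/a/notes.txt.frag
2025-03-04T11:00:00|fs02|/data/a.bak|/data/a.bak.frag
2025-03-04T11:20:00|fs02|/data/b.bak|/data/b.bak.frag
2025-03-04T11:40:00|fs02|/data/c.bak|/data/c.bak.frag
"""

SUFFIX = ".frag"  # extension the page reports being appended after encryption


def is_appended_frag(old_path, new_path):
    """True only when the new name is the full old name plus '.frag'.

    A bare '*.frag' match would also hit GLSL fragment shaders, which
    conventionally use the same extension.
    """
    return new_path.lower() == old_path.lower() + SUFFIX


def detect_frag_bursts(log_text, threshold=3, window_seconds=60):
    """Return {host: timestamp at which `threshold` renames fell inside the window}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> timestamps of recent matching renames
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the hunt
        ts_raw, host, old_path, new_path = parts
        if not is_appended_frag(old_path, new_path):
            continue
        ts = datetime.fromisoformat(ts_raw)
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > window:  # drop renames that aged out of the window
            hits.popleft()
        if len(hits) >= threshold and host not in alerts:
            alerts[host] = ts_raw
    return alerts


if __name__ == "__main__":
    for host, when in detect_frag_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: burst of appended-.frag renames reached at {when}")
```

On the constructed data only `fs01` alerts: `dev07` has a shader rename plus a single appended file, and the `fs02` renames are spread too far apart for the default 60-second window.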

The threat group may be saying that it exploited a vulnerability in order to appear more credible. There are several alternative ways that Frag may have gained access to a victim network, including the use of leaked credentials or Initial Access Brokers (IABs). Cyjax’s blog regarding IAB and ransomware collaboration can be viewed here.

As of March 2025, Frag is not known to be associated with any other threat actors or cybercriminal forum accounts.

Victimology

Frag has publicly claimed attacks against 27 organisations operating in the maritime, professional services, retail, hospitality, transportation, real estate, legal, manufacturing, healthcare, information technology, financial, and aviation sectors. The group’s alleged victims are based across the United States, the Netherlands, and Singapore. Of these victims, 25 of the 27 listed on Frag’s DLS are based in the US. This indicates that the country is a key geographical area for the group. 

For each listed victim, Frag provides the organisation’s name, its description, and a list of documents which were stolen. This typically appears to include personal, HR, medical, or financial documents, as well as various types of contracts and licenses. At the time of writing, sample data has been published for 26 of the 27 victims. There does not appear to be a countdown indicating when victims’ data will be released, as is common on other extortion group DLSs.

The group named its first victim AmeriKen Die Supply, a packaging and container manufacturing organisation, in late February 2025. It claims to have stolen personal employee information, financial documents, customer and employee contact details, non-disclosure agreements, and driving licenses from the organisation. A collection of sample data has been released for this victim. However, since there is no countdown timer, it is unclear when the full data will be released.

Figure 5 – First data leak listing on the Frag DLS.

When new ransomware groups emerge, Cyjax has observed a trend of threat actors falsely claiming attacks on several organisations to bolster the number of DLS listings. These fake listings usually contain data; however, this is often sourced from other ransomware groups who have previously leaked it. When investigating the victims on Frag’s DLS, 26 of the listings appear to be original whilst one allegedly impacted organisation was previously listed by another ransomware group. Woodbine Hospitality, a family of organisations which provides hospitality facilities and services in New York, was listed by Frag on 4 March 2025. However, it was also previously listed on the Play ransomware DLS on 19 July 2023. The Play ransomware group leaked 95GB of data from the company in 2023, whilst Frag has only released a small sample. Whilst it is possible that Frag has taken and reposted part of the previous leak from Play, it is more likely that the organisation has been impacted by the two groups separately. This is due to the period between listings, as they occurred almost two years apart. 

Figure 6 – Woodbine Hospitality listing on the Frag DLS.

Figure 7 – Woodbine Hospitality listing on the Play DLS.

Threat Assessment

As of late March 2025, there is little publicly known information regarding Frag and its operations, apart from what it claims on its DLS. Whilst none of the alleged victims have publicly confirmed an attack, the group’s posts contain information about the types of stolen data and mostly have sample data attached. This adds credibility to the group’s claims. The naming of 27 victims in a one-month period suggests that Frag is relatively sophisticated and highly motivated. With the vast majority of victims appearing to be original to Frag, this suggests that it is not simply claiming responsibility for another group’s attacks. Instead, the group is operating a successful ransomware operation. With the rate at which the group is adding victims to its DLS, it is likely that it will continue its operations in the near future.

To access our full intelligence repository containing detailed profiles like this one, covering extortion groups, advanced persistent threat groups (APTs), data brokers, hacktivists, initial access brokers, and more, click here to take a test drive of Cymon.
