The ransomware landscape is constantly changing. New groups emerge, while old ones disappear or reorganize. However, only a few of these new players manage to establish themselves within a short period of time. One such group is BravoX, which first appeared publicly in early 2026 and was involved in several incidents shortly thereafter – including cyberattacks that we at Oneconsult had the privilege to handle.
In this blog post, we share our insights on this new ransomware group – what sets it apart, how it operates, and how businesses can protect themselves.
Table of Contents
- BravoX – A Rising Star in the Ransomware Landscape
- What Sets BravoX Apart?
- Which Companies Are Being Targeted?
- Deep Dive: Insights Into a BravoX Ransomware Attack
- How Companies Can Protect Themselves Against BravoX Attacks
- Conclusion: A New Group, But Not a New Pattern
- Support by Cybersecurity Specialists in an Emergency
BravoX – A Rising Star in the Ransomware Landscape
BravoX first came to public attention in January 2026. However, the first indications of the group can be traced back to September 2025, when its members announced their “leak site” in a forum.
Like many modern ransomware groups, BravoX operates a leak site where it publishes data from victims who refuse to pay the demanded ransom (see figure 1).

The blog was announced on January 17, 2026, on the BravoX darknet site (see figure 2), and just a few days later, on January 20, 2026, the first victims were published.

What Sets BravoX Apart?
The group relies on the now-established principle of “double extortion”. Data is not only encrypted but also exfiltrated beforehand. If no ransom is paid, the attackers threaten to publish sensitive information. While a functioning backup offers protection against the consequences of encryption, it cannot prevent the publication of the data and the resulting damage to the company’s reputation or the loss of business secrets.
BravoX also operates according to the Ransomware-as-a-Service (RaaS) model. This means that the group’s operators focus primarily on the infrastructure, the leak site, malware development, and negotiations, while the actual attacks are carried out by so-called affiliates. What is striking is that BravoX actively recruits new partners, but with high barriers to entry. Among other requirements, prospective partners must demonstrate that they already have access to valuable data (see figure 3).
Another typical characteristic is that the group does not target organizations in the CIS countries (“Commonwealth of Independent States”), since the operators themselves come from those regions. Such rules can also be observed among other ransomware groups, such as Conti, LockBit, and BlackCat.

These characteristics already provide a clear picture: From the very beginning, the group has sought to present itself in a structured and professional manner.
Which Companies Are Being Targeted?
As of the publication of this article, BravoX lists only a limited number of victims on its leak page. The first victims were based in North America, specifically in the healthcare and retail sectors.
By now, a clear trend has emerged: The group is increasingly focusing on Europe, including companies in Switzerland. This affects, among others, organizations in the finance and legal sectors.
This development comes as little surprise. Due to their high level of digitalization, economic strength, and often critical business processes, companies in the DACH region have long been considered attractive targets for cybercriminals.
Deep Dive: Insights Into a BravoX Ransomware Attack
Oneconsult’s Computer Security Incident Response Team (CSIRT) was involved as an incident response partner in a BravoX incident and was able to gain direct insight into the perpetrators’ methods.
Although the full attack chain may vary depending on the incident, the overall picture is familiar: BravoX does not use new techniques, but rather employs well-known techniques efficiently and purposefully.
Particularly striking are the clear structure and the speed of the attacks. It takes about 2.5 weeks from the encryption phase to the publication of the data on the leak site. The announcement of a victim on the leak site occurs about one week before the actual data release, which creates additional pressure.
The Ransom Note
As part of the encryption process, a ransom note is placed on the affected systems as a file named 00_Recovery_notes.txt with the following content:
WARNING! YOUR DATA HAS BEEN STOLEN AND ENCRYPTED.
The size of the stolen data is <redacted>GB.
To restore your data and prevent a leak, contact us by following the instructions below.
We are not interested in politics, we only care about money, and we always fulfill our commitments.
You have the chance to recover your files and avoid reputational damage if we reach an agreement.
You have 4 days to make a decision and start negotiations.
WHAT WE WILL DO FOR YOU:
1. Decrypt 3 of any files for free as proof.
2. Provide an effective decryptor for the entire network.
3. Confidentially delete all your data from our servers.
4. Give recommendations for closing the vulnerabilities.
TO MINIMIZE LOSSES, PLEASE FOLLOW THESE INSTRUCTIONS:
1. Do not use third-party or public decryption programs — they may damage the files. Only we can recover the data.
2. Do not turn off or restart the system — this may lead to file corruption.
3. Do not contact third parties for negotiations (e.g., recovery services, the police, or others) — they are not concerned with how much money and reputation you will lose. Contact us as soon as possible to begin negotiations.
WHAT WILL HAPPEN IF YOU IGNORE US:
1. Your data will be published on the dark web, leading to a breach of confidential information.
2. You may face fines from clients, the government, as well as lawsuits, resulting in increased financial losses.
3. Personal data of employees and clients may be used for unauthorized loans or online purchases.
4. Bank account details and passport information may be used to create fake invoices, launder money, and engage in other illegal activities.
5. Your reputation will be destroyed.
CONTACT OUR SUPPORT IN THE PRIVATE CHAT FOR NEGOTIATIONS:
1. Download and install Tor Browser: hXXps://torproject[.]org
2. Open one of the links in Tor Browser: hXXp://private<redacted>[.]onion
3. Create an account; to do this, click the "Sign up" button, specify your Email, generate or come up with a password, insert the token, and then click the "Submit" button.
4. Your token: <redacted>
5. For the next login, you will need your email and password, so make sure to save them.
OUR OFFICIAL BLOG:
hXXp://bravoxxtrmqeeevhl7gdh2yzvlrjxajr66d33c7ozosrccx4cz7cepad[.]onion
DO NOT COMPLICATE THE SITUATION! WE DO NOT LIKE WAITING, CONTACT US AS SOON AS POSSIBLE TO BEGIN NEGOTIATIONS.
In the case under investigation, the attackers also contacted the victim multiple times via email using randomly generated Gmail addresses. While the email primarily contained instructions on how to contact the attackers, the ransom note stored locally included additional specific threats.
Some of these emails already included screenshots of stolen data as proof of the compromise (see figure 4), with the aim of further increasing the pressure on victims to get in contact and ultimately make a payment. This form of direct and repeated communication is characteristic of modern ransomware attacks and a central element of the extortion strategy.

Initial Access and Procedure
In the incident analyzed, BravoX gained initial access using compromised credentials, specifically for Virtual Private Network (VPN) access. The access attempts originated from IP addresses that can be traced back to hosting providers – a common tactic used to conceal the source. In addition, a new account with domain administrator privileges was created.
Due to a flat network structure, internal systems could be accessed directly via the VPN. The attackers then used Remote Desktop Protocol (RDP) connections within this network segment to move further into the environment and gain access to additional systems. Such combinations of access methods remain among the most common patterns in ransomware attacks.
Within the compromised environment, the attackers used both their own tools and legitimate software (“Living off the Land”), including Netscan and ProtonVPN. These tools were used primarily to scout the network and to conceal their activities. They were stored in temporary or poorly monitored directories, such as C:\temp\.
To circumvent security solutions, services were also created in this folder that were intended to disable Endpoint Detection and Response (EDR) components (so-called “EDR killers”). However, these activities were detected by the security solution in use.
A Silver Lining
On the same day, the ransomware attack was detected and successfully thwarted by the Security Operations Center (SOC), so the systems were not encrypted. Despite everything, the victim was lucky in a way.
Analysis of the Cyberattack
The analysis in the case being investigated was significantly hampered by a lack of log data. No firewall logs were available, and the VPN logs and Windows event logs from the affected systems did not go back far enough. As a result, crucial information was missing, meaning that, for example, the exact time of the initial access could no longer be reconstructed – a situation we unfortunately observe frequently in practice. This case underscores once again how crucial adequate log collection and retention are for the effective analysis and investigation of security incidents.
Indicators of Compromise (IOCs)
In addition to these general attack patterns, Indicators of Compromise (IOCs) were also identified in the analyzed case, which can be used to detect and analyze attacks. The following table shows the observed IOCs.
| IOC | SHA256 Hash Value |
|---|---|
| “MalDriver” service (vulnerable driver): C:\temp\vulndriver.sys | ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8 |
| “eb” service (EDR killer): C:\temp\UnknownKiller.sys | 97bd65e98cdc4e93d49edd4ea905d43a61244df0fd3323e6649330de3b1be091 |
| “Syslk3dt6” service (EDR killer): C:\Users\<User>\AppData\Local\Temp\umdaau99.sys | 47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428 |
| Ransomware: C:\temp\k1.exe | 88979970b579d42bb9c29051ee3abe6272ddfa49f32dbcfd4751dd4f30b51372 |
| Ransomware: C:\temp\k1.exe | 7235e8a5ada2a27a11fc91ea168dc73d2fc3edee53ddb867c272d7d1e2c39127 |
Note: The two hashes listed for k1.exe are those of the ransomware processes that were observed running.
Note: The IP addresses are not listed because they are short-term indicators. So much time has passed between the attack and the publication of this blog post that the information can no longer be considered reliable.
For SOC and incident response teams, the listed IOCs provide concrete clues for expanding existing detection use cases and specifically searching for BravoX activity. However, these indicators should always be considered in context and supplemented with behavior-based detection approaches.
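The following script is an added example of how a SOC or incident response team might operationalize the table above; it is not Oneconsult tooling. It hashes files under a given directory against the five SHA-256 values from the table and, separately, triages Windows "service installed" events (System log, Event ID 7045) for the pattern behind the MalDriver, eb and Syslk3dt6 services: a kernel driver whose binary sits in C:\temp\ or a user's Local\Temp folder. The 7045 messages, the user name "jdoe" and the benign service are constructed sample data, not events from the case.

```python
import hashlib
import re
from pathlib import Path

# SHA-256 values copied from the IOC table in this post.
BRAVOX_SHA256 = {
    "ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8": "vulndriver.sys (vulnerable driver)",
    "97bd65e98cdc4e93d49edd4ea905d43a61244df0fd3323e6649330de3b1be091": "UnknownKiller.sys (EDR killer)",
    "47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428": "umdaau99.sys (EDR killer)",
    "88979970b579d42bb9c29051ee3abe6272ddfa49f32dbcfd4751dd4f30b51372": "k1.exe (ransomware)",
    "7235e8a5ada2a27a11fc91ea168dc73d2fc3edee53ddb867c272d7d1e2c39127": "k1.exe (ransomware)",
}

# Staging locations named in the case: C:\temp\ and the per-user Local\Temp folder.
TEMP_PATH = re.compile(
    r"^(?:[a-z]:\\temp\\|[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\)", re.I
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hash(data: bytes):
    """Return the IOC label when the content's SHA-256 is in the table, else None."""
    return BRAVOX_SHA256.get(sha256_hex(data))


def scan_tree(root) -> list:
    """Hash every file below `root` and return [(path, label)] for IOC matches."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            label = match_hash(p.read_bytes())
            if label:
                hits.append((str(p), label))
    return hits


def parse_7045(message: str) -> dict:
    """Pull the 'Key:  Value' lines out of a 7045 'A service was installed' message."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")  # first colon only; paths keep their drive letter
        if sep:
            fields[key.strip().lower()] = value.strip()
    return {
        "name": fields.get("service name", ""),
        "image": fields.get("service file name", "").strip('"'),
        "type": fields.get("service type", ""),
    }


def service_findings(svc: dict) -> list:
    """Reasons a newly installed service deserves a look; an empty list means none."""
    reasons = []
    staged_in_temp = bool(TEMP_PATH.match(svc["image"]))
    is_driver = "kernel" in svc["type"].lower() or svc["image"].lower().endswith(".sys")
    if staged_in_temp:
        reasons.append("service binary staged in a temp directory")
    if staged_in_temp and is_driver:
        reasons.append("kernel driver loaded from a user-writable path (vulnerable-driver / EDR-killer pattern)")
    return reasons


def triage_events(messages) -> list:
    """Return [{'name', 'image', 'reasons'}] for every 7045 message that has findings."""
    out = []
    for msg in messages:
        svc = parse_7045(msg)
        reasons = service_findings(svc)
        if reasons:
            out.append({"name": svc["name"], "image": svc["image"], "reasons": reasons})
    return out


# Constructed 7045 messages modelled on the three services in the IOC table, plus one benign install.
SAMPLE_7045 = [
    "A service was installed in the system.\nService Name:  MalDriver\nService File Name:  C:\\temp\\vulndriver.sys\n"
    "Service Type:  kernel mode driver\nService Start Type:  demand start\nService Account:  ",
    "A service was installed in the system.\nService Name:  eb\nService File Name:  C:\\temp\\UnknownKiller.sys\n"
    "Service Type:  kernel mode driver\nService Start Type:  demand start\nService Account:  ",
    "A service was installed in the system.\nService Name:  Syslk3dt6\n"
    "Service File Name:  C:\\Users\\jdoe\\AppData\\Local\\Temp\\umdaau99.sys\n"
    "Service Type:  kernel mode driver\nService Start Type:  demand start\nService Account:  ",
    "A service was installed in the system.\nService Name:  ExampleAgent\n"
    "Service File Name:  \"C:\\Program Files\\ExampleVendor\\agent.exe\"\n"
    "Service Type:  user mode service\nService Start Type:  auto start\nService Account:  LocalSystem",
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_7045):
        print(finding)
    for path, label in scan_tree("."):
        print("IOC match:", path, label)
```

The hash check catches only the exact samples from this case, which is why the 7045 triage is the more durable half: any kernel driver registered from a temp directory is worth an alert regardless of its hash, and the same rule can be fed from the System log or from an EDR's service-creation telemetry.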
How Companies Can Protect Themselves Against BravoX Attacks
Even though BravoX is a new ransomware group, its underlying attack methods differ little from those of other ransomware groups. Accordingly, basic protective measures remain crucial:
- At the technical level, external access points – such as VPN and RDP access – should be secured in particular, for example, through the consistent use of multi-factor authentication and access restrictions. In addition, only those services, ports, and systems that are actually needed should be accessible and exposed to the public in order to minimize the attack surface as much as possible.
- At the same time, structured patch management remains essential for promptly addressing known vulnerabilities. In addition, Active Directory environments should be hardened, privileged accounts should be regularly reviewed, and strong password policies should be enforced.
- In addition, consistent network segmentation plays a crucial role in limiting an attacker’s ability to spread within the environment. This is particularly effective against attacks such as those carried out by BravoX, as it prevents attackers from moving laterally unimpeded and compromising additional systems after gaining initial access.
- Centralized logging and continuous monitoring of alerts and suspicious activities generated by security solutions (e.g., EDR) are crucial for detecting attacks early on. This includes, in particular, anomalies in log data, such as unusual login activity via VPN connections.
- In addition to technical measures, organizational preparation also plays a key role. Companies should have a clearly defined incident response plan that specifies responsibilities, procedures, and decision-making processes in the event of an emergency.
- It is equally important to address regulatory requirements early on, particularly with regard to reporting obligations such as the federal government’s reporting obligation. In addition, communication processes should be put in place to ensure a swift and coordinated reaction to employees, customers, partners, and authorities in the event of an attack.
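As an added example (not Oneconsult code) of the monitoring called for in the list above, and of the two initial-access signals from the incident section, namely VPN logins from hosting-provider addresses and a freshly created domain administrator account, the script below runs two simple rules over constructed log data. The VPN log lines, the Security log events, the user names and the hosting-provider ranges (RFC 5737 documentation prefixes standing in for real ASN data) are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed hosting-provider ranges; a real deployment would feed these from ASN or
# threat-intelligence data rather than a hard-coded list.
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed VPN authentication log: "<time> <user> <source ip> <result>" per line.
VPN_LOG = """\
2026-01-05T08:02:11Z alice 192.0.2.10 success
2026-01-05T08:15:40Z bob 192.0.2.22 success
2026-01-06T21:47:03Z alice 203.0.113.45 success
2026-01-06T21:49:12Z alice 203.0.113.45 success
2026-01-07T09:01:00Z bob 192.0.2.22 success
2026-01-07T09:05:00Z carol 198.51.100.9 failure
"""

# Constructed Security log excerpt as (time, event id, target account, group or None).
# 4720 = user account created, 4728 = member added to a security-enabled global group.
SECURITY_LOG = [
    ("2026-01-06T21:52:30Z", 4720, "sqladmin2", None),
    ("2026-01-06T21:54:00Z", 4728, "sqladmin2", "Domain Admins"),
    ("2026-01-07T10:00:00Z", 4728, "bob", "Domain Admins"),
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_vpn(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append({"ts": parse_ts(ts), "user": user, "ip": ipaddress.ip_address(ip), "result": result})
    return events


def vpn_anomalies(events: list) -> list:
    """Flag successful logins from a source address the user has not used before
    (the first login seen per user seeds the baseline) or from a hosting-provider range."""
    seen = {}
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        known = seen.setdefault(e["user"], set())
        reasons = []
        if known and e["ip"] not in known:
            reasons.append("new source address for this user")
        known.add(e["ip"])
        if any(e["ip"] in net for net in HOSTING_RANGES):
            reasons.append("source address in a hosting-provider range")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"], "ip": str(e["ip"]), "reasons": reasons})
    return alerts


def new_domain_admins(events: list, window: timedelta = timedelta(hours=24)) -> list:
    """Return (account, seconds from creation to Domain Admins membership) for accounts
    created and promoted within `window`; accounts created before the log starts are ignored."""
    created = {}
    hits = []
    for ts, event_id, account, group in sorted(events, key=lambda e: e[0]):
        t = parse_ts(ts)
        if event_id == 4720:
            created[account.lower()] = t
        elif event_id == 4728 and group == "Domain Admins":
            c = created.get(account.lower())
            if c is not None and t - c <= window:
                hits.append((account, int((t - c).total_seconds())))
    return hits


if __name__ == "__main__":
    for alert in vpn_anomalies(parse_vpn(VPN_LOG)):
        print("VPN", alert)
    for account, seconds in new_domain_admins(SECURITY_LOG):
        print(f"new Domain Admins member {account} created {seconds}s earlier")
```

Both rules depend on the logs actually being there: the new-address rule needs enough VPN history to build a per-user baseline, and the account-promotion rule needs 4720 and 4728 from the domain controllers to be forwarded to the central log store and retained, which is exactly what was missing in the case described above.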
Most of these measures have been known for years, but what matters most is their consistent and sustainable implementation in practice. Further information can be found in the following blog posts by Oneconsult:
- How To Protect Against Ransomware: Effective Tips for Companies
- Ransomware: Detection and Prevention
Conclusion: A New Group, But Not a New Pattern
Even though BravoX is currently still one of the lesser-known ransomware groups, observations to date paint a clear picture: The group is already operating at a level more typically associated with established actors.
Newcomers to the ransomware landscape should therefore not be underestimated. Often, it is precisely these new groups that efficiently adopt existing attack patterns and thus become a real threat particularly quickly.
This makes it all the more important to recognize typical characteristics of ransomware early on and respond accordingly to ensure a successful defense.
Support by Cybersecurity Specialists in an Emergency
When a company falls victim to a ransomware attack, swift and structured action is essential. Our CSIRT has extensive experience in analyzing and responding to ransomware incidents and supports companies with both technical analysis and incident management.