Menu
Browse

Cyber Threat Actor: RIPPRGANG

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Criminal
0 incidents
Profile

DESORDEN Group is a cyber threat actor conducting financially motivated attacks primarily against businesses in Southeast Asia, with notable operations in Thailand, Malaysia, Indonesia, Taiwan, and Vietnam. Their campaigns consistently target multinational corporations and publicly listed companies across diverse sectors, including retail (Johnson Fitness and Wellness), telecommunications (redONE, redTONE), insurance (The Icon Group, Srikrung Broker), transportation infrastructure (PT Jasamarga Tollroad Operator), food services (BOGA Group), and cosmetics (Mistine Better Way Thailand). The group’s core objective is financial gain through extortion, demanding ransoms from victims in exchange for not leaking or selling stolen data. When victims refuse to engage, DESORDEN monetizes exfiltrated corporate data, trade secrets, and personal information by selling it on hacking forums, citing profitability from buyers in regions like China. A secondary objective involves coercing transparency, exemplified by their attacks on Malaysian telecoms to pressure public breach disclosures when media outlets allegedly suppressed incident reporting.

DESORDEN employs opportunistic initial access by exploiting unpatched vulnerabilities in victim networks, often maintaining access for months to exfiltrate data. They adapt to network defenses, as seen in the Johnson Fitness breach, where they pivoted across servers to bypass firewalls and antivirus systems. The group typically avoids ransomware deployment, preferring data theft and extortion, though they have distributed ransomware builders (e.g., Yashma) on forums after pre-submitting samples to VirusTotal to limit their effectiveness. Their post-breach tactics include deleting databases to prove compromise while assuming victims have backups, leaking samples of sensitive data (KYC documents, plaintext credentials, financial records), and auctioning full datasets on hacking forums. DESORDEN has claimed high-impact breaches, such as the exfiltration of 20 million customer and sales representative records from Mistine, 369 GB of insurance data from Srikrung Broker, and 31 GB from BOGA Group’s restaurant chains. They discontinue attacks in oversaturated markets like Indonesia, where personal data became commercially worthless due to excessive supply.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
9 sources