Cyber Threat Actor: Pay or Grief
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
1 incident |
|---|
Profile
Thethreat actor known by the aliases Pay or Grief has been observed operating from the United States of America. Public reporting associates these aliases with a ransomware incident that occurred in May 2021. No further details about the actor's structure or origins have been disclosed in open sources. The actor remains primarily identified through the alias set used in the reported attack.
Observed activity indicates a focus on local government entities within the United States. The only publicly documented target is Mobile County, Alabama, where the actor disrupted county operations. This suggests a pattern of targeting municipal infrastructure rather than private sector or federal agencies. No other sectors or regions have been attributed to the actor in available sources.
The actor's tactics have been described as employing ransomware to encrypt data and halt system functionality. In the Mobile County case, the ransomware forced a three‑day shutdown of certain county systems. The incident prompted a federal investigation and led the county to issue public warnings about the ongoing disruption. No specific malware family, initial access vector, or ancillary tools have been named in the reports.
The Mobile County ransomware event of May 17, 2021 stands as the sole publicly cited operation linked to Pay or Grief. It illustrates the actor's capability to affect critical local services and attract federal attention. No additional campaigns or affiliated groups have been identified in open source reporting. Consequently, the actor's profile remains defined by this single incident and the associated aliases.
