The Emergence of the Tengu Ransomware


March 19, 2026

Tengu is a modern ransomware variant that surfaced around October 2025 and has quickly established itself as an active cyber threat across multiple regions. Operating as a Ransomware-as-a-Service (RaaS) model, Tengu enables affiliates to carry out attacks using shared infrastructure and tooling. Once deployed, the malware encrypts victim data and appends the ransomware file extension “.tengu” to affected files, rendering them inaccessible.

Recent activity indicates that Tengu has targeted organizations across North America, Europe, and other global regions, including confirmed incidents such as the attack on Samson Equipment in January 2026. The group follows a well-established double-extortion model, combining file encryption with data exfiltration to increase pressure on victims.

Information on “Tengu Ransomware”

Ransomware Name: Tengu Ransomware
First Detected/Reported: October 2025
Affects OS: Windows
File Extension: .tengu
Ransom Note: TENGU.README.txt / [random].README.txt
Threat Model: Ransomware-as-a-Service (RaaS), Double Extortion

How Tengu Ransomware Operates

Tengu ransomware follows a structured intrusion lifecycle commonly seen in modern enterprise ransomware attacks. Initial access is typically achieved through compromised credentials, exposed remote services such as RDP or VPN without MFA, or phishing campaigns. Once inside, attackers conduct reconnaissance to identify high-value systems and sensitive data.

The group relies heavily on “living-off-the-land” techniques, using legitimate tools such as PowerShell and command-line utilities to execute commands and evade detection. Defense evasion includes disabling security tools, clearing event logs, and manipulating system services. Persistence is established through registry run keys and scheduled tasks.

Before encryption, attackers often exfiltrate sensitive data using tools like Rclone or WinSCP. This enables double extortion—threatening both data loss and public exposure. The encryption phase then locks files across endpoints and servers, followed by ransom notes directing victims to Tor-based negotiation portals.

Technical Indicators and Attack Artifacts

Analysis of Tengu ransomware activity reveals several identifiable artifacts that can assist in detection and response. These indicators are primarily host-based and reflect post-compromise activity rather than initial access vectors.

  • File artifacts such as wraithnet_bot.exe, controller_gui.exe, and related logs dropped in system directories
  • Registry persistence keys including SystemSecurityMonitor, WraithNet, and WindowsSecurityUpdate
  • Use of tools like wevtutil to clear event logs and disable monitoring
  • Deletion of Volume Shadow Copies to prevent recovery
  • Outbound data transfers using legitimate tools like Rclone or WinSCP
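The indicators above can be turned into a simple host-triage check. The script below is an added example written for this page, not tooling from the group or from any vendor: it scans process-creation records (Security 4688 or Sysmon Event ID 1 style) and Run-key entries for the artifact names, persistence values, log-clearing and exfiltration tools named in the write-up, and flags hosts that show more than one distinct indicator. The vssadmin/wmic shadow-copy command forms and all sample telemetry are constructed assumptions; the page quotes neither.

```python
import re
# Host-based indicators listed in the write-up. The shadow-copy deletion command
# lines are assumed from common tradecraft; the page does not quote them.
FILE_ARTIFACTS = {"wraithnet_bot.exe", "controller_gui.exe"}
RUN_KEY_VALUES = {"SystemSecurityMonitor", "WraithNet", "WindowsSecurityUpdate"}
COMMAND_PATTERNS = {
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "shadow_copy_deletion": re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "exfil_tool": re.compile(r"\b(rclone|winscp)(\.exe)?\b", re.I),
}

def basename(path):  # lower-cased file name from a Windows path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def scan_process_events(events):
    """events: dicts with host/image/command_line, as exported from 4688 or Sysmon 1."""
    findings = []
    for ev in events:
        if basename(ev["image"]) in FILE_ARTIFACTS:
            findings.append((ev["host"], "known_file_artifact", basename(ev["image"])))
        for name, pattern in COMMAND_PATTERNS.items():
            if pattern.search(ev["command_line"]):
                findings.append((ev["host"], name, ev["command_line"]))
    return findings

def scan_run_keys(run_keys):
    """run_keys: (host, key_path, value_name, data) tuples from HKLM/HKCU ...\\Run."""
    return [(host, "persistence_run_key", f"{value} -> {data}")
            for host, _key, value, data in run_keys
            if value in RUN_KEY_VALUES or basename(data) in FILE_ARTIFACTS]

def flag_hosts(findings, min_indicators=2):
    """Hosts showing at least min_indicators distinct indicator categories."""
    per_host = {}
    for host, indicator, _detail in findings:
        per_host.setdefault(host, set()).add(indicator)
    return sorted(h for h, kinds in per_host.items() if len(kinds) >= min_indicators)

# Constructed sample telemetry (hypothetical hosts, not real incident data).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil.exe cl Security"},
    {"host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe", "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS02", "image": r"C:\ProgramData\wraithnet_bot.exe", "command_line": "wraithnet_bot.exe"},
    {"host": "FS02", "image": r"C:\Tools\rclone.exe", "command_line": r"rclone.exe copy D:\Shares remote:bucket"},
    {"host": "WS03", "image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil.exe qe Security /c:5"},  # benign query
]
SAMPLE_RUN_KEYS = [
    ("WS01", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsSecurityUpdate", r"C:\ProgramData\controller_gui.exe"),
    ("WS03", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]
```

Running `flag_hosts(scan_process_events(SAMPLE_EVENTS) + scan_run_keys(SAMPLE_RUN_KEYS))` returns the hosts worth immediate triage; a read-only `wevtutil qe` query and a legitimate Run-key entry produce no findings.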

Additional Information

  • Tengu ransomware targets organizations across multiple industries, including technology, manufacturing, and public sector entities.
  • The group employs a double-extortion strategy, combining encryption with data theft to increase leverage over victims.
  • Initial access commonly involves credential abuse and exposed remote services lacking proper authentication controls.
  • The ransomware payload is typically delivered as a .NET executable and includes functionality to disable security tools.
  • Tengu maintains a leak site where stolen data may be published if ransom demands are not met.
  • Activity has been observed globally, including regions such as the United States, Europe, Asia, and Africa.
  • Recovery can be complicated due to deliberate deletion of backups and system logs, emphasizing the importance of secure, offline backups.

Conclusion

Tengu ransomware represents a significant and evolving threat within the modern ransomware landscape. Its reliance on proven attack techniques—credential abuse, lateral movement, data exfiltration, and encryption—demonstrates that effective execution of established methods remains highly impactful. Organizations must prioritize strong access controls, continuous monitoring, and resilient backup strategies to mitigate the risk.

As specialists in ransomware recovery and cybersecurity, we provide essential services such as Ransomware Recovery Services, Ransomware Negotiation Services, and our Incident Response Retainer. Contact us today to safeguard your data and recover from cyber threats effectively.

Last updated on: March 19, 2026