Ransomware Group "Genesis" Claims Multiple Victims in Double Extortion Campaign

New Ransomware Group 'Genesis' Emerges, Claiming Attacks on Healthcare, Real Estate, and Tech Firms

HIGH
July 6, 2026
4m read
RansomwareThreat ActorData Breach

Impact Scope

Affected Companies

Dunagan AssociatesEast Texas Family MedicineSynergy Interactive

Industries Affected

HealthcareTechnologyOther

Geographic Impact

United States (national)

Related Entities

Threat Actors

Genesis

Other

Dunagan AssociatesEast Texas Family MedicineSynergy Interactive

Full Report

Executive Summary

A nascent ransomware group, identifying as Genesis, has escalated its activities by publicly naming several U.S. companies as its latest victims. The group, first observed in October 2025, operates a data leak site on the dark web where it practices double extortion. On July 5, 2026, the real estate firm Dunagan Associates, healthcare provider East Texas Family Medicine, and digital marketing agency Synergy Interactive were added to the list. This tactic of naming and shaming is designed to pressure victims into paying a ransom by threatening the public release of stolen data. The group's focus on small to mid-sized organizations handling sensitive data indicates a strategic approach to maximize leverage.

Threat Overview

The Genesis ransomware group represents an emerging threat in the digital extortion landscape. Their primary modus operandi is double extortion. This involves two phases: first, the attackers exfiltrate large volumes of sensitive data from the victim's network (T1567). Second, they deploy their ransomware to encrypt files across the compromised systems (T1486).

The ransom demand is then accompanied by a threat to publish the stolen data on their leak site, rendering data backups insufficient as a sole defense. This strategy is particularly effective against organizations in regulated industries like healthcare (East Texas Family Medicine), which face severe penalties for data breaches. Initial access is believed to be gained through common vectors such as phishing or the use of stolen credentials.

Technical Analysis

While the exact technical details of the Genesis ransomware payload are not fully public, the attack lifecycle follows a well-established pattern for double extortion groups:

  1. Initial Access: Likely achieved through Phishing (T1566) or using compromised credentials purchased from the dark web to access remote services like RDP or VPN (T1078).
  2. Reconnaissance and Lateral Movement: Once inside, the attackers map the network, identify critical data stores, and escalate privileges, often using legitimate tools to blend in.
  3. Data Staging and Exfiltration: Sensitive files are collected and compressed into archives, then exfiltrated to attacker-controlled cloud storage (T1537). This stage is critical for the double extortion threat.
  4. Impact: The Genesis ransomware is deployed across the network, encrypting files and leaving a ransom note with instructions for payment and a link to their leak site.

Impact Assessment

The impact on victims like Dunagan Associates and East Texas Family Medicine is multi-faceted. Operationally, they face significant downtime and disruption. Financially, they must contend with the cost of incident response, recovery, and potentially the ransom payment itself. For East Texas Family Medicine, the breach of patient data could trigger regulatory fines under HIPAA and severe reputational damage. The public listing of victims on the Genesis leak site immediately harms brand reputation and can erode customer and partner trust.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams can hunt for precursors to a Genesis-style ransomware attack by searching for the following:

Type
command_line_pattern
Value
rclone.exe or megasync.exe
Description
Use of legitimate file transfer tools for data exfiltration. Often executed from non-standard directories.
Type
network_traffic_pattern
Value
Sustained, large outbound data flows from internal workstations or servers to unfamiliar IP addresses or cloud services.
Description
Type
process_name
Value
mimikatz.exe, lsass.exe (accessed by unusual process)
Description
Credential dumping activity.
Type
command_line_pattern
Value
net group "Domain Admins" /domain
Description
Reconnaissance commands used to identify privileged accounts.

Detection & Response

  • Data Exfiltration Detection: Deploy tools that monitor for large, anomalous outbound data transfers. Set alerts for traffic to known anonymous file-sharing sites. D3FEND's User Data Transfer Analysis (D3-UDTA) can be applied here.
  • Endpoint Detection and Response (EDR): Configure EDR to detect and block common ransomware behaviors, such as the deletion of Volume Shadow Copies (vssadmin), rapid file encryption (file entropy changes), and credential dumping from lsass.exe.
  • Decoy Files and Accounts: Place decoy files (honeypots) on file shares and monitor for access. Any interaction with these files is a high-confidence indicator of malicious activity.

Mitigation

  • Immutable Backups (3-2-1 Rule): While not a defense against data leaks, having robust, tested, and offline/immutable backups is crucial for recovery from the encryption portion of the attack.
  • Network Segmentation: Segment the network to prevent attackers from easily moving from a compromised workstation to critical servers.
  • Phishing-Resistant MFA: Implement phishing-resistant MFA (e.g., FIDO2) for all remote access and for access to sensitive applications to counter credential theft.
  • Principle of Least Privilege: Ensure user accounts only have the permissions necessary for their roles to limit the impact of a compromised account.

Timeline of Events

1
October 1, 2025
The Genesis ransomware group is first observed in the wild.
2
July 3, 2026
Initial breach of Dunagan Associates reportedly occurs.
3
July 5, 2026
Genesis adds Dunagan Associates, East Texas Family Medicine, and Synergy Interactive to its data leak site.
4
July 6, 2026
This article was published

MITRE ATT&CK Mitigations

Provides a defense-in-depth layer against phishing, a common initial access vector for ransomware groups.

Prevents attackers from using stolen credentials to access corporate resources, significantly hardening the perimeter.

Limits the blast radius of a ransomware attack by preventing its spread from less-critical network segments to high-value assets.

Audit

M1047enterprise

Enables detection of precursor activities like reconnaissance and data staging through comprehensive logging and monitoring.

Timeline of Events

1
October 1, 2025

The Genesis ransomware group is first observed in the wild.

2
July 3, 2026

Initial breach of Dunagan Associates reportedly occurs.

3
July 5, 2026

Genesis adds Dunagan Associates, East Texas Family Medicine, and Synergy Interactive to its data leak site.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

ransomwaregenesisdouble extortiondata breachhealthcare

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.