A nascent ransomware group, identifying as Genesis, has escalated its activities by publicly naming several U.S. companies as its latest victims. The group, first observed in October 2025, operates a data leak site on the dark web where it practices double extortion. On July 5, 2026, the real estate firm Dunagan Associates, healthcare provider East Texas Family Medicine, and digital marketing agency Synergy Interactive were added to the list. This tactic of naming and shaming is designed to pressure victims into paying a ransom by threatening the public release of stolen data. The group's focus on small to mid-sized organizations handling sensitive data indicates a strategic approach to maximize leverage.
The Genesis ransomware group represents an emerging threat in the digital extortion landscape. Their primary modus operandi is double extortion. This involves two phases: first, the attackers exfiltrate large volumes of sensitive data from the victim's network (T1567). Second, they deploy their ransomware to encrypt files across the compromised systems (T1486).
The ransom demand is then accompanied by a threat to publish the stolen data on their leak site, rendering data backups insufficient as a sole defense. This strategy is particularly effective against organizations in regulated industries like healthcare (East Texas Family Medicine), which face severe penalties for data breaches. Initial access is believed to be gained through common vectors such as phishing or the use of stolen credentials.
While the exact technical details of the Genesis ransomware payload are not fully public, the attack lifecycle follows a well-established pattern for double extortion groups:
The impact on victims like Dunagan Associates and East Texas Family Medicine is multi-faceted. Operationally, they face significant downtime and disruption. Financially, they must contend with the cost of incident response, recovery, and potentially the ransom payment itself. For East Texas Family Medicine, the breach of patient data could trigger regulatory fines under HIPAA and severe reputational damage. The public listing of victims on the Genesis leak site immediately harms brand reputation and can erode customer and partner trust.
No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source articles.
Security teams can hunt for precursors to a Genesis-style ransomware attack by searching for the following:
command_line_patternrclone.exe or megasync.exenetwork_traffic_patternprocess_namemimikatz.exe, lsass.exe (accessed by unusual process)command_line_patternnet group "Domain Admins" /domainvssadmin), rapid file encryption (file entropy changes), and credential dumping from lsass.exe.Provides a defense-in-depth layer against phishing, a common initial access vector for ransomware groups.
Prevents attackers from using stolen credentials to access corporate resources, significantly hardening the perimeter.
Limits the blast radius of a ransomware attack by preventing its spread from less-critical network segments to high-value assets.
The Genesis ransomware group is first observed in the wild.
Initial breach of Dunagan Associates reportedly occurs.
Genesis adds Dunagan Associates, East Texas Family Medicine, and Synergy Interactive to its data leak site.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.