Tengu Ransomware: What Security Teams Need to Know

March 12, 2026

Tengu is a Ransomware-as-a-Service (RaaS) operation that surfaced in October 2025 and has nearly 50 publicly claimed victims across multiple continents and sectors. Its playbook reads like a checklist of modern enterprise ransomware tradecraft: steal credentials, move laterally, exfiltrate everything valuable, encrypt, and extort.

Here’s a practical breakdown of Tengu’s tactics, infrastructure, and what security teams can do about it.

For the full details about Tengu ransomware, read Senior Threat Intelligence Researcher Tammy Harper’s report.

Threat Exposure Management

Identify the Exposures RaaS Affiliates Exploit

The Flare Threat Exposure Management platform helps security teams identify external exposures — like leaked credentials and compromised access — that threat actors, including RaaS affiliates, commonly exploit to gain initial footholds. See what’s exposed for your organization by signing up for a free trial.

Leaked credential & stealer log monitoring
Compromised access & initial access broker detection

Who Tengu Targets

As of early March 2026, leak-site monitoring data tracks 49 publicly claimed victims. The most-represented sectors include technology, manufacturing, agriculture/food, and public sector organizations. Geographically, victims span Morocco, India, the United States, Mexico, and Indonesia, among others.

The takeaway: Tengu isn’t focused on a single industry or region. Organizations with exposed remote access and weak credential hygiene are the common thread.

How Tengu Operates: The Intrusion Lifecycle

Tengu follows a hands-on-keyboard, double-extortion model. Affiliates conduct the intrusions while a core team maintains the ransomware payload and extortion infrastructure.

Initial Access

The consistent pattern across reporting is valid-account abuse against exposed remote services, such as RDP and VPN endpoints without multifactor authentication (MFA). Phishing and exploitation of public-facing applications are assessed as plausible secondary vectors, though specific lures or CVEs haven’t been publicly tied to Tengu intrusions.

Execution and Defense Evasion

Once inside, Tengu affiliates lean heavily on living-off-the-land binaries (LOLBins). PowerShell and cmd are the primary execution vehicles. Defense evasion tactics include:

  • Disabling Microsoft Defender via PowerShell (Set-MpPreference abuse)
  • Clearing Windows event logs using wevtutil cl
  • Tampering with security services (sc config … start= disabled)

Sandbox analysis of a publicly available Tengu-associated sample confirms these behaviors directly.

Persistence

Tengu establishes persistence through:

  • Registry Run keys with telling value names: SystemSecurityMonitor, WraithNet, and WindowsSecurityUpdate, all pointing to executables in user temp directories
  • Scheduled tasks created via schtasks.exe

Credential Access and Lateral Movement

LSASS dumping is described as standard Tengu tradecraft for harvesting credentials, enabling privilege escalation and lateral movement across the network using compromised admin accounts. The exact tooling hasn’t been fully disclosed in public reporting.

Exfiltration and Encryption

This is where double extortion kicks in:

  1. Stage and compress targeted data
  2. Exfiltrate using Rclone and WinSCP over encrypted channels to cloud storage
  3. Deploy the encryptor, described as a .NET payload, appending the .tengu extension to encrypted files
  4. Inhibit recovery by deleting Volume Shadow Copies (vssadmin delete shadows /all /quiet) and clearing logs
  5. Drop ransom notes directing victims to Tor-based negotiation portals and threatening data publication on a dedicated leak site

Key Indicators and Host Artifacts

The most reliable detection pivots are host-based, since network IOCs beyond Tor infrastructure are sparse in public reporting.

File System Artifacts

Tengu drops several files to C:\Windows\System32\:

  • wraithnet_bot.exe
  • controller_gui.exe
  • controller_console.exe
  • wraithnet.log

Registry Persistence

  • HKLM\…\Run\SystemSecurityMonitor
  • HKCU\…\Run\WraithNet
  • HKCU\…\Run\WindowsSecurityUpdate

All point to executables in user temp directories.

Ransom Notes

Two note variants have been publicly archived:

  • TENGU.README.txt — uses “TENGU Locker” branding
  • [rand].README.txt — includes a per-victim Ticket ID

Both direct victims to Tor-based negotiation portals.

Known Malware Sample

  • SHA-256: fafb6c5e12dfeefaba5ac8982d5bb13dd206cfcd328b9d36aa87257f762ee24a
  • MD5: dfbc9412be99b25137ab6ab575489a93

Flagged as an unsigned .NET executable with code to disable Defender. Notably, this same hash is labeled as “SalatStealer” on ThreatFox while exhibiting ransomware behaviors in sandbox analysis, suggesting possible multi-use tooling or classification overlap between credential-theft and ransomware ecosystems.

Practical Recommendations for Security Teams

These are ordered by impact, targeting the access patterns and post-compromise behaviors that define Tengu intrusions.

Harden Remote Access

Since exposed remote services combined with valid credentials are Tengu’s primary foothold, security teams can focus on:

  • Enforcing phishing-resistant MFA (FIDO2/WebAuthn) for all remote access and privileged accounts
  • Eliminating direct internet exposure of RDP
  • Implementing conditional access policies and monitoring for anomalous logins (impossible travel, first-time devices, unusual admin authentication)

Detect Post-Compromise Behaviors

Security teams can build detections around Tengu’s most visible behaviors:

  • Event log clearing (wevtutil cl) correlated with other admin tool abuse — this is a strong “imminent impact” signal
  • Defender/EDR impairment via PowerShell or suspicious service configuration changes
  • Run-key persistence matching known value names (WraithNet, SystemSecurityMonitor, WindowsSecurityUpdate) and execution from user temp directories
  • Suspicious scheduled task creation (schtasks.exe) from non-standard parent processes
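As an added example (not code from Flare or from the report), the following Python triage routine turns the behaviors listed above, together with the Run-key persistence artifacts from the Persistence section, into matchable rules and runs them over constructed Sysmon-style records. Hostnames, user paths and the event layout are assumed for illustration; the "imminent impact" flag is raised only when log clearing co-occurs with other admin-tool abuse on the same host, as the text describes.

```python
import re

# Constructed sample records (hypothetical hosts/paths, not from the report):
# (host, event_type, detail); detail is a command line or "key\value -> data".
SAMPLE_EVENTS = [
    ("WS01", "process", r"powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS01", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WraithNet -> "
                         r"C:\Users\j.doe\AppData\Local\Temp\wraithnet_bot.exe"),
    ("WS01", "process", r"sc config WinDefend start= disabled"),
    ("WS01", "process", r"wevtutil cl Security"),
    ("WS01", "process", r"vssadmin delete shadows /all /quiet"),
    ("WS02", "process", r"C:\Program Files\Git\usr\bin\ls.exe -la"),
    ("WS02", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive -> "
                         r"C:\Users\a.smith\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

# Process-creation behaviors called out in the report, as regexes over the command line.
PROCESS_RULES = {
    "defender_impair": re.compile(r"Set-MpPreference\s+-Disable", re.I),
    "service_disable": re.compile(r"\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled", re.I),
    "log_clear": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "shadow_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "exfil_tool": re.compile(r"\b(rclone|winscp)(\.exe)?\b", re.I),
}
# Run-key value names reported for Tengu, plus the "executable in a user temp dir" trait.
RUN_KEY_NAMES = {"systemsecuritymonitor", "wraithnet", "windowssecurityupdate"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\([^\\ ]+)\s*->\s*(.+)$", re.I)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\.*?\\Temp\\", re.I)

def classify(event_type, detail):
    """Return the names of every rule a single event matches."""
    hits = []
    if event_type == "process":
        hits += [name for name, rx in PROCESS_RULES.items() if rx.search(detail)]
    elif event_type == "registry":
        m = RUN_KEY.search(detail)
        if m and (m.group(1).lower() in RUN_KEY_NAMES or USER_TEMP.search(m.group(2))):
            hits.append("run_key_persistence")
    return hits

def triage(events):
    """Group rule hits per host; flag imminent impact when log clearing is
    correlated with at least one other admin-tool abuse on the same host."""
    per_host = {}
    for host, etype, detail in events:
        for rule in classify(etype, detail):
            per_host.setdefault(host, set()).add(rule)
    return {host: {"rules": sorted(rules),
                   "imminent_impact": "log_clear" in rules and len(rules) > 1}
            for host, rules in per_host.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```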

Control Exfiltration Channels

Rclone and WinSCP are explicitly called out as exfiltration tools. Security teams can restrict or monitor these tools where they aren’t part of standard operations, and layer in DLP or UEBA detections for bulk outbound transfers.

Protect Backup Infrastructure

Recovery inhibition (shadow copy deletion, log clearing) is a core part of Tengu’s playbook. Maintaining offline, segmented backups with separate admin credentials and routinely testing restoration is a direct counter to this tactic.

What We Don’t Know Yet

Several intelligence gaps remain open:

  • Encryption specifics are undisclosed: ransom notes use vague “military-grade” language, but no public reverse-engineering report details the actual cryptographic implementation
  • Initial access details beyond “valid accounts and exposed remote services” are limited — no specific CVEs, phishing lures, or credential sources have been publicly attributed
  • The relationship between WraithNet artifacts and the encryptor is ambiguous: it’s unclear whether these are operator tooling, part of the encryption chain, or separate components entirely
  • The SalatStealer/ransomware classification overlap for the known sample raises questions about shared toolchains or ecosystem connections that haven’t been fully explored

Main Takeaway for Security Teams

Tengu isn’t reinventing the wheel. Its effectiveness comes from consistent execution of well-known tactics: credential abuse, LOLBin execution, bulk exfiltration with legitimate tools, and aggressive recovery inhibition. For security teams, the good news is that the same fundamentals that counter other modern ransomware operations — strong MFA on remote access, endpoint detection tuned to defense evasion behaviors, egress monitoring, and resilient backup infrastructure — directly address Tengu’s documented tradecraft.

For the full details, read Senior Threat Intelligence Researcher Tammy Harper’s report.
