Dark Web Profile: BravoX Ransomware

BravoX is a newly observed Ransomware-as-a-Service (RaaS) operation that publicly surfaced on January 23, 2026, after posting a Tor address on the RAMP forum and launching a Tor-based data leak site. The operation currently lists three alleged U.S. victims (two healthcare, one retail) and is advertising a selective affiliate model to scale its activities.

Key Points

  • BravoX publicly appeared on January 23, 2026, by publishing a Tor address on the RAMP forum and shortly afterward deploying a Tor-based data leak site (DLS).
  • The group’s DLS lists three alleged victims located in the United States, including two healthcare organizations and one retail organization.
  • BravoX markets itself as a selective RaaS operation with strict affiliate requirements: proof of access to unpublished data from targets with >$5M revenue, a financial deposit on another forum, or trusted recommendations.
  • The operator emphasizes secrecy, proof-based extortion, and non-engagement with CIS-based targets—phrasing similar to Russian-speaking ransomware groups and likely intended as signaling.
  • Current activity is low-volume and early-stage, suggesting the group is focused on reputation-building and selective disclosures rather than large-scale campaigns.
  • SOCRadar monitoring and Threat Actor Intelligence enable continuous visibility into BravoX’s Tor-based leak site, affiliate recruitment posts, forum registrations, and potential infrastructure reuse or links to other actors.

MITRE Techniques

  • No MITRE ATT&CK techniques are explicitly mentioned in the article.

Indicators of Compromise

  • [Onion domain] Tor-based data leak site – Tor address published on RAMP forum (specific .onion URL not disclosed in the article)
  • [Forum account/registration] RAMP forum presence – BravoX registered on RAMP in September 2025 and announced the Tor address on January 23, 2026 (no account handle provided)
  • [Victim identifiers] Alleged victims listed on DLS – three U.S. victims: two healthcare organizations and one retail organization (victim names not disclosed)


Read more: https://socradar.io/blog/dark-web-profile-bravox-ransomware/