Insomnia: Data-Theft Extortion Operation Targeting US Healthcare


HiveForce Labs · Threat Advisory · Attack Report


Insomnia is a data-theft-only extortion group active since October 2025 that steals sensitive patient records and publishes them for free on a Tor leak site — with no encryptor, no negotiation portal, and no affiliate program. Targeting small and mid-sized US healthcare providers, the group has claimed over 30 victims using infostealer-harvested credentials and WSUS-based lateral movement. Backups offer no protection once data leaves the environment.

Threat Level: Amber
TA Number: TA2026173
Threat Actor: Insomnia
Operation Type: Data-Theft Extortion (No Encryptor, Exposure Only)
Tradecraft: Infostealer credentials + WSUS abuse
First Seen: October 2025
Platform: Windows
Victims Claimed: 30+ (late Apr 2026)
Primary Target: US Healthcare (SMB)
Admiralty Code: B2
Publication Date: June 19, 2026

Executive Summary: Insomnia Data-Theft Extortion Group Targeting US Healthcare Providers

First Seen: October 2025
Targeted Platform: Windows
Threat Actor: Insomnia
Targeted Countries: United States (~90% of claims), Singapore, Brazil
Targeted Industries: Healthcare, Business Services & Consulting, Manufacturing, Technology, Hospitality, Financial Services, Energy, Aerospace & Defense, Legal

Insomnia is a data-theft-only extortion group active since October 2025 that operates without an encryptor, instead stealing sensitive records and publishing them for free on a Tor leak site to extort victims through the threat of exposure. The group gains entry via infostealer-harvested credentials and authentication bypass, then moves laterally using legitimate tools such as WSUS to evade detection, leaving no malicious payload behind. Targeting overwhelmingly small and mid-sized US healthcare providers, it has claimed over 30 victims — including a dermatology breach affecting more than 160,000 individuals — with the US comprising roughly nine in ten claims. Because the threat is data exposure rather than encryption, backups and disaster-recovery plans offer no remediation once records leave the environment.

⚠ Critical distinction: Insomnia deploys no ransomware or encryptor. Backup-based recovery and disaster recovery plans provide zero protection against this group's primary weapon — free public release of stolen sensitive records on its Tor data leak site.


Insomnia Threat Actor Profile: Tactics, Victimology, and Operational Infrastructure

Group Name: Insomnia
Active Since: October 2025
Operation Type: Data-Theft Extortion
Encryptor: None
Affiliate Program: None
Attribution: Suspected Russian-speaking (unconfirmed)
DLS Launch Date: October 8, 2025

Insomnia represents the broader threat ecosystem's pivot away from encryption-based ransomware toward pure data-exfiltration leverage. Unlike traditional ransomware-as-a-service operations, Insomnia maintains no affiliate program, no negotiation portal, no builder panel, and no dedicated chat infrastructure. Its sole communication channel is a single Tox ID, and its data leak site runs on a single Tor hidden service.

There is no predecessor group, forum recruitment activity, or builder advertisement preceding its October 2025 launch, and no victim overlap with any prior leak-site database — consistent with a genuinely new operation rather than a rebrand. The operation has been observed practicing direct extortion, double extortion, and free public data release, with indications it may also function as a data broker that monetizes stolen records, potentially in cooperation with separate access-as-a-service actors.

#1 — Group Model: Data-Broker Extortion Without Encryption

Insomnia is a data-theft-only extortion group that surfaced on the dark web in October 2025, operating with no encryptor, no negotiation portal, and no affiliate program. Rather than disrupting operations through encryption, the group steals sensitive records and publishes them for free download on a single Tor data leak site (DLS), relying on the threat of exposure rather than system disruption. It is best characterized as a data broker, with its model representing the broader ecosystem pivot away from encryption toward pure exfiltration leverage.

#2 — Campaign Chronology and Targeting Scope

The operation's first DLS entry is dated October 8, 2025, against a United States food and beverage company, with postings then accumulating across healthcare, legal, defense, and manufacturing sectors. There is no predecessor group, forum recruitment, or builder advertisement preceding the launch, and no victim overlap with any prior leak-site database — consistent with a genuinely new operation rather than a rebrand. Targeting patterns are consistent with Russian-speaking operators, though this assessment remains unconfirmed at this time.

#3 — Initial Access, Lateral Movement, and Infrastructure

Technically, Insomnia's initial access derives from stolen credentials harvested by infostealer malware purchased from underground markets, combined with exploitation of authentication bypass vulnerabilities, with no specific CVEs publicly attributed. For lateral movement the group abuses Windows Server Update Services (WSUS) and other legitimate administrative tooling to blend with normal IT activity, delivering no malicious payload and deploying no RMM, implant, or backdoor.

Known infrastructure is limited to a single Tor hidden service running NGINX 1.22.1 and one Tox ID — the sole communication channel — with no email, negotiation portal, or dedicated chat infrastructure, and no clear-web C2 or beaconing identified. The absence of any affiliate program, builder panel, or recruitment activity reinforces the assessment of a small, tightly controlled operation or data brokerage.

#4 — Victimology: US Healthcare SMBs as Primary Targets

Victimology skews heavily toward small and mid-sized US healthcare providers with estimated revenues of $5M–$57M and between 11 and 200 employees. The largest confirmed impact is a US dermatology practice where an autumn 2025 intrusion exposed data on over 160,000 individuals per the HHS OCR filing. Following a bulk site ingestion in early February 2026, postings averaged one to two per week, surpassing 30 victims by late April 2026, with the US accounting for roughly nine in ten claims and healthcare representing approximately one third of all targets.

#5 — End Objective: Bulk Data Theft, Extortion, and Free Public Release

The end objective is bulk theft of sensitive data followed by extortion through multiple mechanisms. Insomnia exfiltrates records including patient files, drivers' licenses, tax forms, and sensitive correspondence, then leverages the threat of disclosure — or actual free release with countdown timers — on its Tor-based leak site. The operation has been observed practicing direct extortion, double extortion, and free public data leaks. Indications suggest it may also function as a broker or platform that monetizes stolen data, potentially in cooperation with separate actors that supply initial network access. The result is a data-exposure threat that backups and disaster-recovery plans cannot remediate once records have left the environment.


Recommended Actions to Defend Against the Insomnia Data-Theft Extortion Group

01. Harden Against Infostealer-Driven Credential Access

Insomnia's access begins with valid credentials harvested by infostealers and purchased on underground markets — not malware delivery. Enforce phishing-resistant FIDO2 or hardware-token MFA across VPN, RDP, webmail, and SaaS platforms. Subscribe to infostealer log monitoring services and treat any credential surfaced in stealer logs as confirmed compromise requiring immediate remediation.

02. Close Authentication-Bypass Exposure on Edge Services

Insomnia also exploits authentication-bypass weaknesses at exposed access points, with no CVE publicly attributed. Inventory all internet-facing access services, apply patches and bypass mitigations promptly, disable legacy protocol paths that may lack MFA enforcement, and alert on any login events that skip expected MFA challenges or exhibit anomalous authentication flows.

03. Detect Credential-Based Intrusion Without Malware

Insomnia deploys no encryptor, ransom note, RMM, or backdoor; it operates interactively with the access it already holds, using legitimate credentials. Shift detection strategy to identity and behavioral signals: impossible-travel logins, off-hours access to sensitive file shares, valid accounts used outside their normal operational scope, and unusual privileged account activity.

04. Monitor and Constrain Windows Server Update Services (WSUS)

Lateral movement abuses WSUS and other sanctioned administrative tooling to blend with routine IT operations. Restrict WSUS access to tiered privileged accounts only, establish a baseline of normal WSUS usage patterns, and configure alerts on unexpected configuration changes, unusual update-package deployment activity, or WSUS access from non-standard accounts or time windows.
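The identity signals in item 03 and the WSUS controls in item 04, as an added example that is not part of the advisory: a rule-based triage over constructed sign-in and WSUS console-access events. Event field names, the tiered-account set, the business-hours window and the travel-speed threshold are assumptions.

```python
# Added example (not from the HiveForce advisory): rule-based triage of the
# identity and WSUS signals it lists. Field names, the tiered-account set,
# the business-hours window and the speed threshold are assumptions.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in / resource-access events (ISO timestamps, local time).
EVENTS = [
    dict(user="j.doe", ts="2026-04-20T09:05:00", lat=40.7, lon=-74.0, mfa=True, resource="webmail"),
    dict(user="j.doe", ts="2026-04-20T09:50:00", lat=55.7, lon=37.6, mfa=True, resource="vpn"),
    dict(user="svc.backup", ts="2026-04-21T02:30:00", lat=40.7, lon=-74.0, mfa=False, resource="phi-share"),
    dict(user="r.lee", ts="2026-04-21T14:00:00", lat=40.7, lon=-74.0, mfa=True, resource="wsus-console"),
    dict(user="wsus-admin", ts="2026-04-21T22:15:00", lat=40.7, lon=-74.0, mfa=True, resource="wsus-console"),
]
WSUS_TIER_ACCOUNTS = {"wsus-admin"}  # assumed tiered admin accounts allowed on WSUS
SENSITIVE_RESOURCES = {"phi-share"}  # assumed PHI/PII file shares
BUSINESS_HOURS = range(7, 19)        # assumed normal window: 07:00 to 18:59
MAX_KMH = 900                        # faster than an airliner: treat as impossible travel

def km(a, b):
    """Great-circle (haversine) distance in km between two events' coordinates."""
    la1, lo1, la2, lo2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def triage(events):
    """Return (user, rule) alerts in event order; one event may trip several rules."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        prev = last_seen.get(e["user"])
        if prev:  # impossible travel: implied speed since the user's previous sign-in
            hours = (t - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            if hours > 0 and km(prev, e) / hours > MAX_KMH:
                alerts.append((e["user"], "impossible-travel"))
        if not e["mfa"]:  # login that skipped the expected MFA challenge
            alerts.append((e["user"], "mfa-skipped"))
        if e["resource"] in SENSITIVE_RESOURCES and t.hour not in BUSINESS_HOURS:
            alerts.append((e["user"], "off-hours-sensitive-share"))
        if e["resource"] == "wsus-console":
            if e["user"] not in WSUS_TIER_ACCOUNTS:
                alerts.append((e["user"], "wsus-non-tiered-account"))
            elif t.hour not in BUSINESS_HOURS:
                alerts.append((e["user"], "wsus-off-hours"))
        last_seen[e["user"]] = e
    return alerts
```

Feeding real identity-provider and WSUS audit events through the same rules requires mapping their fields onto the assumed keys; the thresholds should be tuned to the organization's own baseline.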

05. Protect Against Bulk Data Exfiltration

The primary objective is bulk theft of patient files, identification documents, tax forms, and sensitive correspondence. Backups cannot remediate once data leaves the environment. Deploy Data Loss Prevention (DLP) and egress monitoring for anomalous outbound transfers, govern and restrict consumer file-sharing services, and ensure PHI and PII repositories are encrypted at rest with strict access controls.
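The anomalous-outbound-transfer signal above, as an added example that is not the advisory's own code: each host's daily outbound volume is compared with its own recent baseline, and any external destination outside a sanctioned list is flagged. Hostnames, destinations, volumes and thresholds are constructed.

```python
# Added example (not from the HiveForce advisory): per-host egress baselining
# and destination allowlisting for the anomalous-outbound-transfer signal the
# advisory recommends. Flow records, hostnames, domains and thresholds are
# constructed for this example.
from collections import defaultdict
from statistics import mean

# Constructed daily flow summaries: (host, day, external destination, bytes out).
FLOWS = [
    ("ws-radiology-07", "2026-04-14", "ehr-vendor.example", 1.2e8),
    ("ws-radiology-07", "2026-04-15", "ehr-vendor.example", 0.9e8),
    ("ws-radiology-07", "2026-04-16", "ehr-vendor.example", 1.1e8),
    ("ws-radiology-07", "2026-04-17", "ehr-vendor.example", 1.0e8),
    ("ws-radiology-07", "2026-04-18", "ehr-vendor.example", 1.3e8),
    ("ws-radiology-07", "2026-04-19", "ehr-vendor.example", 1.0e8),
    ("ws-radiology-07", "2026-04-20", "ehr-vendor.example", 1.1e8),
    ("ws-radiology-07", "2026-04-21", "files.example-share.net", 4.8e10),  # ~48 GB out
    ("ws-frontdesk-02", "2026-04-20", "ehr-vendor.example", 5.0e7),
    ("ws-frontdesk-02", "2026-04-21", "ehr-vendor.example", 6.0e7),
]
SANCTIONED = {"ehr-vendor.example"}  # assumed approved external destinations
MIN_BASELINE_DAYS = 5                # history required before a host is scored
SPIKE_FACTOR = 10                    # alert when latest day exceeds 10x the baseline mean

def daily_totals(flows):
    """Aggregate to host -> day -> bytes and host -> day -> set of destinations."""
    totals = defaultdict(lambda: defaultdict(float))
    dests = defaultdict(lambda: defaultdict(set))
    for host, day, dest, nbytes in flows:
        totals[host][day] += nbytes
        dests[host][day].add(dest)
    return totals, dests

def egress_alerts(flows):
    """Return (host, day, rule, detail) tuples for each host's most recent day."""
    alerts = []
    totals, dests = daily_totals(flows)
    for host, by_day in totals.items():
        days = sorted(by_day)
        latest, history = days[-1], [by_day[d] for d in days[:-1]]
        for dest in sorted(dests[host][latest] - SANCTIONED):
            alerts.append((host, latest, "unsanctioned-destination", dest))
        if len(history) >= MIN_BASELINE_DAYS:  # skip hosts with too little history
            base = mean(history)
            ratio = by_day[latest] / base if base else float("inf")
            if ratio > SPIKE_FACTOR:
                alerts.append((host, latest, "volume-spike", f"{ratio:.0f}x baseline"))
    return alerts
```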

06. Prepare for Exfiltration-Only Extortion Scenarios

Stolen data is released freely on the Tor leak site with countdown timers, and payment may not prevent public release. Update incident response playbooks specifically for exposure-based extortion where decryption keys are not applicable. Brief legal counsel on HHS OCR breach notification timelines under HIPAA, and actively monitor the Insomnia leak site for any posting of organizational data or references to your environment.


Indicators of Compromise (IoCs) — Insomnia Threat Actor Infrastructure

TOR Address: i62huw7ve22rpyw6lnq3kmfump2dmsg4xpveec3ere73njwatrz74gad[.]onion
TOR Address: R3keoxye5mki4fqcvlk4hpfqqzxmakchjpmem7oppynobcieamdbmcyd[.]onion
TOX ID: FA21E360945F602504728A05A39758C38B6A5B5DA1969717AF05838D14FDCD3DE17455833F11
DLS Server Banner: NGINX 1.22.1

Potential MITRE ATT&CK Techniques Associated with Insomnia Data-Theft Operations

T1650 Resource Development: Acquire Access (no sub-technique)
T1078 Initial Access: Valid Accounts (no sub-technique)
T1190 Initial Access: Exploit Public-Facing Application (no sub-technique)
T1072 Lateral Movement: Software Deployment Tools (no sub-technique; WSUS abuse observed)
T1005 Collection: Data from Local System (no sub-technique)
T1567 Exfiltration: Exfiltration Over Web Service (no sub-technique)
T1657 Impact: Financial Theft (no sub-technique)


Known Organizations Listed on the Insomnia Data Leak Site

The following organizations have been claimed as victims by the Insomnia extortion group on its Tor-based data leak site. Healthcare and medical providers are highlighted. This list reflects breach disclosures up to the date of this advisory.
