Threat Actor Profile: 0mega
Confidence Score: Low
Actor Type: Cybercriminal
Tags: ransomware, ransomware.live
First Seen: 2022-07-14 (ransomware.live firstseen; the profile card itself shows Unknown)
Last Updated: Unknown
Active Status: Active
Created: April 29, 2026
MITRE ATT&CK Techniques (7)
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': None,
'firstseen': '2022-07-14T00:20:20.176178+00:00',
'group': '0mega',
'has_negotiations': False,
'has_ransomnote': False,
'lastseen': '2024-01-25T00:00:00+00:00',
'locations': [{'available': False,
'fqdn': 'omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion',
'slug': 'http://omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion',
'title': '0mega | Blog',
'type': 'DLS'},
{'available': True,
'fqdn': '0mega.cc',
'slug': 'http://0mega.cc',
'title': 'Redirecting...',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': False,
'locations': [{'available': False,
'fqdn': 'omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion',
'slug': 'http://omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion',
'title': '0mega | Blog',
'type': 'DLS'},
{'available': True,
'fqdn': '0mega.cc',
'slug': 'http://0mega.cc',
'title': 'Redirecting...',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'ransomware_live_group': '0mega',
'tools': {},
'url': 'https://www.ransomware.live/group/0mega',
'victims': 7,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'Access was obtained through '
'the compromise of global '
'Microsoft SaaS administrator '
'accounts that were weakly '
'protected.',
'technique_id': 'T1078',
'technique_name': 'Valid Accounts'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'After gaining initial access, '
'the group created a new user '
'in Azure AD (now Microsoft '
'Entra ID) named "0mega" and '
'assigned it multiple '
'administrator roles (e.g., '
'Global Administrator, '
'SharePoint Administrator) to '
'maintain maximum control.',
'technique_id': 'T1136.003',
'technique_name': 'Create Account: Cloud Account'}]},
{'tactic_id': 'TA0009',
'tactic_name': 'Collection',
'techniques': [{'technique_details': 'The group collected sensitive '
'data using the obtained '
'permissions.',
'technique_id': 'T1119',
'technique_name': 'Automated Collection'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
'techniques': [{'technique_details': 'Data was exfiltrated from '
'environments such as the '
"victim's SharePoint, "
'consistent with a double '
'extortion tactic.',
'technique_id': 'T1041',
'technique_name': 'Exfiltration Over C2 Channel'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'The group systematically '
'deleted over 220 corporate '
'administrator accounts within '
'a two-hour period, impairing '
"the victim's ability to "
'respond and recover.',
'technique_id': 'T1531',
'technique_name': 'Account Access Removal'},
{'technique_details': 'The attack used AES-256 or '
'RSA encryption on critical '
'files after network mapping, '
'blocking legitimate access. '
'In some cases, the focus was '
'solely on exfiltration and '
'extortion without encryption.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'},
{'technique_details': 'The ransomware searched for '
'and disabled connected or '
'online backups to prevent '
'quick data recovery without '
'paying the ransom.',
'technique_id': 'T1490',
'technique_name': 'Inhibit System Recovery'}]}],
'url': 'https://www.ransomware.live/group/0mega',
'victims': 7,
'vulnerabilities': []}
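Two of the TTPs above are directly detectable from tenant audit logs: a freshly created cloud account receiving Global Administrator within minutes (Create Account: Cloud Account), and one actor deleting hundreds of administrator accounts inside a two-hour window (Account Access Removal). The following is an added example, not part of this profile or of the ransomware.live record, that runs both detections over constructed audit events. The event schema, account names, role list, 24-hour "new account" window and 20-deletions-per-2-hours threshold are all assumptions; the operation names mirror Entra ID audit-log operations ("Add user", "Add member to role", "Delete user") but the events themselves are fabricated for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Roles whose assignment to a brand-new account is worth an alert (assumed list; tune per tenant).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "SharePoint Administrator",
    "Exchange Administrator",
    "Privileged Role Administrator",
}


def _ts(s):
    """Parse a Zulu ISO-8601 timestamp (e.g. 2024-01-20T01:00:00Z) into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _event(time, op, actor, target, role=None):
    """Minimal audit event: who (actor) did what (op) to whom (target), with an optional role."""
    return {"time": time, "op": op, "actor": actor, "target": target, "role": role}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Compromised admin creates "0mega" and grants it two admin roles within minutes.
    _event("2024-01-20T01:00:00Z", "Add user", "admin@corp.example", "0mega@corp.example"),
    _event("2024-01-20T01:03:00Z", "Add member to role", "admin@corp.example",
           "0mega@corp.example", "Global Administrator"),
    _event("2024-01-20T01:05:00Z", "Add member to role", "admin@corp.example",
           "0mega@corp.example", "SharePoint Administrator"),
    # Benign: a new hire is created and gets a read-only role two days later.
    _event("2024-01-20T02:00:00Z", "Add user", "hr@corp.example", "newhire@corp.example"),
    _event("2024-01-22T09:00:00Z", "Add member to role", "admin@corp.example",
           "newhire@corp.example", "Global Reader"),
    # Benign: two offboarding deletions hours apart.
    _event("2024-01-20T10:00:00Z", "Delete user", "hr@corp.example", "leaver1@corp.example"),
    _event("2024-01-20T16:00:00Z", "Delete user", "hr@corp.example", "leaver2@corp.example"),
]
# The new account deletes 30 admin accounts, one every three minutes (87 minutes in total).
_start = _ts("2024-01-20T03:00:00Z")
SAMPLE_EVENTS += [
    _event((_start + timedelta(minutes=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
           "Delete user", "0mega@corp.example", f"admin{i:02d}@corp.example")
    for i in range(30)
]


def new_privileged_accounts(events, window=timedelta(hours=24)):
    """T1136.003: a privileged role granted to an account created less than `window` earlier.
    Returns [(target, role, granting_actor, minutes_since_creation), ...] in time order."""
    created, hits = {}, []
    for e in sorted(events, key=lambda e: _ts(e["time"])):
        t = _ts(e["time"])
        if e["op"] == "Add user":
            created[e["target"]] = t
        elif e["op"] == "Add member to role" and e["role"] in PRIVILEGED_ROLES:
            born = created.get(e["target"])
            if born is not None and t - born <= window:
                hits.append((e["target"], e["role"], e["actor"],
                             int((t - born).total_seconds() // 60)))
    return hits


def mass_account_deletion(events, threshold=20, window=timedelta(hours=2)):
    """T1531: sliding-window count of "Delete user" per initiating actor.
    Returns {actor: peak_deletions_within_window} for actors at or above `threshold`."""
    per_actor = defaultdict(list)
    for e in events:
        if e["op"] == "Delete user":
            per_actor[e["actor"]].append(_ts(e["time"]))
    alerts = {}
    for actor, times in per_actor.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > window:  # drop deletions that fell out of the window
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts


def triage(events):
    """Run both detections; an account that is both newly privileged and mass-deleting is the strongest signal."""
    priv = new_privileged_accounts(events)
    dels = mass_account_deletion(events)
    suspects = {target for target, *_ in priv} & set(dels)
    return {"new_privileged": priv, "mass_deletion": dels, "suspects": sorted(suspects)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

The same two checks translate into Sentinel KQL over the AuditLogs table: join "Add user" to "Add member to role" on the target user principal with a short time gap, and summarize "Delete user" by InitiatedBy over bin(TimeGenerated, 2h). The deletion threshold should sit well above the tenant's normal offboarding rate; the 220-in-two-hours figure in this profile is two orders of magnitude above what a human administrator does by hand.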