Threat Actor Profile
Low Cybercriminal
Description

According to PCrisk, Exorcist is a ransomware-type malicious program. Systems infected with this malware experience data encryption and users receive ransom demands for decryption. During the encryption process, all compromised files are appended with an extension consisting of a random string of characters. For example, a file originally named "1.jpg" could appear as something similar to "1.jpg.rnyZoV" following encryption. After this process is complete, Exorcist ransomware changes the desktop wallpaper and drops HTML applications - "[random-string]-decrypt.hta" (e.g. "rnyZoV-decrypt.hta") - into affected folders. These files contain identical ransom messages.

Confidence Score
100%
Tags
ransomware ransomware.live
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

STIX Data
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'According to PCrisk, Exorcist is a ransomware-type malicious '
                'program. Systems infected with this malware experience data '
                'encryption and users receive ransom demands for decryption. '
                'During the encryption process, all compromised files are '
                'appended with an extension consisting of a ransom string of '
                'characters.For example, a file originally named "1.jpg" could '
                'appear as something similar to "1.jpg.rnyZoV" following '
                'encryption. After this process is complete, Exorcist '
                'ransomware changes the desktop wallpaper and drops HTML '
                'applications - "[random-string]-decrypt.hta" (e.g. '
                '"rnyZoV-decrypt.hta") - into affected folders. These files '
                'contain identical ransom messages.',
 'firstseen': None,
 'group': 'exorcist',
 'has_negotiations': False,
 'has_ransomnote': False,
 'lastseen': None,
 'locations': [{'available': False,
                'fqdn': '7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion',
                'slug': 'http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion',
                'title': '',
                'type': 'DLS'}],
 'negotiation_count': 0,
 'ransomnotes_count': 0,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': False,
                     'locations': [{'available': False,
                                    'fqdn': '7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion',
                                    'slug': 'http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion',
                                    'title': '',
                                    'type': 'DLS'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 0,
                     'ransomware_live_group': 'exorcist',
                     'tools': {},
                     'url': 'https://www.ransomware.live/group/exorcist',
                     'victims': 0,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {},
 'ttps': [],
 'url': 'https://www.ransomware.live/group/exorcist',
 'victims': 0,
 'vulnerabilities': []}