'Ransomware in focus' is our series unravelling the complexities of ransomware groups throughout the ecosystem. By detailing their business strategies, target victims, and the tactics, techniques, and procedures (TTPs) behind their operations, we hope to arm businesses with essential knowledge required to confront and overcome the challenges posed by ransomware. In this instalment, we focus on an emerging threat: that of the new IMN Crew operation.
Background
IMN Crew is a newly constituted extortion group, first identified in late March 2025. The group began as a data-extortion operation; more recently, it has also deployed payloads to encrypt data following exfiltration.
Notably, the group launched their own leak site on approximately April 15, 2025, where the group names and shames victims and enables visitors to download breached data. At the time of writing, IMN Crew has named five victims on their leak site. To date, victims have originated from the United States, Croatia and Indonesia, and from across different sectors, which is likely indicative of an opportunistic targeting strategy.
Figure 1. Image of IMN Crew leak site as of April 23, 2025
Group affiliations
Unlike other groups which emerge as a rebrand of a well-established operation, there are no confirmed associations between IMN Crew and other extortion operations to date. In one case S-RM supported, PowerShell commands used by the threat actor included references to ‘moisha’, the name of a double-extortion group which emerged in August 2022 and was known for their .NET-based ransomware. It is possible the actor previously distributed Moisha ransomware, though this connection could not be confirmed to date.
Motivations
Based on intelligence received to date, we believe that the actor is likely to be financially motivated, seeking to exfiltrate sensitive information from a target and monetize it through extortion.
Victimology
Since their emergence in March 2025, IMN Crew has targeted at least five victims based in the United States, Croatia and Indonesia. Although 40% of their attacks to date have targeted the financial services sector, the geographic spread of their victims indicates they likely opportunistically target organizations based on the availability of exposed services or unpatched vulnerabilities. So far all of IMN Crew’s victims have been small to medium-sized businesses, or organizations with fewer than 1,000 employees.
Negotiation
Due to the limited information available about the threat actor, S-RM is currently unable to determine whether IMN Crew is likely to honor negotiation commitments. The group communicates with victims through GetSession, indicating a preference for secure communication to minimize detection. This could suggest that the group’s operators have prior experience at other extortion operations, but further analysis is needed to draw definitive conclusions.
Tactics, Techniques & Procedures
Initial Access
IMN Crew’s initial access methods include the exploitation of vulnerable external perimeter services such as firewalls and virtual private networks (VPNs).
Propagation
Once within a network, IMN Crew use LaZagne to recover passwords for other accounts, which can then be leveraged. The group spend little time getting to know the network, instead using RDP to reach various machines before staging the data in .zip files and exfiltrating it with the open-source backup tool restic ('restic.exe').
Encryption
IMN Crew began as a data-extortion-only operation and only recently began to deploy payloads that encrypt data following exfiltration, appending the .imn file extension to encrypted files. It is likely that the group is using a leaked ransomware builder to conduct its operations, a tactic often seen in emerging threat groups with limited technical capabilities. To date, the group has only been observed targeting Windows-based machines.
Extortion
IMN Crew demands ransom payments in cryptocurrency, notably Bitcoin, and threatens to publish exfiltrated data on their leak site in the absence of payment. The group has not been observed to be particularly aggressive; they are well-spoken and polite, potentially taking the persona of a British or American individual. IMN Crew have not been observed employing any additional pressure tactics to secure payment in engagements supported to date.
Indicators of compromise
Indicator | Description | SHA256
Recovery Instruction.txt | Ransomware note | Hash was not retrievable.
e_win.exe | Ransomware payload | c99fe0534a5d9283fbcbe087c5d87e2ee1bcb92
Pussy-killer-v1.exe | Unknown tool downloaded to a compromised system | Hash was not retrievable.
lazagne.exe | Credential stealer | Hash was not retrievable.
list.txt | List defining the files and folders to target for exfiltration | Hash was not retrievable.
restic.exe | Open-source backup tool used for exfiltration | Hash was not retrievable.
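As a defender-side illustration of the propagation chain and the indicators above (LaZagne, staging in .zip files, restic.exe, the .imn extension and the Recovery Instruction.txt note), the following added example, which is not S-RM's code nor an IMN Crew artifact, hunts for those indicators in a constructed, simplified endpoint log and escalates hosts where more than one stage of the chain is visible. The log format, the host names, paths and timestamps, and the stage labels are assumptions made up for the example; only the indicator names come from the table.

```python
"""Hunt for IMN Crew indicators in simplified endpoint telemetry.

Added example, not S-RM's code. The log lines, hosts, paths and the
"<ts> <host> <process|file> key="value" ..." format are constructed for
this example; indicator names are taken from the article's IoC table.
"""
import re
from pathlib import PureWindowsPath

# Process image names from the IoC table, mapped to a kill-chain stage
# (stage labels are this example's own) and the table's description.
TOOL_IOCS = {
    "lazagne.exe": ("credential-theft", "credential stealer"),
    "restic.exe": ("exfiltration", "open-source backup tool used for exfiltration"),
    "e_win.exe": ("encryption", "ransomware payload"),
    "pussy-killer-v1.exe": ("unknown-tool", "unknown tool downloaded to a compromised system"),
}
RANSOM_NOTE = "recovery instruction.txt"   # compared case-insensitively
TARGET_LIST = "list.txt"                    # exfiltration target list
ENCRYPTED_EXT = ".imn"                      # extension appended to encrypted files
STAGING_EXT = ".zip"                        # data staged in archives (weak signal alone)
CHAIN_STAGES = {"credential-theft", "staging", "exfiltration", "encryption"}

EVENT_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<kind>process|file) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample telemetry: one compromised workstation, one file server
# showing the full chain, and one host with only a benign-looking archive.
LOG_LINES = [
    r'2025-04-10T09:12:01Z WS01 process image="C:\Users\svc_admin\AppData\Local\Temp\lazagne.exe" cmdline="lazagne.exe all"',
    r'2025-04-10T10:02:13Z FS01 file path="C:\Temp\stage\finance_2024.zip"',
    r'2025-04-10T10:05:40Z FS01 process image="C:\Temp\restic.exe" cmdline="restic.exe backup --files-from C:\Temp\list.txt"',
    r'2025-04-11T02:14:09Z FS01 process image="C:\Temp\e_win.exe" cmdline="e_win.exe"',
    r'2025-04-11T02:15:30Z FS01 file path="D:\Shares\Finance\Q1_report.xlsx.imn"',
    r'2025-04-11T02:15:31Z FS01 file path="D:\Shares\Finance\Recovery Instruction.txt"',
    r'2025-04-10T11:00:00Z WS02 process image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe todo.txt"',
    r'2025-04-10T11:03:22Z WS02 file path="C:\Users\bob\Documents\archive.zip"',
]


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "kind": m["kind"]}
    ev.update(dict(KV_RE.findall(m["rest"])))
    return ev


def classify(ev):
    """Return (stage, detail) findings for a single event."""
    findings = []
    if ev["kind"] == "process":
        name = PureWindowsPath(ev.get("image", "")).name.lower()
        if name in TOOL_IOCS:
            stage, desc = TOOL_IOCS[name]
            findings.append((stage, f"{name}: {desc}"))
        if TARGET_LIST in ev.get("cmdline", "").lower():
            findings.append(("staging", f"{TARGET_LIST} referenced on the command line"))
    else:
        path = PureWindowsPath(ev.get("path", ""))
        if path.suffix.lower() == ENCRYPTED_EXT:
            findings.append(("encryption", f"{path.name}: {ENCRYPTED_EXT} extension"))
        if path.name.lower() == RANSOM_NOTE:
            findings.append(("encryption", f"{path.name}: ransom note dropped"))
        if path.suffix.lower() == STAGING_EXT:
            findings.append(("staging", f"{path.name}: archive written (weak signal)"))
    return findings


def hunt(lines):
    """Group findings per host: {host: {"stages": set, "findings": [(ts, stage, detail)]}}."""
    report = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for stage, detail in classify(ev):
            entry = report.setdefault(ev["host"], {"stages": set(), "findings": []})
            entry["stages"].add(stage)
            entry["findings"].append((ev["ts"], stage, detail))
    return report


def escalate(report, min_stages=2):
    """Hosts where at least `min_stages` distinct chain stages were observed."""
    return sorted(h for h, e in report.items()
                  if len(e["stages"] & CHAIN_STAGES) >= min_stages)


if __name__ == "__main__":
    result = hunt(LOG_LINES)
    for host, entry in sorted(result.items()):
        print(f"{host}: stages={sorted(entry['stages'])}")
        for ts, stage, detail in entry["findings"]:
            print(f"  {ts} [{stage}] {detail}")
    print("escalate:", escalate(result))
```

A single .zip write is deliberately treated as a weak signal, so WS02 is reported but not escalated; FS01, where staging, the exfiltration tool and the encryption artefacts all appear, is the host that warrants immediate response. In a real deployment the same matching would run over EDR or Sysmon process-creation and file-create events rather than the constructed lines above.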