Inside Tengu: How an emerging ransomware operation exploits familiar weaknesses
Tengu is a ransomware-as-a-service (RaaS) operation that emerged in late 2025 and has quickly established a consistent and effective attack pattern.
While it does not yet have the profile of more established groups, its activity reflects a broader reality: modern ransomware operations do not need sophisticated exploits to succeed. They rely on dependable access and disciplined execution.
Although reporting remains limited, early observations suggest Tengu follows a familiar ransomware playbook seen across multiple active groups.
If you are reading this because you have just experienced a ransomware incident and are unsure how to deal with it, contact Zensec immediately.
How Tengu attacks
Tengu appears to follow a well-understood ransomware lifecycle, executed with consistency rather than technical novelty. The most credible reporting points to initial access via exposed remote services, particularly RDP, through brute force or abuse of valid accounts. There are also references to activity involving Fortinet environments, suggesting attackers may target exposed network infrastructure where controls are weak.
Once inside, operators move quickly to understand the environment. Observed activity includes standard discovery commands and enumeration of network resources. Lateral movement has been associated with SMB-based techniques and tooling such as NetExec (the successor to CrackMapExec), allowing attackers to expand access across systems.
There are also indications of remote access tooling such as ScreenConnect being used, which can provide persistent and interactive control of compromised environments.
As with many ransomware operations, data theft is likely to occur before encryption, although specific tooling used by Tengu for exfiltration is not consistently evidenced across sources.
The final stage combines encryption with disruption. This typically includes actions designed to limit recovery and increase pressure on the victim. Ransom notes direct victims to Tor-based portals for negotiation and reference the threat of data exposure.
Why it works
Tengu’s effectiveness is not based on innovation, but on consistency.
By focusing on exposed services and weak credential security, attackers can gain access without relying on complex exploits. This reduces noise and increases the likelihood of success.
Once inside, activity often blends with legitimate administration. Standard tools and protocols are used to move laterally, making it difficult to distinguish malicious behaviour from routine operations.
At the same time, attackers work to maintain control and reduce visibility, giving them time to complete their objectives before detection.
The gap it exploits
Tengu highlights a recurring issue across many organisations. Security controls often exist, but they are not consistently applied or effectively monitored.
Remote access is frequently exposed more widely than intended, and MFA coverage is not always comprehensive. Where credentials are weak or reused, attackers only need a valid login, or sufficient time to brute-force one.
Detection is often delayed because malicious activity resembles legitimate administration. Without strong visibility and correlation across identity, endpoint, and network data, early indicators are missed or deprioritised.
Common weaknesses include gaps in identity and access management, limited visibility across remote access and lateral movement, and insufficient monitoring of administrative activity.
What defenders should do
Tengu does not introduce a new problem. It reinforces an existing one. Attackers are succeeding by exploiting gaps between controls rather than bypassing them entirely.
Organisations should prioritise strengthening remote access controls, ensuring services such as RDP and VPN are not unnecessarily exposed and are protected by strong MFA. Where possible, access should be restricted to a small number of monitored entry points (for example a VPN concentrator or jump host) rather than individual hosts exposed directly.
Detection should focus on behaviour rather than specific tools. Indicators such as repeated login attempts, unusual remote access patterns, and unexpected lateral movement should be treated as high priority signals.
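The three signals above can be expressed as simple behavioural rules over authentication events without reference to any particular tool. The following is an added example written for this page, not Zensec detection content or a Tengu artefact. The log lines are constructed and embedded in the script; the field layout (timestamp, host, Windows event ID 4624/4625, logon type, account, source IP) is an assumption that mirrors Windows Security events exported as JSON, and the thresholds and window sizes are illustrative values to tune per environment.

```python
"""Behavioural detections for the ransomware access pattern described above.

Added example, not the page's or the vendor's own code. Field layout and
thresholds are assumptions; events are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failed RDP logons from one source before alerting
FAIL_WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 3           # distinct hosts one account reaches over the network
FANOUT_WINDOW = timedelta(minutes=15)
RDP_LOGON = 10                 # Windows LogonType 10 = RemoteInteractive (RDP)
NETWORK_LOGON = 3              # Windows LogonType 3 = network (SMB, WinRM, ...)


def _ev(ts, host, event_id, logon_type, account, src_ip):
    """Build one constructed JSON log line (assumed export format)."""
    return json.dumps({"ts": ts, "host": host, "event_id": event_id,
                       "logon_type": logon_type, "account": account,
                       "src_ip": src_ip})


# Constructed sample: benign activity, then an RDP brute force from 203.0.113.7
# that ends in a valid logon, then that account fanning out over SMB.
SAMPLE_LOG = (
    [_ev("2025-11-03T08:55:00", "RDP-GW01", 4624, 10, "jsmith", "10.0.0.50"),
     _ev("2025-11-03T08:58:00", "FS01", 4624, 3, "jsmith", "10.0.0.50")]
    + [_ev(f"2025-11-03T09:00:{s:02d}", "RDP-GW01", 4625, 10,
           "administrator", "203.0.113.7") for s in range(0, 60, 10)]
    + [_ev("2025-11-03T09:01:10", "RDP-GW01", 4624, 10, "svc_backup", "203.0.113.7")]
    + [_ev(f"2025-11-03T09:0{m}:00", h, 4624, 3, "svc_backup", "10.0.0.15")
       for m, h in ((5, "FS01"), (6, "FS02"), (7, "DC01"))]
)


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events):
    """Alert when one source produces >= FAIL_THRESHOLD RDP failures inside
    FAIL_WINDOW; raise a second alert if that source then logs in successfully
    (the 'brute force, then valid account' pattern)."""
    failures = defaultdict(list)   # src_ip -> timestamps of recent 4625 RDP events
    flagged, alerts = set(), []
    for e in events:
        if e["logon_type"] != RDP_LOGON:
            continue
        src = e["src_ip"]
        if e["event_id"] == 4625:
            failures[src] = [t for t in failures[src] if e["ts"] - t <= FAIL_WINDOW]
            failures[src].append(e["ts"])
            if len(failures[src]) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("rdp_brute_force", src, e["host"], e["ts"]))
        elif e["event_id"] == 4624 and src in flagged:
            alerts.append(("rdp_brute_force_success", src, e["account"], e["ts"]))
    return alerts


def detect_lateral_fanout(events):
    """Alert when one account authenticates over the network to
    >= FANOUT_THRESHOLD distinct hosts inside FANOUT_WINDOW, the shape an
    SMB spray with NetExec-style tooling leaves in the logs."""
    seen = defaultdict(list)       # account -> [(ts, host)] within the window
    flagged, alerts = set(), []
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != NETWORK_LOGON:
            continue
        acct = e["account"]
        seen[acct] = [(t, h) for t, h in seen[acct] if e["ts"] - t <= FANOUT_WINDOW]
        seen[acct].append((e["ts"], e["host"]))
        hosts = {h for _, h in seen[acct]}
        if len(hosts) >= FANOUT_THRESHOLD and acct not in flagged:
            flagged.add(acct)
            alerts.append(("lateral_fanout", acct, sorted(hosts), e["ts"]))
    return alerts


def run(lines=SAMPLE_LOG):
    """Run both detections over a list of JSON log lines and return the alerts."""
    events = parse_events(lines)
    return detect_brute_force(events) + detect_lateral_fanout(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Against the constructed sample the script raises three alerts in order: the brute force from 203.0.113.7, the subsequent successful logon by svc_backup from the same source, and svc_backup reaching FS01, FS02 and DC01 over network logons. The benign jsmith activity produces nothing. The point of keying on source IP, logon type and account rather than on a process name is that it fires regardless of which client or tool the operator used.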
Network segmentation and control of administrative privileges are critical to limiting attacker movement. Visibility into remote access tooling and internal communication between systems should also be improved.
Recovery must be realistic, with backups that are protected, regularly tested, and not easily accessible from compromised environments.
Conclusion
Tengu represents a modern ransomware operation built on proven techniques. Its success comes from executing familiar tactics with discipline and speed.
While intelligence on the group is still developing, the patterns observed so far reinforce a clear message. Organisations are most at risk where remote access is exposed, credentials are weak, and internal visibility is limited.
Ransomware incidents are rarely defined by how attackers get in. They are defined by how long they remain undetected and how effectively organisations respond once they are inside.