A ransomware crew called Genesis has spent the past few months quietly working its way through American small businesses and medical practices, and over the July 4 weekend it posted its largest single batch of victims to date. On July 5 the group added nine new organizations to its dark web leak site in a single day, its busiest posting since it first surfaced at the end of March.
Unlike the higher-profile gangs that chase Fortune 500 logos, Genesis has stuck to a steady diet of clinics, contractors, law offices and regional firms, the kind of targets that rarely make national headlines but often lack the security budget to fight back. The latest batch fits that pattern: two healthcare providers, East Texas Family Medicine and Mirage Endoscopy Center, sat alongside an agricultural supplier, a pair of small software companies and several professional services businesses. Almost every victim is based in the United States.
Who is behind it
Genesis, which threat trackers also log under the handle Rive Flux, runs a conventional double-extortion operation: it claims to break into a company and steal internal files, then threatens to publish the data unless a ransom is paid. The names it posts are extortion claims, not confirmed breaches. Listing a victim is itself the pressure tactic, and some entries turn out to be exaggerated, recycled, or never confirmed by the organization named. IntelFusions has not independently verified that any specific company listed was breached.
What stands out is the consistency. Since late March 2026, IntelFusions has tracked 41 Genesis claims, roughly 90 percent of them against US organizations, with healthcare the single most targeted sector. The pace has been unglamorous but relentless, a reminder that the ransomware threat to small and mid-sized American businesses is not driven only by the crews that make the news. In late June the group even listed Brooklyn Defender Services, a New York legal aid organization, the sort of nonprofit that holds sensitive personal records but has little to spend on incident response.
Why it matters
Genesis is part of a wider surge of leak site activity hitting US healthcare and small business over the holiday weekend, when IT teams are thin and response times slow. Its July 5 batch landed as several other crews piled onto US healthcare providers over the same July 4 stretch. Attackers know that a long weekend buys them extra hours inside a network before anyone notices.
What you should do
Appearing on a leak site usually means data has already been stolen, so speed matters. Security teams at small organizations, especially medical practices and their IT vendors, should confirm that offline, tested backups exist, enforce multi-factor authentication on remote access and email, keep internet-facing systems patched, and watch for unusual data transfers leaving the network. If your organization is named on a leak site, treat it as a live data breach: preserve logs, engage counsel and, where required, prepare breach notifications rather than waiting for the attackers to make the next move.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.