Tag: encryption

41 Attack Reports | 0 Vulnerabilities

Attack reports

Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang

Sarcoma Ransomware, first detected in October 2024, has rapidly become a major cybersecurity threat, targeting high-value companies across industries. It uses advanced tactics like zero-day exploits and RMM tools for network discovery and credential theft. The group has impacted organizations in va…
linux
windows
encryption
chacha20
2025-05-20
hypervisor
sarcoma ransomware
rsa
network propagation
Published: May 20, 2025
Downloadable IOCs: 2

A New Breed of Infostealer

A newly discovered .NET-based infostealer, Chihuahua Stealer, combines common malware techniques with advanced features. The infection begins with an obfuscated PowerShell script shared via Google Drive, initiating a multi-stage payload chain. Persistence is achieved through scheduled tasks, and th…
powershell
infostealer
exfiltration
persistence
encryption
.net
multi-stage
2025-05-13
browser-data
chihuahua stealer
crypto-wallets
Published: May 13, 2025
Downloadable IOCs: 8

Malware Analysis Mamona: Technical Analysis of a New Ransomware Strain

Mamona is a newly identified commodity ransomware that operates entirely offline, with no observed Command and Control channels or data exfiltration. It uses custom local encryption routines and employs an obfuscated delay technique involving a ping to 127.0.0.7. The ransomware encrypts user files,…
ransomware
encryption
2025-05-07
mamona
Published: May 7, 2025
Downloadable IOCs: 0

PE32 Ransomware: A New Telegram-Based Threat on the Rise

PE32 Ransomware is a new strain of malware that utilizes Telegram for command and control. Despite its amateur execution, it effectively encrypts files and causes significant damage. The ransomware features a unique two-tiered payment model, demanding one fee to unlock files and another to prevent …
encryption
telegram
c2 communication
2025-04-22
two-tiered ransom
amateur execution
pe32 ransomware
bot api
exposed infrastructure
Published: April 22, 2025
Downloadable IOCs: 5

Two sides of the same coin

This intelligence report analyzes the similarities between two previously separate APT groups, Team46 and TaxOff, concluding they are likely the same entity. The analysis covers their shared tactics, techniques, and procedures, including similar PowerShell commands, loader functionality, and infras…
backdoor
loader
obfuscation
apt
powershell
cobalt strike
zero-day
encryption
CVE-2024-6473
CVE-2025-2783
2025-04-18
dante
trinper
Published: April 18, 2025
Downloadable IOCs: 0

GorillaBot: Technical Analysis and Code Similarities with Mirai

GorillaBot is a newly discovered Mirai-based botnet that has launched over 300,000 attacks across more than 100 countries, targeting various industries including telecommunications, finance, and education. It reuses Mirai's core logic while adding custom encryption and evasion techniques. The malwa…
evasion
encryption
botnet
mirai
c2 communication
anti-debugging
2025-03-25
xtea
sha-256
gorillabot
Published: March 25, 2025
Downloadable IOCs: 3

VanHelsing: New RaaS in Town

VanHelsing RaaS, a new ransomware-as-a-service program launched on March 7, 2025, has quickly gained traction in the cybercrime world. With a low $5,000 deposit for affiliates, it offers an 80% cut of ransom payments. The service provides a user-friendly control panel and targets multiple platforms…
encryption
cybercrime
ransomware-as-a-service
evasion techniques
multi-platform
2025-03-23
vanhelsing
affiliate program
Published: March 23, 2025
Downloadable IOCs: 0

Albabat Ransomware Group Potentially Expands Targets to Multiple OS Uses GitHub to Streamline Operations

The Albabat ransomware group has evolved its malware to target Windows, Linux, and macOS devices, as evidenced by new versions 2.0.0 and 2.5. The group is using GitHub to streamline operations, storing configuration files and essential components. The ransomware ignores specific folders, encrypts c…
ransomware
cryptocurrency
encryption
github
multi-platform
2025-03-21
albabat
database
configuration
system information
Published: March 21, 2025
Downloadable IOCs: 2

Unboxing Anubis: Exploring the Stealthy Tactics of FIN7's Latest Backdoor

FIN7, a notorious cybercrime group, has developed a new Python-based backdoor called AnubisBackdoor. This sophisticated tool employs multi-stage attacks, encryption, and obfuscation techniques to evade detection. The malware is distributed through phishing campaigns and uses AES encryption with mul…
obfuscation
apt
phishing
python
encryption
2025-03-20
financial-crime
anubisbackdoor
hospitality-sector
Published: March 20, 2025
Downloadable IOCs: 0

Uncovering .NET Malware Obfuscated by Encryption and Virtualization

This article examines advanced obfuscation techniques used in popular malware families like Agent Tesla, XWorm, and FormBook/XLoader. The techniques include code virtualization, staged payload delivery, dynamic code loading, AES encryption, and multi-stage payloads. The malware uses a three-stage p…
obfuscation
xworm
encryption
.net
formbook
agent tesla
sandbox evasion
xloader
2025-03-03
virtualization
static analysis
Published: March 3, 2025
Downloadable IOCs: 11

Auto-Color: An Emerging and Evasive Linux Backdoor

Auto-color is a newly discovered Linux malware that employs sophisticated evasion techniques. It renames itself to benign-looking filenames, hides remote C2 connections using advanced methods similar to Symbiote malware, and uses proprietary encryption for communication. The malware installs a mali…
linux
backdoor
evasion
encryption
government
c2
proxy
universities
reverse shell
2025-02-25
auto-color
library implant
symbiote
Published: February 25, 2025
Downloadable IOCs: 10

Vgod RANSOMWARE

A new ransomware strain called Vgod has been observed targeting Windows systems. It encrypts files, appending the '.Vgod' extension, and leaves a ransom note titled 'Decryption Instructions.txt'. The ransomware changes the desktop wallpaper and employs a double extortion model, threatening data exp…
ransomware
evasion
windows
persistence
encryption
double extortion
2025-02-18
file extension
vgod
Published: February 18, 2025
Downloadable IOCs: 1

Ransomware Roundup – Lynx

The Lynx ransomware, first detected in July 2024, is a Windows-targeting malware that encrypts files and demands ransom for decryption. It shares similarities with the INC ransomware but offers more granular control. Lynx encrypts files with a .LYNX extension, changes desktop backgrounds, and print…
ransomware
windows
encryption
construction
data leak
manufacturing
2025-02-17
brave prince
lynx
Published: February 17, 2025
Downloadable IOCs: 9

Technical Analysis of Xloader Versions 6 and 7

This analysis examines the latest versions of Xloader malware, focusing on its advanced obfuscation techniques. Xloader, successor to Formbook, is an information stealer targeting browsers, email clients, and FTP applications. The malware employs complex encryption layers to protect critical code a…
obfuscation
encryption
formbook
information stealer
process injection
xloader
2025-01-28
api resolution
ntdll hook evasion
Published: January 28, 2025
Downloadable IOCs: 261

Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI

The AIRASHI botnet, an evolved version of AISURU, has been observed conducting large-scale DDoS attacks and exploiting vulnerabilities in various devices. It utilizes a 0DAY vulnerability in cnPilot routers for propagation and employs sophisticated encryption techniques for communication. The botne…
vulnerability
rc4
encryption
ddos
botnet
proxy
chacha20
hellokitty
2025-01-16
hmac-sha256
airashi
CVE-2022-3573
cnpilot
aisuru
Published: January 16, 2025
Linked vulnerabilities : CVE-2021-36260, CVE-2022-3573
Downloadable IOCs: 9

NotLockBit: A Deep Dive Into the New Ransomware Threat

NotLockBit is an emerging ransomware family that mimics LockBit's behavior while targeting both macOS and Windows systems. Distributed as an x86_64 golang binary, it showcases advanced capabilities including targeted file encryption, data exfiltration, and self-deletion mechanisms. The malware gath…
ransomware
encryption
golang
cross-platform
data-exfiltration
2024-12-19
notlockbit
aws-abuse
self-deletion
Published: December 19, 2024
Downloadable IOCs: 5

Ransomware Roundup - Interlock

The Interlock ransomware is a new variant targeting Microsoft Windows and FreeBSD systems. It encrypts files and demands ransom for decryption. The malware has both Windows and FreeBSD versions, using AES-CBC encryption and adding a '.interlock' extension to encrypted files. It excludes certain fil…
ransomware
encryption
interlock
2024-12-03
Published: December 3, 2024
Downloadable IOCs: 5

Credit Card Skimmer Malware Targeting Magento Checkout Pages

A sophisticated credit card skimmer malware has been discovered targeting Magento-powered eCommerce websites, specifically their checkout processes. The malware dynamically creates a fake credit card form or extracts payment fields, activating only on checkout pages. It uses advanced obfuscation te…
obfuscation
encryption
data exfiltration
credit card skimmer
magento
2024-11-27
ecommerce
javascript injection
checkout pages
Published: November 27, 2024
Downloadable IOCs: 0

Attack On Maritime & Defense Manufacturing

The DONOT APT group has launched a campaign targeting Pakistan's manufacturing industry supporting maritime and defense sectors. The attack uses a malicious LNK file disguised as an RTF, which executes PowerShell commands to deliver a lure document and stager malware. The malware establishes persis…
apt
powershell
pakistan
persistence
encryption
defense
lnk file
maritime
2024-11-15
stager
manufacturing
Published: November 15, 2024
Downloadable IOCs: 0

New Ymir ransomware discovered used together with RustyStealer | Securelist

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…
ransomware
powershell
encryption
incident response
chacha20
systembc
2024-11-11
rustystealer
ymir
Published: November 11, 2024
Downloadable IOCs: 12

New Ymir ransomware discovered used together with RustyStealer

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…
ransomware
powershell
encryption
incident response
chacha20
systembc
2024-11-11
rustystealer
ymir
Published: November 11, 2024
Downloadable IOCs: 0

Fog Ransomware – Technical Analysis

A new ransomware called Fog has been identified, affecting education and recreation centers in the United States. The threat actors gain access through compromised VPN credentials, disable Windows Defender, and deploy the ransomware. Fog is a 32-bit EXE file compiled using Microsoft Visual C/C++. I…
ransomware
windows
encryption
vpn
cryptography
2024-10-21
fog ransomware
file-encryption
multi-threading
process-termination
service-stopping
Published: October 21, 2024
Downloadable IOCs: 1

THREAT ANALYSIS: Beast Ransomware

The Beast Ransomware group, active since 2022, offers a Ransomware-as-a-Service (RaaS) platform with constant updates. It supports Windows, Linux, and ESXi systems, providing affiliates with customizable binary options. Beast employs advanced encryption methods, including Elliptic-curve and ChaCha2…
linux
windows
encryption
esxi
raas
2024-10-19
geofencing
file-targeting
multithreading
beast ransomware
self-propagation
monster
Published: October 19, 2024
Downloadable IOCs: 0

Infiltrating the Cicada3301 Ransomware-as-a-Service Group

This analysis provides an in-depth look into the operations of the Cicada3301 Ransomware-as-a-Service (RaaS) group. It details the workflow of their affiliates within the panel and examines the multi-platform capabilities of their ransomware, encompassing Windows, Linux, ESXi, and even uncommon arc…
ransomware
sophisticated
encryption
cicada3301
2024-10-18
multi-platform
affiliate
Published: October 18, 2024
Downloadable IOCs: 5

Lynx Ransomware: A Rebranding of INC Ransomware

Lynx ransomware, discovered in July 2024, is a successor to INC ransomware targeting organizations in retail, real estate, architecture, and financial services in the U.S. and UK. It shares significant source code with INC and operates as a ransomware-as-a-service model. Lynx employs double extorti…
linux
ransomware
windows
encryption
data leak
raas
double extortion
2024-10-14
lynx ransomware
inc ransomware
Published: October 14, 2024
Downloadable IOCs: 44

ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

ShrinkLocker is a new ransomware strain that exploits Windows BitLocker to encrypt targeted data. Unlike typical ransomware, it abuses this legitimate feature to create a secure boot partition, locking users out unless a ransom is paid. The malware performs system checks, modifies registry entries,…
ransomware
encryption
bitlocker
2024-09-17
shrinklocker
disk partitioning
Published: September 17, 2024
Downloadable IOCs: 2

Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware

Repellent Scorpius is a new ransomware-as-a-service group distributing Cicada3301 ransomware. It emerged in May 2024 and employs double extortion tactics involving data theft. The report covers a technical analysis of the Cicada3301 ransomware, the group's tactics, connections to historical inciden…
ransomware
extortion
exfiltration
encryption
cybercrime
2024-09-11
cicada3301
Published: September 11, 2024
Linked vulnerabilities : CVE-2024-1709, CVE-2024-1708
Downloadable IOCs: 8

Ransomware Roundup - Underground

The Underground ransomware, first observed in July 2023, targets Windows machines by encrypting files and demanding ransom. Attributed to the Russia-based RomCom group, it exploits CVE-2023-36884 and other common infection vectors. The ransomware deletes shadow copies, modifies RemoteDesktop settin…
windows
encryption
2024-09-02
romcom
data leak
CVE-2023-36884
storm-0978
underground
Published: September 2, 2024
Linked vulnerabilities : CVE-2023-36884
Downloadable IOCs: 4

StopRansomware: RansomHub Ransomware

RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to …
privilege-escalation
cobalt strike
encryption
CVE-2020-1472
ransomware-as-a-service
ransomhub
mimikatz
CVE-2023-3519
2024-08-30
metasploit
CVE-2023-22515
CVE-2023-46604
CVE-2017-0144
CVE-2023-48788
double-extortion
CVE-2023-27997
data-exfiltration
CVE-2023-46747
critical-infrastructure
CVE-2020-0787
lateral-movement
Published: August 30, 2024
Linked vulnerabilities : CVE-2020-1472, CVE-2023-46604, CVE-2023-22515, CVE-2020-0787, CVE-2017-0144, CVE-2023-3519, CVE-2023-27997, CVE-2023-48788, CVE-2023-46747
Downloadable IOCs: 14

Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT

This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of…
malware
rat
evasion
encryption
dropper
gh0st rat
moudoor
mydoor
2024-07-31
Published: July 31, 2024
Linked vulnerabilities : CVE-2024-5806 (CVSS 7.4)
Downloadable IOCs: 6

Ransomware: Activity Levels Remain High Despite Disruption

While overall activity levels dipped slightly in the first quarter of 2024, the number of claimed attacks remained high, with LockBit accounting for over 20%. The report explores the changing tactics employed by ransomware actors, including the exploitation of vulnerabilities, the use of Bring-Your…
ransomware
lockbit
vulnerability
blackcat
alphv
encryption
phobos
cyclops blink
CVE-2024-4577
noberus
tellyouthepass
blacksuit
2024-07-11
akira
warp av killer
qilin
disruption
Published: July 11, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8)
Downloadable IOCs: 27

Decrypted: DoNex Ransomware and its Predecessors

Researchers have uncovered a cryptographic flaw in the DoNex ransomware and its previous iterations, allowing for the creation of a decryptor tool. Initially discovered in March 2024, this cryptographic weakness was made public at Recon 2024. The ransomware, which has undergone several rebrands sin…
ransomware
lockbit
darkrace
donex
encryption
2024-07-10
chacha20
rebranding
muse
cryptography
Published: July 10, 2024
Downloadable IOCs: 8

BlackSuit Ransomware: Insights and Defense Strategies

This report provides an in-depth analysis of the BlackSuit ransomware, a threat that has been actively targeting various sectors since May 2023. It presents statistics from incident response engagements, explores the ransomware's behavior and technical analysis, and offers insights into the potenti…
ransomware
encryption
data exfiltration
2024-07-08
blacksuit
cybersecurity
threat analysis
Published: July 8, 2024
Downloadable IOCs: 8

Mallox Ransomware: Linux Variant Decryptor Found

The report analyzes the Mallox ransomware, which has been active since mid-2021 and focuses on multi-extortion by encrypting victims' data and threatening to post it on public TOR sites. Initially targeting Windows systems, Mallox has now developed Linux variants using custom Python scripts for pay…
ransomware
encryption
mallox
targetcompany
2024-07-04
fargo
cyber-extortion
mawahelper
Published: July 4, 2024
Downloadable IOCs: 5

Update: CVE-2024-4577 quickly weaponized to distribute Ransomware

The report describes an attack campaign leveraging the CVE-2024-4577 vulnerability to deliver the "TellYouThePass" ransomware. The attackers use the vulnerability to execute arbitrary PHP code and run a malicious HTML application that loads a .NET variant of the ransomware into memory. Upon executi…
exploit
ransomware
encryption
CVE-2024-4577
2024-06-11
tellyouthepass
infection
Published: June 11, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2021-44228, CVE-2024-3577, CVE-2023-22524, CVE-2023-46604
Downloadable IOCs: 5

Lost in the Fog: A New Ransomware Threat

Arctic Wolf Labs began monitoring the deployment of a new ransomware variant called Fog in early May 2024. The ransomware attacks targeted organizations in the education and recreation sectors within the United States. Evidence suggests threat actors gained initial access through compromised VPN cr…
ransomware
encryption
lateral movement
credential
2024-06-07
backup deletion
foggyweb
Published: June 7, 2024
Linked vulnerabilities : CVE-2024-4358 (CVSS 9.8), CVE-2024-1800
Downloadable IOCs: 5

Malicious Campaign Analysis: JScript RAT and CobaltStrike

This report examines a recent malicious campaign involving a JScript-based Remote Access Trojan (RAT) and its connections to the CobaltStrike penetration testing tool. The attack commences with an obfuscated JScript loader distributed through suspected phishing campaigns. Upon execution, it contact…
obfuscation
rat
encryption
cobaltstrike
2024-06-07
jscript
jscript rat
Published: June 7, 2024
Downloadable IOCs: 4

New ransomware group abusing BitLocker

The report examines an incident where threat actors leveraged Microsoft's BitLocker encryption utility to deploy unauthorized file encryption on targeted systems. The adversaries employed a sophisticated VBScript that resized disk partitions, modified registry entries, enabled BitLocker with random…
ransomware
exfiltration
encryption
2024-05-23
bitlocker
trojan-ransom.vbs.bitlock.gen
trojan.vbs.sagent.gen
trojan.win32.generic
partitions
Published: May 23, 2024
Linked vulnerabilities : CVE-2024-30051 (CVSS 7.8)
Downloadable IOCs: 6

Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear

This comprehensive analysis delves into the continuous evolution and refinement of sophisticated malware entities employed by a persistent cyberespionage group targeting organizations in the Asia-Pacific region. The malware, known as Waterbear and its latest iteration, Deuterbear, have undergone si…
malware
evasion
anti-analysis
encryption
2024-05-21
cyberespionage
deuterbear
waterbear
Published: May 21, 2024
Downloadable IOCs: 29

StopRansomware: Black Basta

This advisory details tactics, techniques, procedures and indicators of compromise related to Black Basta ransomware, a variant first identified in April 2022. Its affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Publ…
phishing
ransomware
exfiltration
encryption
2024-05-08
qakbot
qbot
CVE-2020-1472
quackbot
pinkslipbot
CVE-2024-1709
healthcare
CVE-2021-34527
CVE-2021-42278
CVE-2021-42287
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2024-1709, CVE-2021-34527, CVE-2020-1472
Downloadable IOCs: 174

Ransomware Roundup (April 29, 2024)

This concise report provides insights into the evolving ransomware landscape, covering the KageNoHitobito and DoNex variants. It analyzes their infection vectors, victimology, attack methods, and associated indicators of compromise (IoCs). The report also highlights Fortinet's protections against t…
ransomware
windows
data theft
ransom
darkrace
donex
encryption
kagenohitobito
Published: April 29, 2024
Downloadable IOCs: 7
Click here to see more Attack Reports