Tag: encryption

80 Attack Reports | 0 Vulnerabilities

Attack reports

Beast Ransomware Toolkit: A Proactive Threat Intelligence Report

This analysis delves into the Beast ransomware, a Ransomware-as-a-Service (RaaS) that emerged in June 2024 as a successor to Monster ransomware. The investigation focuses on a Beast ransomware server detected in March 2026, revealing the operators' toolkit and attack methodology. The toolkit includ…
ransomware
exfiltration
encryption
reconnaissance
lateral-movement
raas
monster
2026-03-20
beast
toolkit
Published: March 20, 2026
Downloadable IOCs: 7

Nefilim Ransomware

Nefilim ransomware emerged in March 2020, evolving from Nemty's code. It targets vulnerabilities in Citrix gateway devices and uses exposed Remote Desktop Protocol for initial access. The malware exfiltrates sensitive data before encryption and threatens to publish it if ransom isn't paid. Nefilim …
ransomware
encryption
credential theft
lateral movement
rdp
data exfiltration
CVE-2019-19781
nefilim
2026-02-24
aes-128
citrix
CVE-2019-11634
nemty
netwalker
Published: February 24, 2026
Downloadable IOCs: 14

LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXI systems

LockBit 5.0, the latest version of the notorious ransomware, has been released with support for Windows, Linux, and ESXi systems. This update brings improved defense evasion, faster encryption, and enhanced modularity. The Windows variant employs extensive anti-analysis techniques, while Linux and …
linux
ransomware
windows
lockbit
encryption
smokeloader
esxi
infrastructure
double-extortion
virtualization
defense-evasion
2026-02-12
Published: February 12, 2026
Downloadable IOCs: 6

The Godfather of Ransomware? Inside Cartel Ambitions

DragonForce, a ransomware group that emerged in late 2023, has become a significant cyber threat. They employ a dual-extortion strategy, encrypting and exfiltrating data, and have targeted various sectors, particularly manufacturing and construction. The group offers a flexible ransomware-as-a-serv…
ransomware
encryption
cybercrime
cross-platform
raas
dragonforce
cartel
dual-extortion
2026-02-04
data-audit
Published: February 4, 2026
Downloadable IOCs: 7

Detailed Analysis of LockBit 5.0

LockBit, originating as ABCD ransomware in 2019, has evolved to version 5.0 in September 2025. After a period of inactivity, it resumed operations in December 2025 with a reduced affiliate sign-up fee. LockBit 5.0, nicknamed ChoungDong, consists of a Loader and Ransomware component. The Loader decr…
ransomware
lockbit
encryption
conti
double-extortion
evasion-techniques
2026-01-21
abcd ransomware
affiliate-program
choungdong
cyber-attack
lockbit green
Published: January 21, 2026
Downloadable IOCs: 3

VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion

This analysis examines the VVS stealer, a Python-based malware targeting Discord users to steal sensitive information like credentials and tokens. The stealer employs Pyarmor for obfuscation, hindering analysis and detection. Key capabilities include exfiltrating Discord data, injecting malicious c…
obfuscation
python
infostealer
persistence
encryption
webhook
discord
aes encryption
browser data theft
2026-01-02
pyarmor
vvs stealer
2026-01-20
Published: January 20, 2026
Downloadable IOCs: 3

Sicarii Ransomware: Truth vs Myth

A new RaaS operation called Sicarii emerged in late 2025, claiming Israeli/Jewish affiliation. The group uses Hebrew language, historical symbols, and right-wing ideological references in its branding. However, underground activity is primarily conducted in Russian, and the Hebrew content appears n…
ransomware
encryption
data exfiltration
raas
CVE-2025-64446
2026-01-15
false-flag
geo-fencing
sicarii ransomware
Published: January 15, 2026
Linked vulnerabilities : CVE-2025-64446 (CVSS 9.8)
Downloadable IOCs: 41

From Linear to Complex: An Upgrade in RansomHouse Encryption

RansomHouse, a ransomware-as-a-service operation run by Jolly Scorpius, has undergone a significant upgrade in encryption methods. The attack chain involves operators developing tools, attackers deploying ransomware, and victims being targeted. Two key components, MrAgent and Mario, are used to com…
encryption
ransomware-as-a-service
esxi
ransomhouse
virtualization
2025-12-17
mario
mragent
Published: December 17, 2025
Downloadable IOCs: 4

License to Encrypt: Make Their Move

'The Gentlemen' ransomware group emerged in July 2025, employing advanced dual-extortion tactics. They encrypt data and exfiltrate sensitive information, threatening to release it unless a ransom is paid. The group developed their own Ransomware-as-a-Service (RaaS) platform after experimenting with…
linux
ransomware
windows
persistence
encryption
esxi
raas
2025-11-19
the gentlemen
dual-extortion
Published: November 19, 2025
Downloadable IOCs: 0

Analysis of Encryption Structure of Yurei Ransomware Go-based Builder

The Yurei ransomware group, first identified in September 2025, employs a typical ransomware operation model targeting corporate networks. Their attacks have affected Sri Lanka and Nigeria, focusing on transportation, IT, marketing, and food industries. The ransomware, developed in Go, uses ChaCha2…
ransomware
encryption
chacha20-poly1305
go-based
yurei
2025-11-14
darkweb
secp256k1-ecies
corporate networks
Published: November 14, 2025
Downloadable IOCs: 1

Unleashing the Kraken ransomware group

The Kraken ransomware group, emerging from the remnants of the HelloKitty cartel, has been observed conducting big-game hunting and double extortion attacks. Utilizing SMB vulnerabilities for initial access, they employ tools like Cloudflared for persistence and SSHFS for data exfiltration. Kraken'…
ransomware
encryption
cross-platform
data leak
russian-speaking
double extortion
2025-11-13
kraken
underground forum
Published: November 13, 2025
Downloadable IOCs: 11

The DragonForce Cartel: Scattered Spider at the gate

DragonForce, a ransomware-as-a-service group active since 2023, has rebranded as a cartel and formed alliances with groups like Scattered Spider, LAPSUS$, and ShinyHunters. The group uses Conti-derived code and employs BYOVD attacks to terminate processes. DragonForce has expanded its affiliate pro…
social engineering
ransomware
encryption
conti
byovd
dragonforce
affiliate program
mamona
devman
2025-11-05
scattered spider
global
cartel
Published: November 5, 2025
Downloadable IOCs: 0

Leveraging Generative AI to Reverse Engineer XLoader

This report details how generative AI was used to accelerate the reverse engineering of XLoader malware. The researchers employed a combination of cloud-based static analysis using exported IDA data and occasional dynamic checks via MCP to rapidly unpack encrypted code, deobfuscate API calls, and d…
obfuscation
encryption
malware analysis
chatgpt
reverse engineering
xloader
generative ai
2025-11-03
ioc extraction
Published: November 3, 2025
Downloadable IOCs: 16

A Deep Dive Into Warlock Ransomware Deployed Via ToolShell SharePoint Chained Vulnerabilities

Warlock ransomware, exploiting SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771, represents an advanced threat combining sophisticated encryption methods with targeted defense evasion techniques. The malware employs a multi-stage attack, terminating security services, removing recovery …
ransomware
encryption
chacha20
defense evasion
sharepoint
vulnerabilities
CVE-2025-53770
CVE-2025-53771
warlock
curve25519
2025-10-30
volume shadow copies
Published: October 30, 2025
Downloadable IOCs: 1

Analysis: AI-powered Ransomware from APT Group

FunkLocker, a ransomware strain developed by the FunkSec APT group, showcases the growing trend of AI-assisted malware creation. The ransomware exhibits inconsistent quality across multiple builds, with some versions incorporating advanced features like anti-VM checks. It aggressively disrupts syst…
ransomware
powershell
encryption
ai-assisted
2025-10-02
funklocker
process-disruption
system-abuse
Published: October 2, 2025
Downloadable IOCs: 1

Rhadamanthys 0.9.x - walk through the updates

Rhadamanthys, a complex multi-modular stealer, has released version 0.9.2 with significant updates. The malware now uses PNG files to deliver payloads, implements new evasion techniques, and introduces changes to its custom executable formats. Key modifications include a new message box mimicking L…
evasion
rhadamanthys
stealer
encryption
2025-10-01
configurability
png payload
custom formats
Published: October 1, 2025
Downloadable IOCs: 51

New LockBit 5.0 Targets Windows, Linux, ESXi

Trend Research analyzed the latest version of LockBit ransomware, LockBit 5.0, which exhibits advanced obfuscation, anti-analysis techniques, and cross-platform capabilities for Windows, Linux, and ESXi systems. The Windows variant uses heavy obfuscation and packing, loading its payload through DLL…
obfuscation
ransomware
anti-analysis
encryption
cross-platform
esxi
virtualization
2025-09-29
dll reflection
lockbit 5.0
Published: September 29, 2025
Downloadable IOCs: 5

The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU

The AISURU botnet has emerged as a formidable threat, capable of launching massive DDoS attacks reaching 11.5 Tbps. First disclosed in 2024, it expanded significantly in 2025 by compromising a router firmware update server. The botnet, with approximately 300,000 nodes, is operated by a group of thr…
encryption
ddos
botnet
router
cybercrime
proxy
CVE-2022-35733
CVE-2023-50381
vulnerabilities
firmware
airashi
aisuru
CVE-2024-3721
2025-09-25
CVE-2017-5259
CVE-2013-5948
CVE-2013-1599
CVE-2023-28771
CVE-2022-44149
CVE-2013-3307
Published: September 25, 2025
Linked vulnerabilities : CVE-2023-50381 (CVSS 7.2), CVE-2023-28771, CVE-2024-3721, CVE-2022-35733, CVE-2013-1599, CVE-2022-44149, CVE-2013-5948, CVE-2013-3307, CVE-2017-5259
Downloadable IOCs: 11

GUNRA RANSOMWARE: What You Don't Know!

Gunra Ransomware is a double extortion group targeting global victims, excluding the US. They primarily attack Windows systems, recently expanding to Linux. The group uses phishing as their main vector and negotiates through a WhatsApp-themed chat panel. They can encrypt large files quickly using a…
linux
phishing
ransomware
windows
encryption
lumma stealer
double extortion
data leak site
2025-09-24
negotiation
gunra ransomware
donot loader
Published: September 24, 2025
Downloadable IOCs: 0

Unmasking Akira: The ransomware tactics you can't afford to ignore

The Akira ransomware group has been targeting UK businesses since 2023, primarily affecting retail, finance, manufacturing, and medical sectors. Their tactics include exploiting SSL VPNs, using double extortion, and focusing on financial gain. Key observations from 2023-2025 include initial access …
ransomware
encryption
credential theft
data exfiltration
akira
CVE-2023-27532
CVE-2024-40766
CVE-2024-40711
double extortion
CVE-2023-20269
2025-09-22
backup destruction
Published: September 22, 2025
Downloadable IOCs: 0

Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis

The BlackNevas ransomware group, first appearing in November 2024, has been targeting various industries and critical infrastructure globally, with a focus on the Asia-Pacific region. The group uses AES and RSA encryption, adding the '.-encrypted' extension to affected files. BlackNevas operates in…
ransomware
encryption
data leak
global threats
rsa
asia-pacific
aes
2025-09-12
blacknevas
Published: September 12, 2025
Downloadable IOCs: 1

Dire Wolf Ransomware: Threat Combining Data Encryption and Leak Extortion

The DireWolf ransomware group emerged in May 2025, targeting various industries globally. They employ a double extortion technique, encrypting data and threatening leaks. The ransomware uses Curve25519 key exchange and ChaCha20 encryption, generating unique keys for each file. It implements anti-re…
ransomware
encryption
chacha20
double extortion
self-deletion
dire wolf
2025-09-03
curve25519
anti-recovery
data leakage
Published: September 3, 2025
Downloadable IOCs: 2

Dissecting RapperBot Botnet: From Infection to DDoS & More

This report details the analysis of RapperBot, a sophisticated botnet targeting IoT devices, particularly Network Video Recorders (NVRs). The malware exploits vulnerabilities in these devices to create a large-scale DDoS infrastructure. The analysis covers the botnet's infection process, command an…
exploit
dns
encryption
ddos
iot
botnet
infrastructure
2025-09-03
nvr
rapperbot
Published: September 3, 2025
Downloadable IOCs: 84

Warning About NightSpire Ransomware Following Cases of Damage in South Korea

NightSpire, a ransomware group active since February 2025, employs an aggressive strategy and specialized infrastructure similar to Ransomware-as-a-Service models. They operate a Dedicated Leak Site, posting victim information and countdown timers for data release. Using highly threatening language…
ransomware
encryption
south korea
double-extortion
nightspire
rsa
2025-08-29
2025-09-01
aes
cyber extortion
dedicated leak site
Published: September 1, 2025
Downloadable IOCs: 2

The Covert Dual-Mode Backdoor Threat

MystRodX is a sophisticated backdoor discovered in June 2025, featuring stealth and flexibility. It uses multi-layer encryption for sensitive information and can operate in active or passive modes. The backdoor supports file management, port forwarding, reverse shell, and socket management. Its pas…
backdoor
encryption
stealth
c2 servers
2025-08-28
icmp trigger
mystrodx
dual-process guardian
dns trigger
passive mode
Published: August 28, 2025
Downloadable IOCs: 12

Underground Ransomware Being Distributed Worldwide

The Underground ransomware gang is conducting global attacks against companies across various countries and industries. First identified in July 2023, the group resurfaced in May 2024 with a new Dedicated Leak Site. Their targets include multinational corporations from diverse sectors, with annual …
ransomware
data theft
encryption
2025-08-27
underground ransomware
striping method
global attacks
Published: August 27, 2025
Downloadable IOCs: 0

Ransomware incidents in Japan during the first half of 2025

The first half of 2025 saw a 1.4-fold increase in ransomware attacks in Japan compared to the previous year, with 68 confirmed cases. Small and medium-sized enterprises remained the primary targets, with manufacturing being the most affected industry. The ransomware group Qilin emerged as the most …
ransomware
encryption
double-extortion
manufacturing
japan
kawa4096
kawalocker
2025-08-19
kawalocker 2.0
salsa20
small-medium-enterprises
Published: August 19, 2025
Downloadable IOCs: 0

'Blue Locker' Analysis: Ransomware Targeting Oil & Gas Sector in Pakistan

A new ransomware strain called 'Blue Locker' is targeting Pakistan's oil and gas sector, particularly affecting Pakistan Petroleum Limited. The National Cyber Emergency Response Team (NCERT) has issued warnings to 39 key ministries and institutions about this severe threat. The ransomware, which sh…
phishing
ransomware
pakistan
encryption
cybersecurity
2025-08-15
oil and gas
ncert
proton
shinra
blue locker
Published: August 15, 2025
Downloadable IOCs: 0

This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

A sophisticated ransomware campaign has been uncovered, masquerading as a new SAP Ariba tool. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver LeeMe Ransomware. The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It ta…
phishing
social engineering
ransomware
encryption
bitcoin
keylogger
data exfiltration
2025-08-15
sap ariba
leeme ransomware
Published: August 15, 2025
Downloadable IOCs: 0

Kawabunga, Dude, You've Been Ransomed!

A new ransomware variant called KawaLocker (KAWA4096) was recently observed in an attack. The threat actor gained initial access via RDP using a compromised account and employed various tools to disable security measures. HRSword, a monitoring tool, was deployed along with kernel drivers sysdiag.sy…
ransomware
encryption
rdp
psexec
kawa4096
2025-08-15
hrsword
kawalocker
Published: August 15, 2025
Downloadable IOCs: 5

New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises

A new ransomware family called Charon has been identified, targeting the Middle East's public sector and aviation industry. The attack employs sophisticated APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities. Charon uses a multistage payload extraction tec…
apt
ransomware
evasion
encryption
dll sideloading
aviation
middle east
network propagation
2025-08-12
charon
Published: August 12, 2025
Downloadable IOCs: 0

Tracking Updates to Raspberry Robin

Raspberry Robin, an advanced malware downloader active since 2021, has undergone significant updates. The malware now employs improved obfuscation methods, including multiple initialization loops and obfuscated stack pointers, making analysis more challenging. It has switched from AES-CTR to ChaCha…
obfuscation
evasion
privilege-escalation
encryption
downloader
CVE-2024-38196
tor
raspberry robin
roshtyak
2025-08-07
usb-spread
Published: August 7, 2025
Linked vulnerabilities : CVE-2024-38196 (CVSS 7.8)
Downloadable IOCs: 121

Raspberry Robin: Latest Updates and Improvements

Raspberry Robin, a malicious downloader active since 2021, has undergone significant updates. It now employs improved obfuscation methods, including multiple initialization loops and flattened control flow, making brute-force decryption less effective. The network encryption algorithm has shifted f…
obfuscation
privilege-escalation
usb
encryption
downloader
CVE-2024-38196
tor
raspberry robin
2025-08-05
roshtyak
Published: August 5, 2025
Linked vulnerabilities : CVE-2024-38196 (CVSS 7.8)
Downloadable IOCs: 121

Unmasking LockBit: A Deep Dive into DLL Sideloading and Masquerading Tactics

This analysis explores the sophisticated tactics employed by LockBit ransomware attackers, focusing on DLL sideloading and masquerading techniques. These methods allow attackers to evade detection and maximize impact. DLL sideloading involves tricking legitimate applications into loading malicious …
ransomware
evasion
lockbit
persistence
encryption
dll sideloading
2025-08-01
masquerading
Published: August 1, 2025
Downloadable IOCs: 11

Gunra Ransomware Emerges with New DLS

A new ransomware group called Gunra has emerged with a Dedicated Leak Site (DLS) in April 2025. Gunra's code shows similarities to the infamous Conti ransomware, suggesting it may be leveraging Conti's leaked source code. The group employs aggressive tactics, including a time-based pressure techniq…
ransomware
encryption
conti
chacha20
dls
2025-07-24
volume shadow copy
gunra
Published: July 24, 2025
Downloadable IOCs: 3

Analysis of Secp0 Ransomware

Secp0 is a ransomware that emerged in early 2025, initially mischaracterized as a vulnerability disclosure extortion group. It operates as a conventional double-extortion ransomware, encrypting data while threatening public disclosure. The malware is an ELF binary targeting Linux systems, using Cha…
ransomware
encryption
double-extortion
2025-07-16
secp0
Published: July 16, 2025
Downloadable IOCs: 6

A Hybrid Approach with Data Exfiltration and Encryption

The BlackSuit ransomware group, believed to be a rebrand of Royal ransomware, has emerged as a significant threat to organizations. This sophisticated attack combines data exfiltration and encryption, utilizing tools like Cobalt Strike for command and control, rclone for data exfiltration, and Blac…
ransomware
cobalt strike
rclone
encryption
data exfiltration
blacksuit
2025-07-12
Published: July 12, 2025
Downloadable IOCs: 0

BERT Ransomware Group Targets Asia and Europe on Multiple Platforms

A newly emerged ransomware group called BERT has been targeting organizations across Asia and Europe since April. The group employs simple code with effective execution, impacting sectors such as healthcare, technology, and event services. BERT's ransomware operates on both Windows and Linux platfo…
linux
ransomware
powershell
windows
encryption
esxi
europe
asia
2025-07-07
bert
Published: July 7, 2025
Downloadable IOCs: 9

BERT RANSOMWARE - THE RAVEN FILE

BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and Sessions for negotiations. Victims span multiple countries, primarily affecting service and manufactu…
linux
phishing
ransomware
powershell
windows
encryption
revil
sodinokibi
dark web
2025-06-20
bert ransomware
Published: June 20, 2025
Downloadable IOCs: 11

Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang

Sarcoma Ransomware, first detected in October 2024, has rapidly become a major cybersecurity threat, targeting high-value companies across industries. It uses advanced tactics like zero-day exploits and RMM tools for network discovery and credential theft. The group has impacted organizations in va…
linux
windows
encryption
chacha20
2025-05-20
hypervisor
sarcoma ransomware
rsa
network propagation
Published: May 20, 2025
Downloadable IOCs: 2

A New Breed of Infostealer

A newly discovered .NET-based infostealer, Chihuahua Stealer, combines common malware techniques with advanced features. The infection begins with an obfuscated PowerShell script shared via Google Drive, initiating a multi-stage payload chain. Persistence is achieved through scheduled tasks, and th…
powershell
infostealer
exfiltration
persistence
encryption
.net
multi-stage
2025-05-13
browser-data
chihuahua stealer
crypto-wallets
Published: May 13, 2025
Downloadable IOCs: 8

Malware Analysis Mamona: Technical Analysis of a New Ransomware Strain

Mamona is a newly identified commodity ransomware that operates entirely offline, with no observed Command and Control channels or data exfiltration. It uses custom local encryption routines and employs an obfuscated delay technique involving a ping to 127.0.0.7. The ransomware encrypts user files,…
ransomware
encryption
2025-05-07
mamona
Published: May 7, 2025
Downloadable IOCs: 0

PE32 Ransomware: A New Telegram-Based Threat on the Rise

PE32 Ransomware is a new strain of malware that utilizes Telegram for command and control. Despite its amateur execution, it effectively encrypts files and causes significant damage. The ransomware features a unique two-tiered payment model, demanding one fee to unlock files and another to prevent …
encryption
telegram
c2 communication
2025-04-22
two-tiered ransom
amateur execution
pe32 ransomware
bot api
exposed infrastructure
Published: April 22, 2025
Downloadable IOCs: 5

Two sides of the same coin

This intelligence report analyzes the similarities between two previously separate APT groups, Team46 and TaxOff, concluding they are likely the same entity. The analysis covers their shared tactics, techniques, and procedures, including similar PowerShell commands, loader functionality, and infras…
backdoor
loader
obfuscation
apt
powershell
cobalt strike
zero-day
encryption
CVE-2024-6473
CVE-2025-2783
2025-04-18
dante
trinper
Published: April 18, 2025
Downloadable IOCs: 0

GorillaBot: Technical Analysis and Code Similarities with Mirai

GorillaBot is a newly discovered Mirai-based botnet that has launched over 300,000 attacks across more than 100 countries, targeting various industries including telecommunications, finance, and education. It reuses Mirai's core logic while adding custom encryption and evasion techniques. The malwa…
evasion
encryption
botnet
mirai
c2 communication
anti-debugging
2025-03-25
xtea
sha-256
gorillabot
Published: March 25, 2025
Downloadable IOCs: 3

VanHelsing: New RaaS in Town

VanHelsing RaaS, a new ransomware-as-a-service program launched on March 7, 2025, has quickly gained traction in the cybercrime world. With a low $5,000 deposit for affiliates, it offers an 80% cut of ransom payments. The service provides a user-friendly control panel and targets multiple platforms…
encryption
cybercrime
ransomware-as-a-service
evasion techniques
multi-platform
2025-03-23
vanhelsing
affiliate program
Published: March 23, 2025
Downloadable IOCs: 0

Albabat Ransomware Group Potentially Expands Targets to Multiple OS Uses GitHub to Streamline Operations

The Albabat ransomware group has evolved its malware to target Windows, Linux, and macOS devices, as evidenced by new versions 2.0.0 and 2.5. The group is using GitHub to streamline operations, storing configuration files and essential components. The ransomware ignores specific folders, encrypts c…
ransomware
cryptocurrency
encryption
github
multi-platform
2025-03-21
albabat
database
configuration
system information
Published: March 21, 2025
Downloadable IOCs: 2

Unboxing Anubis: Exploring the Stealthy Tactics of FIN7's Latest Backdoor

FIN7, a notorious cybercrime group, has developed a new Python-based backdoor called AnubisBackdoor. This sophisticated tool employs multi-stage attacks, encryption, and obfuscation techniques to evade detection. The malware is distributed through phishing campaigns and uses AES encryption with mul…
obfuscation
apt
phishing
python
encryption
2025-03-20
financial-crime
anubisbackdoor
hospitality-sector
Published: March 20, 2025
Downloadable IOCs: 0

Uncovering .NET Malware Obfuscated by Encryption and Virtualization

This article examines advanced obfuscation techniques used in popular malware families like Agent Tesla, XWorm, and FormBook/XLoader. The techniques include code virtualization, staged payload delivery, dynamic code loading, AES encryption, and multi-stage payloads. The malware uses a three-stage p…
obfuscation
xworm
encryption
.net
formbook
agent tesla
sandbox evasion
xloader
2025-03-03
virtualization
static analysis
Published: March 3, 2025
Downloadable IOCs: 11

Auto-Color: An Emerging and Evasive Linux Backdoor

Auto-color is a newly discovered Linux malware that employs sophisticated evasion techniques. It renames itself to benign-looking filenames, hides remote C2 connections using advanced methods similar to Symbiote malware, and uses proprietary encryption for communication. The malware installs a mali…
linux
backdoor
evasion
encryption
government
c2
proxy
universities
reverse shell
2025-02-25
auto-color
library implant
symbiote
Published: February 25, 2025
Downloadable IOCs: 10

Vgod RANSOMWARE

A new ransomware strain called Vgod has been observed targeting Windows systems. It encrypts files, appending the '.Vgod' extension, and leaves a ransom note titled 'Decryption Instructions.txt'. The ransomware changes the desktop wallpaper and employs a double extortion model, threatening data exp…
ransomware
evasion
windows
persistence
encryption
double extortion
2025-02-18
file extension
vgod
Published: February 18, 2025
Downloadable IOCs: 1

Ransomware Roundup – Lynx

The Lynx ransomware, first detected in July 2024, is a Windows-targeting malware that encrypts files and demands ransom for decryption. It shares similarities with the INC ransomware but offers more granular control. Lynx encrypts files with a .LYNX extension, changes desktop backgrounds, and print…
ransomware
windows
encryption
construction
data leak
manufacturing
2025-02-17
brave prince
lynx
Published: February 17, 2025
Downloadable IOCs: 9

Technical Analysis of Xloader Versions 6 and 7

This analysis examines the latest versions of Xloader malware, focusing on its advanced obfuscation techniques. Xloader, successor to Formbook, is an information stealer targeting browsers, email clients, and FTP applications. The malware employs complex encryption layers to protect critical code a…
obfuscation
encryption
formbook
information stealer
process injection
xloader
2025-01-28
api resolution
ntdll hook evasion
Published: January 28, 2025
Downloadable IOCs: 261

Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI

The AIRASHI botnet, an evolved version of AISURU, has been observed conducting large-scale DDoS attacks and exploiting vulnerabilities in various devices. It utilizes a 0DAY vulnerability in cnPilot routers for propagation and employs sophisticated encryption techniques for communication. The botne…
vulnerability
rc4
encryption
ddos
botnet
proxy
chacha20
hellokitty
2025-01-16
hmac-sha256
airashi
CVE-2022-3573
cnpilot
aisuru
Published: January 16, 2025
Linked vulnerabilities : CVE-2021-36260, CVE-2022-3573
Downloadable IOCs: 9

NotLockBit: A Deep Dive Into the New Ransomware Threat

NotLockBit is an emerging ransomware family that mimics LockBit's behavior while targeting both macOS and Windows systems. Distributed as an x86_64 golang binary, it showcases advanced capabilities including targeted file encryption, data exfiltration, and self-deletion mechanisms. The malware gath…
ransomware
encryption
golang
cross-platform
data-exfiltration
2024-12-19
notlockbit
aws-abuse
self-deletion
Published: December 19, 2024
Downloadable IOCs: 5

Ransomware Roundup - Interlock

The Interlock ransomware is a new variant targeting Microsoft Windows and FreeBSD systems. It encrypts files and demands ransom for decryption. The malware has both Windows and FreeBSD versions, using AES-CBC encryption and adding a '.interlock' extension to encrypted files. It excludes certain fil…
ransomware
encryption
interlock
2024-12-03
Published: December 3, 2024
Downloadable IOCs: 5

Credit Card Skimmer Malware Targeting Magento Checkout Pages

A sophisticated credit card skimmer malware has been discovered targeting Magento-powered eCommerce websites, specifically their checkout processes. The malware dynamically creates a fake credit card form or extracts payment fields, activating only on checkout pages. It uses advanced obfuscation te…
obfuscation
encryption
data exfiltration
credit card skimmer
magento
2024-11-27
ecommerce
javascript injection
checkout pages
Published: November 27, 2024
Downloadable IOCs: 0

Attack On Maritime & Defense Manufacturing

The DONOT APT group has launched a campaign targeting Pakistan's manufacturing industry supporting maritime and defense sectors. The attack uses a malicious LNK file disguised as an RTF, which executes PowerShell commands to deliver a lure document and stager malware. The malware establishes persis…
apt
powershell
pakistan
persistence
encryption
defense
lnk file
maritime
2024-11-15
stager
manufacturing
Published: November 15, 2024
Downloadable IOCs: 0

New Ymir ransomware discovered used together with RustyStealer | Securelist

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…
ransomware
powershell
encryption
incident response
chacha20
systembc
2024-11-11
rustystealer
ymir
Published: November 11, 2024
Downloadable IOCs: 12

New Ymir ransomware discovered used together with RustyStealer

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…
ransomware
powershell
encryption
incident response
chacha20
systembc
2024-11-11
rustystealer
ymir
Published: November 11, 2024
Downloadable IOCs: 0

Fog Ransomware – Technical Analysis

A new ransomware called Fog has been identified, affecting education and recreation centers in the United States. The threat actors gain access through compromised VPN credentials, disable Windows Defender, and deploy the ransomware. Fog is a 32-bit EXE file compiled using Microsoft Visual C/C++. I…
ransomware
windows
encryption
vpn
cryptography
2024-10-21
fog ransomware
file-encryption
multi-threading
process-termination
service-stopping
Published: October 21, 2024
Downloadable IOCs: 1

THREAT ANALYSIS: Beast Ransomware

The Beast Ransomware group, active since 2022, offers a Ransomware-as-a-Service (RaaS) platform with constant updates. It supports Windows, Linux, and ESXi systems, providing affiliates with customizable binary options. Beast employs advanced encryption methods, including Elliptic-curve and ChaCha2…
linux
windows
encryption
esxi
raas
2024-10-19
geofencing
file-targeting
multithreading
beast ransomware
self-propagation
monster
Published: October 19, 2024
Downloadable IOCs: 0

Infiltrating the Cicada3301 Ransomware-as-a-Service Group

This analysis provides an in-depth look into the operations of the Cicada3301 Ransomware-as-a-Service (RaaS) group. It details the workflow of their affiliates within the panel and examines the multi-platform capabilities of their ransomware, encompassing Windows, Linux, ESXi, and even uncommon arc…
ransomware
sophisticated
encryption
cicada3301
2024-10-18
multi-platform
affiliate
Published: October 18, 2024
Downloadable IOCs: 5

Lynx Ransomware: A Rebranding of INC Ransomware

Lynx ransomware, discovered in July 2024, is a successor to INC ransomware targeting organizations in retail, real estate, architecture, and financial services in the U.S. and UK. It shares significant source code with INC and operates as a ransomware-as-a-service model. Lynx employs double extorti…
linux
ransomware
windows
encryption
data leak
raas
double extortion
2024-10-14
lynx ransomware
inc ransomware
Published: October 14, 2024
Downloadable IOCs: 44

ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

ShrinkLocker is a new ransomware strain that exploits Windows BitLocker to encrypt targeted data. Unlike typical ransomware, it abuses this legitimate feature to create a secure boot partition, locking users out unless a ransom is paid. The malware performs system checks, modifies registry entries,…
ransomware
encryption
bitlocker
2024-09-17
shrinklocker
disk partitioning
Published: September 17, 2024
Downloadable IOCs: 2

Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware

Repellent Scorpius is a new ransomware-as-a-service group distributing Cicada3301 ransomware. It emerged in May 2024 and employs double extortion tactics involving data theft. The report covers a technical analysis of the Cicada3301 ransomware, the group's tactics, connections to historical inciden…
ransomware
extortion
exfiltration
encryption
cybercrime
2024-09-11
cicada3301
Published: September 11, 2024
Linked vulnerabilities : CVE-2024-1709, CVE-2024-1708
Downloadable IOCs: 8

Ransomware Roundup - Underground

The Underground ransomware, first observed in July 2023, targets Windows machines by encrypting files and demanding ransom. Attributed to the Russia-based RomCom group, it exploits CVE-2023-36884 and other common infection vectors. The ransomware deletes shadow copies, modifies RemoteDesktop settin…
windows
encryption
2024-09-02
romcom
data leak
CVE-2023-36884
storm-0978
underground
Published: September 2, 2024
Linked vulnerabilities : CVE-2023-36884
Downloadable IOCs: 4

StopRansomware: RansomHub Ransomware

RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to …
privilege-escalation
cobalt strike
encryption
CVE-2020-1472
ransomware-as-a-service
ransomhub
mimikatz
CVE-2023-3519
2024-08-30
metasploit
CVE-2023-22515
CVE-2023-46604
CVE-2017-0144
CVE-2023-48788
double-extortion
CVE-2023-27997
data-exfiltration
CVE-2023-46747
critical-infrastructure
CVE-2020-0787
lateral-movement
Published: August 30, 2024
Linked vulnerabilities : CVE-2020-1472, CVE-2023-46604, CVE-2023-22515, CVE-2020-0787, CVE-2017-0144, CVE-2023-3519, CVE-2023-27997, CVE-2023-48788, CVE-2023-46747
Downloadable IOCs: 14

Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT

This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of…
malware
rat
evasion
encryption
dropper
gh0st rat
moudoor
mydoor
2024-07-31
Published: July 31, 2024
Linked vulnerabilities : CVE-2024-5806 (CVSS 7.4)
Downloadable IOCs: 6

Ransomware: Activity Levels Remain High Despite Disruption

While overall activity levels dipped slightly in the first quarter of 2024, the number of claimed attacks remained high, with LockBit accounting for over 20%. The report explores the changing tactics employed by ransomware actors, including the exploitation of vulnerabilities, the use of Bring-Your…
ransomware
lockbit
vulnerability
blackcat
alphv
encryption
phobos
cyclops blink
CVE-2024-4577
noberus
tellyouthepass
blacksuit
2024-07-11
akira
warp av killer
qilin
disruption
Published: July 11, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8)
Downloadable IOCs: 27

Decrypted: DoNex Ransomware and its Predecessors

Researchers have uncovered a cryptographic flaw in the DoNex ransomware and its previous iterations, allowing for the creation of a decryptor tool. Initially discovered in March 2024, this cryptographic weakness was made public at Recon 2024. The ransomware, which has undergone several rebrands sin…
ransomware
lockbit
darkrace
donex
encryption
2024-07-10
chacha20
rebranding
muse
cryptography
Published: July 10, 2024
Downloadable IOCs: 8

BlackSuit Ransomware: Insights and Defense Strategies

This report provides an in-depth analysis of the BlackSuit ransomware, a threat that has been actively targeting various sectors since May 2023. It presents statistics from incident response engagements, explores the ransomware's behavior and technical analysis, and offers insights into the potenti…
ransomware
encryption
data exfiltration
2024-07-08
blacksuit
cybersecurity
threat analysis
Published: July 8, 2024
Downloadable IOCs: 8

Mallox Ransomware: Linux Variant Decryptor Found

The report analyzes the Mallox ransomware, which has been active since mid-2021 and focuses on multi-extortion by encrypting victims' data and threatening to post it on public TOR sites. Initially targeting Windows systems, Mallox has now developed Linux variants using custom Python scripts for pay…
ransomware
encryption
mallox
targetcompany
2024-07-04
fargo
cyber-extortion
mawahelper
Published: July 4, 2024
Downloadable IOCs: 5

Update: CVE-2024-4577 quickly weaponized to distribute Ransomware

The report describes an attack campaign leveraging the CVE-2024-4577 vulnerability to deliver the "TellYouThePass" ransomware. The attackers use the vulnerability to execute arbitrary PHP code and run a malicious HTML application that loads a .NET variant of the ransomware into memory. Upon executi…
exploit
ransomware
encryption
CVE-2024-4577
2024-06-11
tellyouthepass
infection
Published: June 11, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2021-44228, CVE-2024-3577, CVE-2023-22524, CVE-2023-46604
Downloadable IOCs: 5

Lost in the Fog: A New Ransomware Threat

Arctic Wolf Labs began monitoring the deployment of a new ransomware variant called Fog in early May 2024. The ransomware attacks targeted organizations in the education and recreation sectors within the United States. Evidence suggests threat actors gained initial access through compromised VPN cr…
ransomware
encryption
lateral movement
credential
2024-06-07
backup deletion
foggyweb
Published: June 7, 2024
Linked vulnerabilities : CVE-2024-4358 (CVSS 9.8), CVE-2024-1800
Downloadable IOCs: 5

Malicious Campaign Analysis: JScript RAT and CobaltStrike

This report examines a recent malicious campaign involving a JScript-based Remote Access Trojan (RAT) and its connections to the CobaltStrike penetration testing tool. The attack commences with an obfuscated JScript loader distributed through suspected phishing campaigns. Upon execution, it contact…
obfuscation
rat
encryption
cobaltstrike
2024-06-07
jscript
jscript rat
Published: June 7, 2024
Downloadable IOCs: 4

New ransomware group abusing BitLocker

The report examines an incident where threat actors leveraged Microsoft's BitLocker encryption utility to deploy unauthorized file encryption on targeted systems. The adversaries employed a sophisticated VBScript that resized disk partitions, modified registry entries, enabled BitLocker with random…
ransomware
exfiltration
encryption
2024-05-23
bitlocker
trojan-ransom.vbs.bitlock.gen
trojan.vbs.sagent.gen
trojan.win32.generic
partitions
Published: May 23, 2024
Linked vulnerabilities : CVE-2024-30051 (CVSS 7.8)
Downloadable IOCs: 6

Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear

This comprehensive analysis delves into the continuous evolution and refinement of sophisticated malware entities employed by a persistent cyberespionage group targeting organizations in the Asia-Pacific region. The malware, known as Waterbear and its latest iteration, Deuterbear, have undergone si…
malware
evasion
anti-analysis
encryption
2024-05-21
cyberespionage
deuterbear
waterbear
Published: May 21, 2024
Downloadable IOCs: 29

StopRansomware: Black Basta

This advisory details tactics, techniques, procedures and indicators of compromise related to Black Basta ransomware, a variant first identified in April 2022. Its affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Publ…
phishing
ransomware
exfiltration
encryption
2024-05-08
qakbot
qbot
CVE-2020-1472
quackbot
pinkslipbot
CVE-2024-1709
healthcare
CVE-2021-34527
CVE-2021-42278
CVE-2021-42287
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2024-1709, CVE-2021-34527, CVE-2020-1472
Downloadable IOCs: 174

Ransomware Roundup (April 29, 2024)

This concise report provides insights into the evolving ransomware landscape, covering the KageNoHitobito and DoNex variants. It analyzes their infection vectors, victimology, attack methods, and associated indicators of compromise (IoCs). The report also highlights Fortinet's protections against t…
ransomware
windows
data theft
ransom
darkrace
donex
encryption
kagenohitobito
Published: April 29, 2024
Downloadable IOCs: 7
Click here to see more Attack Reports