babuk | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Sharing

Copy URL

Twitter E-mail

General

Target

RS.7z
Size

20.5MB
Sample

220913-wg1lpsgbg7
MD5

2e40472330409ed96f91e8e0bb796eb4
SHA1

8fd90404184de1a627068a93482313449dbbec91
SHA256

c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9
SHA512

b11720cb8519fc6838161ba8bf696681b242b0789ffd5c442efbb50161d511fd65229ca88a347c856e8ff91501c077f5de7714b09e29d4400f595bfe7829189d
SSDEEP

393216:NkDF1XseDcJIrXeSG0b5mKZ1F0gvpdO8GPnqzHLP3iN5M0CptgNpAcklC0CN:GDjXseDcSra45mKt0gvT0PnMbzkNpAc/

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials

Username:
aheisler@hhcp.com
Password:
120Heisler

Username:
dsmith@hhcp.com
Password:
Tesla2019

Username:
administrator@hhcp.com
Password:
iteam8**

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes

attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true

rsa_pubkey.base64

aes.base64

Extracted

Family

mespinoza

Attributes

ransomnote
Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: RobertGunther@onionmail.org JeanetteCook@onionmail.org Jeffery_Hammonds@protonmail.com Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://wqmfzni2nvbbpk25.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Extracted

Family

sodinokibi

Botnet

$2a$10$kmb3nsvQXC.93GYNCGKy/uq9hYHivf0e3HcajFIifr8Hf3fmnofgm

Campaign

7258

gasbarre.com

all-turtles.com

rksbusiness.com

christ-michael.net

mardenherefordshire-pc.gov.uk

erstatningsadvokaterne.dk

marchand-sloboda.com

unim.su

bauertree.com

faronics.com

moveonnews.com

autopfand24.de

mountsoul.de

beaconhealthsystem.org

cerebralforce.net

aprepol.com

kaotikkustomz.com

dubnew.com

simulatebrain.com

alvinschwartz.wordpress.com

Attributes

net
true
pid
$2a$10$kmb3nsvQXC.93GYNCGKy/uq9hYHivf0e3HcajFIifr8Hf3fmnofgm
prc
outlook
agntsvc
infopath
sqbcoreservice
steam
firefox
ocomm
ocssd
mydesktopqos
oracle
powerpnt
wordpad
synctime
sql
thebat
onenote
excel
visio
encsvc
winword
mydesktopservice
dbsnmp
isqlplussvc
tbirdconfig
mspub
msaccess
thunderbird
ocautoupds
xfssvccon
dbeng50
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Data leak [+] First of all we have uploaded more then 70 GB archived data from your file server and SQL server Example of data: - Accounting - Finance - Personal Data - Banking data - Confidential files And more other... Our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/ Read what happens to those who do not pay. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
7258
svc
svc$
vss
sophos
mepocs
backup
sql
memtas
veeam

Extracted

Family

sodinokibi

Botnet

$2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq

Campaign

7178

kamahouse.net

bridgeloanslenders.com

abitur-undwieweiter.de

live-your-life.jp

xn--rumung-bua.online

anteniti.com

marcuswhitten.site

ostheimer.at

joseconstela.com

deepsouthclothingcompany.com

dr-seleznev.com

ecpmedia.vn

aunexis.ch

anthonystreetrimming.com

pocket-opera.de

mooreslawngarden.com

osterberg.fi

extraordinaryoutdoors.com

kamienny-dywan24.pl

fitovitaforum.com

Attributes

net
false
pid
$2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq
prc
avgadmsv
BackupUpdater
ocautoupds
synctime
thebat
excel
isqlplussvc
ccSetMgr
SPBBCSvc
Sage.NA.AT_AU.SysTray
lmibackupvssservice
CarboniteUI
powerpnt
BackupMaint
onenote
klnagent
sql
Rtvscan
xfssvccon
Smc
mspub
encsvc
LogmeInBackupService
kavfsscs
ccSvcHst
BackupExtender
NSCTOP
outlook
dbsnmp
mydesktopservice
tbirdconfig
ShadowProtectSvc
msaccess
wordpad
mydesktopqos
BackupAgent
visio
kavfswp
ocssd
thunderbird
infopath
agntsvc
sqbcoreservice
steam
AmitiAvSrv
dlomaintsvcu
Microsoft.exchange.store.worker.exe
winword
dbeng50
firefox
TSSchBkpService
DLOAdminSvcu
kavfs
ocomm
oracle
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
7178
svc
ssistelemetry
adsync
svc$
msseces
mbamservice
ssastelemetry
altaro
sbamsvc
ds_notifier
ntrtscan
ofcservice
code42service
macmnsvc
memtas
auservice
telemetryserver
tmccsf
psqlwge
sppsvc
viprepplsvc
azurea
ds_monitor
swi_filter
protectedstorage
mfemms
mfevtp
kaseyaagentendpoint
ltservice
dssvc
altiback
masvc
huntressagent
mcafee
kaendchips
kavfs
reportserver
savservice
altiftpuploader
sophos
svcgenerichost
altiphoneserv
klnagent
mepocs
ds_agent
threadlocker
sql
vss
tmlisten
backup
tmbmserver
savadminservice
vipreaapsvc
mfewc
altictproxy
ltsvcmon
altivrm
huntressupdater
kaseyaagent
teamviewer
msdtsserver
amsp
storagecraft
veeam
bedbg

Extracted

Path

C:\PerfLogs\How To Restore Your Files.txt

Ransom Note

############## [ babuk ransomware greetings you ] ############## Introduction ---------------------------------------------- Congratulations! If you see this note, your company've been randomly chosen for security audit and your company haven't passed it. Unfortunately your servers are encrypted, backups are encrtypted too or deleted. Our enctyption algorythms are strong and it's impossible to decrypt your stuff without our help. Only one method to restore all your network and systems is - to buy our universal decryption software. Follow simple steps that discribed down below and your data will be saved. In case you ignore this situation, the consequences could me much serious, than you can imagine. Guarantees ---------------------------------------------- The hack and system encryption wasn't compromised by your competitors or any other 3rd party, this is just and only our initiative and only thing we interested is profit. Accurding the previous sentence We are very much value of our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We guarantee full support and help through the all decryption process. As the proof of our abilities and honesty, we can decrypt few small files for free, check the link provided and ask any questions. Data leakage ---------------------------------------------- We have copied some quantity of data from your servers. Check those proofs and estimate the seriousness of consequences which can occur in case you ignore us: http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/55a5aa93131ff81478afe895d99ccb1e5350128a6a85abe0955dc9af55c31e66/ This link is private and only you can see it. Use tor browser to open link. Ignoring the interaction with us brings you the publishing your data in our public blog http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/ Contact ---------------------------------------------- 1) Download tor browser: https://www.torproject.org/download/ 2) Open it 3) Follow this link in tor browser: http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/92c51a11c29950b07fc1e46c752e7d40a363ce64447d698442331feaf7de7397 * 6 simple steps do minimize harm from ransomware. ----------------------------------------------------------------------------------------------------------------- Thousands of companies around the world are struggling on ransomware these days, and the most of companies are making the same mistakes again and again. Let�s figure out how to minimize harm and do not be a dumb and pathetic donkey which will make fun for journalists and so on.. 1. If you see small fella malicious .exe file never load it to virustotal.com or any other virus researching website. Otherwise the info about the hack is not a secret anymore. The fact that your company is under ransomware attack is already known by filthy predators data security agents who will post in their pity twitters the fresh known news �OMG ANOTHER RANSOMWARE NOW IT�S �Your company name LLC!!!!! We are all gonna die aaaaaa halp� 2. No any public announcements about the hack or data leakage. And do not applicate to law enforcement. If you commit this actions, more serious consequences can occur and you pay much more than a ransom amount. Law structures like GDPR in this case can oblige you to pay huge fine. 3. As soon as you see your network compromised, follow the link inside any note and follow instructions. 4. Calm your employees. Explain them that this is a drill. And you test your network security systems. 5. If you decide to hire the data recovery company, obligate them to do not inform anyone and any third party about details of the attack. We strongly do not recommend to cooperate with data recovery company, because they do absolutely nothing that you can do by yourself and take money for it. all communications with hackers could be conducted by your it department indipendently without any extra payments. 6. Do not try to decrypt your data via 3rd party software. Most of ransomware use strong encryption algorthm and you can harm your files by using 3rd party decryption software.

URLs

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/55a5aa93131ff81478afe895d99ccb1e5350128a6a85abe0955dc9af55c31e66/

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/

http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/92c51a11c29950b07fc1e46c752e7d40a363ce64447d698442331feaf7de7397

Extracted

Path

C:\decrypt_file.TxT

Ransom Note

*************************** | We Are Back ? *************************** We hacked your (( Network )), and now all files, documents, images, databases and other important data are safely encrypted using the strongest algorithms ever. You cannot access any of your files or services . But do not worry. You can restore everthing and get back business very soon ( depends on your actions ) before I tell how you can restore your data, you have to know certain things : We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public. To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware ) *************************** | What guarantees ? *************************** We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free just send the files you want to decrypt to (support_blackkingdom2@protonmail.com *************************************************** | How to contact us and recover all of your files ? *************************************************** The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses . [ + ] Instructions: 1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address : [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ] 3- confirm your payment by sending the transfer url to our email address 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you, so that you can recover all your files. ## Note ## Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible. By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites. Your ID ==> UhP7bpB2jHFhFjjqr90i

Emails

support_blackkingdom2@protonmail.com

Wallets

1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT

Extracted

Path

C:\4tYDr68D1.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> Data leak includes 1. Full emloyeers personal data 2. Network information 3. Schemes of buildings, active project information, architect details and contracts, 4. Finance info >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV

Extracted

Path

C:\R3ADM3.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : https://contirecovery.info YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- V8gTskvaU8gGgzzk0qC2sM90noCXm1AgvCkADBk9JhxwjahEd2MSBLQ5sgBZOEkq ---END ID---

URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.info

Extracted

Path

\??\Volume{5d2b4a7c-0000-0000-0000-d01200000000}\odt\!!FAQ for Decryption!!.txt

Ransom Note

Good day. All your files are encrypted. For decryption contact us. Write here aam_sysadmin@protonmail.com We also inform that your databases, ftp server and file server were downloaded by us to our servers. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss.

Emails

aam_sysadmin@protonmail.com

Extracted

Path

C:\\README.8c94de27.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3 When you open our website, put the following data in the input form: Key: 5l5BZPnhuDEYAVqJR4MgValoWwML2OjDOtYwubDXeXGefcJDd4otfGdb9pJPrHW7Rt0XqdwabTWl9I5xhiHBsW6mg5BoqR4M2LZ0TI1hN4ifY7RVgRakjxxhhyImncWtgNb8LWtJlhn6cwtDLlsIjq0wAn8s7YsdzgTPPreHXEyFiFH1ozVIpZXV1mO5QXMZu16DNkFcXVIfdw5gPeSYjd3VAa7VlIH8IXgwCuza7YprCeDIOmvRqYK1jBH4s4nn0VyEHnWRndP7jNNUmat6FMhNzeKnLYGbMDRwmZR6iFdFX0Y3lhEWenDamVRchRSE5YwiL9LqTfkrnrswflssAB0SOcodZXRxG5HNItcitj3Za1NzC5fmBpdKN4jV01hMBG98ZEN8HMKeOdVxKtbAZP86K9IfBy8QcNrWLQ2hAeup6DD6KsG8R0Jj8czKTu4MDlGaxQMtPSycA0B6IzpPVV0Tbn9yWIIFH6y4mir71zDWbcPH3p5Hnr80gTnOFHXGzkGfrdy1bjn5H99zniLFFjchV8EEPMtgG2PwKF7NVQ9dTdlMBHWQpGc !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3

Extracted

Family

sodinokibi

Botnet

Campaign

367

craftingalegacy.com

g2mediainc.com

brinkdoepke.eu

vipcarrental.ae

autoteamlast.de

hostastay.com

gavelmasters.com

ronaldhendriks.nl

successcolony.com.ng

medicalsupportco.com

kompresory-opravy.com

sveneulberg.de

oththukaruva.com

voetbalhoogeveen.nl

selected-minds.de

log-barn.co.uk

fsbforsale.com

jobkiwi.com.ng

ivancacu.com

11.in.ua

Attributes

net
true
pid
5
prc
wordpad.exe
outlook.exe
tbirdconfig.exe
agntsvc.exe
thebat.exe
mydesktopservice.exe
sqbcoreservice.exe
thunderbird.exe
ocomm.exe
excel.exe
thebat64.exe
steam.exe
xfssvccon.exe
firefoxconfig.exe
sqlagent.exe
ocssd.exe
mydesktopqos.exe
msaccess.exe
isqlplussvc.exe
mspub.exe
winword.exe
sqlbrowser.exe
dbeng50.exe
sqlservr.exe
oracle.exe
encsvc.exe
powerpnt.exe
dbsnmp.exe
infopath.exe
ocautoupds.exe
mysqld_opt.exe
visio.exe
msftesql.exe
mysqld_nt.exe
synctime.exe
sqlwriter.exe
mysqld.exe
onenote.exe
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
367

Targets

- Target
  
  RansomwareSamples/Babuk_20_04_2021_79KB.exe
- Size
  
  79KB
- MD5
  
  024382eef9abab8edd804548f94b78fc
- SHA1
  
  b69a5385d880f4d0acd3358df002aba42b12820f
- SHA256
  
  c4282e9040cdc1df92b722568a8b4c42ce9f6533fed0bd34b7fdbae264947784
- SHA512
  
  011bd185ef5aef409dbd198f59829d9812d2b1ead69e867e8b9983eb7c742356b074b17383c17fe22f417b61e6aaf7858cbb9e3abd5d25d02f256b69834c42d4
- SSDEEP
  
  1536:jRS6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:jRMhZ5YesrQLOJgY8Zp8LHD4XWaNH71m
Score

10^/10

babuk ransomware
- Babuk Locker
  RaaS first seen in 2021 initially called Vasa Locker.
  ransomware babuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1
- Target
  
  RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
- Size
  
  12.2MB
- MD5
  
  96c2f4acef5807b54ded4e0dae6ed79d
- SHA1
  
  3e93999954ce080a4dc2875638745a92c539bd50
- SHA256
  
  c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908
- SHA512
  
  bfb933ce0e68c2d320a49e29eb883c505012895bd04b82f29167cd791e4bd507ee5529a2199a51c6faaf9f70053869b488833766b6dfa1efeab2700c0bcea30c
- SSDEEP
  
  393216:Rd9c5hlEK/PNKwtN3ZWyp032LOqKT1g8Cy:RXEhxtKwtN3p232LOqKgz
Score

10^/10

ransomware spyware stealer
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral2
- Target
  
  RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
- Size
  
  67KB
- MD5
  
  598c53bfef81e489375f09792e487f1a
- SHA1
  
  80a29bd2c349a8588edf42653ed739054f9a10f5
- SHA256
  
  22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
- SHA512
  
  6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35
- SSDEEP
  
  1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kl:qR7auJXSkZg3C
Score

10^/10

blackmatter ransomware
- BlackMatter Ransomware
  BlackMatter ransomware group claims to be Darkside and REvil succesor.
  ransomware blackmatter
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3
- Target
  
  RansomwareSamples/Conti_22_12_2020_186KB.exe
- Size
  
  185KB
- MD5
  
  7076f9674bc42536d1e0e2ca80d1e4f6
- SHA1
  
  854485ee63e5a399fffe150f04cd038d6a5490ef
- SHA256
  
  ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124
- SHA512
  
  71c507108cc0c8b5609076672bd0b64a42c015995fe7220aa97e273c1754e63271edb06b284f4fc01b71a4751c1bcac0f572339e94ff0fd538dc0250caa9181a
- SSDEEP
  
  3072:+qS7gtGIeq8KxrvRp1MImcZeuLaxugfCJsOlq8WkJK0BOog/Tt3onM9kHpOBae4f:zS7gtyuzFxm16axugfqlMw5g5BkOdSlr
Score

10^/10

conti ransomware spyware stealer
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral4
- Target
  
  RansomwareSamples/Cuba_08_03_2021_1130KB.exe
- Size
  
  1.1MB
- MD5
  
  a12e733ddbe6f404b27474fa0e5de61d
- SHA1
  
  e8d0c95621a19131ef9480e58a8d6dd3d15c9acd
- SHA256
  
  271ef3c1d022829f0b15f2471d05a28d4786abafd0a9e1e742bde3f6b36872ad
- SHA512
  
  f27605a283e958690eb7ad50aa46110b6d155217ad09d658ad3f9c4368d4c66ab623a0cc3489d695a02db462fec3bcf8ebee13f9da1bd61e2e3db46de2d73ddf
- SSDEEP
  
  12288:xtwee4XgIijsCMtcTCWVRapiyC9vwic8CPK3EOnA+u+:8efgIiICMtIChp8N2K3EOAK
Score

10^/10

ransomware
behavioral5
- Target
  
  RansomwareSamples/DarkSide_01_05_2021_30KB.exe
- Size
  
  30KB
- MD5
  
  f00aded4c16c0e8c3b5adfc23d19c609
- SHA1
  
  86ca4973a98072c32db97c9433c16d405e4154ac
- SHA256
  
  4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
- SHA512
  
  a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf
- SSDEEP
  
  768:lXnIczxCbTRNl71wHpZQgYI1TQPB3aYJEOW:hIMxCXd1+pZQgYIxk3vJE
Score

10^/10

darkside ransomware spyware stealer upx
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
  ransomware darkside
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Sets desktop wallpaper using registry
  ransomware
behavioral6
- Target
  
  RansomwareSamples/DarkSide_16_01_2021_59KB.exe
- Size
  
  59KB
- MD5
  
  0ed51a595631e9b4d60896ab5573332f
- SHA1
  
  7ae73b5e1622049380c9b615ce3b7f636665584b
- SHA256
  
  243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
- SHA512
  
  9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5
- SSDEEP
  
  768:vjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1yl3RYY23W58:0x7Fu4/ihrhDTV1ylhZ58
Score

10^/10

darkside ransomware spyware stealer
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
  ransomware darkside
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Sets desktop wallpaper using registry
  ransomware
behavioral7
- Target
  
  RansomwareSamples/DarkSide_18_11_2020_17KB.exe
- Size
  
  17KB
- MD5
  
  f87a2e1c3d148a67eaeb696b1ab69133
- SHA1
  
  d1dfe82775c1d698dd7861d6dfa1352a74551d35
- SHA256
  
  9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297
- SHA512
  
  e361811b07a66d9a784be37bdace0bdec9e11374083d7ccf7d9830e47a59afa8b9d12d80d4d47ea1932116354ad60bbc8ea6a6a265885d264b35486986415ea3
- SSDEEP
  
  384:SGyUrEk/yEoQE+yckIYN/pBa3AWK3T2oTboHblKR/:l4klFypIYFpB/x9ngb
Score

10^/10

darkside ransomware spyware stealer upx
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
  ransomware darkside
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral8
- Target
  
  RansomwareSamples/DearCry_13_03_2021_1292KB.exe
- Size
  
  1.3MB
- MD5
  
  0e55ead3b8fd305d9a54f78c7b56741a
- SHA1
  
  f7b084e581a8dcea450c2652f8058d93797413c3
- SHA256
  
  2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
- SHA512
  
  5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa
- SSDEEP
  
  24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkHVZgMCS+:L7XP7P9o5QzUtl1fpxkHVZgMC3
Score

10^/10

dearcry persistence ransomware spyware stealer
- DearCry
  DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
  ransomware dearcry
- Modifies Installed Components in the registry
  persistence
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral9
- Target
  
  RansomwareSamples/Hades_29_03_2021_1909KB.exe
- Size
  
  1.9MB
- MD5
  
  9fa1ba3e7d6e32f240c790753cdaaf8e
- SHA1
  
  7bcea3fbfcb4c170c57c9050499e1fae40f5d731
- SHA256
  
  fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
- SHA512
  
  8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe
- SSDEEP
  
  49152:zHOalx8WJjq64Hv7OHxTAhEu5undVmB9dn5AI7EyP3S:Z/8WJjiPSRRu5undVmDd5VEyvS
Score

10^/10

hades cryptone packer ransomware
- Hades Ransomware
  Ransomware family attributed to Evil Corp APT first seen in late 2020.
  ransomware hades
- Hades payload
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
behavioral10
- Target
  
  RansomwareSamples/Hive_17_07_2021_808KB.exe
- Size
  
  808KB
- MD5
  
  504bd1695de326bc533fde29b8a69319
- SHA1
  
  67f0c8d81aefcfc5943b31d695972194ac15e9f2
- SHA256
  
  a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749
- SHA512
  
  18c5b28bafb13edf47f6a2b803d9d9a914945f037b266a765f2a324842c5ef04ebda27eba31851d2d63e00779a42900e0edfe4ad5bd817eb4f43fa4d4e3a4767
- SSDEEP
  
  24576:lafTGwLNdRk4RBtr/ioF4/I+CMx3cMt3/4KFG8Qz4YwY:IT7dRFr/ioFjicMtvV4z
Score

10^/10

hive persistence ransomware spyware stealer upx
- Detects Go variant of Hive Ransomware
- Hive
  A ransomware written in Golang first seen in June 2021.
  ransomware hive
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops file in Drivers directory
- Modifies Installed Components in the registry
  persistence
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral11
- Target
  
  RansomwareSamples/LockBit_14_02_2021_146KB.exe
- Size
  
  146KB
- MD5
  
  69bec32d50744293e85606a5e8f80425
- SHA1
  
  101b90ac7e0c2a8b570686c13dfa0e161ddd00e0
- SHA256
  
  95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf
- SHA512
  
  e01f976fcbfa67cfd6e97855d07350a27b67fcc825d4e813ac9d2f4e8f464bb4f8bbbbe58a26bc27e78fa15db0ee5271e8f041dd72f036c11964eb1c591b438f
- SSDEEP
  
  3072:V6ZkRGjkBrmKmY99UpkD1/34bIpVSrtLmqc2LVMMqqD/h2LuTeONA5tIHVcH:IS9rLPPUpa3VVEtLXcCqqD/hOQnaMcH
Score

10^/10

lockbit evasion persistence ransomware
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral12
- Target
  
  RansomwareSamples/MAKOP_27_10_2020_115KB.exe
- Size
  
  114KB
- MD5
  
  b33e8ce6a7035bee5c5472d5b870b68a
- SHA1
  
  783d08fe374f287a4e0412ed8b7f5446c6e65687
- SHA256
  
  2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
- SHA512
  
  78c36e1f8ba968d55e8b469fba9623bd20f9d7216b4f5983388c32be564484caab228935f96fd8bff82bc8bb8732f7beb9ccede50385b6b6ba7e23b5cc60679f
- SSDEEP
  
  3072:Rf1BDZ0kVB67Duw9AMcUTeQnbZ7pgHzL8O1oc8rEUvZfqv8dOWVIc:R9X0GGZpYzL8VcFUvZyUdb
Score

10^/10

makop persistence ransomware spyware stealer
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
  ransomware makop
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral13
- Target
  
  RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
- Size
  
  661KB
- MD5
  
  19ddac9782acd73f66c5fe040e86ddee
- SHA1
  
  24ceba1e2951cde8e41939da21c6ba3030fc531d
- SHA256
  
  dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
- SHA512
  
  e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4
- SSDEEP
  
  12288:vN3K5e8nbwFigzk6VVMqX8aQNRMcauV9B/rtiPnA40Q8:hCXbwFigzkQVdXvlcayDh49
Score

10^/10

medusalocker evasion ransomware spyware stealer trojan
- MedusaLocker
  Ransomware with several variants first seen in September 2019.
  ransomware medusalocker
- MedusaLocker payload
- UAC bypass
  evasion trojan
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral14
- Target
  
  RansomwareSamples/MountLocker_20_11_2020_200KB.exe
- Size
  
  200KB
- MD5
  
  c2671bf5b5dedbfd3cfe3f0f944fbe01
- SHA1
  
  da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1
- SHA256
  
  226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
- SHA512
  
  256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9
- SSDEEP
  
  1536:ssBoz9GFuIdclwKfVPoawSL20mRbg2DrE1mHkrY0f3r6fR0ZzDWR+3itGSh6ZVvg:ssS3oifBoaXhDWA4G3eeJaeIbmC00
Score

10^/10

mountlocker ransomware
- MountLocker Ransomware
  Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
  ransomware mountlocker
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops desktop.ini file(s)
behavioral15
- Target
  
  RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
- Size
  
  3.0MB
- MD5
  
  cd7b5d2391af7cc10f5ab11f2baef503
- SHA1
  
  c735ff582ab489f13cfc76ee744e52b868012e2e
- SHA256
  
  0bafde9b22d7147de8fdb852bcd529b1730acddc9eb71316b66c180106f777f5
- SHA512
  
  b01c843c9a7c154ab592b667fe66b49123bfc2218904391600c1d17623b91c4e83eb6049aba01813586251596d999cce953ca689957390e658ee306a9859adca
- SSDEEP
  
  24576:YOXKA8qDbjm8N3CNWYqdQCVzCYXjG9xLAW0bUXo2xdQS3aVOqL1UrSlcbHLWcR4+:tXKOm8mkdHJC0jG9xE9gdQS3aLibLw
Score

10^/10

ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
behavioral16
- Target
  
  RansomwareSamples/Nemty_03_02_2021_124KB.exe
- Size
  
  123KB
- MD5
  
  78c3c27df6232caa15679c6b72406799
- SHA1
  
  e439d28b6bb6fd449bddad9cf36c97433a363aed
- SHA256
  
  a2fe2942436546be34c1f83639f1624cae786ab2a57a29a75f27520792cbf3da
- SHA512
  
  36dcdaffaef3ea2136cca3386f18ee3f6462aa66c82ef64660e3c300f3d58720a9c742930e2ee8e94c2379fbc7b3e6932dda20b5caa30b1c1f1ef38095aac6f6
- SSDEEP
  
  3072:xlwfdbiGnmYcAbwc7HNXG8/IEjkeOBeFtEv9VTYnH5upMocGMn7qxR1tMkTJNzn:DwfY2sA0kHFkktN5upMocGMns/lNzn
Score

10^/10

ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral17
- Target
  
  RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
- Size
  
  902KB
- MD5
  
  7770c598848339cf3562b7480856d584
- SHA1
  
  b3d39042aab832b7d2bed732c8b8e600a4cf5197
- SHA256
  
  ee3b0468a16789da8706d46aa361049ec51586c36899646a596b630d913e7304
- SHA512
  
  02af6d5910f0627074fbea72901b2f2b491f7dba58f53ae1fad1dc47230e000a7b459c8475a76aaf006629bb5822d89d4672d32fb64d073464ca41140cb134d2
- SSDEEP
  
  6144:KxYcCQ2x63Ib0NQrqxpPbI1ZVedvUhwDNGjG+zBumDKemdglhykA:KCQ2x6TdvUqDUjG+zBumDKemdgy9
Score

10^/10

netwalker ransomware
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
  ransomware netwalker
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
behavioral18
- Target
  
  RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
- Size
  
  1.9MB
- MD5
  
  d86f451bbff804e59a549f9fb33d6e3f
- SHA1
  
  3cb0cb07cc2542f1d98060adccda726ea865db98
- SHA256
  
  008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
- SHA512
  
  c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
- SSDEEP
  
  49152:olyGDEemRoq2KKpgL5lWKDFcmjkf8cudB/8WjM:UYerFq/FgUcuf/85
Score

10^/10

hades cryptone packer ransomware
- Hades Ransomware
  Ransomware family attributed to Evil Corp APT first seen in late 2020.
  ransomware hades
- Hades payload
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
behavioral19
- Target
  
  RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
- Size
  
  17KB
- MD5
  
  16a29314e8563135b18668036a6f63c8
- SHA1
  
  90cf5ca4df9d78cf92bb865b5b399a4d2752e55b
- SHA256
  
  4e6c191325b37da546e72f4a7334d820995d744bf7bb1a03605adb3ad30ce9ca
- SHA512
  
  45c023e6dd4202079e913b8946825b47fab30b584bbd79b0416152cc4a54975b12205393827289c1f03feb71b54d3b6b34490be3001e9b565c1f89e13e752032
- SSDEEP
  
  384:RJueT9Jtx33bRsoOjhveu+q7hPOx58Zbxe:RJueJx33bDO1uMbc
Score

10^/10

ransomware spyware stealer
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral20
- Target
  
  RansomwareSamples/Pysa_08_04_2021_500KB.exe
- Size
  
  500KB
- MD5
  
  d751f54365181f544f908cc9ae3c91c5
- SHA1
  
  51cbc9455b7781cf0529f299631e59016fe52e95
- SHA256
  
  af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8
- SHA512
  
  04497dcac535c18247b13634db35a3a53369719696e700ff2c45637c616f6932ba22ddad2e3925055c92e5922f38c34f09ce8d87106f894a7a586ad0d41e6d33
- SSDEEP
  
  12288:oDMUibBYoo+OeO+OeNhBBhhBB7TRU+FR+q1mITXimIscFa:KMUiFTTRU+3+qAILfo
Score

10^/10

mespinoza ransomware spyware stealer
- Mespinoza Ransomware
  Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
  ransomware mespinoza
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral21
- Target
  
  RansomwareSamples/REvil_07_04_2021_121KB.exe
- Size
  
  120KB
- MD5
  
  726d948d365cb9db1dfd84a30203a642
- SHA1
  
  78ed4bcf9c0aca8d14b25da2e679a91c48dd6797
- SHA256
  
  d74f04f0b948d9586629e06e2a2a21bdf20d678e47058afb637414eb3701c1f6
- SHA512
  
  bd17f2b265c30f0d9ddc60e01026f21ad6b6355f68b762b14b3e8882a90de0a20970f77105a2515a7cb4a0d1429f3a70cdf40d4247384592d36da6f2907a690a
- SSDEEP
  
  1536:bjxXC9jVwbhEW8z3w1R+KjJLRiOQJo0SoLCdpuOk2ICS4Ang6lUkdq0tK3CmZ6+n:mmV1wKdLoLC/OemUkdq4WCmA0qG9
Score

10^/10

sodinokibi ransomware spyware stealer
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral22
- Target
  
  RansomwareSamples/REvil_08_04_2021_121KB.exe
- Size
  
  120KB
- MD5
  
  2075566e7855679d66705741dabe82b4
- SHA1
  
  136443e2746558b403ae6fc9d9b40bfa92b23420
- SHA256
  
  12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39
- SHA512
  
  312dcb3d83a5201ef16c5027aabd8d7baebfd9761bf9514cafecc8a6936970b897b18b993e056d0f7aec81e6f0ab5756aa5efd3165e43f64692d5dbdb7423129
- SSDEEP
  
  1536:bjxXC9jVwbhEW8z3w1R+KjJLRiOQJo0SoLCdpuOk2ICS4Ang6lUgvfYiFyRFywX/:mmV1wKdLoLC/OemUWYjfywpbPa
Score

10^/10

sodinokibi ransomware spyware stealer
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral23
- Target
  
  RansomwareSamples/Ragnar_11_02_2020_40KB.exe
- Size
  
  39KB
- MD5
  
  6171000983cf3896d167e0d8aa9b94ba
- SHA1
  
  b155264bbfbad7226b5eb3be2ab38c3ecd9f3e18
- SHA256
  
  9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376
- SHA512
  
  1b10008d5eaeb3755c899334d416e8d0a30695e093dc597b21e630fd8bde4b9c5d808fd2663f1acd7489e33b947660dacdb80f7f3aa4911cd24d605cfc44e73a
- SSDEEP
  
  768:spCmKJILjsoq65corBjd/3oqab0k3RLKul1FX8xUtE:splco4aFoqaXpTX8xa
Score

10^/10

ragnarlocker bootkit persistence ransomware
- RagnarLocker
  Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
  ransomware ragnarlocker
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral24
- Target
  
  RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
- Size
  
  156KB
- MD5
  
  fcd21c6fca3b9378961aa1865bee7ecb
- SHA1
  
  0abaa05da2a05977e0baf68838cff1712f1789e0
- SHA256
  
  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
- SHA512
  
  e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a
- SSDEEP
  
  1536:7ZLTzASUIG0TOOYTufIaSWvRYkekdvizSBXxNe9VPw6s6aUCT7Q7qn:OBI9HYyfNBdviGBBQsrhPk4
Score

10^/10

ransomexx_win evasion ransomware
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- RansomEXX Ransomware
  Targeted ransomware with variants which affect Windows and Linux systems.
  ransomware ransomexx_win
- Clears Windows event logs
  evasion ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables use of System Restore points
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Overwrites deleted data with Cipher tool
  Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral25
- Target
  
  RansomwareSamples/Ranzy_20_11_2020_138KB.exe
- Size
  
  138KB
- MD5
  
  954479f95ce67fcb855c5b882d68e74b
- SHA1
  
  43ccf398999f70b613e1353cfb6845ee09b393ca
- SHA256
  
  c4f72b292750e9332b1f1b9761d5aefc07301bc15edf31adeaf2e608000ec1c9
- SHA512
  
  515e675401ec67d2d06f06264cb33808ad7d214a0609492ddf73f40a3b829358d75f79fff04b29c6953fc3f450c0d55207d5a6fd3b571f60ae05e25327c41a5f
- SSDEEP
  
  3072:WNnBEPCZ788hExMfHg/50iIETyyCDRk8gE9QIluYEh0VZvcWrMFh:WPEa586nHg/50/ET3CoE7uYEau
Score

10^/10

ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral26
- Target
  
  RansomwareSamples/Ryuk_21_03_2021_274KB.exe
- Size
  
  273KB
- MD5
  
  0eed6a270c65ab473f149b8b13c46c68
- SHA1
  
  bffb380ef3952770464823d55d0f4dfa6ab0b8df
- SHA256
  
  7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed
- SHA512
  
  1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff
- SSDEEP
  
  3072:n/YRw64GUbH9dpWYEFq5hY9e1Z36NS31gs03ApyCb6DnE/PdrfS6sOK5hI+z7XI:Qa6owYEFq5hY9aqNS1y4/PdzS+s64I
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
behavioral27
- Target
  
  RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
- Size
  
  364KB
- MD5
  
  15fc8a15e86c367586e3661b03bcab44
- SHA1
  
  a6a6f2dc244d75cac1509e46c7de88ff479b9ee6
- SHA256
  
  b2945f293ee3f68a97cc493774ff1e8818f104fb92ef9dbeead05a32fc7006ff
- SHA512
  
  cad4c868065a4715126a6e644c1fc1c5d9832e027f62f2f9370172e523fe7db63119871ba64977fc2f25959197a20f0e0e98bd66b2539eae7d46ded9d571436b
- SSDEEP
  
  6144:nj+vyxz9WYWqpkGbOAqMK/oVZUlz/F8GO53OuzZOJM7CQ5g//s4Y:j+wpWYkGA/WGUGO53OIZkh/Y
Score

10^/10

egregor sekhmet ransomware
- Detected Egregor ransomware
- Egregor Ransomware
  Variant of the Sekhmet ransomware first seen in September 2020.
  ransomware egregor
- Sekhmet Ransomware
  Ransomware family active in the wild since early 2020.
  ransomware sekhmet
- Blocklisted process makes network request
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral28
- Target
  
  RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
- Size
  
  252KB
- MD5
  
  1ce1ca85bff4517a1ef7e8f9a7c22b16
- SHA1
  
  f35f0cd23692e5f5d0a3be7aefc8b01dfdd4e614
- SHA256
  
  06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851
- SHA512
  
  6e67fa01a8792453b148074fe027def90e1d3f6042037216986ee9e3d0c436c177764bc5e5900dbbab91e10d8a3c86a2ea04ef547149bfc92a33ec0236759949
- SSDEEP
  
  6144:Rb8oNGxoFlv2ynsDJv++C3uGsKTYZH7nJHVyjG7q9J4:RTvnOdtC+GENnvyjGN
Score

10^/10

sodinokibi 5 367 ransomware spyware stealer upx
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral29
- Target
  
  RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
- Size
  
  1.4MB
- MD5
  
  d87fcd8d2bf450b0056a151e9a116f72
- SHA1
  
  48cb6bdbe092e5a90c778114b2dda43ce3221c9f
- SHA256
  
  3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80
- SHA512
  
  61a636aca3d224dcd2ed29ca000cf0ecf88f51ffd7cb5182ea4599c9e889cb74b78824d93c7383457bd6d591506202527d44c6a15c93a9ab9cfc8230faddd04b
- SSDEEP
  
  12288:1deyF8N4Ateo7FURIFdnHt+gifa/kf5jOcXsikHOQLWOj9:1deyF8N4Ateo7WROdnHQgmSccikHh9
Score

10^/10

suncrypt ransomware
- SunCrypt Ransomware
  Family which threatens to leak data alongside encrypting files. Has claimed to be collaborating with the Maze ransomware group.
  ransomware suncrypt
- Blocklisted process makes network request
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral30
- Target
  
  RansomwareSamples/Thanos_23_03_2021_91KB.exe
- Size
  
  91KB
- MD5
  
  3e0c0275c22f75048511cbcbdcca3641
- SHA1
  
  18c97fafbb6bed70e3b3f88bd39fba342e49b112
- SHA256
  
  8a4a038a965ba42a0442d44abf25e4d21f5049d4a4a8aa9cb6691ec4282814a1
- SHA512
  
  c11e7606efb18af92f3b4ce800df8cc4d239fcf0c2423492f4a61a383dd2644d11b7034a53981f3f24aa2b45d654db4f7bd0527fd712e36dd578e32fd994215e
- SSDEEP
  
  1536:NrZGUvlLrx6FfCRo1wjAb5JjlbKTzHVt39JZmpvn+mJm:Nrk+lLr8wS1lbg39JZmpvn+mA
Score

8^/10

discovery evasion ransomware
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Modifies file permissions
  discovery
behavioral31
- Target
  
  RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
- Size
  
  812KB
- MD5
  
  5181f541a6d97bab854d5eba326ea7d9
- SHA1
  
  16d9967a2658ac765d7acbea18c556b927b810be
- SHA256
  
  b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
- SHA512
  
  c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa
- SSDEEP
  
  6144:73KIrUL3UE1S5mY5/i+i6thb2/VMpfkgXkJX/h/O11/vMLZ935PFXwz6Ui:DTru3FS5C/VMpfkg2ROs9dSz6
Score

10^/10

buran zeppelin persistence ransomware
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  ransomware buran
- Detects Zeppelin payload
- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
  ransomware zeppelin
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral32