Analysis
-
max time kernel
53s -
max time network
56s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
-
submitted
04-10-2024 04:17
General
-
Target
https://github.com/ThreatLabz/ransomware_notes
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Downloads\ransomware_notes-main.zip
Family
avaddon
Ransom Note
PK
������UBY������������� �ransomware_notes-main/UT����fPK
������UBY������������� �ransomware_notes-main/3am/UT����fPK
�����UBY���@��Z
��+� �ransomware_notes-main/3am/RECOVER-FILES.txtUT����f�U�n�6��+&1�z �>���Cўz�
��聖(�k�Ԓ����w��d9�� aX�4���7C�MKp��o�e��b��% ������Q�X�B��9�F"�N�01
��]5�1B�hq�f��'��h֖��y�k���m�R�Ɯ<e˹<}]�G�7rg��3����X�)�s����+!V���>
��?��Z�~���p����
� o�<U8M�����,t�La��
"�G���Y#
�f|Chc�5c�#<}G`���@
��F���G(Qs'�f�ڰ��\e @PΊǵyA2E����
Β\�|I�`��v����m�+�����[����C���̚��H�j^�͝�k>]��t�b�ƃc��&����P:0����+��9 �������_����X�
��iC��M��r�,��
�����Ӕ��:"�V�/��f�}�f����{pΓ^*c���G��=|�+��Q�jh�u�C�A�S
+�ߍ��u
jmT��U
T^�.�
�-}�FUq�������7��ޝ�:zg�0�V�<mey�����m�V��"���B��We�X
��|�:]
�"��*vނ|A߸Vy��To�&:p^ﴕB�Q��81��)ʫ
ʬd���a���L
'�s���Q!�dE�XD{�n�NM
��u!��6:�D�8�!�o�\�.��M�l�R�K��z �̝���
����2f��P�6�
PN��DdMN8d�
���:m�3���
R�ZjO2�'ލ�0
�e���8P{���ƕh�U����-�Җ U��PD
��Sp䰶���Ԉ��+8�
�h0�C+}�x� wK���a�L���:tʖ���+��`�P8Z�zU�`���TKU��p���G2
v��al�w}��킶*ɾ�zO�M)��5vh�
:$���H��)r��"��a�li�����4Ԡ�ԕ������4XX-8�Ơ���6
�l3g�O�9�(�觤.��)���'���Q���p"k��Q4X������?o�;埋}���f�H]6 믏���O�ɘ��ҷ��C��_�O!"�w��
���:}���ب�8�ʒ�
T�\��n�-�PK
������UBY������������
� �ransomware_notes-main/8base/UT����fPK
�����UBY��߃���~'��*� �ransomware_notes-main/8base/8base_note.htaUT����f�Z�o�J���+��P;#m�U:�I��t4�6�0`B��Q`��r\e�Y����ʐ�Gw���J+mZ�W�y��9����Ptٜ�T�3}4�����N���Y].�S)�J�\V����c,�*��,+e�I�esR�X4ʔ%��J.sOo���5 ?�����'x1���Y ���i�G.��y�֬�
�0��GN��
������~ۯ�L�J�@T���a�!Mև�NC��-vJ����bh�n_Ն�)
e��i���ZN8J��="aA�ď
�h�ZK����o2"TH^
����f�
jV����j�����@㨔�.��9�V`������NJ���B�#�X
`��dax����������
>!� �B�f�E����~VD�)N�ş/�B+Y����ׁۣ ��B�+Tk�Z�-g�LH�W� ���=���o�� ��K.�ɉ��8��+?��8�?Ŗ
N�l�o%?�����1���z}|��HJE���#�c�u�h ��5�uy!�#'��ܼ�V�/�,�N�|#
w����d��k �trR���&����Vy-�Y<?Z���k��9���E����Q��V����'��
:
��6>�,>`'��b�
A��qע
.�^�u�K�
�~&
�הN�RFއ��ޜ�G��S�#����υ+B"�� p��e�A� Eћ����oȽ����!դZ����ip|p ���w�'��3��h~_�j�}���j�ȅ҂��}�Ƅ��'�����"��^���`P)�f��}F��g
℟]z�N����%�� n�;��=+���s4/jcy_
����*�����N
t�prr���&ηS�b֕ By*���Oۢ���ſo듬r�] ����S�KxR�Ƕ$Kc� ����x�u���ݑ\�zm�,�WF�v���y�
$i�aA��Ϯ {��S��[�vf<�px۟T�R��G�~���uT������HԔƲ��q����p2^��,�fF'�"~H�u|?!���hN��tb�;�
�$|��s5\/n�j�g��P��*k�X��d�=u���C�0�2��N�t
�LQ�;��m=
*��C��f߽���t䞝�ζ��ca��[.��
N�j�p�PѪ�mԯLK[�m=�
u�E�H���3��;��/=�2s�Vce��!�
�Z���m~Mz# ����?�6KK��mF�m�㛊��͡��8��
9U;˧3����Џ:-��ݫ�&�<��V9�
�=��6�*
U{57���1.��C;A4[����ŃӘ�m���1�ԣۉm^�T��|Pi��e8����
K�$�)V#�����C�լQJh{�w��c��u�(^UfgY�n�I���O���"�f=�x\�R��BI����0
�w�8��e4
��ǎn4X3�6k)� %[�ij%Ӻ�]H��;�a=�Ift��W�[+o�ګ5�,۶� R��
�ͬ��kH�E��6i�m{6���u{�e�1�ֽF�
w�̔�lW��f�~l
|�|Y�<�
ϫ�5�%�Nw��
��f33 ��l�X���-�?*
}��Y���ѯ}{͂�p0�q�!Uk5w���jm����,*w5�%����y��J���ﯞ��$���SHs����fbF��Uzy�f,�3�P�rV��w�< �����߭:�>���E�§m-d�m{�5�q�����#���V�� �ێBd�E��q���l�1i�R�<n��Iz�A��>>e�KIN�aFk�gc��w����
�����p�>y��iխJ����i����=e[�����q��+�+Mz
H�me��̕�V^�x1n�w�������"��'�q"�+}]����,ϛI=~d�qi?�Sl<���~9"#ŪH�r��)�q�%=�^��R�5In]*��v���ݲ�����6��QŐ=Ng�v�ެ��epy�P�t6;ٻ$����W��56g��*���aҙ�&���$��a�8�T
�R>P�f ��7��^Qs}5h�+�r��2��u/m�ql��L���cΙ1�k��1ZK���ՍJ6�+�A0�Vd��$�4($t�Jk(�P2�����)�5��
��ol%h`E��!�
�e�V�
�7No�3�i���wm�r�"
s���<��S
Կ ��3���bW�vrs������ OP�YF����3�`�K
�IϢȆ�9И�>��N�sNF�;V�x�B�
���x��0 �}PG��B�벐��3ڛ
�(CV�"9W
L�M�Xr [0�G�rJ�'Hy#��th1�k�xA@"+�Q@(��� -���R�4,��o����ެ��\[�K���a���O5k�̝0p��W8r�(��0�lB��t��Ov#�^8!q�8̿R�-�����B��l��]M
�eb�|Џ"
�\c
��R�ˢ7��L���� ��C�(ON�H)�T>B�L��ˢ�;�����SQG����6�"�@�9�d�?�����(��C3<7� ٢Z�"U�LN���U�C�S��3��{
YP��_ *㜇+IPH6��`� IaZV���UE�:~�A��Hw�H
e� �0�C�L}��(�~"w
M�� �E�(�#ibΑ�w̙4Q�Ho&BdȢ;de>����,X����P�l���[��~���A�H?0��
���MME�
�>A�0A
����F�6
B�g)p�����Z��>���
��F�&)X����n
*p��O0���
T%YS] �)F��I��JH}����CzG(hh�T�����A���R4�{�@=i4:
���`�}�#�(��L��1�Ϗ
��g��b|���a� ��9<;��� /@�Y<���� 8G v�Dxc�Q
D��~���,��"��)�
c��!���A�/*��2�K- Ih̷�+R� 6(Ti�+Ғ�m$����A����K��]p��H��ڱ7�
�EP�����C�0���gm@��W�
B)���
�x)��� /$z-9�� ��^��Ad���uxQ���
�T��b�T:@��s��P@�/����u�T�a~=
k�$�R*��*`�)��
�2������J��בu�P��= * א8)o���
%��ȋ$�Q�-�qG���
I�
z'�;��� c��}����Ȋ
�Xt�����j�ц���r
�Q�,��l��3��ǧ��x��o�
�������~�|^t~[��
�����&�h��{�W
��Ш#SG����a��E�'�ΐ1��
��_d�r
~>����vt\t�~�x>��#���l����{�$�8�@w�Xa~�)�Q
���"h �dFHp\���n����
�H!��9�V�Uy��S�l��
���H\Жw�
�=|n�=m�:Tu������rcq �H
|8
q<[
��� �E�����U�� FB�B��BR����(����+�
0N���V5(�K�x�~U���g\X9^�w�;x��\��?(�����r��F�ah�TY3��^��P�����]ыqjR�mjH
^p�S9d{�X�e@�Z1}���}���d���?�8� �"�y}S
�WP�y�@DS^Qh
��ZL�$YZ��;*�Gu���� [��6��x
�����!��~1��nA��R!�>��MS^#ym��faizR�F;u���:*֡`
���s�����W
���� ��[�%��xP
��<`���윑��|`q�K����2��[�A����
Ȓ������gjD�s�Z��<�~.���{����9��
�a��u�j6�(�
,
��ـ��ųƳ!����,��e�
306g��[�p�x����F�L~
�0c�k0��a����
̡�
>y7UT���
�L1�Z~p���^E�����u�����x3U\I��P�ȵD/�O�������(r+p�8�{����G�"�P����Wg��f�����ڪI��y�Ѫ
��
��
68���m�$Y�1e}hJ� ��
齽�Pc���%��B����~�̉�_WA����w�\G�U��
W��&�z�p��ˀ
�<��,�7b_�hZ���K�O)o,����*ފ�����W�G���
�,5�)� T�c��
[�?.������!^l�GCq)���ҋ��H��*G\?�}�f�@��7�����Q%�RzD�iC^(
� ���퇫^����T�ݳ G���D�N�?��a
\�����O���5s�
��aKr)���v�nL�k�����?����X�����=�۳����Q����Kܰ�7��h�hAujq�I����v俣8|��'6��a�
�Xr$���m+_T�Y
�l8C��y�p?�
1x[������� ���7PK
�����UBY>M=
�����*� �ransomware_notes-main/8base/8base_note.txtUT����f�X]o�6���ޭbM��E���n#̵�ZJ�\�ms�H��캿~��$�ɺ�����E>���G#�
��_�B(w���{ъ�uŸ��I�fn#-+��Xw¤�5W��{��=�z�0%�N�{&��p�L��
[m�eK!KuQ]H+���wS#�Ly�2�8�au.���5+�
�
*5�҉���د=��%��c\eL�|OQ@,(6)W,�
Aq)�S�*�
�������
Vp����+
�ڳ\[
�t�V�O����{3%�b�t�}��q�|����[QJ���"�����pi�.�p��
��?�n����-�F�j��_�NK��6{��%"k�
v��J����bo⭐덣S^6������%�c�a6��n��G�,N�U2����e4���W��.x�ƣ(�e ��8f�)�
�����B��>Ab�=e\V�-]Q��"|~�TWy�F����ا>����Rz��L�¦��d��X�,J��\�"`�g��&&���h1��Er��ه�6\����}Be��-��I���Y�r;���P�<��-�?�
�=x�zD@;0�|,���3_�$�����l1����?����R��m' c���g���
�e�
��K]9{'l��LS,�G��40�]
�z����>�
���埛�9���N6�}> �a�]f |��(��7��St��얍�U_̮���n9�K+�d���^�1�V
#
A��-
`����2��a�J�G?��o(#�GH_oH�b
��>�Vd�q��)]
���
d����7�
�K#�ș���a���1 2�[�r�����
f�����
���&u���5��8��3TH광�M���N�ZO��Jԕ�M6|
�s��=*n�r�3ă�M�慮�����d�=��Z�6�;����T�UIa����}/
@�g(�P.(��>�s�0]l�Y��9�I�����9�܄��1`/ ��uN��q2'��/��fb��CN��"M��
��
i
m
���
������.nmW������������U*��e�c��h,�j�eJN�4�<ybq�iEU+\��4���T#~��T8EY�*��*C��n'a����UIy��U}�J�����
(�g,��bM�8a��
*
�
��봫]�Ʒ-��.�����Q�ݐz�T�;��A��JQ�Cu��(D���y��E���G����}��{us�
$
�o!�k#�W��LЄ$�;O]�˯�3 N�����-�J��
���m��Ԃ^
�w����E}N@�s%n�ǮnD^����O��a!�F�k���M-Yp�:ɻ���W��%7�%�爗 q��h*P���g�Q�td!�F
��
�~y�l>���c��*���q�wʜ��)���l�4�tmE�y8ڣy
BV˶- ��XOH��Ԩő�)Ɗ��FQ�셑Ď���e*��B�[�[!�`R�Di��J~="�cVx���C��<��Qy=.�o�⮣&���9�אt���).fmE�F�O�^
]L?�qYek�|�����҈d�ߕλ������c�J�Q4�xh�F�N*4#�tX�%S�
Dn�+�q!x�!&�kj�-�!{C�����c! $���(�Ok�3��ـ=�j��
Qn�3�p7�TN(<����jQ!!?
��:�E%�CV�K��a �6�F���<�s��9��{5n��d
����[�����Gۯ$����e�b_�ͱ
��ZY���'t�7���y.%5�����a�G
���4 �(Zzs@ 52�װT�g�Y�A��li�i?�@��T���QS��- ;�4 �^8
C踻V"�?+R�%z�V����O[)v�x�^�g�ap���.��c_%5,�L�ge
�� F��y>�S���v��j
�
�n�X��gI��M
����]�o� �<�uL%���ᩝ�H���c{�����Jc\�)da]F�(���.P���-���Zϐ�,����APR��tdG,���)��,^
��-G�i��~��6��]���G�e
Ḃ��yk��g��'���1I�N�t:<:�4�͜��g�;����PK
�����UBY`.(+z��3��
� �ransomware_notes-main/LICENSEUT����f]R[o�0~��8�S+E��ǽ��k��1e��$�x
1��P��wN��: )��|�C!5䮵c�����:�C ��}���OO�3�f��~�&�f����NG��#����������Oւ�Cۛ�`�
��
';\��h���h���d�&�}����p&�:�x���|�c4���n��co᮹m�=�$�5s#P��{�0�'�Fnl�sG�ڃ;�������HgG߹=}�l�t�
.� t��w���@�9̄||�;
ꞽ~��gH�����U.�?~v�۟�)���y�lf�e�H��a�����s�(|cLc���o;{��x��^%�N W��Bo�v��b�� ;ч��wf���f��m>"�J@S-��+��ZU/2���w l�^Uk
8�x��P-��[�.�,��V�i�RLu.�d���L�ϰ������,�FP]ޠ�h�*]��/d.�6aK�K�\V
8�\i��s��^��j�g[�r��E�ԏȊ5/��f����_�zE� �ꭒ�+
�*���E.�Th*,�x��żU!�b4vU����q��ZV%�H�R+|&�R��ՍlD\ɆY��Hʼn�
�{���P���"8B�u#�!<G�������#�
PK
�����UBY�"�\�������� � �ransomware_notes-main/README.mdUT����fE�1
�@
���
l�N��� ��!=R���H�z�_��*�
���������Q�l�ε!*�C��y�<��F�<)�f�����^��kR�r�RV8C1�N��I�S��v�c �^�Ե���<�?8wN�l�_�9W�zL�jW��J~�h�����PK
������UBY������������"� �ransomware_notes-main/abysslocker/UT����fPK
�����UBY)�$���?��2� �ransomware_notes-main/abysslocker/WhatHappened.txtUT����fmUMo�F
��W�V,�:�|�@n�=(
��XE#��&
�(�+�������#E�5b8�H>�����d"S��>U��a��=�HuF�g����Q�S
�1qC�74�Sc���U̞$��H���|��Bh��$Ԇ����
}�@_��x��X�������2K���Q+�
Extracted
Path
C:\Users\Admin\Downloads\ransomware_notes-main\stop\stop.txt
Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-V2fE396VPW
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
[snip]
URLs
https://we.tl/t-V2fE396VPW
Extracted
Path
C:\Users\Admin\Downloads\ransomware_notes-main\ragnarlocker\!_^_README_NOTES_RAGNAR_^_!.txt
Ransom Note
********************************************************************************************************************
HELLO [snip] !
If you reading this message, it means your network was PENETRATED and your most sensitive files were COMPROMISED
-------------------------------------------------
| |
| by R A G N A R L O C K E R ! |
| |
-------------------------------------------------
********************************************************************************************************************
[ YOU HAVE TO CONTACT US via LIVE CHAT IMMEDIATELY TO RESOLVE THIS CASE AND MAKE A DEAL ]
(contact information you will find at the bottom of this notes)
**** WARNING ****
DO NOT Hire any third-party negotiators (recovery/FBI/police and etc), otherwise we will close chat immediately and Publish your Data.
---------------------------------------------------------------------------------------------------------------------------------------
----[WHAT'S HAPPENED]
With this message we want to let you know that we has obtained access everywhere in your network and we was able to encrypt your files and servers.
However, we didn't do that only because of willing to avoid interruption in hospitals normal business processes and don't put health of the patients under risk.
But unfortunately, you has allowed data leak, about 1TB of personal data was compromised. So, your clients didn't get the required protection.
Tottally we has DOWNLOADED about 1TB of your CONFIDENTIAL and most SENSITIVE Data just in case if you will NOT PAY, if so, than everything will be PUBLISHED in Media and/or SOLD to any third-party.
WE HAS COLLECTED SUCH DATA AS:
- Medical record, medical history, Information regarding diagnoses and surgeries
- Clients personal info: Relatives/Address/DOB/email/phones and etc., Private letters and correspondence
- Departments: Oncology, Pediatrics, Surgery, Urology, Oculist, Cardiology, Gynecology and others
- Financial reports, Revenue, Budgets, Payrolls, Expenses, Bank statements
- Databases, Credentials, access to emails and accounts, Passwords, Workfiles
- And many other sensitive data...
----[WHAT SHOULD YOU DO]
- You have to contact us as soon as possible (you can find contacts below)
- You should make a Deal with us, to avoid LEAK of your Sensitive Data
- You should avoid any scammers using our name in different communication ways. We communicate only via LIVE CHAT
- You should avoid any third-party negotiators and recovery groups
----[YOUR OPTIONS]
1) IF NO CONTACT OR DEAL MADE IN 3 DAYS:
All your Data will be Published and/or Sold to any third-parties
Information regarding vulnerabilities of your network also can be published and/or sold
Such Leakage will have disastrous consequences to your business reputation.
2) If WE MAKE A DEAL:
We will remove all your files from our file-storage with proof of Deletion
We will permanently delete post with your company name
We guarantee to avoid sharing any details with third-parties
We will provide you with the penetration report and list of security-recommendations
[Here are couple of screenshots just as a proofs of Data possession, you can find more in our Leak Blog]
Screenshots:
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
-------------------------------------------------------------------------------------------------------------
LEAK BLOG ACCESS:
This temporary post stays hidden only during 3(three) days until we make a Deal.
If the Deal not made, Post would be supplemented and become permanent and accessible for everyone!
LEAK BLOG: http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?[snip]
Password: [snip]
(use Tor Browser to open the link)
======================================================================
[ HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1) Download and install TOR browser from this site : https://torproject.org
2) For contact us via LIVE CHAT open our website : http://ragnarmj3hlykxstyanwtgf33eyacccleg45ctygkuw7dkgysict6xyd.onion/client/?[snip]
3) To visit TEMPORARY LEAK PAGE with your data on our Leaks Blog
open this website: http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?[snip]
password: [snip]
4) If Tor is restricted in your area, use VPN
5) All your Data will be published in 3(three) Days if NO contact made
6) Information regarding vulnerabilities in your network will be Sold or Published
7) Your Data will be published if you will hire third-party negotiators to contact us
*We advise you to find some information about us in google
Also check the tab "About Us" in our Blog (http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?about-us)
URLs
https://prnt.sc/[snip]
http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?[snip]
http://ragnarmj3hlykxstyanwtgf33eyacccleg45ctygkuw7dkgysict6xyd.onion/client/?[snip]
http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?about-us
Extracted
Path
C:\Users\Admin\Downloads\ransomware_notes-main\ragnarlocker\ragnarlocker1.txt
Ransom Note
***************************************************************************************************************
HELLO [snip] !
If you reading this message, it means your network was PENETRATED and all of your files and data has been ENCRYPTED
-------------------------------------------------
| |
| by R A G N A R L O C K E R ! |
| |
-------------------------------------------------
***************************************************************************************************************
[ YOU HAVE TO CONTACT US via LIVE CHAT IMMEDIATELY TO RESOLVE THIS CASE AND MAKE A DEAL ]
(contact information you will find at the bottom of this notes)
**** WARNING ****
DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.
DO NOT Use any third-party or public Decryption software, it also may DAMAGE files.
DO NOT Shutdown or Reset your system, it can DAMAGE files
---------------------------------------------------------------------
----[WHAT'S HAPPENED]
Your security perimeter was BREACHED and all files on your critically important servers and hosts were completely ENCRYPTED.
Also we has DOWNLOADED about 500GB of your's most SENSITIVE Data just in case if you will NOT PAY, than everything will be PUBLISHED in Media and/or SOLD to any third-party.
We have collected the most important info such as:
-Accounting files, Financial Reports, Banking and Billing statements, HR documents, Payrolls, AFIP/ASIF databases
-Logistics Files, SQL Databases, ID cards, DL's, Transport Documents, Certificates of Transport Ministry, Phonebooks
-Confidential Agreements, Corporate Contracts, WorkFiles, Clients Information, License Keys, Surveillance cameras video
-Also we have your Private emails in .msg and .pst files and a lot of other Sensitive info.
----[WHAT SHOULD YOU DO]
- You have to contact us as soon as possible(you can find contacts below), we are offering discounts for quick deals so price can be better if you will respect our time.
- You should purchase our decryption tool, so will be able to restore your files. Without our Decryption keys it's impossible.
- You should make a Deal with us, to avoid your Data leakage.
- You should stay away from any third-parties recovery soft, since it could damage files.
- You should avoid any scammers using our name in different communication ways. We communicate only via LIVE CHAT
----[YOUR OPTIONS]
#1 If NO contact or Deal made in 3(three) Days than all your Data will be Published and/or Sold to any third-parties, Decryption key will be deleted permanently and recovery will be impossible.
Also this would be disastrous consequences to your's business reputation.
#2 If we make a Deal:
We will provide you with the Decryption Key and Manual how-to-use.
We will remove all your files from our file-storage with proof of Deletion and delete posts regarding your company with Guarantee to avoid any Data Leaks to public or to any third-parties.
Also we will help you to improve the security measures and provide you with the technical report and list of security-recommendations.
----
[There are couple of screenshots just as a proofs of data possession, you can find more in our Leak Blog]
Screenshots:
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
https://prnt.sc/[snip]
---------------------------------------------------------------------
Leak Blog Access:
This temporary post stays hidden only during 4(four) days until we make a Deal. Later, if we don't make a Deal it would be supplemented and become permanent and accessible for everyone.
Leak Blog: http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?[snip]
Password: [snip]
(use Tor Browser to open the link)
======================================================================
[ HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
a) Download and install TOR browser from this site : https://torproject.org
b) For contact us via LIVE CHAT open our website : http://ragnarjtm25k3w4cy6kvfttfhm24mpynikjt7yll5pvpfo4a7yuzweyd.onion/client/?[snip]
c) To visit TEMPORARY LEAK PAGE with your data on our News Blog, open this website: http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?[snip]
password: [snip]
d) If Tor is restricted in your area, use VPN
e) All your Data will be published in 4(four) Days if NO contact made
f) Your Decryption keys will be permanently destroyed in 4(four) Days if no contact made
When you open LIVE CHAT website follow rules :
Follow the instructions on the website.
At the top you will find CHAT tab.
Send message to us and wait for response (we are not online 24/7, So you have to wait for your turn).
*We advise you to find some information about us in google and also check the tab "About Us" in our Blog (http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?about-us)
***********************************************************************************
---A PRIVATE KEY---
[snip]
---Z PRIVATE KEY---
***********************************************************************************
URLs
https://prnt.sc/[snip]
http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?[snip]
http://ragnarjtm25k3w4cy6kvfttfhm24mpynikjt7yll5pvpfo4a7yuzweyd.onion/client/?[snip]
http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?about-us
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Azov
A wiper seeking only damage, first seen in 2022.
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Maze
Ransomware family also known as ChaCha.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ThreatLabz/ransomware_notes1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff26d146f8,0x7fff26d14708,0x7fff26d147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5412 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14111681232324374511,9317999729313836875,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ransomware_notes-main\" -spe -an -ai#7zMap18184:104:7zEvent318441⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ransomware_notes-main\stop\stop.txt1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ransomware_notes-main\ragnarlocker\!_^_README_NOTES_RAGNAR_^_!.txt1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ransomware_notes-main\ragnarlocker\ragnarlocker1.txt1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD57006aacd11b992cd29fca21e619e86ea
SHA1f224b726a114d4c73d7379236739d5fbb8e7f7b7
SHA2563c434b96841d5a0fa0a04a6b503c3c4d46f1c4e3a1be77853175e5680e182814
SHA5126de169882c0e01217c4ca01f6ead8e5ebb316a77558e51cd862532dbf9147d9e267f8db667ff6e9fa33164243724f5e437cb882392382f3cae1072dadb762c1d
-
Filesize
152B
MD5b80cf20d9e8cf6a579981bfaab1bdce2
SHA1171a886be3a882bd04206295ce7f1db5b8b7035e
SHA25610d995b136b604440ac4033b2222543975779068a321d7bddf675d0cb2a4c2b1
SHA5120233b34866be1afd214a1c8a9dcf8328d16246b3a5ef142295333547b4cfdc787c8627439a2ca03c20cb49107f7428d39696143b71f56b7f1f05029b3a14376a
-
Filesize
1KB
MD5d0f32bbade3a60816721747adf749844
SHA16216d9faa250c24031a389ada572609cc791dbb4
SHA256186f3b86d904f1ee22879da7590e3e9b28c4733b4d56b559193580b8dcf85e7c
SHA512e71381927ea7ae8513281d0cfd4c603c4f59555724120df2e79e765c53a9220c4de4219e5f1ee6565ce8c2f7ea776b85dee9ac9a012b766dabae0c51e80ea07b
-
Filesize
5KB
MD52bc87bbe4ac07df95144c3fc4a292ad2
SHA1b9a8e8bf9491e851c1092b154b14ca4a4136028c
SHA256492bfdb55846def947cf184f07c91f064f2f41b94cd4588880b630930948bbb3
SHA51298380c914f33e637cb9aee556c6a7cacd3b58eb560371bf8ecde185d3ead3673b083357ba424ab1944ac08c7ebfde671850101d6658ac1556911400fca3cc840
-
Filesize
6KB
MD512c0ceece17cea6e2702890fb65f2108
SHA1e35c5a402c25213847b42dc62c1070e57fd0e6ab
SHA256d9750d32111bbea304ae3fcad1604fd7d81d51fd18c3f2204a56b023ef9d8a52
SHA512af6cdfbbdce836d62fde8208bc2ee06f6e9bfeaf309f6a61c67671b7e8965a86cc2e18852aff86437d358a20a7fd7daeb85deffe019fd82761e85a19137d1e25
-
Filesize
1KB
MD55075e4466019fd7523453ca1104c8eb4
SHA14702b445ce3eb19d06758228f91ea07d4086c1f0
SHA2568c9e34bfad2288cedd0f4c422e1d72cce86fc61f7acd980ffe5a5e4327bc4aea
SHA512ffc95b044a37e4a76bed5fd74269d612142186f47b7e06acf402857b277d37fa8c1693846d13d99426fc8622b3adeb866c1cf059a060dacc890ffffe70613a80
-
Filesize
1KB
MD51533f16376cf89f6bd51dcf0ce753bf4
SHA1fe9bf9ada77a59d1ac5403260687b4c0a7ca37e3
SHA25650902ad694bf6169a3160427638d2d9a3e6e45eee232d1e47e22a1fe99bd9461
SHA5127c2396be049b788b88f9109620e2c3a91b3bcd2c9b5c84e1a17bfcae4be981e0fb0d4a71061f17e133bb73dc1cdcb21b12bc7ed3f58702a4589ceff06d3b1ef3
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD540d01ac64b37484a56a9caade639870b
SHA10614b60bbd7d192046c5aad6709b914a2941e5ca
SHA2568c911010c31abb9e181202f6b9ffe5a0f76bb2c31a28930b36a700f01c7fa0eb
SHA5124505748cdff66cb3100e6e1b3771d03fd2ada0c3be3768c95542ce7f3254e885646221557954d339f54815695d59ff4a99fc92b4c9b8c6a5dbdaab25b07a0a8c
-
Filesize
10KB
MD50125e01d1b38a881d46eb60e1df828c3
SHA191deb9005ef3c48e759a40f93f23029abcb2d161
SHA2561994b9fc98b2b24c391aa2048b338092fdc2d2c02a2b617e76a3fabdaa27d92f
SHA5129ca433342f3f2bf4ca7f88f487aa6f976e87cdca8004c3f38875372f75b01ad6fef98be7b12947ccf1b2e28d1b27c9e0fed3cc4ede0de63586ca261ad4922218
-
Filesize
758KB
MD59ae2249c8e85edd83136b0f9a408df45
SHA152e972592b883f16378b8597fb5e588b51518b69
SHA2568a8ef0bd7f5ecba1e8a32d0aa1dc97722caac357b5d9d886e0ef0bb1396e6eff
SHA512e3fc4691d6fcd5fc95cd656466a81a54b8e8cbc5312adb5385c877047941c469b28dec32cf998c5b5454199aa283ea5a0b13932c11434834d551113d64eca248
-
Filesize
5KB
MD51c9c984854180991c4d95492b386a91d
SHA199888c9ffbadf0efdd03f2e628c2adcfe0a56f50
SHA2568c90c6796e632829c215d017b71c4d7c6311f6cc8580a9409165a7ce3156f423
SHA5120a739fe83cceb82f45213dcb14a0f49b06d26bfd986e0013ea4c35d64113a9c0a05b60bf7ba41d2631c757b88b6425c5b374fdb8edbd6d11595ad5e16b39ec3e
-
Filesize
5KB
MD5f2fda3f7fde7b2bad1af02523bf12878
SHA148736310cf9609e8a8d8dd1dddc3d8e59d441944
SHA2562fee36d0468509804142969f6ee2f5e37f9cb17427bd7e5a6d437e2a4bbf6a9e
SHA512aa737b6408f9265f31fd6c0af8f49e42969a5c0ac0f32a6ece10f53fcb5cabc8e2d108361efbf7e285a870add73b800f309759363053095885c5a4286b50f0b8
-
Filesize
1KB
MD54df17dc9d6d6f2879e8aeb6bf16f2eb2
SHA1bf4a4b5ab68ce7122f02cce3b5e6234476295d99
SHA256a27cb1e12ad18e43d593d55075416ff571a8a74b22fe84abfa283a0ee5dbef60
SHA5123ceb545b9668b1404580130c9d98a76524a85d7d1e65eee4538d272140301f09fe361a6a54f40c2dea4be8f760b19af51b2e10c900cc720a8ca8559327a8efac
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e