Full Report
I recently came across a cool GitHub repo from Zscaler's ThreatLabz team (see here) which contains a whole array of ransom notes from known and new ransomware families. I imagine that Zscaler has some sort of malware hunting capability (potentially LiveHunt YARA rules in VirusTotal) and that they manually check ransom notes uploaded to VT containing strings such as ".onion" to find new and interesting ransomware families. However they actually do it, this is a handy repo for the community to use.

Three new ransom notes that Zscaler shared caught my eye: they belonged to Shadow, 8BASE, and Rancoz. Tracking new ransomware families can be a frustrating task because so many new groups are appearing that it is hard to tell which of the literally hundreds of variants launching attacks are worth paying attention to. These three stick out because of the ".onion" Tor link inside their ransom notes, which means the operators have set up custom infrastructure for advanced cyber extortion, such as negotiation portals, decryption sites, or a data leak site (DLS) on which to post stolen data if the victim refuses to pay.

Figure 1: An original Seinfeld meme

Cybercrime intelligence analysts who investigate new ransomware groups should make a note when new groups appear and check whether there are any connections to known threat actors. This helps with intelligence collection efforts and helps analysts decide whether investigating a group should be a priority. There is only a limited amount of time, a limited amount of resources and, unfortunately, so many ransomware groups. Using the ransom notes, we can try to identify similarities to other known ransomware families.

Figure 2: Ransom Notes

## What is Stylometry and Stylometric Analysis?

Stylometry is the study of linguistic style, usually applied to written language, but it can also be applied to code and to ransom notes. It has also been applied successfully to music, paintings, and chess. We can evaluate an author's style through manual comparison as well as through statistical analysis of a body of their work. Stylometry is often used to attribute authorship to anonymous or disputed documents. One caveat applies when leaked builders are involved: a near-identical note tells you which builder or note template was used, not necessarily who is operating it, since any affiliate or copycat can ship the same template with a new group name and onion address. To unmask these ransomware groups for who they really are, I used a mixture of the text comparison site copyleaks.com and manual comparison.

## Shadow

Shadow's ransom note, although it has some original elements, shares numerous similarities with LockBit 3.0's ransom note. We can say with fairly strong confidence that this is a reskin of the leaked LockBit 3.0 (aka LockBit Black) builder. Multiple passages in the notes tie these two together, and the wide availability of the leaked builder makes this overlap a very likely scenario. The Shadow ransom note is available in Zscaler's GitHub repo (see here). The LockBit 3.0 ransom note is available from PCRisk (see here).

Figure 3: Comparison between Shadow and LockBit 3.0 ransom notes

## 8BASE

When I examined the 8BASE ransom note it also looked familiar. It turned out that it shares a ton of similarities with a ransom note from the leaked builder of Babuk ransomware. Again, given the availability of the Babuk ransomware builder and the numerous ransomware groups that use it, this is also a likely scenario. The 8BASE ransom note is available in Zscaler's GitHub repo (see here). The ransom note of the DarkAngels variant of Babuk ESXi is available from PCRisk (see here).

Figure 4: Comparison of 8BASE and Babuk ESXi ransom notes

## Rancoz

Rancoz seemed a little more interesting, as Cyble analyzed Rancoz (see here) and shared some technical insights. Twitter researcher @F_kZ_ also highlighted the similarities between the Rancoz and 0mega data leak sites (see here). However, neither mentioned that the ransom note is practically identical to the LockBit 3.0 note. The Rancoz ransom note is available in Zscaler's GitHub repo (see here).

Figure 5: Comparison of Rancoz and LockBit 3.0 ransom notes

## Conclusion

Ransomware research is pretty straightforward these days. These cybercriminals prefer templated attacks, reusing tried and trusted TTPs. Now they do not even need to code their own ransomware or partner with RaaS groups: there are multiple freely available leaked builders ready for them to use instantly. LockBit and Babuk give low-skilled, poorly resourced actors the immediate ability to attack and ransom large organizations. There have already been dozens of variants of these two families, and Shadow, 8BASE, and Rancoz are not likely to be the last.

My advice is to keep an eye on these threat actors, as eventually they may begin to retool and evolve. While they are still inexperienced is the best time to try to track them down. Any tips you have are best sent to law enforcement, as well as to groups like the Ransomware Task Force and No More Ransom.
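As an added example of the kind of comparison described in this report (it is not the copyleaks workflow used above, and the three notes below are constructed for the demo, not real ransom notes from any family), the script masks the operator-specific tokens in a note (onion address, e-mail contact, victim ID) and then scores a new note against two known-family notes with three crude stylometric measures: character 4-gram cosine similarity, word-set Jaccard, and the fraction of lines reused verbatim. The family names and the ID format are assumptions made for the example.

```python
"""Ransom-note stylometry scorer.

Added example, not the author's copyleaks workflow. FAMILY_A, NEW_NOTE and
FAMILY_B are constructed for the demo and are not real ransom notes. Operator-
specific tokens are masked before scoring so that similarity reflects the shared
template rather than the infrastructure one affiliate plugged into it.
"""
from __future__ import annotations

import math
import re
from collections import Counter

ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")          # Tor v3 hidden-service address
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
VICTIM_ID_RE = re.compile(r"\b[0-9a-z]{4}-[0-9a-z]{4}\b")   # assumed ID shape for the demo


def normalize(text: str) -> list[str]:
    """Lower-case, collapse whitespace, mask operator-specific tokens, drop empty lines."""
    lines = []
    for raw in text.splitlines():
        line = " ".join(raw.lower().split())
        if not line:
            continue
        line = ONION_RE.sub("<onion>", line)
        line = EMAIL_RE.sub("<email>", line)
        line = VICTIM_ID_RE.sub("<id>", line)
        lines.append(line)
    return lines


def char_ngrams(lines: list[str], n: int = 4) -> Counter:
    text = "\n".join(lines)
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(count * b[gram] for gram, count in a.items())
    norm = math.sqrt(sum(c * c for c in a.values())) * math.sqrt(sum(c * c for c in b.values()))
    return dot / norm if norm else 0.0


def words(lines: list[str]) -> set[str]:
    return set(re.findall(r"[a-z0-9<>]+", " ".join(lines)))


def jaccard(a: set[str], b: set[str]) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def line_overlap(reference: list[str], candidate: list[str]) -> float:
    """Fraction of candidate lines that appear verbatim (after masking) in the reference."""
    ref = set(reference)
    return sum(1 for line in candidate if line in ref) / len(candidate) if candidate else 0.0


def score(reference: str, candidate: str) -> dict[str, float]:
    ref, cand = normalize(reference), normalize(candidate)
    return {
        "char4_cosine": round(cosine(char_ngrams(ref), char_ngrams(cand)), 3),
        "word_jaccard": round(jaccard(words(ref), words(cand)), 3),
        "line_overlap": round(line_overlap(ref, cand), 3),
    }


def rank(candidate: str, corpus: dict[str, str]) -> list[tuple[str, dict[str, float]]]:
    """Order known-family notes by mean score against the candidate, best match first."""
    scored = [(name, score(ref, candidate)) for name, ref in corpus.items()]
    return sorted(scored, key=lambda item: -sum(item[1].values()) / len(item[1]))


# Constructed sample notes (not real ransom notes). NEW_NOTE is FAMILY_A with a new
# group name, a new onion address and victim ID, one reworded line and one added line.
FAMILY_A = "\n".join([
    "=== FamilyA ===",
    "All of your important files have been encrypted and copied to our servers.",
    "If you do not pay, the copied files will be published on our leak site.",
    "To contact us, install the Tor Browser and open the link below:",
    "http://" + "a" * 56 + ".onion",
    "Enter your personal ID on the page: 7F3A-2C19",
    "We will decrypt one small file for free to prove that recovery is possible.",
    "Do not rename or modify encrypted files, you may damage them permanently.",
    "Do not contact recovery companies, they will only take your money.",
])
NEW_NOTE = "\n".join([
    "=== NewGroup ===",
    "All of your important files have been encrypted and copied to our servers.",
    "If you do not pay, the copied files will be published on our leak site.",
    "To contact us, install the Tor Browser and open the link below:",
    "http://" + "b" * 56 + ".onion",
    "Enter your personal ID on the page: 91C0-EE42",
    "We can decrypt one file for free as proof that your data can be restored.",
    "Do not rename or modify encrypted files, you may damage them permanently.",
    "Do not contact recovery companies, they will only take your money.",
    "You have 72 hours to respond before the price doubles.",
])
FAMILY_B = "\n".join([
    "!!! READ ME !!!",
    "Your network has been breached by the NewCrew team.",
    "Every document, database and backup on your machines is now locked.",
    "Write to us at support@example.com and quote the code below.",
    "Code: 5531-QQ",
    "Offline backups no longer exist. Payment instructions will follow.",
])
KNOWN_FAMILIES = {"FamilyA": FAMILY_A, "FamilyB": FAMILY_B}

if __name__ == "__main__":
    for name, scores in rank(NEW_NOTE, KNOWN_FAMILIES):
        print(f"{name:8s} {scores}")
```

Masking matters: the onion address and victim ID are exactly the parts most likely to change between reskins, and leaving them in would lower the similarity of notes that otherwise share a template. The line-overlap figure is the closest analogue to the side-by-side figure comparisons above; as noted, a high score identifies a shared builder or template, not a shared operator.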
Analysis Summary
# Tool/Technique: Shadow Ransomware
## Overview
Shadow is a ransomware variant identified through stylometric analysis of its ransom note, which shows strong textual similarity to the LockBit 3.0 (LockBit Black) note. The most likely explanation is a reskin built with the leaked LockBit 3.0 builder. The ".onion" Tor link in the note indicates custom extortion infrastructure (negotiation portal, decryption site, or data leak site); it says nothing about the malware's own network behaviour.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Not stated in the article; Windows is likely if the note does come from the leaked LockBit 3.0 builder, which produces Windows payloads.
- Capabilities: File encryption; victim negotiation and decryption via a custom Tor site.
- First Seen: Not stated; the note was public in Zscaler's repo by the article's publication (May 2023).
## MITRE ATT&CK Mapping
The article analyses only the ransom note, not execution, so the page supports a single technique:
- **TA0040 - Impact**
- T1486 - Data Encrypted for Impact
The ".onion" link is a victim-facing contact address, not a malware command-and-control channel, so no Command and Control (TA0011) techniques can be inferred from the note.
## Functionality
### Core Capabilities
- Extortion through encryption of victim files.
- Uses Tor infrastructure (indicated by ".onion" link) for victim interaction (negotiation, data leak site access).
### Advanced Features
- Likely built with the leaked LockBit 3.0 builder, in which case the payload's capabilities are those of LockBit 3.0; the article presents no binary analysis to confirm this.
- Stylometric comparison of the ransom note shows strong overlap with the LockBit 3.0 / LockBit Black note.
## Indicators of Compromise
- File Hashes: N/A (No specific hashes provided in the text)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: A ".onion" Tor address in the ransom note; the address itself is not reproduced in the text.
- Behavioral Indicators: Extortion demands delivered via a ransom note resembling LockBit 3.0.
## Associated Threat Actors
- Unidentified group operating the "Shadow" ransomware variant.
- Implied relationship or use of components from the **LockBit 3.0** ecosystem.
## Detection Methods
- **Signature-based detection:** YARA rules on unique strings in the Shadow ransom note. Strings shared with the LockBit 3.0 template will also fire on other reskins of the leaked builder, which is useful for hunting but not for attribution.
- **Behavioral detection:** Mass file renaming/encryption and ransom note drops across many directories. The ransomware itself is not shown to use Tor; the ".onion" address is for the victim's browser.
- **Stylometric Analysis:** Comparing the note's text against known families such as LockBit 3.0.
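The ".onion" string hunt described at the start of the report and the signature-based detection listed here (and in the 8BASE and Rancoz sections below) both hinge on spotting a Tor address in note text. As an added example, not Zscaler's rule or any detection from the original page, the script below extracts v3 onion candidates with the same pattern a LiveHunt YARA rule would carry and then validates each candidate's checksum, so that base32-looking junk is not reported as infrastructure. The notes are constructed, the key bytes are arbitrary, and the file names are made up.

```python
"""Tor v3 onion-link triage for ransom-note text.

Added example, not Zscaler's hunting rule. A v3 address is
base32(pubkey[32] || checksum[2] || 0x03) with
checksum = SHA3-256(".onion checksum" || pubkey || 0x03)[:2],
so a candidate can be validated offline before a note is flagged as
pointing at custom Tor infrastructure. Sample notes and keys are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import re

# Same pattern a YARA rule would use: 56 base32 characters before ".onion".
ONION_CANDIDATE_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
V3_VERSION = b"\x03"


def _v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def make_v3_onion(pubkey: bytes, corrupt_checksum: bool = False) -> str:
    """Build a v3 address from a 32-byte key; used here only to construct sample data."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = _v3_checksum(pubkey)
    if corrupt_checksum:  # yields a string that matches the regex but fails validation
        checksum = bytes(b ^ 0xFF for b in checksum)
    return base64.b32encode(pubkey + checksum + V3_VERSION).decode().lower() + ".onion"


def is_valid_v3_onion(address: str) -> bool:
    """True only if the address decodes to version 3 with a matching checksum."""
    host = address.lower().removesuffix(".onion")
    if len(host) != 56:
        return False
    try:
        raw = base64.b32decode(host.upper())
    except ValueError:  # binascii.Error subclasses ValueError
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == V3_VERSION and checksum == _v3_checksum(pubkey)


def triage(note: str) -> dict:
    """Extract contact channels from one note and say whether it points at Tor infrastructure."""
    candidates = {m.lower() + ".onion" for m in ONION_CANDIDATE_RE.findall(note)}
    valid = sorted(c for c in candidates if is_valid_v3_onion(c))
    return {
        "tor_infrastructure": bool(valid),
        "onion": valid,
        "rejected_onion_like": sorted(candidates - set(valid)),
        "email_contacts": sorted(set(EMAIL_RE.findall(note))),
    }


def scan_batch(notes: dict[str, str]) -> list[str]:
    """Names of the notes worth a closer look: those with at least one valid onion link."""
    return sorted(name for name, text in notes.items() if triage(text)["tor_infrastructure"])


# Constructed sample data: arbitrary key bytes, made-up note text and file names.
GOOD_ONION = make_v3_onion(bytes(range(32)))
BAD_ONION = make_v3_onion(bytes(range(32)), corrupt_checksum=True)
SAMPLE_NOTES = {
    "note_tor.txt": "\n".join([
        "Your files are encrypted. Open the link below in Tor Browser:",
        "http://" + GOOD_ONION,
        "Mirror: http://" + BAD_ONION,   # looks like an address but fails the checksum
        "Personal ID: 7F3A-2C19",
    ]),
    "note_email.txt": "\n".join([
        "All your data has been locked.",
        "Write to helpdesk@example.com and quote the code 5531-QQ.",
    ]),
    "readme.txt": "Nothing to see here; just a leftover file.",
}

if __name__ == "__main__":
    for name in scan_batch(SAMPLE_NOTES):
        print(name, triage(SAMPLE_NOTES[name]))
```

The regex alone is what a LiveHunt rule can express; the checksum step is the post-processing that keeps a hunting queue clean when thousands of uploads match a 56-character base32 run by accident. A note with only an e-mail contact is still a ransom note, but it lacks the custom infrastructure that made Shadow, 8BASE and Rancoz stand out in the report.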
## Mitigation Strategies
- General ransomware prevention: offline, tested backups; least privilege and MFA on remote access; prompt patching; EDR coverage on servers as well as workstations.
- Tor egress from corporate endpoints is worth alerting on, but the ".onion" link in the note is used by the victim, not by the malware, so this does not detect the intrusion itself.
- Tracking threats derived from leaked builders (LockBit 3.0, Babuk), since detections written for the parent family usually carry over to reskins.
## Related Tools/Techniques
- **LockBit 3.0 (LockBitBlack):** Likely builder behind Shadow, based on ransom note similarity.
- **Babuk Ransomware:** Likely builder behind 8BASE, reflecting the same pattern of reuse of leaked builders.
***
# Tool/Technique: 8BASE Ransomware
## Overview
8BASE is a ransomware family observed via its ransom note, which shows significant linguistic overlap with the note produced by the **leaked Babuk ransomware builder** (the comparison sample is the DarkAngels variant of Babuk ESXi). Like Shadow, its ".onion" link points to custom extortion infrastructure.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Not stated. The leaked Babuk source includes Windows, ESXi and NAS builds, and the note it was compared against is the ESXi variant, so the platform cannot be inferred from the note alone.
- Capabilities: File encryption; victim negotiation via a custom Tor site.
- First Seen: Not stated; the note was public in Zscaler's repo by the article's publication (May 2023).
## MITRE ATT&CK Mapping
The article analyses only the ransom note, so the page supports a single technique:
- **TA0040 - Impact**
- T1486 - Data Encrypted for Impact
The ".onion" link is a victim-facing contact address, not a malware command-and-control channel, so no Command and Control (TA0011) techniques can be inferred from the note.
## Functionality
### Core Capabilities
- Encryption of victim data for financial gain.
- Use of Tor services to manage the extortion process.
### Advanced Features
- Likely derived from the leaked Babuk ransomware builder, which has been adopted by numerous groups; the article presents no binary analysis to confirm the code lineage.
- Stylometric comparison of the ransom note shows high similarity to the Babuk ESXi (DarkAngels) note.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: A ".onion" Tor address in the ransom note; the address itself is not reproduced in the text.
- Behavioral Indicators: Ransom note text closely matching the Babuk ESXi (DarkAngels) note.
## Associated Threat Actors
- Unidentified group using the 8BASE moniker.
- Implied relationship/use of components derived from the **Babuk ransomware** build environment.
## Detection Methods
- **Signature-based detection:** YARA rules on strings specific to the 8BASE note. Strings inherited from the Babuk template will also match other Babuk derivatives, which helps hunting but not attribution.
- **Behavioral detection:** Mass file renaming/encryption and ransom note creation across hosts; if an ESXi build is in play, unexpected VM shutdowns followed by bulk file modification on datastores, as is typical of ESXi-targeting ransomware.
- **Stylometric Analysis:** Comparing note language against Babuk samples.
## Mitigation Strategies
- Because Babuk derivatives include ESXi-targeting builds, restrict and monitor management access to vCenter and ESXi hosts (SSH, the management interface) in addition to general ransomware defenses.
- Isolating and analyzing artifacts from builder-derived families, since detections for the parent family usually carry over.
## Related Tools/Techniques
- **Babuk Ransomware:** Likely source of 8BASE's ransom note template, based on note similarity alone; no binary analysis is presented.
***
# Tool/Technique: Rancoz Ransomware
## Overview
Rancoz is a ransomware family whose ransom note, shared by Zscaler ThreatLabz, is practically identical to the LockBit 3.0 note, pointing to the leaked LockBit 3.0 builder as the likely origin. Cyble has published a technical analysis of Rancoz, and researcher @F_kZ_ noted similarities between the Rancoz and 0mega data leak sites; neither mentioned the LockBit 3.0 note overlap. Its ".onion" link again indicates custom extortion infrastructure.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Not stated in this text (Cyble's analysis is referenced but not summarised here); Windows is likely if the LockBit 3.0 builder was used.
- Capabilities: File encryption; Tor negotiation site and a data leak site.
- First Seen: Not stated; the note was public in Zscaler's repo by the article's publication (May 2023).
## MITRE ATT&CK Mapping
The article analyses only the ransom note, so the page supports a single technique:
- **TA0040 - Impact**
- T1486 - Data Encrypted for Impact
The ".onion" link is a victim-facing contact address, not a malware command-and-control channel, so no Command and Control (TA0011) techniques can be inferred from the note.
## Functionality
### Core Capabilities
- Encrypts victim data for extortion.
- Maintains a custom Tor negotiation site (the ".onion" link in the note) and a data leak site.
### Advanced Features
- Ransom note practically identical to the LockBit 3.0 note, so Rancoz is most likely another reskin of the leaked LockBit 3.0 builder rather than a new code base.
- Data leak site resembles the 0mega DLS (per @F_kZ_), a possible link to that operation that note stylometry alone cannot confirm.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: A ".onion" Tor address in the ransom note; the address itself is not reproduced in the text.
- Behavioral Indicators: Ransom note text matching the LockBit 3.0 note.
## Associated Threat Actors
- The group operating **Rancoz**.
- Possible connection to the 0mega operation, based on data leak site similarity noted by @F_kZ_; unconfirmed.
## Detection Methods
- **Stylometric Analysis:** The note matches LockBit 3.0, so note-based signatures written for LockBit 3.0 reskins will cover Rancoz as well.
- **Signature-based detection:** YARA rules on the note text, with the same attribution caveat as for the other builder-derived families.
- **Network Monitoring:** Tor egress from endpoints is victim-side negotiation traffic, not malware C2, so it is a weak indicator at best; tracking the data leak site itself is more useful for intelligence than for detection.
## Mitigation Strategies
- Standard ransomware defenses (offline, tested backups; least privilege and MFA; patching; EDR).
- Tracking Rancoz's data leak site and its apparent overlap with 0mega, since a link to an established operation would change its priority.
## Related Tools/Techniques
- **LockBit 3.0 (LockBitBlack):** Directly implicated by the near-identical ransom note.
- **0mega:** Data leak site similarities noted by @F_kZ_.
- **Babuk:** Mentioned in the article only in relation to 8BASE.
***
# Technique: Stylometric Analysis for Ransomware Attribution
## Overview
Stylometric analysis is the study of linguistic style, by manual comparison or statistical measures, applied to written artifacts such as documents, code or ransom notes; it is often used to attribute authorship to anonymous or disputed texts. In this context it is used to investigate new ransomware groups (Shadow, 8BASE, Rancoz) by comparing their ransom notes with those of known families. With leaked builders in circulation, a match identifies the builder or note template that was reused, not necessarily the operator.
## Technical Details
- Type: Technique (Forensic/Analytical Method)
- Platform: Applicable to textual artifacts across any platform.
- Capabilities: Identifying linguistic patterns, measuring similarity scores (via tools like copyleaks.com or manual comparison) between disparate documents.
- First Seen: Long-standing field in linguistics, applied here in May 2023.
## MITRE ATT&CK Mapping
Not applicable. ATT&CK catalogues adversary behaviour, whereas stylometric analysis is an analyst technique applied to adversary artifacts; it supports intelligence analysis and maps to no ATT&CK technique.
## Functionality
### Core Capabilities
- Comparison of textual content (ransom notes) to determine reuse or derivation between ransomware families.
- Identifying authorships or tool origins (e.g., linking Shadow to LockBit 3.0 builder).
### Advanced Features
- Can be used to track the evolution and lineage of ransomware families, especially when malware binaries are unavailable or heavily obfuscated.
## Indicators of Compromise
N/A (This is an analysis technique, not malware)
## Associated Threat Actors
Used by Cybercrime intelligence analysts to profile and track Threat Actors running ransomware operations.
## Detection Methods
N/A
## Mitigation Strategies
N/A
## Related Tools/Techniques
- **Text Comparison Tools:** Mention of copyleaks.com being used in the analysis process.
- **Threat Intelligence Knowledge:** Requires deep knowledge of existing ransomware builders (Babuk, LockBit 3.0) and their artifacts.