{
	"id": "ba2190ad-2f58-4ab0-ad82-3a9ea1ec7153",
	"created_at": "2026-04-06T00:12:47.671917Z",
	"updated_at": "2026-04-10T03:24:24.683738Z",
	"deleted_at": null,
	"sha1_hash": "08c2da37e94f89b909aeb54a53fface388b98acd",
	"title": "Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign - BreakPoint Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76326,
	"plain_text": "Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign - BreakPoint Labs\r\nBy Breakpoint Labs\r\nPublished: 2021-08-31 · Archived: 2026-04-05 19:14:47 UTC\r\nPosted on August 31, 2021\r\nDuring the course of multiple incident response engagements, we encountered a persistent, unknown ransomware threat group utilizing an obfuscated Golang encryptor [1]. It is believed that the threat actors gained initial access through one or more SonicWall exploits [2], [3]. We can confirm prior reports that these threat actors used Cobalt Strike to extend their access and further exploit victim networks. In this blog, we will highlight previously unreported infrastructure that is managed by this unknown threat group.\r\nIndicators of Compromise\r\nVictims are presented with the following ransom note:\r\nHello dear user!\r\nUnfortunately, your files have been encrypted and attackers are taking over 300 GB of your personal data, financial reports and many other documents.\r\nDo not try to recover files yourself, you can damage them without special software.\r\nWe can help you recover your files and prevent your data from leaking or being sold on the darknet.\r\nJust contact support using the following methods and we will decrypt one non-important file for free to convince you of our honesty.\r\nContact us method below:\r\nUse TOR Browser: http://[redacted].onion/[redacted]\r\nhttps://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/\r\nPage 1 of 4\r\nHashes\r\nA recent sample of the Golang-packed malware was submitted to VirusTotal in mid-July 2021 [4]:\r\nMD5: 864e4a109565f8d4052b959a12bfa45b\r\nSHA-1: 94388841e65c0962e56bf3e37391006d0af20bf4\r\nSHA-256: d6f7eed7e8aeffb0683639a2c5b654d216f98a68de1528ef37685103f6e24550\r\nDomains\r\nThe following domains have been attributed to the unknown threat group and have been observed hosting a Cobalt Strike server using TLS/SSL on non-standard ports. It is clear that this threat group is attempting to blend in with normal network noise by registering seemingly legitimate domains.\r\nIP Addresses\r\nThe following IP addresses are related to the domains listed above and appear to be single-use.\r\nAm I impacted?\r\nThis threat group has been very active. If your organization has used a SonicWall SMA VPN device since late 2020 or early 2021 without restricting access to it, there is a real likelihood that your organization has been compromised. If you observe any connections to the domains listed above, it is very likely you are compromised.\r\nWhat should I be doing to prevent these actors from disrupting our mission?\r\n1. Back up (or start backing up!) all of your critical business data to an offline location. We observed these threat actors identifying the backup solutions employed by a victim and deleting all backup files from an online third-party solution provider.\r\n2. Patch and upgrade your SMA devices immediately. More information can be found here: https://www.sonicwall.com/support/product-notification/urgent-security-notice-critical-risk-to-unpatched-end-of-life-sra-sma-8-x-remote-access-devices/210713105333210/\r\n3. Review all SMA logs for suspicious activity, specifically successful authentication attempts from non-US IP addresses and/or from IP addresses that do not originate from home or commercial Internet service providers.\r\n4. Enforce multi-factor authentication for all VPN accounts.\r\n5. Deploy detection signatures for the domains and hashes listed above.\r\nIf you are in need of incident response support or ways to defend against this and other threats, please contact us at https://breakpoint-labs.com/.\r\nReferences\r\n[1] https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/\r\n[2] https://us-cert.cisa.gov/ncas/current-activity/2021/07/15/ransomware-risk-unpatched-eol-sonicwall-sra-and-sma-8x-products\r\n[3] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001\r\n[4] https://www.virustotal.com/gui/file/d6f7eed7e8aeffb0683639a2c5b654d216f98a68de1528ef37685103f6e24550/detection\r\nSource: https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/"
	],
	"report_names": [
		"cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434367,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08c2da37e94f89b909aeb54a53fface388b98acd.pdf",
		"text": "https://archive.orkl.eu/08c2da37e94f89b909aeb54a53fface388b98acd.txt",
		"img": "https://archive.orkl.eu/08c2da37e94f89b909aeb54a53fface388b98acd.jpg"
	}
}