{
	"id": "52642b00-f42b-4805-94a8-cc57745610fc",
	"created_at": "2026-04-06T00:07:07.389123Z",
	"updated_at": "2026-04-10T03:20:48.860382Z",
	"deleted_at": null,
	"sha1_hash": "186141abfa2484766fa265e74dd9bec7caaff639",
	"title": "New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 769363,
	"plain_text": "New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker\r\nPublished: 2021-02-05 · Archived: 2026-04-05 14:43:35 UTC\r\nRansomware is in a constant state of development. This is true not only of ransomware families that are big-game hunters or that take a targeted approach in their campaigns, but also of new ones.\r\nIn this entry, we look into a new ransomware family dubbed Seth-Locker, which was discovered while at large and is still under development. We also enumerate developments in Babuk Locker, Maoloa, and a possible TeslaCrypt variant. Lastly, we note the appearance of a CobraLocker variant that is at large and uses a popular game as a disguise to attract the attention of unwitting victims.\r\nNew ransomware Seth-Locker\r\nWe discovered a new ransomware named Seth-Locker at large. An interesting feature of this new ransomware is its inclusion of a few backdoor routines in its malicious files, together with its ransom routine. The backdoor routines observed so far are the following:\r\nopen_link for reading content from the command-and-control (C\u0026C) server\r\ndown_exec for downloading and executing a file\r\nshell to run a command-line shell command\r\nlocker to run the ransomware routine\r\nkill to terminate a process or itself\r\nOnce executed, the ransomware follows the typical routine of encrypting files and appending the suffix .seth to them, before dropping a ransom note.\r\nAs its code contains several rookie mistakes and oversights, we surmise that it is still under development. For example, the malware’s commands are easily visible in its code, and the list of file extensions it checks contains repeated entries. Another tell-tale sign that it is still under development is that it lacks sophistication in hiding its routines and techniques. In the future, however, it would be possible to encounter an improved version of this ransomware.\r\nDevelopments in Babuk Locker\r\nBabuk Locker is also a new ransomware family and the first enterprise ransomware discovered in 2021. It initially identified itself as Vasa Locker in December 2020. Babuk Locker is proving to be a fast-evolving and active ransomware. Early into 2021, it had already attacked several companies, utilizing the strategy of threatening to expose stolen information.\r\nEven as a new ransomware-as-a-service (RaaS), its operations follow the methods of known targeted ransomware attacks. Its initial access likely involves compromised user accounts, exploitation of vulnerabilities, or malspam.\r\nhttps://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html\r\nPage 1 of 8\r\nThreat actors then move laterally to make an inventory of the victim’s network and important files, since they exfiltrate data as part of their double extortion method. Afterward, they proceed to deploying their ransomware payload. In addition, they eventually post the exfiltrated data on a blog or a Tor site that they operate.\r\nBabuk Locker utilizes a ChaCha8 stream cipher for encryption and Elliptic-curve Diffie-Hellman (ECDH) for key generation, making the recovery of files without access to the private key highly unlikely. Chuong Dong’s blog gives further details on how this malware operates.\r\nWhat’s notable about Babuk Locker is the progression of its attacks and its threat actors’ use of a Tor site to communicate with their victims. The oldest and first sample that we observed involved sending a typical ransom email to the target. Meanwhile, the second variant of the ransomware that we encountered used a Tor site, which showed a screenshot of the data that the threat actors had stolen from their target. Based on this development, we can see how the group behind Babuk Locker is making its extortion methods more personalized and aggressive.\r\nCertain aspects of Babuk Locker have similarities with other known ransomware. In particular, the ransom note is striking as it matches that used by DarkSide. This is evidenced in Figure 1, which suggests that these two ransomware families could be linked. With regard to techniques, Babuk Locker also seems to have taken a page out of older ransomware like Conti, Ryuk, and Ragnar Locker. For example, like these older malware, it terminates processes and services that are related to applications, back-up software, endpoint security, and servers. Given how effective these known ransomware are, it is no surprise that Babuk Locker has mimicked some of their techniques.\r\nFigure 1. A Babuk ransom note (top) compared with a DarkSide ransom note (bottom)\r\nBabuk Locker’s leak site offers more clues. For example, we observed that the leak site was recently modified to announce that Babuk has been rebranded to “Babyk.” The site also claims that the group behind the variant is not malicious, and that they aim to expose security issues in organizations.\r\nFigure 2. The leak site shows both the rebranding from “Babuk” ransomware to “Babyk” and details about the malware.\r\nInterestingly, the leak site also lists entities that are excluded from the group’s scope of interest. This list was present before the modification, and this is the first time that we have observed a ransomware variant showing this kind of discretion.\r\nFigure 3. The list of organizations exempted from Babuk’s attacks as posted on their leak site\r\nBased on its code, the latest sample that we saw is already the third version of Babuk, which involves a more personalized ransom note that directly addresses the victim organization by name. It is likely that we will see more of this malware in the future, given the level of activity that we have described.\r\nFigure 4. The Babuk Locker code showing that this sample is from the third version of Babuk\r\nPossible TeslaCrypt disabling system security\r\nThe variant described here arrives through a spam email, which downloads a malicious binary that we detected as the ransomware TeslaCrypt. While Babuk is new, TeslaCrypt is an older ransomware family. Notably, TeslaCrypt’s key was released in 2016, so it should now be considered a defunct ransomware; however, a new variant seems to have emerged (detected as Ransom.MSIL.TESLACRYPT.THABGBA). At present, we do not have enough information to say why the ransomware has made a reappearance. Additionally, we are not ruling out the possibility that the sample is simply a copycat version of TeslaCrypt.\r\nWhatever the case might be, a notable feature of this malware is how it downgrades its victim’s security. The malware initially disables Windows Defender before terminating a very long list of around 300 other services, such as debuggers and security-related applications. The authors of this variant seem to be aiming to narrow down the recovery options available for their victim’s system.\r\nFor a ransomware variant, we very rarely see this many security-related processes and applications being closed in a campaign.\r\nFigure 5. A screenshot showing a partial list of security-related applications terminated by the ransomware\r\nDevelopments for Maoloa\r\nThe Maoloa ransomware was first seen in 2019. It is also one of the malware families used in an attack on hospitals in Romania in July 2019. Maoloa has also been linked to the older GlobeImposter ransomware.\r\nA newer sample that we encountered (detected as Ransom.Win32.MAOLOA.THAAHBA) was packaged inside a 7-Zip SFX file. This variant also used the legitimate tool certutil.exe and an AutoIt script. All of these additions are evasion tactics that we have not observed in previous variants. The older Maoloa variants that we encountered used a bare, unpackaged binary.\r\nFigure 6. Execution of the SFX file where the Maoloa ransomware is packaged\r\nOnce executed, the self-extracting archive carrying the Maoloa ransomware payload will drop four files, as seen in Figure 6.\r\nAmong these files is the Maoloa ransomware which, once decrypted, will proceed with its encryption routine and the dropping of ransom notes. Similar to past variants, this Maoloa sample’s appended extension is “.Globeimposter-Alpha865qqz” despite belonging to the Maoloa ransomware family and not GlobeImposter’s.\r\nFigure 7. Dropping of Maoloa encryption and ransom note components showing GlobeImposter file extensions\r\nCobraLocker disguised as Among Us\r\nFinally, part of our notable discoveries is a CobraLocker variant (detected as Ransom.MSIL.COBRALOCKER.B) that was found at large and that uses the popular game Among Us as a disguise to lure users. The file name used by this ransomware is “AmongUsHorrorEdition.”\r\nFigure 8. The file name of CobraLocker that disguises itself as a version of Among Us\r\nIf executed, it will show an image in line with the “horror” aspect of the file and will display the text “Do you want to play?” It will then run typical malicious activities, such as terminating cmd.exe, regedit.exe, and Process Hacker, as well as adding registry entries for persistence.\r\nHow to secure against ransomware?\r\nAs shown by these ransomware families, threat actors will continue to hone their malware to ensure the success of their campaigns, be it by placing heavier pressure on their victims to comply with their demands or simply by better disguising their malicious activities to evade detection.\r\nRansomware of the present is undergoing rapid changes that need to be observed and prepared for. Here are measures that users and organizations can use to protect themselves from ransomware:\r\nCreate an effective back-up strategy by following the 3-2-1 rule.\r\nAdopt strong passwords throughout the network.\r\nConsider network segmentation to separate important processes and systems from the wider access network.\r\nIncrease both your awareness and the awareness of the members of your organization on how ransomware spreads (i.e., through spammed emails and attachments).\r\nMonitor and audit network traffic for any suspicious behaviors or anomalies.\r\nTrend Micro solutions\r\nTrend Micro solutions such as the Smart Protection Suite products and Trend Micro™ Worry-Free™ Business Security Services solutions, which have behavior monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Our XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It infuses high-fidelity machine learning (ML) with other detection technologies and global threat intelligence for comprehensive protection from advanced malware.\r\nSource: https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html"
	],
	"report_names": [
		"new-in-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434027,
	"ts_updated_at": 1775791248,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/186141abfa2484766fa265e74dd9bec7caaff639.pdf",
		"text": "https://archive.orkl.eu/186141abfa2484766fa265e74dd9bec7caaff639.txt",
		"img": "https://archive.orkl.eu/186141abfa2484766fa265e74dd9bec7caaff639.jpg"
	}
}