{
	"id": "7bf6cf5f-6835-4c45-8e21-bf8278e96044",
	"created_at": "2026-04-06T01:29:56.71292Z",
	"updated_at": "2026-04-10T03:21:38.024201Z",
	"deleted_at": null,
	"sha1_hash": "25db12f00bee227eddb4db5d9293093e8be91bcf",
	"title": "Maktub ransomware: possibly rebranded as Iron",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 421121,
	"plain_text": "Maktub ransomware: possibly rebranded as Iron\r\nArchived: 2026-04-06 01:08:38 UTC\r\nIn this post, we'll take a quick look at a possible new ransomware variant, which appears to be the latest version of\r\nMaktub ransomware, also known as Maktub Locker.\r\nhasherezade from Malwarebytes has, as per usual, written an excellent blog on Maktub Locker in the past, if you\r\nwish to learn more: Maktub Locker – Beautiful And Dangerous\r\nUpdate - 2018-04-14: Read the conclusion at the end of this post to learn more about how Iron ransomware\r\nmimicked at least three different ransomware families.\r\nAnalysis\r\nA file was discovered, named ado64, with the following properties:\r\nMD5: 1e60050db59e3d977d2a928fff3d34a6\r\nSHA1: f51bab89b4e4510b973df8affc2d11a4476bd5be\r\nSHA256: 19ee6d4a89d7f95145660ca68bd133edf985cc5b5c559e7062be824c0bb9e770\r\nCompilation timestamp: 2018-04-05 03:47:19\r\nVirusTotal report:\r\n19ee6d4a89d7f95145660ca68bd133edf985cc5b5c559e7062be824c0bb9e770\r\nMaktub typically sports a graphically appealing lock screen, as well as a payment portal, and promotes \"Maktub\r\nLocker\" extensively.\r\nInterestingly enough, this variant has removed all references to Maktub. The figures below represent the lock screen\r\nand payment portal, when stepping through.\r\nhttps://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html\r\nPage 1 of 7\n\nFigure 1 - Lock screen/warning\r\nEmail address: recoverfile@mail2tor.com\r\nBitcoin address: 1cimKyzS64PRNEiG89iFU3qzckVuEQuUj\r\nRansomware note: !HELP_YOUR_FILES.HTML\r\nFigure 2 - Payment portal\r\nFigure 3 - Hello! (after entering the personal ID)\r\nThe text reads:\r\nWe’re very sorry that all of your personal files have been encrypted :( But there are good news – they\r\naren’t gone, you still have the opportunity to restore them! 
Statistically, the lifespan of a hard-drive is\r\nanywhere from 3 to 5 years. If you don’t make copies of important information, you could lose\r\neverything! Just imagine! In order to receive the program that will decrypt all of your files, you will\r\nneed to pay a certain amount. But let’s start with something else…\r\nFigure 4 - \"We are not lying\"\r\nFigure 5 - Ransomware cost\r\nFigure 6 - Where to pay\r\nFigure 7 - Last but not least: how to buy Bitcoins\r\nIn previous versions of Maktub, you could decrypt 1 file for free; however, with the current rebranding, this option\r\nhas disappeared. Since the ransomware has rebranded, we'll name it \"Iron\" or \"Iron ransomware\", due to the name\r\nof the decrypter, IronUnlocker.\r\nIron encrypts a whopping total of 374 extensions; these are as follows:\r\n.001, .1cd, .3fr, .8ba, .8bc, .8be, .8bf, .8bi8, .8bl, .8bs, .8bx, .8by, .8li, .DayZProfile, .abk, .ade, .adpb,\r\n.adr, .aip, .amxx, .ape, .api, .apk, .arch00, .aro, .arw, .asa, .ascx, .ashx, .asmx, .asp, .asr, .asset, .bar,\r\n.bay, .bc6, .bc7, .bi8, .bic, .big, .bin, .bkf, .bkp, .blob, .blp, .bml, .bp2, .bp3, .bpl, .bsa, .bsp, .cab, .cap,\r\n.cas, .ccd, .cch, .cer, .cfg, .cfr, .cgf, .chk, .class, .clr, .cms, .cod, .col, .con, .cpp, .cr2, .crt, .crw, .csi, .cso,\r\n.css, .csv, .ctt, .cty, .cwf, .d3dbsp, .dal, .dap, .das, .db0, .dbb, .dbf, .dbx, .dcp, .dcr, .dcu, .ddc, .ddcx,\r\n.dem, .der, .desc, .dev, .dex, .dic, .dif, .dii, .disk, .dmg, .dmp, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .dvd,\r\n.dxg, .elf, .epk, .eql, .erf, .esm, .f90, .fcd, .fla, .flp, .for, .forge, .fos, .fpk, .fpp, .fsh, .gam, .gdb, .gho, .grf,\r\n.h3m, .h4r, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .ibank, .icxs, .img, .indd, .ipa, .iso, .isu, .isz, .itdb, .itl,\r\n.itm, .iwd, .iwi, .jar, .jav, .java, .jpe, .kdc, .kmz, .layout, .lbf, .lbi, .lcd, .lcf, .ldb, .ldf, .lgp, .litemod, 
.lng,\r\n.lrf, .ltm, .ltx, .lvl, .m3u, .m4a, .map, .mbx, .mcd, .mcgame, .mcmeta, .md0, .md1, .md2, .md3, .mdb,\r\n.mdbackup, .mddata, .mdf, .mdl, .mdn, .mds, .mef, .menu, .mm6, .mm7, .mm8, .moz, .mpq, .mpqge,\r\n.mrwref, .mxp, .ncf, .nds, .nrg, .nri, .nrw, .ntl, .odb, .odf, .odp, .ods, .odt, .orf, .owl, .oxt, .p12, .p7b, .p7c,\r\n.pab, .pbp, .pef, .pem, .pfx, .pkb, .pkh, .pkpass, .plc, .pli, .pot, .potm, .potx, .ppf, .ppsm, .pptm, .prc, .prt,\r\n.psa, .pst, .ptx, .pwf, .pxp, .qbb, .qdf, .qel, .qic, .qpx, .qtr, .r3d, .raf, .re4, .res, .rgn, .rgss3a, .rim, .rofl,\r\n.rrt, .rsrc, .rsw, .rte, .rw2, .rwl, .sad, .sav, .sc2save, .scm, .scx, .sdb, .sdc, .sds, .sdt, .shw, .sid, .sidd,\r\n.sidn, .sie, .sis, .slm, .slt, .snp, .snx, .spr, .sql, .sr2, .srf, .srw, .std, .stt, .sud, .sum, .svg, .svr, .swd, .syncdb,\r\n.t01, .t03, .t05, .t12, .t13, .tar.gz, .tax, .tcx, .thmx, .tlz, .tor, .torrent, .tpu, .tpx, .ttarch2, .tur, .txd, .txf,\r\n.uax, .udf, .umx, .unity3d, .unr, .uop, .upk, .upoi, .url, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vcd, .vdf,\r\n.ver, .vfs0, .vhd, .vmf, .vmt, .vpk, .vpp_pc, .vsi, .vtf, .w3g, .w3x, .wad, .war, .wb2, .wdgt, .wks, .wmdb,\r\n.wmo, .wotreplay, .wpd, .wpl, .wps, .wtd, .wtf, .x3f, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xlsb, .xltx, .xlv,\r\n.xlwx, .xpi, .xpt, .yab, .yps, .z02, .z04, .zap, .zipx, .zoo, .ztmp\r\nIron doesn't spare gamers, as it will also encrypt Steam files (.vdf), World of Tanks replays (.wotreplay), 
DayZ\r\n(.DayZProfile), and possibly others.\r\nFolders containing the following words are exempt from encryption:\r\nWindows, windows, Microsoft, Mozilla Firefox, Opera, Internet Explorer, Temp, Local, LocalLow,\r\n$Recycle.bin, boot, i386, st_v2, intel, recycle, 360rec, 360sec, 360sand, internet explorer, msbuild\r\nInterestingly enough, 360sec, 360rec, and 360sand are associated with Qihoo 360, an internet security company\r\nbased in China that develops antivirus software (360 Total Security is one example). This, as well as the fact that the Iron\r\nransomware also includes resources in Chinese Simplified, suggests this variant may be developed by a Chinese\r\nspeaker.\r\nThe ransomware will additionally delete the original files after encryption, and will also empty the recycle bin. It\r\ndoes not remove Shadow Volume Copies or Restore Points.\r\nIron embeds a public RSA key as follows:\r\n-----BEGIN RSA PUBLIC KEY-----\r\nMIGJAoGBAIOYf0KqEOGaxdLmMLypMyZ1q/K+r6DuCdYpwZfs0EPug3ye7UjZa0QMOP5/OySr\r\nl/uBJtkmEghEtUEo/zfcBJ7332O1ytJ7/ebIUv+ZcN1Rlswzdv7uZxYRC8u1HvrgBvAz4Atb\r\nzx+FbFVqLB0gGixYTqbjqANq21AR6r91+oJtAgMBAAE=\r\n-----END RSA PUBLIC KEY-----\r\nThe Iron ransomware will determine the user's WAN IP and also send a POST request to its C2\r\nserver, http://y5mogzal2w25p6bn[.]ml.\r\nFigure 8 - Traffic\r\nIt appears Iron will create a new, random GUID and use it as a mutex, so as not to infect the machine twice.\r\nThe following values will be sent to the C2:\r\nEncryption key;\r\nRandk (seed);\r\nGUID (mutex);\r\nStart (whether the ransomware successfully started);\r\nMarket (unknown).\r\nThe C2 server will then respond with another set of values and generate a unique Bitcoin address, which means\r\nthat victims may pay twice to different addresses. 
Rule of thumb: do not pay the ransomware.\r\nOf note is an email address in the response: oldblackjack@outlook.com.\r\nIron will additionally save certain values, such as the GUID, in HKCU\\Software\\CryptoA:\r\nFigure 9 - Registry values\r\nEncrypted files will have the .encry extension appended. It is likely not possible to restore data.\r\nConclusion\r\nIt is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired\r\nby the latter, by copying the design of the payment portal for example.\r\nWe know the Iron ransomware has mimicked at least three ransomware families:\r\nMaktub (payment portal design)\r\nDMA Locker (Iron Unlocker, decryption tool)\r\nSatan (exclusion list)\r\nFrom the screenshots above, it is obvious the portal design has been copy-pasted from Maktub.\r\nAs for copying from DMA Locker, see this tweet:\r\nAnd, last but not least, it uses the exact same exclusion list (folders and their content that will not be encrypted) as\r\nSatan:\r\nJust to clarify, there isn't specific code overlap, as the crypto is quite different to Satan. However, there\r\nare similarities in a number of things, such as the exclusion list. https://t.co/OHkFimJ3g7\r\npic.twitter.com/ub6hOnucgn\r\n— Bart (@bartblaze) April 11, 2018\r\nThe code is indeed quite unique, and Iron seems like a totally new ransomware, and may even be a \"side project\" by\r\nthe creators of the Satan ransomware. However, at this point, there is no sure way of telling who's behind Iron.\r\nTime may be able to tell.\r\nDecryption is impossible without the author's private key; however, it is possible to restore files using Shadow\r\nVolume Copies, or alternatively Shadow Explorer. 
If that doesn't work, you may try using a data recovery program\r\nsuch as PhotoRec or Recuva.\r\nTake note of ID Ransomware, if a decryptor should ever become available. Additionally, it may identify other\r\nfamilies of ransomware if you are ever affected. Another service to take note of in this regard is NoMoreRansom.\r\nFor preventing ransomware, have a look here:\r\nIn short: create backups!\r\nQuestions, comments, feedback or help: leave a comment below or contact me on Twitter.\r\nIndicators:\r\nIndicator type Indicator\r\nemail oldblackjack@outlook.com\r\ndomain y5mogzal2w25p6bn.ml\r\nFileHash-SHA256 19ee6d4a89d7f95145660ca68bd133edf985cc5b5c559e7062be824c0bb9e770\r\nURL http://y5mogzal2w25p6bn.ml\r\nURL http://y5mogzal2w25p6bn.ml/receive\r\nFileHash-MD5 1e60050db59e3d977d2a928fff3d34a6\r\nFileHash-SHA1 f51bab89b4e4510b973df8affc2d11a4476bd5be\r\nemail recoverfile@mail2tor.com\r\nOn AlienVault:\r\nSource: https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html"
	],
	"report_names": [
		"maktub-ransomware-possibly-rebranded-as.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438996,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25db12f00bee227eddb4db5d9293093e8be91bcf.pdf",
		"text": "https://archive.orkl.eu/25db12f00bee227eddb4db5d9293093e8be91bcf.txt",
		"img": "https://archive.orkl.eu/25db12f00bee227eddb4db5d9293093e8be91bcf.jpg"
	}
}