{
	"id": "3155179e-96c7-4217-9feb-c3017542e0fc",
	"created_at": "2026-04-06T00:17:58.847841Z",
	"updated_at": "2026-04-10T03:20:35.329877Z",
	"deleted_at": null,
	"sha1_hash": "328c422ae731c190af0503d6e90ae2c046226509",
	"title": "Ransomware in the CIS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2556087,
	"plain_text": "Ransomware in the CIS\r\nBy Fedor Sinitsyn\r\nPublished: 2021-10-07 · Archived: 2026-04-05 12:39:01 UTC\r\nIntroduction\r\nThese days, when speaking of cyberthreats, most people have in mind ransomware, specifically cryptomalware. In\r\n2020–2021, with the outbreak of the pandemic and the emergence of several major cybercriminal groups (Maze,\r\nREvil, Conti, DarkSide, Avaddon), an entire criminal ecosystem took shape, leading to a mounting worldwide\r\nwave of attacks on large organizations with pockets deep enough to pay a ransom in the hundreds of thousands,\r\neven millions, of US dollars.\r\nThis year, after a series of high-profile ransomware incidents, such as the attacks on Colonial Pipeline (the\r\noperator of the largest fuel pipeline in the US), JBS and Kaseya, and the heightened scrutiny from the US and\r\nother authorities that followed, the ransomware market has undergone some major changes: some groups have\r\nshut up shop, others have rebranded.\r\nMost of the groups you might read about in the news today tend to operate outside the Commonwealth of\r\nIndependent States (CIS). That said, companies in this region still cannot relax, since they are the target of dozens\r\nof lesser-known groups.\r\nThis roundup spotlights the ransomware Trojan families that most actively attacked businesses in the CIS in H1\r\n2021, and their technical characteristics.\r\nStatistics\r\nhttps://securelist.com/cis-ransomware/104452/\r\nPage 1 of 23\n\nNumber of business users in the CIS who encountered ransomware, January–July 2021\r\nUnique business users whose devices were attacked by ransomware Trojans as a percentage of all unique users of\r\nKaspersky products in the country, January–July 2021\r\nRansomware families at a glance\r\nBigBobRoss/TheDMR\r\nThis ransomware became active at the back end of 2018 and remains current. 
According to our data, its main\r\nvector of distribution is cracking RDP passwords.\r\nWhen launched, BigBobRoss shows the operator technical information, including the key for subsequent file\r\ndecryption. The malware also sends a message with this information via Telegram.\r\nTechnical file created by BigBobRoss\r\nAfter encryption, the contents of the folders look as follows: the cybercriminals’ e-mail address and the victim’s\r\nID are added to the beginning of each file, followed by the original name and extension, and then the extension\r\nadded by the ransomware.\r\nEncrypted files and a note from the attackers\r\nAdditionally, a note with the attackers’ details is added to each folder.\r\nNote left by the ransomware\r\nFor encryption, the program uses the AES symmetric algorithm with a 128-bit key in ECB mode (simple\r\nsubstitution mode) from the CryptoPP cryptographic library.\r\nThe PDB retains information about the name of the project. The developer may be Russian-speaking, but it is\r\nimpossible to say for sure, since the name could just be an attempt to muddy the waters.\r\nPDB info of the executable file\r\nCrysis/Dharma\r\nCrysis is an old piece of cryptomalware known since 2016. It has been known to go dormant and then be revived.\r\nCurrently, it is still active. The Trojan’s code has remained unchanged for several years, and today it is distributed\r\nthrough a Ransomware-as-a-Service (RaaS) affiliate program.\r\nCrysis is written in C/C++ and compiled in MS Visual Studio. The malware encrypts files using the AES-256\r\nalgorithm in CBC mode. 
Upon launch, the Trojan generates a 256-bit AES key that is encrypted using the RSA-1024 algorithm, with the attacker’s public key contained in the Trojan’s body.\r\nEach file is encrypted using the aforementioned AES key, as well as the freshly generated 128-bit initialization\r\nvector (IV). Besides the encrypted content, the encrypted file stores the IV, the RSA-encrypted AES key, and\r\nauxiliary information, including the attacker’s label (a string value), the SHA1 hash of the used RSA public key,\r\nthe original file name, the encryption type (the part of the file to be encrypted is chosen differently for small and\r\nlarge files) and the checksum.\r\nCrysis ransom note\r\nThe typical Crysis attack vector is unauthorized RDP access. The attacker cracks the credentials (through a\r\ndictionary/brute-force attack or ready lists bought from other cybercriminals), connects remotely to the victim’s\r\ncomputer, and runs the Trojan manually.\r\nPhobos/Eking\r\nThis ransomware has been around since 2017. At the conceptual level (code structure, approaches used by the\r\ndevelopers), Phobos is similar to Crysis in many ways. This suggests that either the Trojans share the same\r\ndeveloper, or the authors of Phobos are familiar with how Crysis works. However, we found no direct borrowing\r\nof code; in other words, these are different families of Trojans assembled from different sources.\r\nLike most modern ransomware, Phobos is distributed through a RaaS affiliate program. The main vector of\r\ninfection is unauthorized RDP access.\r\nPhobos is written in C/C++ and compiled in MS Visual Studio. It uses the AES-256-CBC algorithm to encrypt the\r\nvictim’s files, while the AES key is encrypted using the RSA-1024 public key contained in the body of the\r\nmalware.\r\nPhobos ransom note\r\nCryakl/CryLock\r\nCryakl is probably the oldest ransomware featured in this post. 
The first version was detected back in April 2014.\r\nHowever, it seems that in modern versions of this Trojan, not a single line of code is left over from that time.\r\nCryakl has been rewritten many times, and changes are introduced with each new version, often significant ones.\r\nIt is distributed through an affiliate program. Currently, its most common attack vector is via RDP. For the\r\nattacker’s convenience, the Trojan supports a graphical interface. The operator configures the necessary settings\r\nmanually in the program window.\r\nCryakl settings window\r\nCryakl is written in Delphi. The modern version of Cryakl uses a custom symmetric cipher to encrypt the victim’s\r\nfiles, and the RSA algorithm to encrypt the key.\r\nAn interesting feature of the current versions of Cryakl, not seen in other ransomware, is advanced processing of\r\narchive file formats.\r\nArchives can be large, and encrypting them in their entirety takes a long time. And if only an arbitrary piece of a\r\nfile is encrypted, it is possible to recover some of the content without decryption.\r\nCryakl features specialized procedures for handling the ZIP, 7z, TAR, CAB and RAR (old versions and RAR5)\r\nformats. It parses each of these formats and encrypts only the critical parts of the archive, delivering high\r\nperformance and preventing data recovery without decryption.\r\nPart of the procedure for analyzing the ZIP format\r\nCryakl ransom note\r\nCryptConsole\r\nCryptConsole was first spotted in January 2017 and is still encountered today. It is written in C# and uses .NET\r\nlibraries for encryption. The main vector of distribution is cracking RDP passwords.\r\nCryptConsole note\r\nFor encryption, two key and IV pairs are generated. 
These are written to a text file, along with a size parameter\r\nthat reflects how much of the user’s file is to be encrypted, and placed on the desktop. The name of this text file is\r\na 40-character string that matches the user’s unique identifier (Personal ID in the note). It is assumed that the\r\nmalware operator, having gained access via RDP, runs the ransomware and saves this file for themselves, then\r\ndeletes it from the victim’s device. It may prove possible to recover the file, but there is no guarantee.\r\nInterestingly, the size of the encrypted part of the file (the size parameter) is a random value in the range\r\n[5485760, 10485760].\r\nFile with keys left by the ransomware\r\nThe encryption scheme is also curious. As mentioned above, the ransomware generates two random pairs: key+IV\r\nand key2+IV2. The file size is then compared to the previously generated random size value. If the file is greater\r\nthan size, only the part of the file that is less than or equal to this value is encrypted, before which a buffer with\r\nsize bytes of random data is written to the file.\r\nGenerating the key/IV pairs, ID, and size\r\nEncryption is performed using the symmetric AES algorithm. First, a size bytes chunk of the file is encrypted\r\nusing key and IV, then the encrypted buffer is reversed and encrypted again, this time using key2 and IV2. This is\r\nhow the dual encryption scheme works.\r\nDual encryption scheme for small files\r\nLarge files, as mentioned before, are first filled with size bytes of arbitrary data. Only after that is the encrypted\r\ndata appended.\r\nDual encryption scheme with arbitrary data writing\r\nFonix/XINOF\r\nFonix ransomware appeared in the summer of 2020. 
In January 2021, its creators announced the closure of the\r\nproject and even published the master key, which we used to build a decryptor for victims of this Trojan.\r\nHowever, that was not the end of the Fonix story. A few months later (in June 2021), we detected attacks by a new\r\nversion of Fonix, which doesn’t use the old master key.\r\nThis version of Fonix mimics the Crysis and Phobos Trojans, using the same extensions and naming scheme for\r\nencrypted files.\r\nIf the files affected by earlier versions of Fonix had names like picture.jpg.Email=[actor@mail.tld]ID=\r\n[B49D8EF5].XINOF, now they are indistinguishable from the names of the files encrypted by Crysis\r\n(picture.jpg.id-523E8573.[actor@mail.tld].harma) or Phobos (picture.jpg.ID-70AB2875.[actor@mail.tld].eking).\r\nThe path to the project’s PDB file, preserved in the Trojan sample, likewise speaks of deliberate masking: the line\r\n“DharmaVersion” points unambiguously to the Dharma family (an alternative name for the Crysis ransomware).\r\nPDB path\r\nFonix is written in C++ using the CryptoPP library and compiled into a 64-bit executable file in MS Visual Studio.\r\nIt is distributed using the RaaS scheme, with the main method of delivery to the victim’s system being via spam\r\nwith a malicious attachment.\r\nAfter each infection, the ransomware sends a notification to its operator via Telegram, which, incidentally, is\r\nnothing new and was first seen several years ago.\r\nSending a notification in Telegram\r\nUpon infecting the host, Fonix also checks the victim’s geolocation by IP and, if launched in Iran, ceases its\r\nactivity without encryption.\r\nCountry check in Fonix\r\nTo encrypt user files, it uses the ChaCha or Salsa algorithms (depending on the file size). The ChaCha/Salsa keys\r\nare encrypted by RSA with a session public key generated when the Trojan is launched. 
The session private key is\r\nencrypted by RSA using the public master key contained in the body of the malware.\r\nEarly versions of Fonix had their own design of ransom notes.\r\nFonix ransom note (early version)\r\nIn modern samples, meanwhile, we see the look of some versions of Crysis’ and Phobos’ ransom notes being\r\ncopied.\r\nFonix ransom note (modern version)\r\nLimbozar/VoidCrypt\r\nThis ransomware appeared in mid-2019. Some versions of it are also known as Limbo, Legion, Odveta and\r\nOuroboros. Limbozar is distributed through an affiliate program (RaaS). Currently, the main vector of distribution\r\nis unauthorized RDP access. Limbozar is written in C++, compiled in MS Visual Studio and uses the CryptoPP\r\nlibrary to implement cryptographic functions.\r\nThe cryptographic scheme has changed several times throughout the family’s history. When launched, modern\r\nversions of Limbozar generate an RSA-2048 session key pair, followed by a 256-bit key and a 96-bit initialization\r\nvector for the AES algorithm in GCM mode. The private RSA session key is encrypted with the AES algorithm\r\nand saved locally. Next, the key+IV pair for AES is encrypted with one of the several public RSA master keys\r\ncontained in the Trojan’s body, and is also saved to the local drive.\r\nAfter this preparatory phase, Limbozar searches for the victim’s files and encrypts them with the AES-GCM\r\nalgorithm, generating for each file a unique key+IV pair, which, in turn, it encrypts with the RSA session public\r\nkey.\r\nAfter encryption, the malware leaves the cybercriminals’ demands in the Decrypt-info.txt files.\r\nLimbozar ransom note\r\nUpon full encryption, Limbozar also sends a notification about the new victim to its C\u0026C server using a POST\r\nrequest. 
To implement network communication, the SFML library (libsfml-network) is used.\r\nNotification about a new Limbozar infection\r\nThanos/Hakbit\r\nThanos became active in late April 2020, although information about it first appeared in January when it was\r\npresented as RaaS on a hacker forum. The ransomware is written in C#. According to our information, its main\r\nvector of distribution is cracking RDP passwords.\r\nDesktop wallpaper of an infected machine displaying a ransom note\r\nSince the distribution model is RaaS, the ransomware is distributed through a builder, enabling the customization\r\nof the Trojan itself and a decryptor for it.\r\nThere are many different settings in the builder: both basic (extension of encrypted files, name and content of\r\nransom note, payment address) and more advanced (code obfuscation, self-delete, disabling Windows Defender,\r\nbypassing the Antimalware Scan Interface (AMSI), unlocking files occupied by other processes, protecting the\r\nransomware process, preventing sleep, execution delay, fast encryption mode for large files, setting extensions of\r\nthe files to be encrypted, selecting a victim notification method). The leaked constructor can be found online.\r\nMost likely, it was uploaded by the operator who bought it. For protection, it features a built-in HWID check,\r\nsuggesting it was assembled for the specific device of the operator.\r\nThe decryptor can decrypt files using the user ID, which is an RSA-encrypted key for a symmetric encryption\r\nalgorithm (different versions have different symmetric algorithms).\r\nDecryptor for Thanos\r\nThe ransomware can employ a range of encryption schemes. 
In various samples of the ransomware, we came\r\nacross the following:\r\nOne key for all files; Salsa20 encryption\r\nDifferent keys for all files; Salsa20 encryption\r\nOne key for all files passed through PBKDF2 function; AES-256 CBC encryption\r\nOne key for all files passed through PBKDF2 function (1000 iterations for small files and 50,000 iterations\r\nfor large (\u003e15 MB) files), then AES-256 CBC encryption\r\nAn illustration of one of the encryption schemes (static key + PBKDF2 + AES-256 CBC) and the code\r\nobfuscation method are given below. The obfuscation is rather weak, which makes it possible to recover the\r\noriginal code.\r\nOne of the blocks of code used for encryption\r\nThe ransom note does not differ much. As usual, the purpose is to leave contact details and intimidate the user.\r\nThanos ransom note\r\nThanos implements a rather flexible attack scheme, allowing the operator to independently select the\r\nransomware’s features and generate it to suit their specific needs.\r\nXMRLocker\r\nXMRLocker was first noticed in early August 2020. It is written in C# and uses .NET libraries for encryption.\r\nEncryption is performed using a generated password of random length of 65–101 characters. A fixed alphabet,\r\nwhich includes English upper- and lower-case letters plus some special characters, is used to generate the\r\npassword.\r\nPassword generation in XMRLocker\r\nEncryption uses the AES algorithm with a key length of 256 bits in CFB mode and with PKCS7 padding. The pre-generated password is passed through the PBKDF2 function with 50,000 iterations, and the result is converted to a\r\nkey and IV for further encryption. PBKDF2 uses a 32-byte random salt, which gets written to the beginning of\r\neach file. A single key is generated for all files. 
It is saved in a text file named HWID, which is sent to the C\u0026C\r\nserver hosted on the Tor network and then deleted.\r\nEncryption function\r\nAfter encryption, the machine is shut down. Upon next startup, the user is greeted with a mocking description of\r\nwhat has happened and the cybercriminals’ details.\r\nMessage after startup\r\nThe ransomware note, as usual, contains contact details and an ID. The only surprising element is the words “files\r\nencrypted with Base-64 algorithm,” since this is not an encryption algorithm and is not used at all by this\r\nransomware.\r\nNote left by the ransomware\r\nTakeaways\r\nBoth well-known and relatively new business-oriented ransomware is present in the CIS. Many of these threats\r\nare actively developing, and some, since being discovered, have been shut down only to reappear on the market.\r\nCybercriminals use various encryption techniques, some of them quite curious, such as dual encryption in\r\nCryptConsole and archive processing in Cryakl.\r\nAlthough there are different vectors of malware distribution, most of the current crop of ransomware threats\r\ntargeting businesses in the CIS penetrate the victim’s network via RDP. To counter this, it is important to create\r\nstrong passwords for domain accounts and change them regularly. 
It is also advised to block RDP access from the\r\ninternet and use a VPN to connect to the corporate network instead.\r\nIoC\r\nSource: https://securelist.com/cis-ransomware/104452/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/cis-ransomware/104452/"
	],
	"report_names": [
		"104452"
	],
	"threat_actors": [],
	"ts_created_at": 1775434678,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/328c422ae731c190af0503d6e90ae2c046226509.pdf",
		"text": "https://archive.orkl.eu/328c422ae731c190af0503d6e90ae2c046226509.txt",
		"img": "https://archive.orkl.eu/328c422ae731c190af0503d6e90ae2c046226509.jpg"
	}
}