{
	"id": "0fe88f96-a98a-4c60-9033-275732b90c68",
	"created_at": "2026-04-06T01:29:59.578154Z",
	"updated_at": "2026-04-10T03:23:51.490114Z",
	"deleted_at": null,
	"sha1_hash": "5cee052071ca9c28f62d2795852f4069789fce4d",
	"title": "Not so nice after all - afrodita ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1509836,
	"plain_text": "Not so nice after all - afrodita ransomware\r\nBy f0wL\r\nPublished: 2020-01-09 · Archived: 2026-04-06 00:20:06 UTC\r\nThu 09 January 2020 in Ransomware\r\nA new Ransomware strain spread by malicious Office documents targeted at Croatian systems - let's check it out\r\nThis strain was first discovered by Korben Dallas on Twitter on the 9th of January. As I already mentioned, the Malware is delivered via a Malspam/Maldoc attack crafted for Users / Companies from Croatia. Researchers that were involved in the initial analysis: @KorbenD_Intel, @James_inthe_box, @Malwageddon, @pollo290987 and I (@f0wlsec). Thank you for your contributions!\r\nA general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/sources might be illegal depending on where you live.\r\nAfrodita @ AnyRun | VirusTotal | HybridAnalysis --\u003e sha256 9b6681103545432cd1373492297a6a12528f327d14a7416c2b71cfdcbdafc90b\r\nhttps://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html\r\nPage 1 of 9\n\nHere you can see three images extracted from the malicious Excel Docs. Funny how they didn't even bother to think of a fake company name for the second Logo :D\r\nAfrodita uses a sleep routine for Sandbox evasion. In my Tests it took 30-60 mins until the system was infected.\r\nAfter unpacking the sample with UPX, Detect It Easy returns the following:\r\nIt was likely built with a very new Version of Visual Studio (2019).\r\nBelow you can see a screenshot of PEBear from the Imports-Tab.\r\nThe extracted strings tell us quite a lot in this case. It looks like the internal name of the Project is Afrodita and it utilizes the CryptoPP Library. There are some references to .key files, but I haven't found a path or file on an infected machine yet. README_RECOVERY .txt will be the filename of the Ransomnote. Its contents are embedded in the binary's .data section with Base64 encoding. Lastly, Afrodita.dll is the rewritten file that is downloaded as a payload (originally notnice.jpg or verynice.jpg). It's executed via rundll32.exe Afrodita.dll,Sura.\r\nThe following filetypes will be encrypted by Afrodita:\r\n.TXT, .ZIP, .DAT, .JPE, .JPG, .PNG, .JPEG, .GIF, .BMP, .EXIF, .MP4, .RAR, .M4A, .WMA, .AVI, .WMV, .MK\r\nThe Ransomware encrypts the first 512 Bytes of the File Header, which will render most filetypes useless. It does not leave any Signature in the data of the files and neither does it append a custom extension to the filename.\r\nAnother IOC: It creates the following Mutex: 835821AM3218SAZ\r\nUpdate 10.01.2020:\r\nThe criminals obviously failed to properly display the key / victim ID in the Ransomnote. This was also a problem because the screwed encoding killed this Blog's Atom RSS Feed :D To resolve this issue I removed the malformed section from this page. If you want to have a look at the original note plus a couple of encrypted jpegs, download the zip file.\r\nAlso, this Malware family isn't as new as I originally thought. According to Michael Gillespie, the MalwareHunterTeam found the first Maldoc in Late November. A few days later Checkpoint research found it as well:\r\nToday Michael also asked if anyone was able to parse the main-public.key because the format seems off. I extracted it from the binary:\r\nA quick look into the CryptoPP Wiki revealed that the key was in raw (uncooked) ASN.1 format (you can identify it by hex 30 82). Using an online ASN.1 decoder (Link) yields us the public key:\r\n-----BEGIN RSA PUBLIC KEY-----\r\nMIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAxs2xkeHRygZBupFc2+Z//dLnMbWR/NiXQBmP\r\n10Q7nbG/5jaDcik+eGDh2zz6XYr2Ur+sS1yD4/1XQeIZ/zjcjC43H090nUlELTtq9ED8LqevnrOaMQFy\r\nUIhQU+plY5eJd6KuW2dCdv8n0uBDAzBQRnpjJr0AmnkEzRGD5XCoYtrR061kBAerXQjBxhQSnsMWxE2R\r\nexcq38tgf/szXPaoSD1vsSmIwXbc3nTkadYPfjLu6aWWYmikWIi3z+RoUOm7OhmaOu+azPCPBjHc93cB\r\nKsLnxzSHiKRFN4cd0Tu+uvehGl1+v3CK0Zj+nr5OfeNjMGYQj80t0+AqnDQkzwdA/wIBEQ==\r\n-----END RSA PUBLIC KEY-----\r\nMITRE ATT\u0026CK\r\nT1179 --\u003e Hooking --\u003e Persistence\r\nT1179 --\u003e Hooking --\u003e Privilege Escalation\r\nT1045 --\u003e Software Packing --\u003e Defense Evasion\r\nT1179 --\u003e Hooking --\u003e Credential Access\r\nT1114 --\u003e Email Collection --\u003e Collection\r\nIOCs\r\nAfrodita\r\nnotnice.jpg --\u003e SHA256: 9b6681103545432cd1373492297a6a12528f327d14a7416c2b71cfdcbdafc90b\r\nSSDEEP: 6144:EXrm0zIiAhjC7Cqa5ZhiIJDQ13Xdksm1Cx2tJk:EbNQaCq6iIJcdksmJtJ\r\nPayload Servers\r\nhxxp://riskpartner[.]hr/wp-content/notnice.jpg\r\nhxxp://content-delivery[.]in/verynice.jpg\r\nE-Mail Addresses / Contact\r\nafroditateam@tutanota.com\r\nafroditasupport@mail2tor.com\r\nhxxps://t[.]me/RecoverySupport\r\nRansomnote\r\n~~~ Greetings ~~~\r\n[+] What has happened? [+]\r\nYour files are encrypted, and currently unavailable. You are free to check.\r\nEvery file is recoverable by following our instructions below.\r\nEncryption algorithms used: AES256(CBC) + RSA2048 (military/government grade).\r\n[+] Guarantees? [+]\r\nThis is our daily job. We are not here to lie to you - as you are 1 of 10000's.\r\nOur only interest is in us getting payed and you getting your files back.\r\nIf we were not able to decrypt the data, other people in same situation as you\r\nwouldn't trust us and that would be bad for our buissness --\r\nSo it's not in our interest.\r\nTo prove our ability to decrypt your data you have 1 file free decryption.\r\nIf you don't want to pay the fee for bringing files back that's okey,\r\nbut remeber that you will lose a lot of time - and time is money.\r\nDon't waste your time and money trying to recover files using some file\r\nrecovery \"experts\", we have your private key - only we can get the files back.\r\nWith our service you can go back to original state in less then 30 minutes.\r\n[+] Service [+]\r\nIf you decided to use our service please follow instructions below.\r\nContact us:\r\nInstall Telegram(available for Windows,Android,iOS) and contact us on chat:\r\nTelegram contact: https://t.me/RecoverySupport\r\nAlso available at email afroditateam@tutanota.com cc: afroditasupport@mail2tor.com\r\nMake sure you are talking with us and not impostor by requiring free 1 file decryption to make sure w\r\n[Removed victim ID because it breaks the RSS Feed :D]\r\nTitle Image by Robert Drózd, modified\r\nSource: https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html"
	],
	"report_names": [
		"not-so-nice-after-all-afrodita-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438999,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5cee052071ca9c28f62d2795852f4069789fce4d.pdf",
		"text": "https://archive.orkl.eu/5cee052071ca9c28f62d2795852f4069789fce4d.txt",
		"img": "https://archive.orkl.eu/5cee052071ca9c28f62d2795852f4069789fce4d.jpg"
	}
}