{
	"id": "b8ade2a6-377a-493c-af37-ef86ef3b017e",
	"created_at": "2026-04-06T00:20:16.266008Z",
	"updated_at": "2026-04-10T03:26:36.599061Z",
	"deleted_at": null,
	"sha1_hash": "68ba702491f90762631cada22cecab3607cc4893",
	"title": "ShurL0ckr Ransomware as a Service Peddled on Dark Web, can Reportedly Bypass Cloud Applications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 750847,
	"plain_text": "ShurL0ckr Ransomware as a Service Peddled on Dark Web, can\r\nReportedly Bypass Cloud Applications\r\nArchived: 2026-04-05 22:01:09 UTC\r\nSecurity researchers uncovered a new ransomware named\r\nShurL0ckr (detected by Trend Micro as RANSOM_GOSHIFR.B) that reportedly bypasses detection mechanisms\r\nof cloud platforms. Like Cerber and Satan, ShurL0ckr’s operators further monetize the ransomware by peddling it\r\nas a turnkey service to fellow cybercriminals, allowing them to earn additional income through a commission\r\nfrom each victim who pays the ransom.\r\nThe researchers’ analysis of ShurL0ckr indicates it can evade detection by cloud applications where it’s reported\r\nto proliferate. Like other ransomware, phishing and drive-by downloads are their likeliest infection vectors.\r\nShurL0ckr’s discovery was part of a larger problem: cybercriminals abusing legitimate platforms and services.\r\nThe researchers noted that 44% of businesses using cloud applications were in some way affected by malware. In\r\nfact, they found at least three enterprise software-as-a-service (SaaS) applications infected with malware. The\r\nresearchers also found malicious scripts and executables, as well as Trojanized Office documents and image files,\r\nto be the most commonly used entry point.\r\n[RELATED NEWS: Security Flaw in Google Apps Script can Let Hackers Deliver Malware via SaaS\r\nPlatform]\r\nIndeed, ransomware isn’t going away any time soon. In fact, it’s projected to be a cybercriminal mainstay, along\r\nwith digital extortion, as organizations increasingly incorporate emerging technologies to conduct business.\r\nHow exactly does RaaS figure into this? It lowers barriers to entry. Typically, a developer will write the malware,\r\nbuild its infrastructure, then make it accessible to others regardless of their technical knowhow. 
This business\r\nmodel continued to boom into 2017, as evidenced by the 2,502% growth in ransomware’s economy in the dark\r\nweb. A lifetime license to WannaCry ransomware, for instance, was sold for just $50 in the Middle Eastern and\r\nNorth African underground two days after its outbreak in May last year.\r\nIndeed, RaaS thrived in 2017—with the likes of Satan promising easy buck and FrozrLock guaranteeing\r\n“unlimited builds” to Karmen, Nemes1s RaaS, PadCrypt, and Fatboy, touting premium customer service.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications\r\nPage 1 of 3\n\nShurL0ckr exemplifies how outsourcing malware puts threats into more cybercriminal hands, resulting in ever-increasing builds of similar malware in the wild with varying degrees of capabilities, and constantly fine-tuned to\r\nevade traditional security mechanisms.\r\nGiven ShurL0ckr’s nature, the ransomware can be customized — from the ransom demand and encryption\r\ncapabilities to how it’s delivered, which makes defense in depth significant. 
Here are some best practices users\r\nand organizations can adopt to mitigate threats like ShurL0ckr:\r\nRegularly back up files and ensure their integrity and accessibility\r\nKeep the system, its applications, and the network updated; employ virtual patching for end-of-life and legacy systems\r\nSecure or restrict the use of tools typically reserved for system administrators to prevent their abuse\r\nIncorporate multilayered security mechanisms such as data categorization, network segmentation, application control/whitelisting, and behavior monitoring\r\nEnable the firewall, sandbox, and deploy intrusion detection and prevention systems\r\nNurture cybersecurity awareness: Beware of socially engineered email and develop proactive incident response and remediation strategies to mitigate further exposure\r\nTrend Micro Solutions\r\nEnterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by\r\nthese threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email\r\nInspector and InterScan™ Web Security prevent ransomware from ever reaching end users.\r\nAt the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine\r\nlearning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this\r\nthreat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro\r\nDeep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud. 
\r\nTrend Micro’s Cloud App Security (CAS) can help enhance the security of Office 365 apps and other cloud\r\nservices such as Google Drive by using cutting-edge sandbox malware analysis for ransomware and other\r\nadvanced threats.\r\nThese solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat\r\ndefense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints.\r\nSmart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud\r\nSecurity, User Protection, and Network Defense.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications"
	],
	"report_names": [
		"shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications"
	],
	"threat_actors": [
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434816,
	"ts_updated_at": 1775791596,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/68ba702491f90762631cada22cecab3607cc4893.pdf",
		"text": "https://archive.orkl.eu/68ba702491f90762631cada22cecab3607cc4893.txt",
		"img": "https://archive.orkl.eu/68ba702491f90762631cada22cecab3607cc4893.jpg"
	}
}