{
	"id": "7c4d9209-4b73-4aaf-97ad-fc424144c4f1",
	"created_at": "2026-04-06T00:10:19.153577Z",
	"updated_at": "2026-04-10T13:11:46.049114Z",
	"deleted_at": null,
	"sha1_hash": "839ec8c15b3d73e56700e7b215a84e6a41874e51",
	"title": "Ransomware Roundup - Gwisin, Kriptor, Cuba, and More | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 612818,
	"plain_text": "Ransomware Roundup - Gwisin, Kriptor, Cuba, and More |\r\nFortiGuard Labs\r\nPublished: 2022-08-18 · Archived: 2026-04-05 12:41:31 UTC\r\nOn a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining\r\ntraction within the OSINT community and within our datasets. The Ransomware Roundup report aims to provide\r\nreaders with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against\r\nthose variants.\r\nThis latest edition of the Ransomware Roundup covers the DarkyLock, Gwisin, vvyu, Kriptor, and Cuba\r\nransomware families.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Microsoft Windows Users\r\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\r\nSeverity level: High\r\nDarkyLock ransomware\r\nDarkyLock is a Babuk variant that appears to be new for 2022. Should this variant execute on a victim’s system,\r\nfiles will be encrypted and given a “.darky” file extension.\r\nFigure 1. Files encrypted by DarkyLock ransomware.\r\nLocations where files are encrypted will also have a ransom note deposited in them named “Restore-My-Files.txt”.\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more\r\nPage 1 of 10\r\nFigure 2. DarkyLock ransom note.\r\nThe ransom note demands 0.005BTC (approximately $120.00USD) to decrypt the files on an affected system. At\r\nthe time of writing, there have been no transactions observed using the Bitcoin wallet mentioned in the ransom\r\nnote.\r\nAn interesting string appears in the DarkyLock executable that references LockBit 3.0, also known as LockBit\r\nBlack ransomware.\r\nFigure 3. Interesting string contained within the DarkyLock executable.\r\nIt’s currently unknown why the reference to LockBit 3.0 includes “colorful” language.\r\nFortinet Protections\r\nFortinet customers running the latest (AV) definitions are protected against known DarkyLock ransomware\r\nvariants by the following signatures:\r\nW32/FilecoderProt.F183!tr.ransom\r\nW32/CoinMiner.NBH!tr\r\nGwisin ransomware\r\nGwisin is a ransomware variant that was reportedly used to target companies in South Korea. It encrypts files on\r\ncompromised machines and adds a file extension named after the target company to the affected files.\r\nInfection begins with an MSI (Windows Installer) file delivered to the target machine. Contained within\r\nit is a Windows DLL file that only executes when a specific set of criteria is met via the installer package,\r\nmaking it difficult to detect in an environment. It is likely that the circumstances for installation are unique to each\r\nvictim organization.\r\nFigure 4. Some of the variables that need to be satisfied by the MSI installer.\r\nFortinet Protections\r\nFortinet customers running the latest (AV) definitions are protected against known Gwisin ransomware variants by\r\nthe following signature:\r\nW32/PossibleThreat\r\nvvyu ransomware\r\nvvyu is a variant of the STOP/DJVU ransomware family designed to encrypt files on a victim’s machine. Should\r\nthe ransomware be successful in running, a ransom note will be deposited in every location where files are\r\nencrypted.\r\nFigure 5. vvyu ransom note.\r\nIt demands a price of $980USD to have software provided to decrypt the affected files on the system, although a\r\ndiscount is promised for payment within the first 72 hours. Support e-mail addresses and a unique ID are also\r\nprovided for contact with the operators. Files encrypted by vvyu will have a “.vvyu” file extension appended to\r\nthem.\r\nFigure 6. Files encrypted by vvyu ransomware.\r\nFortinet Protections\r\nFortinet customers running the latest (AV) definitions are protected against known vvyu ransomware variants by\r\nthe following signature:\r\nW32/Stealer.3389!tr\r\nKriptor ransomware\r\nAt first glance, the ransom note and screen from Kriptor appear very similar to those of the infamous WannaCry\r\nransom attack from 2017. There’s even a reference to it, “Wannacry@Kozisis,” in a WannaCry-like ransom\r\nscreen. Unlike WannaCry, however, there is no mechanism for self-propagation to spread to other machines.\r\nAs with WannaCry and other ransomware families, Kriptor will encrypt files of interest on a victim machine and\r\ndemand a ransom of $300USD worth of Bitcoin (0.012BTC) to be sent to a wallet controlled by the malware\r\nauthors. At the time of this writing, there have been no transactions observed using the Bitcoin wallet mentioned\r\nin the ransom note.\r\nFigure 7. Kriptor ransom note.\r\nFiles will be encrypted and appended with a “.Kriptor” file extension. A running clock will count down from 72\r\nhours, after which point the malware authors threaten to double the ransom and/or prevent decryption permanently\r\nfrom that point onwards.\r\nFigure 8. Files encrypted by Kriptor ransomware.\r\nFigure 9. File properties for Kriptor ransomware show further callbacks to WannaCry.\r\nFortinet Protections\r\nFortinet customers running the latest (AV) definitions are protected against known Kriptor ransomware variants by\r\nthe following signature:\r\nW32/Filecoder.OAE!tr.ransom\r\nCuba ransomware\r\nThe Cuba ransomware family has been observed since 2019. Its operators use the now ubiquitous “double extortion”\r\nmethod of threatening to release a victim’s data on the Internet if they do not pay the requested ransom.\r\nFigure 10. Cuba ransomware TOR site.\r\nOnce the ransomware has executed, a ransom note will be deposited in any directory where files have been\r\nencrypted. The ransom note will be named “!! READ ME !!.txt” and contain a unique ID to contact the\r\nransomware controllers to pay. The primary contact channel is Tox (a peer-to-peer instant messaging protocol)\r\nwith a backup e-mail address if a victim cannot make contact. Files encrypted by Cuba will have a “.cuba” file\r\nextension appended.\r\nFigure 11. The ransom note for Cuba ransomware.\r\nFigure 12. Files encrypted by Cuba ransomware.\r\nFortinet Protections\r\nFortinet customers running the latest (AV) definitions are protected against known Cuba ransomware variants by\r\nthe following signatures:\r\nW32/Filecoder.OAE!tr.ransom\r\nW32/GenKryptik.EMOA!tr\r\nW32/Kryptik.HGXH!tr\r\nW32/Filecoder.OAE!tr.ransom\r\nW32/Injector.EQGY!tr\r\nJS/Agent.5646!tr\r\nW32/GenKryptik.FSCS!tr\r\nBest practices include not paying a ransom\r\nOrganizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom,\r\npartly because payment does not guarantee files will be recovered. Ransom payments may also embolden\r\nadversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or\r\nfund illicit activities that could potentially be illegal, according to a U.S. Department of the Treasury Office of\r\nForeign Assets Control (OFAC) advisory. The FBI has a Ransomware Complaint page, where victims can submit\r\nsamples of ransomware activity via the Internet Crimes Complaint Center (IC3).\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more"
	],
	"report_names": [
		"ransomware-roundup-gwisin-kriptor-cuba-and-more"
	],
	"threat_actors": [],
	"ts_created_at": 1775434219,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/839ec8c15b3d73e56700e7b215a84e6a41874e51.pdf",
		"text": "https://archive.orkl.eu/839ec8c15b3d73e56700e7b215a84e6a41874e51.txt",
		"img": "https://archive.orkl.eu/839ec8c15b3d73e56700e7b215a84e6a41874e51.jpg"
	}
}