{
	"id": "71a8907c-753c-4a15-9172-e6951b780e64",
	"created_at": "2026-04-06T00:17:46.242179Z",
	"updated_at": "2026-04-10T03:21:12.208141Z",
	"deleted_at": null,
	"sha1_hash": "87bc1bd503bfe5a8d6f79b305268a734a9c9e345",
	"title": "From the Front Lines | Another Rebrand? Mindware and SFile Ransomware Technical Breakdown",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3477636,
	"plain_text": "From the Front Lines | Another Rebrand? Mindware and SFile\r\nRansomware Technical Breakdown\r\nBy Niranjan Jayanand\r\nPublished: 2022-06-06 · Archived: 2026-04-05 22:47:22 UTC\r\nResearchers have recently noted the emergence of a new ransomware operator calling itself ‘Mindware’. The gang\r\nis thought to be responsible for a number of attacks beginning around March to April 2022, with suggestions that\r\nthe malware was used to attack a not-for-profit mental health provider. Aside from targeting organizations in the\r\nHealthcare sector,  Mindware has posted data on its leaks site belonging to organizations in sectors such as\r\nFinance, Engineering and Manufacturing. Mindware has a number of overlaps with an earlier ransomware strain\r\nknown as SFile (aka SFile2, Escal). In this post, we review how Mindware differs from other ransomware\r\nfamilies, note its similarities to SFile, and provide technical indicators to aid threat hunters and detection teams.\r\nOverview\r\nAccording to one source, the Mindware gang first became active in March 2022. By April, the group was\r\npracticing double extortion and operating its own leaks site. Mindware received further attention in April when it\r\nwas noted by a different researcher to have attacked a mental health provider.\r\nMindware samples use a distinctive Reflective DLL injection technique. This, along with other indicators\r\ndescribed below, show strong overlaps with SFile ransomware samples. Although we do not yet have specifics as\r\nto how Mindware attacks are initiated, SFile is known to use RDP bruteforce as an entry vector into an\r\norganization.\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/\r\nPage 1 of 9\n\nEach Mindware payload is configured for a specific target. 
Upon infection and successful execution, the payload\r\ndrops a hardcoded ransomware note containing a combination of instructions and threats.\r\nMindware ransom note\r\nIn common with a move made by other ransomware groups recently, Mindware attempts to discourage victims\r\nfrom contacting ‘recovery companies’, negotiators or authorities, threatening to immediately leak data should they\r\ndo so. Victims are provided with a .onion URL as a means to make contact with the attackers and to decrypt two\r\n“random files” as proof that the operators possess a decryption key. Victims that refuse to pay are listed on the\r\nMindware ransomware public leaks site.\r\nMindware public leaks site\r\nMindware Technical Analysis\r\nAs noted above, Mindware uses Reflective DLL Injection, a technique in which the shellcode dynamically\r\nretrieves handles to key API functions like LoadLibraryA() and GetProcAddress() by locating function addresses\r\nthrough the Export Address Table loaded by the host process.\r\nThis allows the shellcode to be position-independent by building its own import table and parsing through when\r\nexecuted in memory. This means a PE file could be loaded in the form of shellcode or a DLL entirely from\r\nmemory.\r\nThe technique, which has also been noted in other ransomware families such as BlackMatter, avoids searching for\r\nmodule names directly and instead checks for hashes precalculated with a ROT13 algorithm.\r\nMindware and SFile samples require kernel32.dll and ntdll.dll. 
The APIs are searched for using a combination of\r\nthe PEB (Process Environment Block) of the module and the EAT (Export Address Table) and enumerating all\r\nfunction names.\r\nROT13 Algorithm\r\nAs noted, the same technique is characteristic of SFile ransomware samples, first seen in 2020 and active through\r\n2021. Interestingly, SFile attacks seem to have been on hiatus over the last 9 months or so, and the emergence of\r\nMindware samples with strong overlaps is indicative, as other researchers have noted, of a possible rebrand.\r\nBoth SFile and Mindware ransomware payloads accept the following parameters:\r\n --enable-shares -\u003e encrypt network shares\r\n --kill-susp -\u003e Triggers process termination\r\nThe ransomware checks for and then encrypts internal, removable and remote drive types.\r\nMindware and SFile payloads check for different drive types\r\nOver 200 file types are targeted for encryption, denoted by a hardcoded list of file extensions. However, the\r\nfollowing files are specifically excluded from encryption:\r\nautorun.inf\r\ndesktop.ini\r\nntuser.ini\r\nboot.ini\r\niconcache.db\r\nthumbs.db\r\nbootfont.bin\r\nntuser.dat\r\nbootmgr\r\nbootsect.bak\r\nntuser.dat.log\r\nmessage_to_\u003c\u003credacted\u003e\u003e.txt\r\n! 
cynet ransom protection(don’t delete)\r\nSimilarly, files in the following locations are also excluded from encryption:\r\n%windir% \\all users\\microsoft\\ \\cache2\\\r\n\\google\\ \\All Users\\Microsoft\\ :\\$RECYCLE.BIN\\\r\n\\Program Files\\Internet Explorer\\ \\far manager\\ \\mozilla\\\r\n\\Roaming\\Microsoft\\ \\windows\\system32\\ :\\system volume information\\\r\n\\ida 7.0\\ \\tor browser\\ \\Local\\Microsoft\\\r\n\\windows\\syswow64\\ \\Program Files\\Microsoft Games\\ \\ida 6.8\\\r\n\\windows.old\\ \\Local Settings\\Microsoft\\ \\windows\\system\\\r\n\\inetpub\\logs\\ \\Default\\Extensions\\ \\intel\\\r\n\\LocalLow\\Microsoft\\ \\windows\\winsxs\\ :\\boot\\\r\n\\Temporary Internet Files\\ \\msocache\\ \\Common\\Microsoft\\\r\n\\System\\msadc\\ :\\drivers\\ \\Temp\\\r\n\\perflogs\\ \\Sophos\\ \\Common Files\\\r\n:\\wsus\\ $windows.~bt \\ProgramData\\Microsoft\\\r\n\\Symantec\\ \\WindowsPowerShell\\ \\cache\\\r\n$windows.~ws \\Application Data\\Microsoft\\ \\Leaked\\\r\n\\Mozilla Firefox\\\r\nIn order to protect itself and prevent other running processes from interfering with the encryption process,\r\nMindware kills all other processes, with the exception of the following:\r\nexplorer.exe powershell.exe rundll32.exe\r\nvmnetdhcp.exe vmware-authd.exe vmware-hostd.exe\r\nvmware-tray.exe vmware-usbarbitrator.exe vmware-usbarbitrator32.exe\r\nvmware-usbarbitrator64.exe webroot_updater.exe werfault.exe\r\nwindowsupdate.exe\r\nList of processes that Mindware and SFile allow to run\r\nSFile and Mindware samples are PEs typically around 250-300KB in size.\r\nAnalysis of the SFile payloads shows that SFile ransomware was mostly used against U.S organizations in\r\nManufacturing, Mechanical, and Automobile sectors.\r\nSHA1 – SFile Samples Targeted Sector/Industry\r\n28f73b38ace67b48e525d165e7a16f3b51cec0c0 Automotive 
Engineering\r\nbdb0c0282b303843e971fbcd6d2888d834da204c Other Personal Services\r\n5ffac9dff916d69cd66e91ec6228d8d92c5e6b37 Investment\r\n6960beedbf4c927b75747ba08fe4e2fa418d4d9b Manufacturing\r\n665572b84702c4c77f59868c5fe4d0b621f2e62a Insurance\r\na67686b5ce1d970a7920b47097d20dee927f0a4d Retail\r\n14e4557ea8d69d289c2432066d860b60a6698548\r\nSample has hardcoded org name as CCCR [parent\r\norganization could not be determined]\r\n0f20e5ccdbbed4cc3668577286ca66039c410f95 Engineering\r\nMindware samples also show a strong preference for businesses in similar industries.\r\nSHA1 – Mindware Samples Targeted Sector/Industry\r\nae974e5c37936ac8f25cfea0225850be61666874 Engineering\r\ne9b52a4934b4a7194bcbbe27ddc5b723113f11fe Healthcare\r\n9bc1972a75bb88501d92901efc9970824e6ee3f5 Manufacturing\r\nf91d3c1c2b85727bd4d1b249cd93a30897c44caa Finance\r\n46ca0c5ad4911d125a245adb059dc0103f93019d Engineering\r\nHow To Protect Against Mindware and SFile Ransomware\r\nThe SentinelOne Singularity platform detects and prevents execution of Mindware and SFile ransomware strains.\r\nFor organizations not currently protected by SentinelOne, please see the list of Indicators of Compromise at the\r\nend of this post and the technical indicators described above.\r\nConclusion\r\nIndications suggest Mindware is likely a rebrand of SFile, or at least that the same source code or builder for SFile\r\nis available to Mindware operators. 
While neither strain has achieved the notoriety of some of the more well-known ransomware strains that have been circulating recently, it may be that flying under the radar and hitting\r\nselective targets without attracting too much public attention is exactly what the gang are aiming for.\r\nWe hope that the information in this post serves to enable security teams to ensure that they have adequate\r\nresources to detect and prevent this threat. The SentinelOne Singularity platform detects and protects against\r\nSFile, Mindware and all other known ransomware threats. For more information about ransomware protection, see\r\nhere. To learn more about how SentinelOne can help protect your organization from ransomware and other threats,\r\ncontact us or request a free demo.\r\nIndicators of Compromise\r\nMindware Onion Address\r\nhttps[:]//dfpc7yvle5kxmgg6sbcp5ytggy3oeob676bjgwcwhyr2pwcrmbvoilqd[.]onion/\r\nMindware Samples, SHA1\r\nae974e5c37936ac8f25cfea0225850be61666874\r\ne9b52a4934b4a7194bcbbe27ddc5b723113f11fe\r\n9bc1972a75bb88501d92901efc9970824e6ee3f5\r\nf91d3c1c2b85727bd4d1b249cd93a30897c44caa\r\n46ca0c5ad4911d125a245adb059dc0103f93019d\r\nMindware Samples, SHA256\r\nc306254b44d825e008babbafbe7b07e20de638045f1089f2405bf24e7ce9c0dc\r\n00309d22ab53011bd74f4b20e144aa00bf8bb243799a2b48f9f515971c3c5a92\r\n32c818f61944d9f44605c17ca8ba3ff4bd3b2799ed31222975b3c812f9d1126c\r\n81828762ebe7ea99b672c8ac07dc3c311487a5a246db494c7643915f6c673562\r\nd1a0a2dc26603b2e764ee9ab90f3f55a2f11a43e402dd72f4a32a19b0ac414b5\r\nMITRE ATT\u0026CK\r\nTA0005 – Defense Evasion\r\nT1485 – Data Destruction\r\nT1486 – Data Encrypted for Impact\r\nT1027.002 – Obfuscated Files or Information: Software Packing\r\nT1007 – System Service Discovery\r\nT1059 – Command and Scripting Interpreter\r\nT1112 – Modify Registry\r\nTA0010 – Exfiltration\r\nT1018 – Remote 
System Discovery\r\nT1082 – System Information Discovery\r\nSource: https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/"
	],
	"report_names": [
		"from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown"
	],
	"threat_actors": [],
	"ts_created_at": 1775434666,
	"ts_updated_at": 1775791272,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87bc1bd503bfe5a8d6f79b305268a734a9c9e345.pdf",
		"text": "https://archive.orkl.eu/87bc1bd503bfe5a8d6f79b305268a734a9c9e345.txt",
		"img": "https://archive.orkl.eu/87bc1bd503bfe5a8d6f79b305268a734a9c9e345.jpg"
	}
}