{
	"id": "10b1c769-dabe-457f-96cd-ff22dbab196b",
	"created_at": "2026-04-06T00:11:31.578684Z",
	"updated_at": "2026-04-10T03:20:47.809145Z",
	"deleted_at": null,
	"sha1_hash": "99991eaf65d75557167442a9a42f49937f515211",
	"title": "The Spectre of SpectraRansomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1755422,
	"plain_text": "The Spectre of SpectraRansomware\r\nPublished: 2025-06-12 · Archived: 2026-04-05 13:13:15 UTC\r\nSpectra Ransomware is a new ransomware seen in the wild since April 2025. We believe it evolved from the Chaos ransomware family, which includes Yashma Ransomware (active since March 2022) and Blacksnake Ransomware (active since March 2023); both share methods with Spectra ransomware, which specifically targets Windows-based systems. Upon execution, it encrypts all files on the infected device and leaves behind a ransom note titled SPECTRARANSOMWARE.txt. The attackers demand a payment of $5,000 in Bitcoin within a 72-hour deadline. The ransom note threatens the victim with double extortion: data encryption combined with data theft.\r\nFig 1: CFF Output\r\nThe sample being analyzed is a 32-bit executable file compiled with Microsoft Visual Studio .NET.\r\nFig 2: ForbiddenCountry\r\nLike Yashma ransomware, Spectra ransomware has a forbiddenCountry method as its initial method, which checks the country using the current input language. If it is Azerbaijan or Turkey, it terminates execution.\r\nhttps://labs.k7computing.com/index.php/the-spectre-of-spectraransomware/\r\nPage 1 of 9\r\nFig 3: Already running\r\nThe ransomware has a method which uses the GetProcess API to enumerate the list of processes running on the host. During execution, it checks whether the malware is already running on the system by using the process name and process ID. If it is already running, it terminates itself.\r\nIn the next method it checks for svchost.exe in C:\\Users\\Username\\AppData\\Roaming. If it is found, the existing svchost.exe is replaced with the malware; if it is not present in that location, the malware copies itself there as svchost.exe. Along with that, it also sleeps the current running thread for 200 milliseconds.\r\nFig 4: RegistryStartup\r\nThe registryStartup module achieves persistence by modifying a registry entry.\r\nFig 5: DisableTaskmanager\r\nThe ransomware uses the DisableTaskManager module and sets disableTaskMgr to “1”. This inhibits the use of Task Manager to kill the ransomware process.\r\nBackup Service Name Backup Product\r\nBackup Exec agent Veritas Technologies\r\nVeeam Insight Partners\r\nGX Fwd GlobalXperts\r\nTeamViewer TeamViewer\r\nAcronis Agent Acronis International GmbH\r\nBackupExec RPC Service Arctera\r\nPDVFS service PDVFS service\r\nDefWatch Symantec and Norton\r\nGxVss GlobalXperts\r\nTable 1: Backup Services targeted by the ransomware\r\nThe stopBackupServices method is used to stop a list of specified backup or security-related services, including backup programs, antivirus software, and system monitoring tools.\r\nFig 6: LookupforDirectories\r\nThe ransomware uses the lookForDirectories method to scan all drives on the system, check whether each drive is the system drive, and then conditionally encrypt directories, excluding common system folders using the following method.\r\nFig 7: CheckDirContains\r\nAfter filtering the folders for encryption, the ransomware uses the CheckDirContains method to exclude system directories and critical files from processing, in order to avoid damaging the OS or triggering alerts when scanning/encrypting files. It loops through an array of known system file paths and filenames.\r\nFig 8: Encrypt_Directory\r\nBased on the folders selected in the previous method, the encryptDirectory method scans a specified folder, encrypts valid files, and recursively processes subdirectories. It retrieves all files in the directory and processes them in parallel. For each file, if its extension matches any of those listed in Table 2, it proceeds to encrypt it; only a file named “SPECTRARANSOMWARE.txt” is left unencrypted. Depending on the file’s size, it either encrypts it using a standard AES-RSA hybrid method (AES_Encrypt) or, for large files (> 1.79 GB), uses a specific method which replaces the contents with “?” (AES_Encrypt_Large). The CreatePassword method (Fig 8) generates a random key containing letters (upper and lower case), digits, and symbols, which is used as a seed to the RSA encryption. Once encryption begins, a message file is dropped in the directory.\r\n.txt .dib .xlsb .pot .mde .aspx .wmv .json .ai4 .xlm .sql .pdb\r\n.jar .dic .7z .xlw .mdf .html .swf .gif .ai5 .xlt .mdb .ico\r\n.dat .dif .cpp .xps .mdw .htm .cer .log .ai6 .xltm .php .pas\r\n.contact .divx .java .xsd .mht .xml .bak .gz .ai7 .svgz .asp .db\r\n.settings .iso .jpe .xsf .mpv .psd .backup .config .ai8 .slk .vmdk .accd\r\n.doc .7zip .ini .xsl .msg .pdf .accdb .vb .arw .tar.gz .onepkg .adp\r\n.docx .ace .blob .kmz .myi .xla .bay .m1v .ascx .dmg .accde .ai\r\n.xls .arj .wps .accdr .nef .cub .p7c .sln .asm .ps .jsp .ai3\r\n.xlsx .bz2 .docm .stm .odc .dae .exif .pst .asmx .psb .safe .mkv\r\n.ppt .cab .wav .accdt .geo .indd .vss .obj .avs .tif .tab .avi\r\n.pptx .gzip .3gp .ppam .swift .cs .raw .xlam .bin .rss .vbs .apk\r\n.odt .lzh .webm .pps .odm .mp3 .m4a .djvu .cfm .key .xlk .lnk\r\n.jpg .tar .m4v .ppsm .odp .mp4 .wma .inc .dbx .vob .js .xltx\r\n.mka .jpeg .amv .1cd .oft .dwg .flv .cvs .dcm .epsp .rb .pptm\r\n.mhtml .xz .m4p .3ds .orf .zip .sie .dbf .dcr .dc3 .crt .potx\r\n.oqy .mpeg .svg .3fr .pfx .rar .sum .tbi .pict .iff .xlsm .potm\r\n.png .torrent .ods .3g2 .p12 .mov .ibank .wpd .rgbe .onepkg .exr .p7b\r\n.csv .mpg .bk .accda .pl .rtf .wallet .dot .dwt .onetoc2 .kwm .pam\r\n.py .core .vdi .accdc .pls .bmp .css .dotx .f4v .opt .max .r3d\r\nTable 2: Extensions targeted by this Ransomware\r\nFig 9: CreatePassword\r\nFig 10: RSA_Encrypt\r\nA randomly generated AES key (used to encrypt files) is first converted to bytes, then encrypted using a hardcoded RSA public key. Thus the file is encrypted using the AES encrypt method and the symmetric key is encrypted using RSA encryption.\r\nFig 11: AES_Encrypt\r\nThe file is encrypted and the RSA key is appended to the file. Along with that, it renames the file path with a random extension.\r\nFig 12: Files with random file extension\r\nFrom the above image we can see that all the file extensions are replaced with a random string of 4 letters, which is different for every file.\r\nFig 13: AES_Encrypt_Large\r\nFig 14 & 15: AddAndOpenNote\r\nOnce file encryption is completed, the ransomware uses the addAndOpenNote method to create a text file in all the encrypted folders as the ransom note.\r\nFig 16: Ransomware note\r\nThe above image shows SPECTRARANSOMWARE.txt, the ransom note stating that all files are encrypted and giving contact details for receiving the key to decrypt them. It also warns the victim to make contact within 72 hours.\r\nFig 17: Wallpaper\r\nFinally, the ransomware changes the wallpaper to the above image using the SetWallpaper module.\r\nWith the increasing risk of malware attacks, it’s important to take steps to protect your data. Using a reliable security product like K7 Total Security and keeping it updated is crucial to defend against these threats.\r\nIOCs\r\nHash Detection Name\r\n559B0D30B7BBF2D514C01E275FADBC90 Trojan ( 005ac4d71 )\r\nSource: https://labs.k7computing.com/index.php/the-spectre-of-spectraransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/the-spectre-of-spectraransomware/"
	],
	"report_names": [
		"the-spectre-of-spectraransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434291,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99991eaf65d75557167442a9a42f49937f515211.pdf",
		"text": "https://archive.orkl.eu/99991eaf65d75557167442a9a42f49937f515211.txt",
		"img": "https://archive.orkl.eu/99991eaf65d75557167442a9a42f49937f515211.jpg"
	}
}