{
	"id": "7f0825f6-19c1-47b3-be19-af11ae4d2a74",
	"created_at": "2026-04-06T00:17:57.58937Z",
	"updated_at": "2026-04-10T03:21:58.43657Z",
	"deleted_at": null,
	"sha1_hash": "9e2153deb353cd95d6a815518482096176f79f16",
	"title": "Ransomware Groups to Watch: Emerging Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2401742,
	"plain_text": "Ransomware Groups to Watch: Emerging Threats\r\nBy Doel Santos, Ruchna Nigam\r\nPublished: 2021-08-24 · Archived: 2026-04-05 16:12:12 UTC\r\nExecutive Summary\r\nAs part of Unit 42’s commitment to stop ransomware attacks, we conduct ransomware hunting operations to\r\nensure our customers are protected against new and evolving ransomware variants. We monitor the activity of\r\nexisting groups, search for dark web leak sites and fresh onion sites, identify up-and-coming players and study\r\ntactics, techniques and procedures. During our operations, we have observed four emerging ransomware groups\r\nthat are currently affecting organizations and show signs of having the potential to become more prevalent in the\r\nfuture:\r\nAvosLocker is ransomware as a service (RaaS) that started operations in late June, using a blue beetle logo\r\nto identify itself in communications with victims and “press releases” aimed at recruiting new affiliates.\r\nAvosLocker was observed promoting its RaaS program and looking for affiliates on dark web discussion\r\nforums and other forums. Like many of its competitors, AvosLocker offers technical support to help\r\nvictims recover after they’ve been attacked with encryption software that the group claims is “fail-proof,”\r\nhas low detection rates and is capable of handling large files. This ransomware also has an extortion site,\r\nwhich claims to have impacted six organizations in the following countries: the U.S., the U.K., the U.A.E.,\r\nBelgium, Spain and Lebanon. We have observed initial ransom demands ranging from $50,000 to $75,000.\r\nHive Ransomware is double-extortion ransomware that started operations in June. Since then, Hive has\r\nimpacted 28 organizations that are now listed on the group’s extortion site, including a European airline\r\ncompany and three U.S.-based organizations. 
Hive uses all tools available in the extortion toolset to create\r\npressure on the victim, including the date of initial compromise, countdown, the date the leak was actually\r\ndisclosed on their site, and even the option to share the disclosed leak on social media.\r\nHelloKitty is not a new ransomware group; it can be tracked as early as 2020, mainly targeting Windows\r\nsystems. However, in July, we observed a Linux variant of HelloKitty targeting VMware’s ESXi\r\nhypervisor, which is widely used in cloud and on-premises data centers. We also observed two clusters of\r\nactivity. Across the observed samples, some threat actors preferred email communications, while others\r\nused TOR chats for communication with the victims. The observed variants impacted five organizations in\r\nItaly, Australia, Germany, the Netherlands and the U.S. The highest ransom demand observed from this\r\ngroup was $10 million, but at the time of writing, the threat actors have only received three transactions\r\nthat sum up to about $1.48 million.\r\nLockBit 2.0 (previously known as ABCD ransomware) is a three-year-old RaaS operator that has been\r\nlinked to some high-profile attacks lately following the June launch of a slick marketing campaign to\r\nrecruit new affiliates. It claims to offer the fastest encryption on the ransomware market. LockBit 2.0 has\r\nimpacted multiple industries – 52 victims are listed on the group’s leak site. 
Its victims include\r\norganizations in the U.S., Mexico, Belgium, Argentina, Malaysia, Australia, Brazil, Switzerland, Germany,\r\nItaly, Austria, Romania and the U.K.\r\nhttps://unit42.paloaltonetworks.com/emerging-ransomware-groups/\r\nPage 1 of 18\n\nHere, we share information we've gathered from our observations of the behavior of these ransomware groups to\r\nhelp organizations defend against them.\r\nPalo Alto Networks Next-Generation Firewall customers are protected from these threats with Threat Prevention\r\nand WildFire security subscriptions. Customers are also protected with Cortex XDR and can use AutoFocus for\r\ntracking related entities.\r\nAvosLocker\r\nAvosLocker is new ransomware that was first observed on July 4, 2021, and follows the RaaS model. The\r\nransomware operator of the same name, avos, advertised their affiliate program on Dread (Figure 1). Dread is a\r\nReddit-like dark web discussion forum featuring news and sub-dreads around darknet markets. The announcement\r\nof the program includes information about features of the ransomware and lets affiliates know that AvosLocker\r\noperators will take care of negotiation and extortion practices. The user Avos has also been observed trying to\r\nrecruit individuals on the Russian forum XSS.\r\nFigure 1. AvosLocker announcement in Dread.\r\nAvosLocker, when executed, first opens a Windows shell showing the progress of the encryption process. After\r\nencryption is complete, it then appends the .avos extension to the encrypted files and drops the ransom note\r\nGET_YOUR_FILES_BACK.TXT in every encrypted directory (Figure 2). We observed another AvosLocker sample that behaves exactly the same\r\nway as the initial observed sample, but also included a string called “Message from the agent” letting the victim\r\nknow their files were exfiltrated.\r\nFigure 2a. AvosLocker ransom note.\r\nFigure 2b. 
Encrypted files.\r\nThe ransom note includes information and an ID used to identify victims, and instructs the victim to visit the\r\nAvosLocker TOR site (Figure 3).\r\nFigure 3. AvosLocker landing page.\r\nAfter submitting the ID, the victim will encounter a support chat and the request for ransom. From the available\r\ninstances observed, we have seen payment requests as low as $50,000 and as high as $75,000 in Monero (XMR).\r\nAs seen with other ransomware groups, AvosLocker increases the ransom price if the victim doesn’t pay in the\r\ndesignated time period, as shown in Figure 4.\r\nFigure 4. AvosLocker support page.\r\nWhile exploring their site, we discovered that this group has already affected seven organizations: two law firms,\r\none in the U.K. and one in the U.S.; a logistics company in Spain; a real estate agency in Belgium; a holdings\r\ncompany in Turkey; a Syrian transportation organization and a city in the U.S. Some of the leaked data displayed\r\non their site include private organization documents and personally identifiable information.\r\nAvosLocker's first site post, on Jan. 1, 2021, was an announcement that the site was officially online (Figure 5).\r\nThe user avos also announced they started leaking data on multiple sub-dreads as well. We believe this was done\r\nto attract more affiliates and traffic to their site.\r\nFigure 5. AvosLocker leak site and multiple advertisements on Dread.\r\nHive Ransomware\r\nHive ransomware began operations in June 2021 and has already shown notable disregard for its victims’ welfare,\r\nattacking organizations including healthcare providers and mid-size organizations ill-equipped for managing a\r\nransomware attack. 
Hive published their first victim on their leak site, Hive Leaks, in late June (Figure 6). Since\r\nthen, 28 victims have been published on the Hive Leaks site, including a European airline company and three\r\nU.S.-based organizations, one each in hardware retail, manufacturing and law. The posts include the date and time\r\nthe victim was affected.\r\nFigure 6. Hive Leaks.\r\nWhen this ransomware is executed, it drops two batch scripts. The first script, hive.bat, tries to delete itself, and\r\nthe second script is in charge of deleting the shadow copies of the system (shadow.bat). Hive ransomware adds the\r\n[randomized characters].hive extension to the encrypted files and drops a ransom note titled\r\nHOW_TO_DECRYPT.txt containing instructions and guidelines to prevent data loss (Figure 7). The ransom note\r\nincludes a generated login credential for the victim to chat with what the threat actors claim is their “sales”\r\ndepartment. The TOR link directs the “customer” to a login page, and after the credentials are submitted, it opens\r\nup a chat room for communication between the operators and the victim (Figure 8).\r\nFigure 7. Hive ransom note.\r\nWe noticed that the login credentials provided by the ransom note were for a specific victim. With this in mind, we\r\nthen hunted for additional samples and found two more victims that were affected but not yet listed on the leak\r\nsite at the time of writing. After logging in, the victim will see a chat where they can talk to the operators and get\r\ntheir decryptors (Figure 8).\r\nFigure 8. 
Hive chat (left) and login page (right).\r\nWe don’t yet have information on how Hive ransomware is being delivered, but ransomware operators are known\r\nfor buying access to certain networks, brute-forcing credentials or spear-phishing for initial access.\r\nHelloKitty: Linux Edition\r\nHelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems.\r\nThe malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The\r\nransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or\r\n.kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final\r\nransomware code is only loaded in memory, most likely to evade detection by security solutions.\r\nIn July 2021, we came across a Linux (ELF) sample with the name funny_linux.elf containing a ransom note with\r\nverbiage that directly matched ransom notes seen in later samples of HelloKitty for Windows. This led to the\r\ndiscovery of other samples of this Linux strain of the HelloKitty ransomware, dating as far back as October 2020.\r\nHowever, starting in March, the samples began targeting ESXi, a target of choice for recent Linux ransomware\r\nvariants.\r\nOddly enough, the preferred mode of communication shared by attackers in the ransom notes across the different\r\nsamples is a mix between TOR URLs and victim-specific Protonmail email addresses. This could indicate\r\ndifferent campaigns or even entirely different threat actors making use of the same malware codebase. Since the\r\nsamples we found contained victim-specific ransom notes, we were able to get an idea of the ransomware’s\r\ntargets. 
We observed six organizations impacted by Hello Kitty, including Italian and Dutch pharmaceutical\r\norganizations, a Germany-based manufacturer, an Australian industrial automation solutions organization, and a\r\nmedical office and a stock broker in the U.S. One sample, oddly enough, didn’t contain any contact information in\r\nits ransom note.\r\nWe also observed that the ransom demanded by the operator varies depending on the impacted organization; we\r\nsaw demands as high as $10 million and as low as $950,000 in Monero (Figure 9). The operators behind\r\nHelloKitty are also open to using bitcoin (BTC), but they charge more for bitcoin transactions due to its\r\nassociated fees. We were able to look up the BTC wallet address they provided for victims\r\n(bc1ql5f3m75qx3ueu2pz5eeveyqsw6pdjs3ufk8r20) and confirm that three transactions were made to that address,\r\nsumming up to $1,477,872.41.\r\nFigure 9. HelloKitty chats.\r\nThe samples found primarily made use of different combinations of the arguments described in Table 1.\r\nArgument | Description | Value(s)\r\nv | Verbose mode | 0 or 1\r\nd | Run the process as a daemon | 0 or 1\r\ne | When the flag is set, the ransomware only encrypts files with the extensions .vmdk, .vmx, .vmsd and .vmsn. It is not set by default, which means that all files under the start path that don’t match certain ransomware-specific file extensions will be encrypted | 0 or 1\r\nk | When this flag is set, the ransomware tries to kill VMs running on the host using the esxcli tool. It is not set by default | 0 or 1\r\nm | Mode | 5 (default) or 10 or 20 or 25 or 33 or 50\r\nc | (Unsure of purpose) | \r\nTable 1. 
Arguments accepted by the Linux HelloKitty ransomware.\r\nThe following esxcli commands are executed to kill running VMs, when the k flag is set:\r\nesxcli vm process list\r\nesxcli vm process kill -t=soft -w=%d %(PID)\r\nesxcli vm process kill -t=force -w=%d %(PID)\r\nThe malware samples log their output to a work.log file in their execution path.\r\nFinally, the ransomware makes use of the Elliptic Curve Digital Signature Algorithm (ECDSA) for encrypting\r\nfiles using functions from the shared library libcrypto.so for encryption. The encrypted file is saved with the\r\nextension .crypt. Each encrypted file has a corresponding file with the extension .README_TO_RESTORE\r\ncontaining the ransom note. Additional details can be found in the appendix of this report.\r\nLockBit 2.0\r\nLockBit is another ransomware group that follows the RaaS model. According to their website, this ransomware\r\naffiliate program has been active since September 2019. While LockBit has been known for some time, we\r\nincluded this group in this blog because of their recent evolution to LockBit 2.0. In June 2021, the operators\r\nbehind this ransomware revamped their site and rebranded as LockBit 2.0.\r\nSince June 2021, they have compromised 52 organizations in the accounting, automotive, consulting, engineering,\r\nfinance, high tech, hospitality, insurance, law enforcement, legal services, manufacturing, non-profit energy, retail,\r\ntransportation and logistics, and utilities industries in the following countries: Argentina, Australia, Austria, Belgium,\r\nBrazil, Germany, Italy, Malaysia, Mexico, Romania, Switzerland, the U.K. and the U.S. All the posts by the threat\r\nactors on their leak site include a countdown until confidential information is released to the public, which creates\r\nadditional pressure on the victim (Figure 10).\r\nFigure 10. 
Affiliation program description (left) and leak site (right).\r\nThe threat actors behind this ransomware claim that their current variant is the fastest encryption software in\r\noperation. To attract more affiliates, they include a table comparing different ransomware families, including their\r\nprevious variant (Figure 11).\r\nFigure 11. Encryption speeds comparison released by LockBit.\r\nWhen LockBit is executed, it starts encrypting files and appends the .lockbit extension. Additionally, the\r\nransomware changes the icon of the encrypted file to the LockBit 2.0 logo (Figure 12b). After encryption is\r\ncomplete, LockBit then drops the ransom note titled Restore-My-Files.txt (Figure 12a).\r\nFigure 12a. Ransom note.\r\nFigure 12b. Encrypted files.\r\nSimilar to REvil, LockBit 2.0 ransomware modifies the victim’s desktop wallpaper if the encryption process is\r\nsuccessful, making the victim aware of their compromise. The wallpaper also includes an advertisement aimed at\r\nencouraging insider threats that all organizations could fall prey to (Figure 13).\r\nFigure 13. Modified LockBit 2.0 wallpaper.\r\nThe advertisement states that the threat actors are interested in methods of access, such as RDP, VPN and\r\ncorporate email credentials. In exchange, they offer a cut of the paid ransom.\r\nIf the victim wants to communicate with LockBit operators to get their data back, the operators include a\r\n“Decryption ID” and a TOR link (and their clearnet mirror: decoding[.]at) on the ransom note. This information\r\nallows the user to log in and start the negotiation process (Figure 14).\r\nFigure 14. 
Support site login (left) and LockBit Support chat (right).\r\nConclusion\r\nWith major ransomware groups such as REvil and Darkside lying low or rebranding to evade law enforcement\r\nheat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims.\r\nHere, we shared information on some of the observed malicious activity of the ransomware groups trying to\r\nbecome the next key players. While LockBit and HelloKitty have been previously active, their recent evolution\r\nmakes them a good example of how old groups can re-emerge and remain persistent threats. Unit 42 will continue\r\nto monitor these ransomware families – and new ones that may emerge in the future.\r\nPalo Alto Networks customers are protected against these ransomware families with Cortex XDR or the Next-Generation Firewall with Threat Prevention and WildFire security subscriptions. Customers can use AutoFocus for\r\ntracking related entities using the AvosLocker, Hive, LockBit and HelloKitty tags, respectively. Full visualization\r\nof the techniques observed can be seen in the Unit 42 ATOM viewer.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their\r\ncustomers and systematically disrupt malicious cyber actors. Visit the Cyber Threat Alliance for more information.\r\nIf you think you may have been impacted by any of these ransomware families, please email unit42-\r\ninvestigations@paloaltonetworks.com or call (866) 486-4842 – (866) 4-UNIT42 – for U.S. toll-free; (31-20) 299-\r\n3130 in EMEA; or (65) 6983-8730 in JAPAC. The Unit 42 Incident Response team is available 24/7/365. 
You can\r\nalso take preventative steps by requesting a Ransomware Readiness Assessment.\r\nIndicators of Compromise\r\nAvosLocker\r\nhttps://unit42.paloaltonetworks.com/emerging-ransomware-groups/\r\nPage 14 of 18\n\n43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856\r\nfb544e1f74ce02937c3a3657be8d125d5953996115f65697b7d39e237020706f\r\n3984968230c96d52d78af1905ea1b224e7de36776a6af398a0462321f3c22020\r\n01792043e07a0db52664c5878b253531b293754dc6fd6a8426899c1a66ddd61f\r\nHive Ransomware\r\nA0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749\r\n1e21c8e27a97de1796ca47a9613477cf7aec335a783469c5ca3a09d4f07db0ff\r\nFdbc66ebe7af710e15946e1541e2e81ddfd62aa3b35339288a9a244fb56a74cf\r\n88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1\r\nHello Kitty (Linux)\r\n16a0054a277d8c26beb97850ac3e86dd0736ae6661db912b8782b4eb08cfd36e\r\n556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed\r\n9f82f22c137688d0b3e7912d415605d2bbc56478311fd0b3dc265f8d0006aa8c\r\n8f3db63f70fad912a3d5994e80ad9a6d1db6c38d119b38bc04890dfba4c4a2b2\r\nbedf30bbcefc54bc48432674255856f47c0ba2ec46e913d078a53e66ac9dcff8\r\nCa607e431062ee49a21d69d722750e5edbd8ffabcb54fa92b231814101756041\r\nb4f90cff1e3900a3906c3b74f307498760462d719c31d008fc01937f5400fb85\r\nLockbit 
2.0\r\nF32e9fb8b1ea73f0a71f3edaebb7f2b242e72d2a4826d6b2744ad3d830671202\r\n4de287e0b05e138ab942d71d1d4d2ad5fb7d46a336a446f619091bdace4f2d0a\r\nF3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae\r\nEa028ec3efaab9a3ce49379fef714bef0b120661dcbb55fcfab5c4f720598477\r\nBcdb59232137e570d4afb3c635f8df19ceb03e3f57fe558f4fc69a0be778c6ab\r\n4efcd774d9d224137c5840e9a2d0f9e56c976e8e7a49158e3c15135dd9fbae9c\r\n00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8\r\nE32dc551a721b43da44a068f38928d3e363435ce0e4d2e0479c0dfdb27563c82\r\n16a707a3965ebd71ebc831b68863b855b2c8d60aef8efdef1e0c0a6cc28e9bc7\r\nBc0b54c19949f407da972f0bedf7f429c0fe25181564d1fb6d053b989925898f\r\nAcad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c\r\n0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049\r\nBcbb1e388759eea5c1fbb4f35c29b6f66f3f4ca4c715bab35c8fc56dcf3fa621\r\n717585e9605ac2a971b7c7537e6e311bab9db02ecc6451e0efada9b2ff38b474\r\n73406e0e7882addf0f810d3bc0e386fd5fd2dd441c895095f4125bb236ae7345\r\n90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446\r\n4bb152c96ba9e25f293bbc03c607918a4452231087053a8cb1a8accb1acc92fd\r\n21879b5a8a84c5fe5e009c85744caf74b817c57203020bf919037d7ccb6b6a58\r\n56fd91787c641c2329a86813497d0e6ff219c81a4d61ac10fedef9cd68c3baed\r\nhttps://unit42.paloaltonetworks.com/emerging-ransomware-groups/\r\nPage 15 of 
18\n\n9dd6cc25b2f920b825e15682a4d06435a42b281674ba6e99c8e2b2222c9d638f\r\n23984141a918be3345296bb6bf50d8d356229cb832c726833499fbb950037d00\r\n91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631\r\n1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592\r\n1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770\r\n69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997\r\n26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739\r\nCa57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75\r\n5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db\r\n410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677\r\n0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76\r\n286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f\r\nE3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877\r\n0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335\r\n1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18\r\nFfbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d\r\n76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78\r\nfaa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869\r\n12a435aa3fe7fc3fa531b9e02ee63b907f343b4aa7acc137105e48eb7b32075a\r\ne32dc551a721b43da44a068f38928d3e363435ce0e4d2e0479c0dfdb27563c82\r\nbc0b54c19949f407da972f0bedf7f429c0fe25181564d1fb6d053b989925898f\r\n14b3827e821ee2d719d20c265d873e7e1471df40df1089175adbbe31a83fc0eb\r\nacad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c\r\nbcbb1e388759eea5c1fbb4f35c29b6f66f3f4ca4c715bab35c8fc56dcf3fa621\r\nd089d57b8b2b32ee9816338e96680127babc5d08a03150740a8459c29ab3ba78\r\n32f8eed5b2ada44b51cb251bce22355604d8cafef77e33bce769469926dc8cd7\r\n92ec3373b528e0040fae1c34b6edc8d623d03eac84267bd3ed408fe547b9c944\r\nf32e9fb8b1ea73f0a71f3edaebb7f2b242e72d2a4826d6b2744ad3d830671202\r\nf3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae\r\nd52f0647e519edcea01353
0a23e9e5bf871cf3bd8acb30e5c870ccc8c7b89a09\r\nea028ec3efaab9a3ce49379fef714bef0b120661dcbb55fcfab5c4f720598477\r\nbcdb59232137e570d4afb3c635f8df19ceb03e3f57fe558f4fc69a0be778c6ab\r\n1008af117f3f9f5c2d7f634c7c88fdb2af0dc2a8d01be203f0d69897559d3e05\r\n60b5aa993eaef3342252f8cb3f4c9d7c6272ebf2180a27bac8db516af32e8393\r\n459e6ff44674568233b2b2fbfd56e1456e5d72147fe919c063b5fc87d8fb3365\r\n0bbd59147cf0893d16829d705dcb6bed82487efc77c78fb17c1f2dcffa08875e\r\na8dfd303f2ff18416ccb88a8156298892689767121206b137a92ece8577e7403\r\nebe038b29b9f535f975ac7e6c256b7b0597ff93710c2328e8c43a63c750b441d\r\nb0ae47c915e7ed46e7badb3ed3888debf505c0a9f0a88e1ee18757df74cecb5f\r\n0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9\r\n3dcb5aa76118a5af24c3e01290d2ad0f71adcc21d3e2b337210bbeb97f73881a\r\nade83273f178c3dd5f82c22f42015dcf1aa1a2c961b6e4bf80068b7b5986cc2f\r\nhttps://unit42.paloaltonetworks.com/emerging-ransomware-groups/\r\nPage 16 of 18\n\nb2b29c358242d49da3c9ef237695e02817b3e5b3fbb75fa94b5762e2a4210f8f\r\nd2ab5785e0dcf9c7657d960b7b7e86f1373408226a95946400f98e5957faf631\r\naa727a827c9e978520f5703e9100b52551b97cfc1e15e683cf27ce5212035548\r\n5b9e6d9275e9523aa3945be891745442a07b936ee5236e23934250ba3844f65f\r\n3e3801d5441c63661aca495f3e540ff77c669437924aff64dc340f594fbb185a\r\n99d781a0e9ac3dfaa7f9958cc62051f47ba116835e75b5d61835ff63afc98571\r\ne2e140d6d84e377c313006ae8d0848583f74a1ee7aad0fcd758a1888f9b04694\r\nb2f1ec9408272cc125b96a4f3b7c06c23742d69845e9b6a24f7eafad4da72faa\r\ne7a81e3c2bd77a237a3b75806197cb18db5cbf06fda246739bb3904ac117d013\r\ne15903faaad61d6d6499148c596d8051a51c80973cc1190336769b84a1eca1c8\r\n743ecc953dcd83a48140c82d8a7dcac1af28e0839aed16628ddfc9454bec8dfa\r\n626a4fa1f52623e89b3011c37c2d3ca4069dc5a4d3f5c4f74d4579c2d3d50356\r\n8013232fb7c254269c1029f91a915b80ed7ded53043d239a4be9a0b1fe37fa2c\r\n953bdc65d1d3316ffb2761da09a3b8587228bd40095d72eae95fc373488732cc\r\ne82315985f8eab415f6fabab7f805f0a76db6ca58b851070c946142f0ba29cbd\r\nfab378dbd88af235421174b73ad06d1e5f
2c614c70b9bab318602f51da544d5e\r\na718c499a7a3c505828f5253862c9b2f3c40e2d80132de96e5cc19e3c161730b\r\nb735c0169ecdddba6676c6c490199358f6ab7cc9724391fee2482676a3efc6e5\r\na7591e4a248c04547579f014c94d7d30aa16a01bb2a25b77df36e30a198df108\r\n98900768d564c6962981edde2759889fdda11bb1113c851468e5c40ddafe1d4d\r\n6d26226f99724c18faf355a4e07b74bad72f5837e0de8c8361f7d9a18525b5ae\r\n5f99cdba09aa3e03e531fc34bc5fcee96f61ec0b83b575911d79573da7109906\r\ncd2287122277237a9c507ce9ba5f114ddd48faa1b3f87b33ed1a8b19f65c8a14\r\n93b0c6576c73b48dcb47f6572a31defc1304fd3c4464d50592195fa64edbcafe\r\n34e6f4317e223d712a9464cd2e6ba9e6d7915eac75a8c06648813ea1d7a80b80\r\n36446a57a54aba2517efca37eedd77c89dfc06e056369eac32397e8679660ff7\r\nf17ca8f7527669a35eee12edb7050a81ef91e3f0ea7b3935ddf554a6f731e374\r\n4edbf2358a9820e030136dc76126c20cc38159df0d8d7b13d30b1c9351e8b277\r\n0906a0b27f59b6db2a2451a0e0aabf292818e32ddd5404d08bf49c601a466744\r\n0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d\r\nDomains\r\nDecoding[.]at\r\nbigblog[.]at\r\nlockbit-decryptor[.]com\r\nlockbit-decryptor[.]top\r\nAppendix (Hello Kitty)\r\nExtensions that are ignored for encryption:\r\nhttps://unit42.paloaltonetworks.com/emerging-ransomware-groups/\r\nPage 17 of 18\n\n.crypt\r\n.README_TO_RESTORE\r\n.tmp_\r\n.a\r\n.so\r\n.la\r\nDirectories ignored for encryption:\r\n/bin\r\n/boot\r\n/dev\r\n/etc\r\n/lib\r\n/lib32\r\n/lib64\r\n/lost+found\r\n/proc\r\n/run\r\n/sbin\r\n/usr/bin\r\n/usr/include\r\n/usr/lib\r\n/usr/lib32\r\n/usr/lib64\r\n/usr/sbin\r\n/sys\r\n/usr/libexec\r\n/usr/share\r\n/var/lib\r\nEnlarged Image\r\nSource: https://unit42.paloaltonetworks.com/emerging-ransomware-groups/\r\nhttps://unit42.paloaltonetworks.com/emerging-ransomware-groups/\r\nPage 18 of 18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/emerging-ransomware-groups/"
	],
	"report_names": [
		"emerging-ransomware-groups"
	],
	"threat_actors": [],
	"ts_created_at": 1775434677,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e2153deb353cd95d6a815518482096176f79f16.pdf",
		"text": "https://archive.orkl.eu/9e2153deb353cd95d6a815518482096176f79f16.txt",
		"img": "https://archive.orkl.eu/9e2153deb353cd95d6a815518482096176f79f16.jpg"
	}
}