{
	"id": "60031571-5099-43e2-a6e7-061f88884b3e",
	"created_at": "2026-04-06T00:15:51.018302Z",
	"updated_at": "2026-04-10T03:29:38.071496Z",
	"deleted_at": null,
	"sha1_hash": "a17e060b4b0ad6346c35e6e6e0155abf2bd4a8a7",
	"title": "Ransomware Spotlight: Water Ouroboros | Trend Micro (GB)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 172350,
	"plain_text": "Ransomware Spotlight: Water Ouroboros | Trend Micro (GB)\r\nArchived: 2026-04-05 13:35:47 UTC\r\nTechnical Details\r\nThe ransomware accepts the following arguments:\r\nArgument: Details\r\nc {username}:{password}: A required argument that specifies the username and password to access the contact page\r\n-a, -attach, --attach: Enables logging\r\n-A, -no-aggressive, --no-aggressive: Disables the deletion of backups and recovery\r\n-E, -no-extension, --no-extension: Disables appending of extension to files\r\n-m, -min-size, --min-size: Specifies the minimum file size for encryption (in bytes)\r\n{File or Path to encrypt}: Encrypts a specific file or directory\r\nTable 1. The arguments accepted by the Water Ouroboros ransomware\r\nIt encrypts fixed, removable, and network drives. It also executes the following commands:\r\nwmic.exe shadowcopy delete\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nwbadmin.exe delete systemstatebackup -keepVersions:3\r\nwbadmin.exe delete systemstatebackup\r\nbcdedit.exe /set {default} recoveryenabled No\r\nvssadmin.exe delete shadows /all /quiet\r\nwbadmin.exe delete catalog-quiet\r\nnotepad.exe {Drive}:\\Contact Us.txt\r\nDuring encryption, Water Ouroboros appends the following extension to the file name of the encrypted files:\r\n{original filename}.{original extension}.locked\r\nThe ransomware contains a list of strings or extensions to determine which files to avoid for encryption:\r\n386, adv, ani, bat, bin, cab, cmd, com, cpl, cur, deskthemepack, diagcab, diagcfg, diagpkg, dll, drv, exe, hlp, hta, icl, icns, ico, ics, idx, key, ldf, lnk, lock, mod, mpa, msc, msi, msp, msstyles, msu, nls, nomedia, ocx, pdb, prf, ps1, rom, rtp, scr, shs, spl, sys, theme, themepack, wpx\r\nhttps://www.trendmicro.com/vinfo/in/security/news/ransomware-spotlight/ransomware-spotlight-water-ouroboros\r\nPage 1 of 8\r\nCertain variants avoid encrypting files with the specified strings or extensions in their file path.\r\nThe following are the ransom notes dropped during infection:\r\n{Encrypted Directory}\\Contact Us.txt\r\n{Drive}:\\Contact Us.txt\r\nFigure 1. The Water Ouroboros ransom note\r\nDuring the encryption routine, it generates and exports the encryption keys and generates the ransom note. It directs the victim to a password-protected Onion domain (TOR website):\r\nhttps://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd[.]onion/\r\nIt also warns the victim of the impending disclosure of their stolen data on the Hive Leaks site:\r\nhttps://hiveleakdbtnp76ulyhi52eag6c6tyc.onion/\r\nIn the function App_ExportKey(), it uses standard Go crypto functions to generate RSA keys. A key file is then exported.\r\nIt generates a random key for the encryption process using the RtlGenRandom API, which is initially saved in memory. This key is then used to encrypt the files via a custom encryption implementation.\r\nThe key is subsequently encrypted via Go's implementation of RSA, using a list of public keys embedded in the binary. The encrypted key is then saved as .key on the encrypted drive.\r\nFinally, the generated key is wiped from memory, ensuring that the encrypted key is the only copy available for decryption.\r\nInfection chain and techniques\r\nInitial Access\r\nWater Ouroboros exploits a public-facing Oracle WebLogic application using known vulnerabilities (CVE-2019-2725, CVE-2017-10271, CVE-2019-2729).\r\nIt also comes bundled in a software installer package (Drive-by Compromise).\r\nExecution\r\nWater Ouroboros performs remote command execution on the compromised server.\r\nIt downloads and executes cracked software and key generators on multiple endpoints.\r\nPersistence\r\nWater Ouroboros uses a compromised admin account to maintain access to the target’s machine.\r\nIt disables security services by modifying the registry.\r\nPrivilege\r\nWater Ouroboros employs credential dumping via registry hives to access sensitive OS credentials.\r\nLateral Movement\r\nWater Ouroboros uses Remote Desktop Protocol (RDP) and Server Message Block (SMB) to access other systems within the network.\r\nDiscovery\r\nWater Ouroboros discovers networks and accounts using tools like AdFind.\r\nIt performs credential discovery via PassView or registry hive dumping.\r\nExfiltration\r\nWater Ouroboros transfers files over the C&C channel to external IP addresses.\r\nIt uses storage software tools for exfiltration.\r\nDefense Evasion\r\nWater Ouroboros disables security tools and services.\r\nPCHunter and ProcessHacker are used for this via a valid account, RDP, or Remote Access Tools (RATs).\r\nCredential Dumping\r\nWater Ouroboros dumps credentials using the HackTool PassView or registry hive dumping.\r\nCollection\r\nWater Ouroboros transfers malicious tools and scripts to compromised systems.\r\nCommand and Control\r\nWater Ouroboros communicates with C&C servers using web protocols.\r\nIt uses the SharpRhino RAT.\r\nImpact\r\nWater Ouroboros encrypts data.\r\nIt drops ransom notes to notify the user of file encryption and potential data leaks.\r\nIt inhibits system recovery by deleting volume shadow copies and disabling recovery measures.\r\nMITRE tactics and techniques\r\nTactics covered: Initial Access, Execution, Defense Evasion, Credential Access, Discovery, Lateral Movement, Exfiltration, Command and Control, Impact\r\nT1190 - Exploit Public-Facing Application: Water Ouroboros exploits Oracle WebLogic remote command execution, resulting in outbound network traffic to a remote host.\r\nT1189 - Drive-by Compromise: User downloads cracked software, indicating potential malware infection through untrusted sources.\r\nT1078 - Valid Accounts: Water Ouroboros maintains malicious activity using a compromised account.\r\nT1059.003 - Command and Scripting Interpreter: Windows Command Shell: Water Ouroboros employs the command line to execute and decompress an archive file containing a ransomware binary.\r\nT1562.001 - Impair Defenses: Disable or Modify Tools: Water Ouroboros modifies the registry to disable the Qualys agent security service.\r\nT1003.002 - OS Credential Dumping: Security Account Manager (SAM): Water Ouroboros performs credential dumping via the registry hive, using the reg command to save the SAM database.\r\nT1595.002 - Active Scanning: Vulnerability Scanning: Water Ouroboros conducts vulnerability scanning from specific IP addresses, indicating preparation for exploitation.\r\nT1087 - Account Discovery: Water Ouroboros uses the AdFind tool to perform account, remote system, and group discovery.\r\nT1018 - Remote System Discovery: Water Ouroboros continues using AdFind to discover other computers on the network.\r\nT1069.002 - Permission Groups Discovery: Domain Trusts: Water Ouroboros further uses AdFind to enumerate domain trusts and organizational units.\r\nT1021.001 - Remote Services: Remote Desktop Protocol: Water Ouroboros uses RDP for remote access and lateral movement.\r\nT1021.002 - Remote Services: SMB/Windows Admin Shares: Water Ouroboros uses SMB to transfer files or remotely access systems, indicating lateral movement.\r\nT1041 - Exfiltration Over Command and Control Channel: Water Ouroboros performs suspected data exfiltration over an outbound SMB connection.\r\nT1105 - Ingress Tool Transfer: Water Ouroboros transfers and uses scripts and discovery tools on the compromised system.\r\nT1071.001 - Application Layer Protocol: Web Protocols: Water Ouroboros employs HTTP/HTTPS protocols to make requests to various C&C servers.\r\nImpact column (cut off at the page edge in the extraction; only fragments survive):\r\nT148… Encr… Impa…: The perp… exec… rans… bina… encry… on th…\r\nT149… Inhib… Reco…: Wate… Ouro… delet… shad… and boot… reco… meas… hind… reco…\r\nT110… Serv…: Wate… Ouro… exec… Proc… to st… serv… pote… evad… detec…\r\nSummary of malware, tools, and exploits used\r\nSecurity teams can look for the presence of the following tools and exploits that are typically used in Water Ouroboros attacks:\r\nAttack tool: MITRE TTP\r\nSharpRhino: (no TTP listed)\r\nStorage software: Exfiltration\r\nPCHunter: Discovery, Defense Evasion\r\nProcessHacker: Discovery, Defense Evasion\r\nAdFind: Lateral Movement\r\nTop affected countries, industries, and business sizes\r\nThe US bore the overwhelming impact of Water Ouroboros attacks, experiencing nearly ten times as many incidents (136) as the next most-targeted country, Canada. The UK, France, Germany, and Italy also ranked among the group's primary targets.\r\nFigure 6. The distribution of countries (top 10) targeted by Water Ouroboros. Sources: Water Ouroboros leak site data and Trend open-source intelligence (OSINT) research (Oct. 2023 - Feb. 2025)\r\nCompanies in the construction, IT, manufacturing, and healthcare industries experienced the highest number of attacks. However, Water Ouroboros targeted a wide range of sectors, demonstrating a broad and diverse attack strategy.\r\nFigure 7. A breakdown of the top 10 industries targeted by Water Ouroboros ransomware attacks. Sources: Water Ouroboros leak site data and OSINT research (Oct. 2023 - Feb. 2025)\r\nThe threat actor launched attacks against organizations of all sizes but appeared to prefer targeting small and medium-sized businesses (1–200 and 201–1,000 employees, respectively), likely due to their limited cybersecurity resources.\r\nFigure 8. A breakdown of the sizes of the organizations targeted by Water Ouroboros ransomware attacks. Sources: Water Ouroboros leak site data and OSINT research (Oct. 2023 - Feb. 2025)\r\nTrend Vision One™\r\nTrend Vision One™ is a cybersecurity platform that simplifies security and helps enterprises detect and stop threats faster by consolidating multiple security capabilities, enabling greater command of the enterprise’s attack surface, and providing complete visibility into its cyber risk posture. The cloud-based platform leverages AI and threat intelligence from 250 million sensors and 16 threat research centers around the globe to provide comprehensive risk insights, earlier threat detection, and automated risk and threat response options in a single solution.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat Insights within Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nHunters International (Hive Ransomware Rebranding)\r\nNew Ransomware-as-a-Service Group: Hunters International seen in multiple LAR Companies\r\nSharpRhino – New Hunters International RAT\r\nTrend Vision One Threat Insights App\r\nHunting queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nHunters International Ransomware Detection\r\nmalName:*RUTHENS* AND LogType: detection\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.\r\nRecommendations\r\nWater Ouroboros, a Ransomware-as-a-Service (RaaS) operation, demonstrates how threat actors can employ existing ransomware infrastructures while introducing new capabilities to evade detection and enhance efficiency. Despite being a relatively new group, Water Ouroboros has already targeted multiple industries worldwide, underscoring the persistent and evolving threat posed by ransomware operations.\r\nThe increasing reliance on vulnerability exploitation as an initial infection vector highlights the importance of timely patching and proactive security measures. Organizations should prioritize securing public-facing applications, as seen in Water Ouroboros’ exploitation of Oracle WebLogic vulnerabilities. Additionally, threat actors are placing greater emphasis on data exfiltration rather than encryption, reinforcing the need for robust data security and incident response strategies.\r\nTo protect systems against Water Ouroboros and similar ransomware threats, organizations should implement a comprehensive security strategy that systematically allocates resources to establish strong defenses. The following best practices can help mitigate ransomware risks:\r\nAudit and inventory\r\nTake an inventory of assets and data\r\nIdentify authorized and unauthorized devices and software\r\nMake an audit of event and incident logs\r\nConfigure and monitor\r\nManage hardware and software configurations\r\nGrant admin privileges and access only when necessary to an employee’s role\r\nMonitor network ports, protocols, and services\r\nActivate security configurations on network infrastructure devices such as firewalls and routers\r\nEstablish a software allow list that only executes legitimate applications\r\nPatch and update\r\nConduct regular vulnerability assessments\r\nPerform patching or virtual patching for operating systems and applications\r\nUpdate software and applications to their latest versions\r\nProtect and recover\r\nImplement data protection, backup, and recovery measures\r\nEnable multifactor authentication (MFA)\r\nSecure and defend\r\nEmploy sandbox analysis to block malicious emails\r\nDeploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network\r\nDetect early signs of an attack such as the presence of suspicious tools in the system\r\nUse advanced detection technologies such as those powered by AI and machine learning\r\nTrain and test\r\nRegularly train and assess employees on security skills\r\nConduct red-team exercises and penetration tests\r\nSource: https://www.trendmicro.com/vinfo/in/security/news/ransomware-spotlight/ransomware-spotlight-water-ouroboros",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/in/security/news/ransomware-spotlight/ransomware-spotlight-water-ouroboros"
	],
	"report_names": [
		"ransomware-spotlight-water-ouroboros"
	],
	"threat_actors": [
		{
			"id": "eb01bdec-5c18-4479-b343-cf58076dacf1",
			"created_at": "2024-08-10T02:02:56.273673Z",
			"updated_at": "2026-04-10T02:00:03.773129Z",
			"deleted_at": null,
			"main_name": "GOLD CRESCENT",
			"aliases": [
				"Hunters International",
				"World Leaks"
			],
			"source_name": "Secureworks:GOLD CRESCENT",
			"tools": [
				"Hunters International",
				"SharpRhino"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434551,
	"ts_updated_at": 1775791778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a17e060b4b0ad6346c35e6e6e0155abf2bd4a8a7.pdf",
		"text": "https://archive.orkl.eu/a17e060b4b0ad6346c35e6e6e0155abf2bd4a8a7.txt",
		"img": "https://archive.orkl.eu/a17e060b4b0ad6346c35e6e6e0155abf2bd4a8a7.jpg"
	}
}