{
	"id": "c00ec107-07fc-481f-bfdf-90caa210c198",
	"created_at": "2026-04-06T01:30:01.761887Z",
	"updated_at": "2026-04-10T13:12:34.251431Z",
	"deleted_at": null,
	"sha1_hash": "a8bab067b2f8ecf2c10808898cbd36d557d50b9d",
	"title": "This is Spartacus: new ransomware on the block",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 408135,
	"plain_text": "This is Spartacus: new ransomware on the block\r\nArchived: 2026-04-06 01:16:53 UTC\r\nIn this blog post, we'll analyse Spartacus, one of many new ransomware families popping up in 2018.\r\nAnalysis\r\nThis instance of Spartacus ransomware has the following properties:\r\nMD5: 25dee2e70c931f3fa832a5b189117ce8\r\nSHA1: a01294ffd541229718948e17f791694efb596123\r\nSHA256: ef25bdbcf05fa478df3ddc5f4f717c070e443da04cfc590d44409c815f237cb3\r\nCompilation timestamp: 2018-01-19 20:36:44\r\nVirusTotal report:\r\nef25bdbcf05fa478df3ddc5f4f717c070e443da04cfc590d44409c815f237cb3\r\nFigure 1 - Spartacus ransomware message\r\nThe message reads:\r\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us\r\nthe e-mail:\r\nMastersRecovery@protonmail.com and send personal ID KEY:\r\nIn case of no answer in 24 hours us to theese e-mail: MastersRecovery@cock.li\r\nThe user may send up to 5 files for free decryption, as a \"guarantee\". There's also a warning message at the end of the\r\nransomware screen:\r\nDo not rename encrypted files.\r\nDo not try decrypt your data using party software, it may cause permanent data loss.\r\nDecryption of your files with the help of thrid parties may cause increased price (they add their fee to our) or you\r\ncan become a victim of a scam.\r\nSpartacus will encrypt files, regardless of extension, in the following folders:\r\nFigure 2 - Target folders to encrypt\r\nGenerating the key:\r\nFigure 3 - KeyGenerator\r\nAs far as I'm aware, Spartacus is the first ransomware that explicitly asks you to send the public key (ID KEY), rather than\r\njust sending an email, including the Bitcoin address straight away, or sending the key automatically.\r\nEncrypted files will get the extension appended as follows:\r\n.[MastersRecovery@protonmail.com].Spartacus\r\nFor example:\r\nPenguins.jpg.[MastersRecovery@protonmail.com].Spartacus\r\nIt will also drop the ransomware note, \"READ ME.txt\", in several locations, such as the user's Desktop:\r\nAll your data has been locked us. You want to return? Write email MastersRecovery@protonmail.com or\r\nMastersRecovery@cock.li Your personal ID KEY:\r\nDvQ9/mvfT3I7U847uKcI0QU3QLd+huv5NOYT2YhfiySde0vhmkzyTtRPlcu73BAJILIPdALjAIy5NLxBHckfyV2XS+GXdjlHMx2V/VEfj4BrZkLB3BQtEd\r\nInterestingly enough, Spartacus also embeds what appears to be a hardcoded and private RSA key:\r\nxA4fTMirLDPi4rnQUX1GNvHC41PZUR/fDIbHnNBtpY0w2Qc4H2HPaBsKepU33RPXN5EnwGqQ5lhFaNnLGnwYjo7w6OCkU+q0dRev14ndx44k1Q\r\nSpartacus will delete Shadow Volume Copies by issuing the following command:\r\ncmd.exe /c vssadmin.exe delete shadows /all /quiet\r\nA unique mutex named \"Test\" will be created so that the ransomware does not run twice, and Spartacus will also continuously\r\nkeep the ransomware screen or message in the foreground, on top of other windows, using the SetForegroundWindow\r\nfunction:\r\nFigure 4 - Ransom will stay on top and annoy the user\r\nTo repeat, the email addresses used are:\r\nMastersRecovery@protonmail.com\r\nMastersRecovery@cock.li\r\nDecryption may be possible if the ransomware is left running, by extracting the key from memory.\r\nConclusion\r\nSpartacus is yet another ransomware family or variant popping up.\r\nFigure 5 - Meme\r\nMake sure to read the dedicated page on ransomware prevention to prevent Spartacus or any other ransomware.\r\nIOCs\r\nSource: https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html"
	],
	"report_names": [
		"this-is-spartacus-new-ransomware-on.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439001,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8bab067b2f8ecf2c10808898cbd36d557d50b9d.pdf",
		"text": "https://archive.orkl.eu/a8bab067b2f8ecf2c10808898cbd36d557d50b9d.txt",
		"img": "https://archive.orkl.eu/a8bab067b2f8ecf2c10808898cbd36d557d50b9d.jpg"
	}
}