{
	"id": "54ab089d-f3f9-4021-819f-0323552eef61",
	"created_at": "2026-04-06T00:09:39.24069Z",
	"updated_at": "2026-04-10T13:12:48.054472Z",
	"deleted_at": null,
	"sha1_hash": "db62e5b6318018aa00b26e84624555cdb5cbc844",
	"title": "Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76000,
	"plain_text": "Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware\r\nArchived: 2026-04-05 16:17:14 UTC\r\nSymantec’s Threat Hunter Team has additional technical information to share on the new ALPHV/BlackCat\r\nransomware that was first publicly reported last week, and which we have been tracking for several weeks.\r\nSymantec, a division of Broadcom Software, tracks this ransomware as Ransom.Noberus. Our researchers first\r\nspotted it on a victim organization on November 18, 2021, with three variants of Noberus deployed by the\r\nattackers over the course of that attack. This suggests the ransomware was active earlier than\r\npreviously reported: MalwareHunterTeam told BleepingComputer they first saw this ransomware\r\non November 21.\r\nNoberus is notable because it is written in Rust; this is the first time we have seen a\r\nprofessional ransomware strain used in real-world attacks written in this language.\r\nNoberus carries out the now-typical double-extortion attack, in which the operators first steal\r\ninformation from victim networks before encrypting files. Noberus adds the .sykffle extension to encrypted files.\r\nThis blog contains information about the attack chain we observed in one victim organization, as well as technical\r\ndetails about the operation of this ransomware.\r\nThe first suspicious activity observed by Symantec occurred on the victim’s network on November 3, approximately\r\ntwo weeks before Noberus was deployed, and consisted of suspicious network activity. Later, on\r\nNovember 18, shortly before Noberus was deployed, the legitimate ConnectWise remote-administration tool was also executed. 
A few hours later, Noberus\r\nwas deployed, indicating that the attackers may have leveraged their ConnectWise access to deploy the payload.\r\nWhile it is a legitimate tool, ConnectWise has frequently been abused by ransomware attackers in recent times\r\nto gain access to victim networks.\r\nAnatomy of an attack\r\nOn November 3, suspicious Server Message Block (SMB) requests were seen on the earliest machine to be\r\ninfected on the victim network. This was followed by attempts, made from another machine on the network, to\r\nremotely dump Local Security Authority (LSA) secrets from the registry. This suggests the attackers had either compromised another\r\nmachine on the network where we did not have visibility, or joined a machine of their own to the\r\ndomain and were launching credential-dumping attacks from it.\r\nOn the same day, PsExec was also executed from a remote machine to launch a command prompt. The attackers\r\nused this to turn on the ‘Restricted Admin mode’ feature of Remote Desktop Protocol (RDP) via the Windows\r\nregistry: setting DisableRestrictedAdmin to 0 enables the mode. Restricted Admin mode lets an RDP client authenticate\r\nwith an NTLM hash instead of a password, so enabling it removes a safeguard against 'pass the hash' attacks over\r\nRDP and lets the attackers use dumped credential hashes to log on to further machines with administrative rights.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware\r\nPage 1 of 6\n\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0\r\nThe next activity occurred on November 18, when PsExec was used to run multiple PowerShell commands that\r\neffectively disabled Windows Defender. Specifically, the PowerShell command added *.exe to Defender’s\r\nexclusion list, so executables were no longer scanned, and this command was run across the entire organization.\r\nLater on November 18, the first instance of Noberus ransomware was deployed via PsExec.\r\nIn order for Noberus to execute properly, it requires a specific ‘access-token’. 
This acts as a unique key, which is\r\nused to identify the victim when they visit the Noberus operators’ Tor site. The following similar commands\r\nwere observed being executed:\r\nCSIDL_WINDOWS\\temp\\psexec.exe -accepteula \\\\[REDACTED] -u [REDACTED] -p [REDACTED] -s -d -f -c [REDACTED].exe --access-token [REDACTED] --no-prop-servers \\\\[REDACTED] --propagated\r\n[REDACTED].exe --access-token [REDACTED] --no-net\r\nIn the first command, PsExec is launched with the following command line arguments:\r\n-s – Run under the System account\r\n-d – Run as a non-interactive process (don’t wait for the process to terminate)\r\n-f, -c – Copy the Noberus file to the remote machine before running it (-c copies the program; -f forces the copy even if the file already exists there)\r\nFor the second command above, the ‘--no-net’ argument instructs Noberus not to process network\r\nshares during propagation. See the Technical Details below for the supported command line arguments and\r\ntheir description.\r\nIn all the samples of Noberus that we have access to, the victim’s administrative credentials are embedded as part\r\nof the configuration block, showing that this attack was specifically targeted at this victim.\r\nOnce Noberus is executed, the ransomware first deletes any available shadow copies, which is typical in\r\nransomware attacks, in order to stop the organization from restoring encrypted files:\r\ncmd /c vssadmin.exe delete shadows /all /quiet\r\nNoberus then runs WMIC to collect the Universally Unique\r\nIdentifier (UUID) of each machine. The UUID is combined with the supplied access token to form the ‘ACCESS_KEY’ that makes up part of\r\nthe unique Tor address victims are instructed to visit:\r\nNavigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}\"\r\nWe also saw an fsutil command being executed by Noberus. Fsutil performs tasks that are related to file allocation\r\ntable (FAT) and NTFS file systems. 
In this incident, the attacker modifies the SymlinkEvaluation\r\nbehavior, which controls which kinds of symbolic links Windows will follow. A symbolic link is a file system object\r\nthat acts as a pointer to another file or folder; by default Windows evaluates only local-to-local and local-to-remote links,\r\nand the two commands below additionally enable remote-to-local (R2L) and remote-to-remote (R2R) evaluation.\r\ncmd /c fsutil behavior set SymlinkEvaluation R2L:1\r\ncmd /c fsutil behavior set SymlinkEvaluation R2R:1\r\nThis lets Noberus follow links that point to or across network shares, likely to ensure it can reach and encrypt\r\ntheir targets.\r\nAs part of the propagation mechanism, Noberus attempts to mount hidden partitions (volumes that have no mount point). It then attempts to spread via\r\nthe ‘net use’ command. The embedded administrative credentials are used as part of this mechanism along with\r\nPsExec, which is embedded in a compressed form within Noberus.\r\nDuring the attack, the attackers were also seen raising MaxMpxCt, the SMB server’s limit on the number of\r\noutstanding requests a single client may have in flight, to its maximum value:\r\ncmd /c reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f\r\nThis was likely to aid in the propagation of Noberus across the network.\r\nAt this stage, Noberus proceeds to terminate a set of pre-defined processes and begins the encryption process.\r\nAt some point during the attack the organization became aware of the infection and deployed remediation\r\nsoftware. However, despite this, it appears the attackers were able to return and deploy another variant of their\r\nransomware to other systems on the network. 
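\r\nAs an added example, not code from the Symantec post or from the Noberus binary, the following PowerShell triage script turns the observations above into two checks a responder can run: Find-NoberusCommandLine scans process-creation command lines (for instance the CommandLine field of Sysmon event 1 or Security event 4688) for the command patterns quoted in this section, and Get-NoberusHostChange audits the local host for the configuration changes the attackers made (DisableRestrictedAdmin set to 0, SymlinkEvaluation R2L/R2R enabled, MaxMpxCt raised, a *.exe exclusion in Windows Defender). The function names, the pattern table and the sample command lines are the editor's own; the host and file names in the samples are invented.\r\n
```powershell
# Added example (editor's code, not from the Symantec post or the Noberus binary).
# Two triage checks for the intrusion activity described above:
#   Find-NoberusCommandLine - scan process-creation command lines (e.g. the
#       CommandLine field of Sysmon event 1 or Security event 4688) for the
#       command patterns quoted in the post.
#   Get-NoberusHostChange   - audit the local host for the configuration changes
#       the attackers made (Restricted Admin mode, SymlinkEvaluation, MaxMpxCt,
#       Defender exclusion for *.exe).
# The pattern table, function names and sample log lines are the editor's own.

# Regexes derived from the command lines quoted in the post; matched case-insensitively.
$NoberusPatterns = @(
    @{ Name = 'PsExec deployment with --access-token';       Regex = 'psexec.*--access-token' },
    @{ Name = 'Noberus propagation flags';                    Regex = '--access-token.*--(no-net|propagated|no-prop-servers)' },
    @{ Name = 'Shadow copy deletion';                         Regex = 'vssadmin.*delete shadows.*/all' },
    @{ Name = 'UUID collection for ACCESS_KEY';               Regex = 'wmic csproduct get uuid' },
    @{ Name = 'Remote symlink evaluation enabled';            Regex = 'fsutil behavior set symlinkevaluation r2[lr]:1' },
    @{ Name = 'MaxMpxCt raised';                              Regex = 'reg add.*lanmanserver.*maxmpxct' },
    @{ Name = 'Restricted Admin mode enabled (PtH over RDP)'; Regex = 'reg add.*lsa.*disablerestrictedadmin.*/d 0' },
    @{ Name = 'Defender exclusion for .exe';                  Regex = '(add|set)-mppreference.*exclusion.*exe' }
)

function Find-NoberusCommandLine {
    param([Parameter(Mandatory)][string[]]$CommandLine)
    foreach ($line in $CommandLine) {
        foreach ($p in $NoberusPatterns) {
            # -imatch is a case-insensitive regex match
            if ($line -imatch $p.Regex) {
                [pscustomobject]@{ Indicator = $p.Name; CommandLine = $line }
            }
        }
    }
}

function Get-NoberusHostChange {
    $findings = @()

    # DisableRestrictedAdmin is absent by default; a value of 0 turns Restricted
    # Admin mode ON, which is what lets an NTLM hash be used for an RDP logon.
    $lsa = Get-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa' -ErrorAction SilentlyContinue
    if ($null -ne $lsa.DisableRestrictedAdmin -and $lsa.DisableRestrictedAdmin -eq 0) {
        $findings += 'DisableRestrictedAdmin = 0: Restricted Admin mode enabled (pass-the-hash over RDP possible)'
    }

    # MaxMpxCt bounds the number of outstanding SMB requests per client; 65535 is the maximum.
    $srv = Get-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters' -ErrorAction SilentlyContinue
    if ($null -ne $srv.MaxMpxCt -and $srv.MaxMpxCt -ge 65535) {
        $findings += ('MaxMpxCt = {0}: SMB outstanding-request limit raised to the maximum' -f $srv.MaxMpxCt)
    }

    # fsutil prints one line per SymlinkEvaluation flag; the Windows defaults are
    # L2L and L2R enabled, R2L and R2R disabled.
    $sym = & fsutil.exe behavior query SymlinkEvaluation 2>$null
    foreach ($kind in 'local', 'remote') {
        if ($sym -imatch ('Remote to {0} symbolic links are enabled' -f $kind)) {
            $findings += ('Remote-to-{0} symbolic link evaluation enabled' -f $kind)
        }
    }

    # The attackers excluded *.exe from Defender scanning; check both exclusion lists.
    if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
        $mp = Get-MpPreference
        if ((@($mp.ExclusionExtension) -contains 'exe') -or (@($mp.ExclusionPath) -like '*.exe')) {
            $findings += 'Windows Defender exclusion covers *.exe'
        }
    }
    $findings
}

# Constructed sample command lines modelled on the ones quoted in the post.
# Host name SRV01 and file name locker.exe are invented; credentials stay redacted.
$SampleCommandLines = @(
    'C:\\Windows\\temp\\psexec.exe -accepteula \\\\SRV01 -u [REDACTED] -p [REDACTED] -s -d -f -c locker.exe --access-token [REDACTED] --no-prop-servers \\\\SRV01 --propagated',
    'cmd /c vssadmin.exe delete shadows /all /quiet',
    'cmd /c wmic csproduct get UUID',
    'cmd /c fsutil behavior set SymlinkEvaluation R2R:1',
    'cmd /c reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f',
    'reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0',
    'powershell.exe -Command Add-MpPreference -ExclusionExtension exe',
    'C:\\Windows\\System32\\svchost.exe -k netsvcs'   # benign control line; matches no pattern
)

# Scan the samples (the PsExec line is reported under two indicators), then audit this host.
Find-NoberusCommandLine -CommandLine $SampleCommandLines | Format-Table -AutoSize
Get-NoberusHostChange
```
\r\nThe regexes are deliberately loose (case-insensitive matches on the distinctive tokens), so they also catch minor re-orderings of the arguments; tune them against your own baseline before alerting on them, since vssadmin, fsutil and reg are also used legitimately by administrators.\r\n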
In total, three variants of this ransomware were identified during this\r\nintrusion, leading to at least 261 machines on the network becoming infected with Noberus.\r\nRansom.Noberus: Technical Details\r\nA technical analysis of Noberus itself found that much of its behavior is consistent with the activity we saw on the\r\nvictim network.\r\nThe first step it takes after being deployed on victim networks is to remove shadow copies:\r\ncmd /c vssadmin.exe delete shadows /all /quiet\r\nIt then issues a command to collect the Universally Unique Identifier (UUID) of the infected machine:\r\ncmd /c wmic csproduct get UUID\r\nThe UUID and the ‘access-token’ parameter are then used to generate the \"ACCESS_KEY\" that is appended to the Tor URL in the ransom note:\r\nNavigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}\"\r\nNoberus then enables remote-to-local and remote-to-remote symbolic link evaluation:\r\ncmd /c fsutil behavior set SymlinkEvaluation R2L:1\r\ncmd /c fsutil behavior set SymlinkEvaluation R2R:1\r\nIt then attempts to mount hidden volumes using the following Windows APIs. It enumerates volumes with:\r\nFindFirstVolume\r\nFindNextVolume\r\nFindVolumeClose\r\nIt then gets the pathnames by which each volume is mounted with:\r\nGetVolumePathNamesForVolumeName\r\nIf a volume has no pathname, Noberus mounts it with:\r\nSetVolumeMountPoint\r\nNoberus then cleans up the Recycle Bin and attempts to propagate via network shares.\r\nIt looks for available shares by using the ‘net use’ command or the NetShareEnum function. The embedded administrative\r\ncredentials may then be used for propagation via network shares.\r\nNoberus also attempts to propagate via PsExec, implemented in the module:\r\nlocker::core::windows::psexec\r\nThe PsExec module is embedded in the Noberus code (see Figure 1). 
It is compressed with zlib (Figure 2).\r\nThe decompressed PsExec file is a legitimate, Microsoft-signed clean file (Figure 3).\r\nOnce it has gained access to a machine, Noberus then proceeds to kill the following processes and services:\r\n\"encsvc\",\"thebat\",\"mydesktopqos\",\"xfssvccon\",\"firefox\",\"infopath\",\"winword\",\"steam\",\"synctime\",\r\n\"notepad\",\"ocomm\",\"onenote\",\"mspub\",\"thunderbird\",\"agntsvc\",\"sql\",\"excel\",\"powerpnt\",\r\n\"outlook\",\"wordpad\",\"dbeng50\",\"isqlplussvc\",\"sqbcoreservice\",\"oracle\",\"ocautoupds\",\r\n\"dbsnmp\",\"msaccess\",\"tbirdconfig\",\"ocssd\",\"mydesktopservice\",\"visio\", \"sql*\",\r\n\"mepocs\",\"memtas\",\"veeam\",\"svc$\",\"backup\",\"sql\",\"vss\",\"msexchange\"\r\nIt also excludes certain directories, filenames, and file extensions from the encryption process, such as:\r\n\"system volume information\",\"intel\",\"$windows.~ws\",\"application data\",\"$recycle.bin\",\r\n\"mozilla\",\"program files (x86)\",\"program files\",\"$windows.~bt\",\"public\",\"msocache\",\"windows\",\"default\",\"all users\", \"tor browser\",\r\n\"programdata\",\"boot\",\"config.msi\",\"google\",\"perflogs\",\"appdata\", \"windows.old\",\r\n\"desktop.ini\",\"autorun.inf\",\"ntldr\",\"bootsect.bak\",\"thumbs.db\",\"boot.ini\",\"ntuser.dat\",\r\n\"iconcache.db\",\"bootfont.bin\",\"ntuser.ini\",\"ntuser.dat.log\",\"themepack\",\"nls\",\"diagpkg\",\r\n\"msi\",\"lnk\",\"exe\",\"cab\",\"scr\",\"bat\",\"drv\",\"rtp\",\"msp\",\"prf\",\"msc\", \"ico\", \"key\",\"ocx\",\"diagcab\",\"diagcfg\",\r\n\"pdb\",\"wpx\",\"hlp\",\"icns\",\"rom\",\"dll\",\"msstyles\",\"mod\",\"ps1\",\"ics\",\"hta\",\"bin\",\"cmd\",\"ani\",\r\n\"386\",\"lock\",\"cur\",\"idx\",\"sys\",\"com\",\"deskthemepack\",\"shs\",\"ldf\",\"theme\",\"mpa\",\"nomedia\",\r\n\"spl\",\"cpl\",\"adv\",\"icl\",\"msu\"\r\nNoberus then proceeds to encrypt files using either AES or ChaCha20.\r\nThe encryption key for each machine appears to be generated 
randomly. It appears that Noberus generates a\r\nrandom number using BCryptGenRandom and calculates each byte with the string shown in Figure 4.\r\nFiles that have been encrypted have .sykffle appended to the end of their filename, in the following format:\r\n[original filename].[extension].sykffle\r\nNoberus then drops a ransom note as a .txt file and a .png rendering of it, which are displayed to victims, with the\r\nfollowing filenames:\r\nRECOVER-sykffle-FILES.txt\r\nRECOVER-sykffle-FILES.txt.png\r\nThe text file tells victims the following:\r\n\u003e Introduction\r\nImportant files on your system was ENCRYPTED and now they have \"sykffle\" extension.\r\nIn order to recover your files you need to follow instructions below.\r\n\u003e\u003e Sensitive Data\r\nSensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate.\r\nData includes:\r\n- Employees personal data, CVs, DL, SSN.\r\n- Complete network map including credentials for local and remote services.\r\n- Financial information including clients’ data, bills, budgets, annual reports, bank statements.\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format\r\n- And more...\r\nPrivate preview is published here:\r\nhttp://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd[.]onion/[REDACTED]\r\n\u003e\u003e CAUTION\r\nDO NOT MODIFY FILES YOURSELF.\r\nDO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.\r\nYOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.\r\nYOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.\r\n\u003e\u003e Recovery procedure\r\nFollow these simple steps to get in touch and recover your data:\r\n1) Download and install Tor Browser from: 
https://torproject.org/\r\n2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd[.]onion/?access-key=[REDACTED]\r\nSignificance of this new ransomware\r\nThis is a sophisticated new ransomware with no apparent weaknesses in its encryption process, meaning that unless\r\nvictims have comprehensive backups they have no way to recover their files other than paying the ransom. The fact that it is\r\nwritten in Rust is interesting: while Rust is not typically used by malware developers, it is growing\r\nin popularity, and this shows that ransomware developers too are willing to innovate in this area.\r\nWhile the reported number of victims of this ransomware so far appears to be small, the sophistication of Noberus\r\nitself and the level of determination shown by the attackers in the attack we observed indicate that it is likely we\r\nwill see more of this ransomware in the future. It is also reported that the developers behind this ransomware are\r\nactively seeking affiliates on Russian-speaking hacking forums, meaning the number of malicious actors\r\ndeploying this ransomware is likely to grow.\r\nProtection\r\nFile-based\r\nRansom.Noberus\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware"
	],
	"report_names": [
		"noberus-blackcat-alphv-rust-ransomware"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434179,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db62e5b6318018aa00b26e84624555cdb5cbc844.pdf",
		"text": "https://archive.orkl.eu/db62e5b6318018aa00b26e84624555cdb5cbc844.txt",
		"img": "https://archive.orkl.eu/db62e5b6318018aa00b26e84624555cdb5cbc844.jpg"
	}
}