{
	"id": "aa9e2052-8f3a-48a5-b8b7-5c8cdde2ca68",
	"created_at": "2026-04-06T01:31:49.972604Z",
	"updated_at": "2026-04-10T13:12:40.025206Z",
	"deleted_at": null,
	"sha1_hash": "e5072675a32f56de310b431c2ef8f72944776c33",
	"title": "WastedLocker explained: How this targeted ransomware extorts millions from victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52459,
	"plain_text": "WastedLocker explained: How this targeted ransomware extorts\r\nmillions from victims\r\nBy Lucian Constantin\r\nPublished: 2020-09-22 · Archived: 2026-04-06 00:07:17 UTC\r\nWastedLocker definition\r\nWastedLocker is a ransomware program that started hitting businesses and other organizations in May 2020 and is\r\nknown for its high ransom demands reaching millions of dollars per victim. It is the creation of a group of highly\r\nskilled cybercriminals who have been operating for over a decade despite being criminally indicted in the US.\r\nEvil Corp and the Dridex botnet\r\nThe group behind WastedLocker calls itself Evil Corp, and some of the individuals associated with it have a\r\nlong history in the cybercrime world. The group is best known for operating the Dridex malware and botnet since\r\n2011 but has also been responsible for creating and distributing ransomware programs over the years.\r\nDridex, also known as Cridex or Bugat, started out as a Trojan program designed to steal online banking\r\ncredentials from victims by injecting fake login pages into their browsers. In December 2019, the US Department\r\nof Justice indicted two Russian nationals named Maksim Yakubets and Igor Turashev for creating and operating\r\nthe Dridex malware together with other individuals.\r\nYakubets has also been named in separate complaints in connection with older money heists that date back to\r\n2009 and involved the infamous Zeus banking Trojan. The source code of the Zeus Trojan was leaked online in\r\n2010 and served as a basis and inspiration for many other banking Trojans, including Dridex. Both Yakubets and\r\nTurashev are on the FBI’s Cyber’s Most Wanted list, and US authorities are offering up to $5 million for\r\ninformation leading to Yakubets’ arrest. 
The Department of Treasury has also imposed sanctions against the Evil\r\nCorp group.\r\nOver the years, Dridex evolved from a banking Trojan into a malware distribution platform, and its creators\r\ncollaborated with other infamous cybercriminal groups including Carbanak/FIN7 and TA505. According to a\r\nreport from security firm NCC Group, in late 2017 Dridex operations were scaled back and the group almost\r\nexclusively focused on the distribution of ransomware, starting with BitPaymer. The gang even had a partnership\r\nwith the group behind the TrickBot Trojan, which was used to deploy BitPaymer for a short period before starting\r\nto push Ryuk, one of the most successful targeted ransomware programs to date.\r\nBitPaymer targeted primarily companies from the US and a few in Western Europe, but in 2019 a fork dubbed\r\nDoppelPaymer appeared. According to NCC, DoppelPaymer followed a ransomware-as-a-service model that’s\r\ndifferent from BitPaymer’s. While there’s been some overlap in activity with Evil Corp, the group’s links to this\r\nthreat are not very clear.\r\nhttps://www.csoonline.com/article/3574907/wastedlocker-explained-how-this-targeted-ransomware-extorts-millions-from-victims.html\r\nPage 1 of 4\n\n“After the unsealing of indictments by the US Department of Justice and actions against Evil Corp as a group by\r\nthe US Treasury Department, we detected a short period of inactivity from Evil Corp until January 2020,” NCC\r\nsaid in its report. “However, since January 2020 activity has resumed as usual, with victims appearing in the same\r\nregions as before. It is possible, however, that this was primarily a strategic move to suggest to the public that Evil\r\nCorp was still active as, from around the middle of March 2020, we failed to observe much activity from them in\r\nterms of BitPaymer deployments. 
Of course, this period coincided with the lockdowns due to the COVID-19\r\npandemic.”\r\nWastedLocker replaces BitPaymer\r\nWastedLocker is an entirely new ransomware program from Evil Corp that started infecting organizations in May.\r\nIt does not share code with BitPaymer but exhibits other similarities in the ransom note and per-victim\r\ncustomization. The lack of Evil Corp activity between March and May might be explained by the group working\r\non developing this new threat as well as other components that make up its toolset.\r\nResearchers have recently seen the group deploying a variant of the Gozi malware, which might replace Dridex at\r\nsome point in the future as the persistent backdoor inside victim networks, along with a customized Cobalt Strike\r\nloader, which could be a potential replacement for the Empire PowerShell framework the group was known to use.\r\nBoth Cobalt Strike and PowerShell Empire are post-exploitation frameworks designed for penetration testers that\r\nhave also become popular with hacker groups and cybercriminals over the years. The main developers of\r\nPowerShell Empire decided to abandon the project a few months ago.\r\nEvil Corp “has access to highly skilled exploit and software developers capable of bypassing network defenses on\r\nall different levels,” NCC warns. “The group seems to put a lot of effort into bypassing endpoint protection\r\nproducts; this observation is based on the fact that when a certain version of their malware is detected on victim\r\nnetworks the group is back with an undetected version and able to continue after just a short time. This shows the\r\nimportance of victims fully understanding each incident that happens. 
That is, detection or blocking of a single\r\nelement from the more advanced criminal actors does not mean they have been defeated.”\r\nOne of the more prominent victims of WastedLocker to date was Garmin, a US tech company that manufactures\r\nconsumer wearables and GPS navigation products used in aviation, maritime, fitness and other markets. The\r\ncompany was hit with WastedLocker in July and had many of its services disrupted worldwide as a result,\r\nincluding some used by pilots. The ransom demand was reportedly $10 million, and the company eventually\r\nobtained a decryption key from the attackers, although it’s not clear how much they paid for it.\r\nLike other gangs behind targeted and manually operated ransomware attacks, Evil Corp customizes its malicious\r\nprogram and ransoms for each victim depending on their size and business profile. The WastedLocker ransom\r\ndemands seen so far have ranged between $500,000 and $10 million, making them some of the largest in the\r\nthreat landscape.\r\nAs with BitPaymer, the vast majority of WastedLocker victims have been US organizations. The gang puts a lot\r\nof effort into locating and destroying its victims’ backups, but so far it has not adopted fail-over techniques like\r\nstealing data and extorting victims under the threat of releasing it online or putting it up for auction, as some\r\nother ransomware gangs have done recently.\r\n“In general, we can state that if this gang has found an entrance into your network it will be impossible to stop\r\nthem from encrypting at least part of your files,” researchers from Malwarebytes said in an analysis. “The only\r\nthing that can help you salvage your files in such a case is if you have either roll-back technology or a form of off-line backups. 
With online, or otherwise connected backups you run the chance of your backup files being\r\nencrypted as well, which makes the whole point of having them moot.”\r\nHow does WastedLocker work?\r\nAccording to reports from Symantec, Malwarebytes and other security firms, the infection chain for\r\nWastedLocker starts with a JavaScript-based attack framework called SocGholish that is distributed as a fake\r\nbrowser update by alerts displayed on legitimate but compromised websites. Hacked news websites are a common\r\nvector. The SocGholish framework is delivered as a ZIP file and, if opened and run, it starts an attack chain that\r\ninvolves downloading and executing PowerShell scripts and the Cobalt Strike backdoor. Evil Corp used this same\r\ndistribution technique and framework in the past to deploy the Dridex Trojan, so it’s been part of its arsenal for a\r\nlong time.\r\nOnce the hackers gain access to a computer on the network of an organization they perform reconnaissance and\r\nstart deploying various living-off-the-land tools to steal credentials, escalate privileges and move laterally to other\r\nmachines. 
The attackers’ goal is to identify and gain access to high-value systems such as file servers, database\r\nservers and even virtual machines running in the cloud before deploying a victim-tailored WastedLocker binary on\r\nthem.\r\nThe use of manual hacking and system administration or open-source penetration testing tools is part of a trend\r\nobserved over the past few years in which cybercriminals, including ransomware gangs, are increasingly adopting\r\nattack techniques that in the past used to be associated with cyberespionage activity by state-sponsored groups.\r\nThis trend poses a serious problem for smaller organizations that do not have the IT budgets and resources to\r\ndeploy defenses against advanced persistent threats but are a frequent target for ransomware gangs and other\r\nfinancially motivated cybercriminals.\r\nWastedLocker uses a combination of AES and RSA cryptography in its file encryption routine that is similar to\r\nother targeted ransomware programs. Every file is encrypted with a unique 256-bit AES key that’s generated on\r\nthe fly. Those AES keys, together with other information about the encrypted files, are then encrypted with a 4096-\r\nbit public RSA key that is hardcoded in the WastedLocker binary. The attackers retain the private part of the RSA\r\nkey pair, which is needed to recover the AES keys and decrypt individual files.\r\nAccording to an analysis by Kaspersky Lab, the encryption routine is strong and properly implemented, so victims\r\ncannot recover their files without the attackers’ private RSA key. Since this is a manually deployed ransomware\r\nthreat that’s customized for every target, the attackers generate unique RSA key pairs for each victim. This means\r\na private key received by one organization after paying the ransom won’t work to decrypt files from another\r\nimpacted organization.\r\nSome aspects of WastedLocker make it stand apart. 
The ransomware has a mechanism that allows attackers to\r\nprioritize certain directories during the encryption routine. This is likely used to ensure that the most important\r\nand valuable files are encrypted first in case the encryption process, which can take some time, is detected by\r\nsystem administrators and is halted while in progress.\r\nThe malware attaches a file extension made from the victim’s name and the word “wasted” to every encrypted\r\nfile, for example, original_file_name.garminwasted for the Garmin attack. It also generates a text file with the\r\nransom note for every file, meaning every directory will contain hundreds or thousands of copies of the ransom\r\nnote.\r\nWastedLocker is designed to delete shadow copies — the default backups made by the Windows OS — and tries\r\nto encrypt files over the network, including remote backups. It uses privilege escalation techniques such as DLL\r\nhijacking to obtain system privileges and installs a service that performs the encryption routine. This service is\r\nstopped when the encryption process is complete.\r\n“The attackers behind this threat appear to be skilled and experienced, capable of penetrating some of the most\r\nwell protected corporations, stealing credentials, and moving with ease across their networks,” the Symantec\r\nresearchers said. “As such, WastedLocker is a highly dangerous piece of ransomware. A successful attack could\r\ncripple the victim’s network, leading to significant disruption to their operations and a costly clean-up operation.”\r\nSource: https://www.csoonline.com/article/3574907/wastedlocker-explained-how-this-targeted-ransomware-extorts-millions-from-victims.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.csoonline.com/article/3574907/wastedlocker-explained-how-this-targeted-ransomware-extorts-millions-from-victims.html"
	],
	"report_names": [
		"wastedlocker-explained-how-this-targeted-ransomware-extorts-millions-from-victims.html"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439109,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5072675a32f56de310b431c2ef8f72944776c33.pdf",
		"text": "https://archive.orkl.eu/e5072675a32f56de310b431c2ef8f72944776c33.txt",
		"img": "https://archive.orkl.eu/e5072675a32f56de310b431c2ef8f72944776c33.jpg"
	}
}