{
	"id": "e6d5dbc4-6e05-4a3c-9d27-fb22cc46fee7",
	"created_at": "2026-04-06T00:21:31.010877Z",
	"updated_at": "2026-04-10T13:11:35.919095Z",
	"deleted_at": null,
	"sha1_hash": "e560b5bdc73d1834759c0514b303e8a40eb906cf",
	"title": "Ransomware Roundup: LockBit, BlueSky, and More | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 754134,
	"plain_text": "Ransomware Roundup: LockBit, BlueSky, and More | FortiGuard Labs\r\nBy FortiGuard Labs\r\nPublished: 2022-07-19 · Archived: 2026-04-05 13:44:49 UTC\r\nOver the past few weeks, FortiGuard Labs has observed several new ransomware variants of interest that have been gaining traction within the OSINT community, along with activity from our datasets. This isn’t new. This same thing has been going on, week in and week out, for years, with very little changing.\r\nUnfortunately, ransomware is here to stay. Ransomware infections continue to cause significant impact to organizations, including—but not limited to—disruptions to operations, theft of confidential information, monetary loss due to ransom payout, and more. It’s why we feel it’s imperative that we increase our efforts to raise awareness about existing and emerging ransomware variants.\r\nThis new Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape, along with the Fortinet solutions that protect against these variants.\r\nThis latest edition of the Ransomware Roundup covers the LockBit, BlueSky, Deno, RedAlert, Dark Web Hacker, Hive, and Again ransomware.\r\nLockBit Ransomware\r\nLockBit is a ransomware strain that targets both Windows and Linux. It has been in the wild since December 2019. This ransomware employs a Ransomware-as-a-Service (RaaS) model. Ransomware operators develop LockBit ransomware and all the necessary tools and infrastructure to support it, such as leak sites and ransom payment portals. They offer these solutions, along with user support, to their affiliates (criminals who pay a fee to use their technology). Support is provided via TOX (a RaaS framework). They also offer additional services, such as ransom negotiation, for affiliates.\r\nLockBit affiliates carry out the actual attacks that infect and deploy ransomware to targets and, in return, receive 20% of the ransom paid by victims. While rules prohibit affiliates from encrypting files in critical infrastructure environments, such as nuclear power plants or the gas and oil industries, affiliates are allowed to steal data without encrypting critical files and/or the infrastructure of these organizations. In addition, former Soviet countries (Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan, Ukraine, and Estonia) are off-limits to attack.\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants\r\nPage 1 of 9\r\nFigure 1. Affiliate rules for LockBit 3.0 on its Tor site\r\nPrior to file encryption, data on victim machines is exfiltrated using “StealBit,” an information stealer tool developed by the LockBit gang. Files encrypted by the ransomware typically have a “.lockbit” file extension. The ransomware also leaves a ransom note in Restore-My-Files.txt.\r\nSome variants of LockBit also replace the desktop wallpaper with a message to let victims know that they are a victim of the ransomware, asking them to check the ransom note for how to reach out to the LockBit threat actor.\r\nLockBit employs a double-extortion tactic that demands victims pay their ransom in Bitcoin to recover affected files and not have stolen information leaked to the public.\r\nLockBit 3.0 debuted in March 2022 as a successor to LockBit 2.0. The ransomware made the news again at the end of June because the ransomware gang introduced a “bug bounty” program with rewards of between $1,000 and $1,000,000 (USD) for detecting flaws and weaknesses in its portfolio.\r\nFigure 2. Bug bounty program advertised on LockBit Tor site\r\nFortinet Protections\r\nFortinet customers running the latest (AV) definitions are protected by the following signature(s):\r\nW32/Filecoder.LOCKBIT!tr\r\nW32/Filecoder_Lockbit.A!tr\r\nW64/Lockbit.A!tr\r\nW64/Lockbit.A!tr.ransom\r\nW32/Lockbit.B!t\r\nW64/Lockbit.B!tr\r\nW32/Lockbit.D!tr.ransom\r\nW32/Lockbit.E!tr.ransom\r\nW32/Filecoder_Lockbit.E!tr\r\nW32/Filecoder_Lockbit.E!tr.ransom\r\nW32/LockBit.2513!tr.ransom\r\nW32/LockBit.29EA!tr.ransom\r\nW32/LockBit.29FC!tr.ransom\r\nW32/Lockbit.2D74!tr.ransom\r\nW32/LockBit.921B!tr.ransom\r\nW32/Lockbit.A467!tr\r\nW32/Lockbit.BF6C!tr\r\nW32/Lockbit.C2F8!tr.ransom\r\nW32/Lockbit.FSWW!tr\r\nW32/Lockbit.GCZ!tr\r\nW32/Lockbit.NVBZVOW!tr\r\nW32/Lockbit.VHO!tr\r\nW32/Lockbit.VHO!tr.ransom\r\nW32/Ransom_Win32_LOCKBIT.ENC\r\nHTML/Lockbit.FCBE!tr.ransom\r\nBlueSky Ransomware\r\nBlueSky is a recently discovered ransomware variant, with some BlueSky ransomware samples distributed online as “MarketShere.exe” and “SecurityUpdate.exe.” BlueSky encrypts files on a compromised machine and then adds a “.bluesky” file extension. It then drops a ransom note in “# DECRYPT FILES BLUESKY #.txt” and “# DECRYPT FILES BLUESKY #.html,” in which victims are asked to visit a BlueSky TOR site and follow the provided instructions.\r\nFigure 1. BlueSky ransom message in a text file\r\nFigure 2. BlueSky ransom message (HTML)\r\nFortinet Protections\r\nFortinet customers running the latest (AV) definitions are protected by the following signature(s):\r\nW32/Conti.F!tr.ransom\r\nW64/GenKryptik.FSFZ!tr\r\nDeno Ransomware\r\nDeno is a new ransomware variant that encrypts files on a compromised machine and adds a “.DENO” file extension to targeted files. It then drops a ransom note in “readme.txt” which provides two ProtonMail email addresses for victims to contact the attacker to recover affected files. Interestingly enough, there is no information on how much this will cost and whether payment is what the threat actor is ultimately after.\r\nFigure 3. Readme.TXT for DENO ransomware\r\nFortinet Protections\r\nFortinet customers running the latest (AV) definitions are protected by the following signature(s):\r\nW32/Filecoder.OLQ!tr\r\nMSIL/Agent.MDO!tr.ransom\r\nMalicious_Behavior.SB\r\nW32/PossibleThreat\r\nRedAlert\r\nRedAlert, also known as N13V, is a new ransomware discovered in early July. It affects Windows and Linux VMware (ESXi) servers. It encrypts files on the compromised machine and steals data from it. One reported file extension that this ransomware variant adds to affected files is “.crypt658”, but this may change depending on the victim.\r\nThis ransomware uses a double-extortion tactic, which demands a ransom payment to recover affected files and to prevent the release of stolen data to its data leak site for anyone to download. To pressure victims into paying a ransom, the authors also ask the victim to contact the attacker within 72 hours, or else the threat actor will publish part of the stolen data to their leak site. Additional threats include launching Distributed Denial of Service (DDoS) attacks against the victim and making phone calls to the victim’s employees as a shaming tactic.\r\nFortinet Protections\r\nFortinet customers running the latest (AV) definitions are protected by the following signature(s):\r\nELF/RedAlert.A!tr.ransom\r\nDark Web Hacker\r\nDark Web Hacker is another recently discovered ransomware. It encrypts files on a compromised machine and appends “.[4 random characters]” to the end of each target file name. It also leaves a ransom note in “read_it.txt” containing an attacker’s contact email address and Bitcoin address. The ransom demand is $3,000 worth of Bitcoin.\r\nFigure 4. Ransom note\r\nThe ransomware also replaces any desktop wallpaper with its own wallpaper that includes a Bitcoin QR code to “help” victims pay the ransom.\r\nThe ransomware also deletes shadow copies, which makes file recovery difficult.\r\nFortinet Protections\r\nFortinet customers running the latest (AV) definitions are protected by the following signature:\r\nMSIL/Filecoder.AGP!tr\r\nHive\r\nHive ransomware is another Ransomware-as-a-Service (RaaS) that attempts to encrypt files on victims’ machines, steal data, and demand a payment to recover affected files and prevent stolen data from being published to its data leak site, called “HiveLeaks,” on the Dark Web. This ransomware notoriously affected Costa Rica’s public health system, which was reportedly disrupted by the ransomware.\r\nThe latest iterations are written in the Rust programming language. Older variants are written in Go.\r\nDecryptor Tool Now Available\r\nOn July 13th, security researcher @reecDeep released a v5 keystream decryptor tool for Hive ransomware. The tool can be found on @reecDeep’s GitHub page.\r\nFortinet Protections\r\nFortiGuard Labs previously released a Threat Signal report for Hive ransomware. For additional information on Hive ransomware, please visit this link.\r\nFortinet customers running the latest (AV) definitions are protected by the following signatures:\r\nW64/Filecoder_Hive.A!tr.ransom\r\nW64/Filecoder_Hive.A!tr\r\nWhat is ‘Again’ ransomware?\r\nThe Again ransomware is another new ransomware variant that seems to have its origins in Babuk. It appears to share the same source code as Babuk (which had its entire source code leaked in 2021) and can safely be considered a fork of that variant. The Again ransomware seeks out files to encrypt and appends “.again” to the filename, rendering them inoperable.\r\nVictims are presented with a text file entitled “How To Restore Your Files.txt.” It contains information on contacting the bad actor(s) behind the ransomware using a predefined TOR website. The site provides a page for submitting a message to the ransom actor, who will likely seek something in return from the victim in exchange for their files.\r\nFortinet Protections\r\nFortinet customers running the latest (AV) definitions are protected by the following signature:\r\nW64/Filecoder_Rook.B!tr.ransom\r\nBest practices include not paying a ransom\r\nVictims of ransomware are cautioned against paying ransom by organizations such as CISA, NCSC, the FBI, and HHS, partly because payment does not guarantee files will be recovered. Ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal, according to a U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) advisory. The FBI has a Ransomware Complaint page, where victims can submit samples of ransomware activity via the Internet Crime Complaint Center (IC3).\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants"
	],
	"report_names": [
		"ransomware-roundup-new-variants"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434891,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e560b5bdc73d1834759c0514b303e8a40eb906cf.pdf",
		"text": "https://archive.orkl.eu/e560b5bdc73d1834759c0514b303e8a40eb906cf.txt",
		"img": "https://archive.orkl.eu/e560b5bdc73d1834759c0514b303e8a40eb906cf.jpg"
	}
}