Adhubllka

Malware updated 4 months ago (2024-05-04T19:18:41.746Z)
Download STIX
Preview STIX
Adhubllka is a malware that has been active since at least 2019, but it gained more attention in January 2020. It has been used by threat group TA547 in campaigns targeting various sectors of Australia in 2020. Over the years, many samples of Adhubllka have been misclassified or mistagged into other ransomware families, according to Rakesh Krishnan, senior threat analyst at Netenrich. This confusion has been compounded by the fact that other names, including ReadMe, MMM, MME, and GlobeImposter2.0, have been assigned to the same piece of malware, all of which actually belong to the Adhubllka ransomware family. Two new variants of Adhubllka, TZW and U2K, were identified by researchers from security and operations analytics firm Netenrich. These variants were distinguishable by a unique sentence in their ransom note: "the server with your decryptor is in a closed network Tor." Other clues included the campaign's use of an email address reported widely as belonging to the ransomware group, and its link to the MD5 variant sample of Adhubllka spotted in 2019. Researchers tracked previously linked Tor domains used by the actor, uncovering clues within the ransom note dropped to victims to trace it back to the source. Despite its activity, identifying TZW as a spinoff of Adhubllka was challenging due to the relatively small ransom demands typically made by the group, ranging from $800 to $1,600. However, researchers anticipate that this ransomware may grow bigger over time, as updates have been made on its infrastructure. In the future, this ransomware may be rebranded with other names, and other groups may also use it to launch their own ransomware campaigns.
Description last updated: 2024-05-04T18:29:05.352Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Readme
2
The malware "readme" is a malicious software designed to infiltrate systems, often through deceptive downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Recently, new variants of this malware have been identified b
Tzw
2
TZW is a new strain of the Adhubllka ransomware family, which was first identified in January 2020 but had already been active since the previous year. This revelation came from researchers at Netenrich, a security and operations analytics firm, in a blog post published this week. TZW's identificati
U2k
2
U2K is a malicious software (malware) that poses significant threats to computer systems and devices. It infiltrates through suspicious downloads, emails, or websites, often unbeknownst to the user, and can cause substantial damage by stealing personal information, disrupting operations, or holding
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Tor
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
IDTypeVotesProfile Description
Adhubllka AdhubllkaUnspecified
2
None
Source Document References
Information about the Adhubllka Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
a year ago
Ransomware With an Identity Crisis Targets Small Businesses, Individuals
CERT-EU
a year ago
Small-scale ransomware attacks persist
InfoSecurity-magazine
a year ago
New Study Sheds Light on ADHUBLLKA Ransomware Network
DARKReading
a year ago
Ransomware With an Identity Crisis Targets Small Businesses, Individuals