SharpDepositorCrypter, also known as OMCLoader, is a malware loader that was used primarily by the BlackBasta ransomware group during most of 2022. It originated as a loader for a .NET infostealer named SharpDepositor, which may explain the name found in the PDB strings of early samples. It has since evolved into a more complex loader and is no longer restricted to .NET payloads. Early versions of SharpDepositorCrypter protected their payload with RC4 encryption and base64 encoding; newer iterations have switched to AES encryption.
Throughout 2022, SharpDepositorCrypter served as the primary loader for BlackBasta ransomware and played a significant role in the group's attacks. Its use began to decline in 2023, as BlackBasta increasingly turned to other crypters such as Quixotic, Quicksand, Dave, and Tron. This shift might be due to the evolution of cybersecurity measures or a strategic decision within the BlackBasta group.
To differentiate between the versions of this malware, we currently track the earlier RC4-based samples as SharpDepositorCrypter and the AES-based versions as OMCLoader. This distinction helps us follow the evolution of the malware and provides better insight into the tactics, techniques, and procedures (TTPs) used by threat actors like BlackBasta. Staying current with these developments remains crucial to mitigating the risks posed by such evolving threats.
Description last updated: 2024-01-06T18:32:31.743Z