Obscura, an obscure new ransomware variant

Authors: Harlan Carvey, Lindsey O’Donnell-Welch, Anna Pham, Alden Schmidt

On 29 August 2025, Huntress analysts encountered a beforehand unseen ransomware variant known as “Obscura.” This title was taken from the ransom word (README_Obscura.txt), which additionally made a number of references to Obscura in its contents.

Whereas researching this ransomware variant, analysts didn’t discover any public references to a ransomware variant named Obscura. 

The ransomware executable was first seen being executed throughout a number of hosts on the sufferer group. This community had a restricted deployment of the Huntress agent, which impacted each detection and response, inhibiting the SOC’s skill to reply successfully. This additionally restricted our visibility into sure facets of the assault, together with the preliminary entry vector. 

Nonetheless, what we have been in a position to see was that the ransomware executable was discovered on the area controller, within the path:

C:WINDOWSsysvolsysvol[domain].localscripts

Within the incident noticed by the Huntress SOC, the ransomware executable file was named for the area through which it was discovered, in an obvious try and mix in (for that reason, we aren’t publicly figuring out the title of this executable). The executable is a Go binary (together with a Go construct ID), and accommodates quite a few file paths, similar to:

/run/media/veracrypt1/Backups/Obscura/Locker/home windows/locker/

/run/media/veracrypt1/Locker Deps/go1.15.linux-amd64/go/src/os/exec

The situation of the binary on the area controller was shared because the NETLOGON folder, which makes scripts and group coverage objects (GPOs) out there to customers. As well as, the folder contents are robotically replicated throughout all area controllers, to take care of consistency. Nonetheless, this additionally meant that the ransomware executable was robotically deployed all through the infrastructure.

A scheduled job named SystemUpdate was created on a number of hosts all through the community, together with the area controller, to execute the ransomware binary from the NETLOGON share.

On one of many person’s machines, the risk actor created a scheduled job named “iJHcEkAG”. The duty runs the command cmd.exe /C netsh firewall set service sort = remotedesktop mode = allow > WindowsTempSJYfXB 2>&1 to allow Distant Desktop Protocol entry by way of the Home windows firewall.

When launched, the ransomware executable runs the next embedded command in an try and disable restoration on the endpoint:

cmd.exe /c vssadmin delete shadows /all /quiet

The ransom word itself is contained within the ransomware binary as a base64-encoded string.

Ransom word contents:

Good day! Your organization has failed a easy penetration check.

>> Your community has been utterly encrypted by our software program.

Our ransomware virus makes use of superior cryptography expertise that may make it very tough so that you can get better your info.

>> All info has been stolen.

Now we have stolen all info from all gadgets in your community, together with NAS. The information contains however isn't restricted to: worker passport particulars, inner documentation, monetary paperwork, and so forth.

>> You've about 240 hours to reply.

If there is no such thing as a response, all stolen info can be distributed.

We're ready so that you can determine to jot down to us, and we can be comfortable to barter a ransom worth with you. By paying the ransom, additionally, you will obtain:

1) a report on how we infiltrated your community

2) directions + software program that decrypts all recordsdata

3) our help in restoration, if wanted.

>> They won't enable you to; they're your enemies.

Restoration companies, the police, and different companies will NOT HELP you. Companies need your cash, however they have no idea find out how to negotiate. 

For those who suppose you'll be able to restore your infrastructure from exterior backups that we didn't entry, we warn you:

1) The legal guidelines of any nation impose large fines on corporations for info leaks.

2) Enjoying towards us is not going to work in your favor. We'll gladly wipe each one in all your servers and computer systems.

Whenever you write to us, we anticipate to listen to from you who you might be and what your relationship to the corporate is.

Your ID: [REDACTED]

TOX: [REDACTED]

Weblog: hxxp://xxx[.]onion/

Obscura. 2025.

Technical Evaluation

When the binary is launched, it would test the standing of an atmosphere variable known as DAEMON. If the worth is 1, the binary will drop the ransom word and proceed with encryption. If it’s not current or has the worth 0, it would run a collection of capabilities to arrange the field for encryption. 

The main_run() operate executes in daemon mode with DAEMON=1 set. It retrieves the risk actor’s 32-byte public key by decoding a hardcoded base64 string embedded throughout the executable, then performs system reconnaissance by enumerating all storage gadgets and calculating their capacities to create a complete map of all out there drives and their storage sizes for encryption.

The main_windows_api_IsRunAsAdmin() operate performs a Home windows privilege test utilizing two sequential Home windows API calls to find out if the present course of possesses administrative rights.

The operate first calls AllocateAndInitializeSid() to create a Safety Identifier for the native Directors group utilizing SECURITY_BUILTIN_DOMAIN_RID (32) because the authority, DOMAIN_ALIAS_RID_ADMINS (544) because the subauthority, and an authority depend of two.

Following profitable SID creation, the operate calls CheckTokenMembership() to confirm if the present course of token belongs to the Directors group, returning a boolean worth indicating administrative standing. If both API name fails, the operate returns descriptive error messages similar to “AllocateAndInitializeSid failed: %v” or “CheckTokenMembership failed: %v”.

When the privilege test determines the method lacks administrative rights, the ransomware prints “[!!!] person not admin. exit [!!!]” and instantly terminates execution.

This represents a tough requirement with no bypass mechanism, because the ransomware requires administrative privileges to terminate system processes, delete quantity shadow copies  (cmd.exe /c vssadmin delete shadows /all /quiet), and entry system APIs mandatory for area detection and daemon course of creation.

After confirming administrative privileges, the ransomware gathers important system info by calling GetSystemInfo() by way of the Home windows API. It particularly extracts the dwNumberOfProcessors worth, which signifies the variety of CPU cores out there on the system and is used for optimizing the threading technique through the encryption part.

The system preparation part continues with aggressive course of termination concentrating on safety and database purposes that may intrude with the encryption course of.

The ransomware calls main_windows_api_KillProcesses(), which iterates by way of a predefined checklist of 120 goal processes. The ‘*’ present in some course of names is used to point a wildcard for the string matching.

When a course of title matches the goal sample above, the operate executes the termination sequence by calling OpenProcess(PROCESS_TERMINATE, FALSE, processID) to acquire a deal with to the goal course of with termination privileges.

If the deal with is efficiently obtained, it calls TerminateProcess(process_handle, 1) to forcefully terminate the method with exit code 1 and prints successful message displaying the method ID and title within the format “[+] killed pid %d (%s)”. If termination fails, the operate returns an error message stating “did not terminate course of” however continues to kill different goal processes.

The ransomware makes use of the Home windows API DsRoleGetPrimaryDomainInformation to find out the pc’s position in a site. That is carried out within the main_windows_api_GetPCRole() operate, which maps Home windows area roles to inner values.

Whatever the detected area position, every department executes the identical sequence of loading a role-specific string message and displaying corresponding standing messages earlier than instantly continuing to the daemon creation part.

These messages counsel meant community propagation capabilities that have been both by no means absolutely applied or characterize incomplete growth, because the precise code accommodates no lateral motion performance past the native encryption routine.

• Standalone PC: shows [+] detect standalone computer. indicating the system isn’t related to a site

• PC in Area: exhibits [+] detect computer in area. run switch to dc. suggesting switch to area controllers

• Backup Area Controller: exhibits [+] detect BDC. run switch to PDC., implying propagation to the first area controller

• Main Area Controller: shows [+] detect PDC. run switch to all computer in area. indicating unfold to all area computer systems

There are just a few encryption methods the binary chooses from: EncryptFull or EncryptPart. Each of these capabilities make use of the encryptFileRange() operate with totally different arguments.

The choice occurs with a easy file dimension test that compares every file towards a 1 GB threshold. For recordsdata which can be 1 GB or smaller, the ransomware binary calls EncryptFull(), which encrypts all the file from begin to end. For recordsdata bigger than 1 GB, it calls EncryptPart(), which solely encrypts the primary 25% of the file utilizing a hardcoded ratio.

They’ve a peer public key (Curve25519) and through encryption will generate an ephemeral personal key utilizing main_windows_api_generateEphemeralKeyPair().

These are used to generate the XChaCha20 key which is later used for file encryption. To perform this they use scalar multiplication (X25519) between the personal key and their public key to generate a 32 byte shared secret.

That shared secret together with a 24 byte random nonce are used because the parameters for the ChaCha file encryption.

Earlier than writing the encrypted file again to disk they append a 64 byte footer which is comprised of:

• OBSCURA!

• 32 byte public key

• 24 byte nonce

Since they’ve the peer personal key, they’ll use this footer to rederive the ChaCha20 key that was used to encrypt the file.

The Obscura ransomware implements a file filtering mechanism designed to maximise harm to person information whereas preserving system performance. 

The filtering system operates by way of the main_hasExcludedExtension() operate, which performs case-insensitive extension matching towards a hardcoded exclusion checklist. The operate extracts file extension and compares towards 15 predefined extensions:

System Executables and Libraries:

• .exe – Executable purposes

• .dll – Dynamic Hyperlink Libraries

• .msi – Microsoft Installer packages

• .sys – System driver recordsdata

Boot and Firmware Elements:

• .efi – UEFI firmware recordsdata

• .boot – Boot configuration recordsdata

• .iso – ISO disc picture recordsdata

• .rom – ROM firmware recordsdata

• .bin – Binary system recordsdata

System Configuration and Utilities:

• .ini – Configuration recordsdata

• .cfg – Configuration recordsdata

• .lnk – Home windows shortcut recordsdata

• .hosts – Community configuration recordsdata

• .swapfile – Home windows digital reminiscence recordsdata

Ransomware Self-Safety:

Obscura and different new ransomware variants

Obscura is one in all a number of newer ransomware variants that Huntress has seen popping up in current months, together with Crux ransomware and Cephalus ransomware. This might be on account of a number of elements. Risk actors regularly rebrand and roll out new ransomware variants after regulation enforcement disruptions influence the ecosystem.

Moreover, as our buyer base continues to develop, we proceed to realize extra visibility into extra ransomware variants.

Regardless, what was offered on this submit is only one means for deploying ransomware. Organizations ought to monitor their area controllers intently and search for the addition of recent recordsdata, in addition to the modification of current recordsdata, together with GPOs.

Directors also needs to monitor area controllers, in addition to different endpoints (servers, workstations) for uncommon or suspicious entry. 

Keep Situational Consciousness—Register for Tradecraft Tuesday

Tradecraft Tuesday gives cybersecurity professionals with an in-depth evaluation of the most recent risk actors, assault vectors, and mitigation methods.

Every weekly session options technical walkthroughs of current incidents, complete breakdowns of malware traits, and up-to-date indicators of compromise (IOCs).

Members acquire:

• Detailed briefings on rising risk campaigns and ransomware variants

• Proof-driven protection methodologies and remediation strategies

• Direct interplay with Huntress analysts for incident response insights

• Entry to actionable risk intelligence and detection steerage

Advance your defensive posture with real-time intelligence and technical training particularly designed for these liable for safeguarding their group’s atmosphere.

Register for Tradecraft Tuesday →

 

IOCs

Sponsored and written by Huntress Labs.