https://hexpysya.github.io/tags/ransomware/Recent content in Ransomware on bubka hacks stuffHugo -- gohugo.ioen-usMon, 13 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/elk-bumblebee---gold-cabin/Mon, 13 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/elk-bumblebee---gold-cabin/An employee at CompliantSecure received a phishing email from emkei.cz, downloaded a malicious ISO containing BumbleBee loader 23.dll, which established C2 to 3.68.97.124 and injected into ImagingDevices.exe, dumped LSASS credentials, laterally moved to DC01 via PsExec using markw credentials, staged AdFind and AnyDesk, created sql_admin backdoor account, moved to FileServer01 and Support01, exfiltrated archived share data, and deployed Conti ransomware dropping R3ADM3.txt ransom notes.https://hexpysya.github.io/blue_team/elk-black-basta/Thu, 09 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/elk-black-basta/A finance employee opened a malicious Excel macro from a drive-by download, which executed a VBS dropper, loaded WindowsUpdaterFX.dll via regsvr32, established persistence, dropped Pancake.jpg.exe as a C2 backdoor, performed internal reconnaissance, laterally moved to a domain controller via PsExec using compromised credentials, exfiltrated client data to MEGA via rclone, deleted shadow copies, and deployed BlackBasta ransomware.https://hexpysya.github.io/blue_team/elk-revil/Tue, 07 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/elk-revil/An administrator executed facebook assistant.exe on a Windows Server 2019 host, which dropped REvil ransomware (Sodinokibi), spawned a PowerShell process that deleted Volume Shadow Copies, and dropped ransom notes across multiple user profile directories.https://hexpysya.github.io/blue_team/splunk-nerisbot/Tue, 07 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/splunk-nerisbot/A victim host downloaded multiple malicious executables via HTTP, including Emotet, ransomware, and trojan payloads, detected through Suricata IDS alerts and confirmed malicious via VirusTotal.https://hexpysya.github.io/investigations/htb-lockpick3.0/Sun, 15 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-lockpick3.0/A ELF64 ransomware binary uses XOR string obfuscation keyed on a CLI passphrase, contacts a DigitalOcean C2 to register and retrieve an AES-256-CBC key and IV, recursively encrypts target files in /share/ renaming them to .24bes, exfiltrates the originals via HTTP PUT, zeroes and removes the source files, and installs a systemd service for persistence.https://hexpysya.github.io/investigations/cdef-bluesky-ransomware/Tue, 10 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-bluesky-ransomware/An attacker performed a port scan, exploited a Microsoft SQL Server via the sa account, enabled xp_cmdshell to drop and execute a base64-encoded payload, then deployed a multi-stage PowerShell toolkit to disable AV, dump NTLM hashes, perform lateral movement via SMB, and stage the BlueSky ransomware payload.