Ransomware With an Identity Crisis Targets Small Businesses, Individuals

TZW is the latest version of Adhubllka, which has been active since 2019 but has gone largely unreported due to its lower ransom demands.

Researchers have identified a new strain of
ransomware
that dates back to 2019 and targets individuals and small businesses, demanding small ransoms from each client rather than the often million-dollar sums that typical ransomware actors ask.
TZW is the latest strain of the Adhubllka ransomware family, which first appeared in January 2020 but already was active the year before, researchers from security and operations analytics firm Netenrich revealed in a blog post published this week.
Even more important than the discovery of the strain is the process that researchers undertook to identify it correctly. Over the years, many of the samples of Adhubllka have been misclassified and/or mistagged into some other ransomware family, says Rakesh Krishnan, senior threat analyst at Netenrich.
This would confuse threat hunters/security researchers while doing an incident report, he says. Indeed, researchers report that multiple engines had previously detected TZW but found traces of other malware, such as CryptoLocker, in the sample.
Further, other names had already been assigned to the same piece, including ReadMe, MMM, MME,
GlobeImposter2.0
, which all actually belong to the Adhubllka ransomware family. All this confusion required further digging into the genealogy of the ransomware strain to identify it with proper attribution, Krishnan says.
This research also sheds light on the tracing of a family of ransomware to its origin using [threat actors] communication channels and other means, including contact emails, ransom notes, and execution method, which all played a vital role in analysis, he adds.
Adhubllka first
gained more attention
in January 2020, but had been highly active the previous year, the researchers noted. Threat group TA547 used Adhubllka variants in their campaigns targeting various sectors of Australia in 2020.
A key reason it was so tricky for researchers to identify TZW as a spinoff of Adhubllka is because of the small ransom demands the group typically makes — $800 to $1,600. At that low level, victims often pay attackers and the attackers continue to fly under the radar.
This ransomware, like others, is being delivered via
phishing
campaigns, but the uniqueness lies as they only target individuals and small-sized companies, hence they wont make a big news on the media channel, Krishnan says. However, this doesnt mean [Adhubllka] wont grow bigger in coming time, as they had already made necessary updates on their infrastructure.
In fact, in the future, the researchers anticipate that this ransomware may be rebranded with other names; other groups may also use it to launch their own ransomware campaigns.
However, as long as the threat actor does not change their mode of communication, we will be able to trace all such cases back to the Adhubllka family, Krishnan says.
Indeed, the key that researchers used to tie the latest campaign to Adhubllka was to track previously linked Tor domains used by the actor, with the team uncovering clues from within the ransom note dropped to victims to trace it back to the source.
In the note, the threat actor asks victims to communicate via a Tor-based victim portal to obtain decryption keys following ransom payment. The note indicated that the group changed its communication channel from v2 Tor Onion URLs to v3 Tor URL, because the Tor community deprecated v2 Onion domains, according to the post.
Further, an additional sentence in the note — the server with your decryptor is in a closed network Tor — was only seen in two new Adhubllka variants: TZW and U2K, according to the researchers, which further narrowed down attribution.
Other clues that pointed clearly to the latest variant of Adhubllka were the campaigns use of the email address [email protected], reported widely as belonging to the ransomware group, and its link to the MD5 variant sample of Adhubllka spotted in 2019.
The research overall demonstrates how
ransomware
is carefully crafted to throw threat hunters off the trail of cybercriminals, reinforcing the importance of defending against attacks by setting up an endpoint security solution, Krishnan says.
However, when a ransomware is newly formed/coded, it can only be thwarted by basic security education, like not to click on malicious links delivered via email, he says.
Indeed, the most important protections for organizations lie in
preventing ransomware
from entering an environment in the first place, which means looking for behavior anomalies, privilege escalation, and the introduction of suspicious removable media into an environment, Krishnan adds.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Ransomware With an Identity Crisis Targets Small Businesses, Individuals