Ethical Hacking News

The Obscura Ransomware Variant: A New Threat Emerges in the Cybersecurity Landscape


The Obscura ransomware variant poses significant concerns for businesses through its use of domain-wide propagation tactics and its ability to spread across multiple hosts. Experts emphasize the importance of maintaining situational awareness through resources such as Huntress' Tradecraft Tuesday.

  • The Obscura ransomware variant was first detected on August 29, 2025, and has several key characteristics that distinguish it from other variants.
  • The malware blends in with the domain's infrastructure, making it difficult to detect.
  • Obscura is a Go binary executable, indicating the programming environment in which it was built.
  • The ransomware variant disables recovery on the endpoint and creates scheduled tasks to enable Remote Desktop Protocol access.
  • The malware contains a ransom note in base64-encoded string format, warning victims of network encryption and data theft.
  • Obscura uses cryptography to make recovery difficult; an embedded command disables recovery on the endpoint, and the ransom note offers to negotiate a price.
  • The malware is designed to spread across multiple hosts by exploiting vulnerabilities in the infrastructure or using compromised credentials.
  • Obscura features a file filtering mechanism that excludes certain file types from encryption.
  • The malware chooses between two encryption strategies based on file size, and encrypts with a ChaCha20 key derived from a key pair.
  • The Obscura ransomware variant represents another addition to the growing list of newer ransomware variants, highlighting the ever-evolving nature of cybersecurity threats.

The cybersecurity landscape has recently been disrupted by the emergence of a new ransomware variant known as "Obscura." This particular strain of malware was first detected on August 29, 2025, and Huntress analysts have since identified several key characteristics that distinguish it from other variants.

One notable feature of Obscura is its apparent intent to blend in with the domain's infrastructure. The ransomware executable was found on a domain controller, in a path that included the domain name, apparently in an attempt to remain undetected. Furthermore, the binary was discovered in a location shared by scripts and group policy objects (GPOs), which is automatically replicated across all domain controllers.

The Obscura ransomware is a Go binary executable, indicating the programming environment in which it was built. A key component of this malware is an embedded command that disables recovery on the endpoint. In addition, it creates a scheduled task named "iJHcEkAG" and executes a command via cmd.exe to allow Remote Desktop Protocol access through the Windows firewall.

Observations have also revealed that Obscura carries its ransom note as a base64-encoded string. The note tells the victim that their company has failed a simple penetration test and that their network has been completely encrypted by Obscura's software. It also claims that all information on the network has been stolen and sets a deadline for a response of approximately 240 hours.

The ransomware variant uses cryptography to make recovery difficult. The note also claims to describe how the attackers infiltrated the network and offers to negotiate a ransom price with the victim. It adds a warning that recovery agencies, the police, and other services will not assist in recovering the stolen data, citing laws that impose large fines on companies for information leaks.

Another interesting aspect of Obscura is its use of file paths pointing to encrypted files located within a "Locker" folder named veracrypt1. The presence of this Locker folder suggests that the malware is designed to spread across multiple hosts by exploiting vulnerabilities in the infrastructure or using compromised credentials. Furthermore, it gathers system information such as the number of CPU cores available on the host.

Observations also reveal that Obscura runs a series of processes in preparation for encryption and for its own termination, including eliminating volume shadow copies and calling the system APIs needed for domain detection and daemon process creation, all of which require administrative privileges.

The ransomware variant employs several strategies designed to maximize damage while preserving system functionality. A file filtering mechanism is implemented through the main_hasExcludedExtension() function, which performs case-insensitive extension matching against a hardcoded exclusion list of 15 predefined extensions, covering system executables and libraries as well as boot and firmware components.

The Obscura ransomware variant also features an encryption strategy based on two functions: EncryptFull and EncryptPart. The choice between them is made by a simple file size check that compares each file against a 1 GB threshold. For files of 1 GB or smaller, it calls EncryptFull(), which encrypts the entire file from start to finish. For larger files, it calls EncryptPart(), which encrypts only the first 25% of the file using a hardcoded ratio.

Both encryption strategies use a ChaCha20 key generated through scalar multiplication of a private key and a public key: an ephemeral private key is combined with a peer public key to produce a shared secret, which is used together with a random nonce.

Each encrypted file includes a 64-byte footer that contains:

  • A hardcoded string (OBSCURA!)
  • The peer's 32-byte public key
  • The 24-byte random nonce

This footer can be used to re-derive the ChaCha20 key later during decryption.
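As an added defender-side example (not code from Huntress' analysis or from the sample), the footer layout above can be parsed during incident response to inventory encrypted files: pull out the peer public key and nonce, and, using the size rule from the preceding paragraphs, work out how much of a large file was never encrypted. Assumptions marked in the code: the 1 GB threshold and 25% ratio are applied to the pre-footer size, and 1 GB is taken as 2**30 bytes.

```python
import os

FOOTER_MAGIC = b"OBSCURA!"                   # 8-byte marker the analysis reports
PUBKEY_LEN, NONCE_LEN = 32, 24               # peer public key, random nonce
FOOTER_LEN = len(FOOTER_MAGIC) + PUBKEY_LEN + NONCE_LEN   # 8 + 32 + 24 = 64 bytes
FULL_LIMIT = 1 << 30                         # 1 GB: at or below -> EncryptFull
PART_RATIO = 0.25                            # above it -> EncryptPart, first 25% only

def parse_footer(tail):
    """Split a 64-byte footer into (peer_pubkey, nonce); None if it is not Obscura-style."""
    if len(tail) != FOOTER_LEN or not tail.startswith(FOOTER_MAGIC):
        return None
    key_end = len(FOOTER_MAGIC) + PUBKEY_LEN
    return tail[len(FOOTER_MAGIC):key_end], tail[key_end:]

def encrypted_prefix(original_size):
    """Bytes the size rule would have encrypted. Assumption: the 1 GB check and the
    25% ratio apply to the pre-footer size, and 1 GB is taken as 2**30 bytes."""
    if original_size <= FULL_LIMIT:
        return original_size
    return int(original_size * PART_RATIO)

def triage(tail, total_size, name="<mem>"):
    """Inventory one encrypted file from its footer and on-disk size: which peer key
    and nonce were used, and how much content is ciphertext versus untouched."""
    parsed = parse_footer(tail)
    if parsed is None or total_size < FOOTER_LEN:
        return None
    pub, nonce = parsed
    original = total_size - FOOTER_LEN
    enc = encrypted_prefix(original)
    return {"path": name, "peer_pubkey": pub.hex(), "nonce": nonce.hex(),
            "original_size": original, "encrypted_bytes": enc,
            "plaintext_bytes": original - enc}

def triage_file(path):
    """Disk variant: reads only the final 64 bytes, so multi-GB files stay cheap."""
    size = os.path.getsize(path)
    if size < FOOTER_LEN:
        return None
    with open(path, "rb") as fh:
        fh.seek(size - FOOTER_LEN)
        return triage(fh.read(FOOTER_LEN), size, path)

def group_by_key(results):
    """Files sharing one peer public key were encrypted under the same campaign key."""
    groups = {}
    for r in results:
        groups.setdefault(r["peer_pubkey"], []).append(r["path"])
    return groups
```

The footer does not let a defender recover the key, since that needs the private scalar held by the attacker; its value in response is inventory and grouping. Files above the 1 GB threshold keep roughly 75% of their content in plaintext at the tail, which matters when carving recoverable data from large databases or archives.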

The Obscura ransomware variant represents another addition to the growing list of newer ransomware variants, such as Crux and Cephalus ransomware. This could be due to threat actors continually rebranding and rolling out new variants after law enforcement disruptions impact the ecosystem.

Organizations are advised to monitor their domain controllers closely and look for the addition of new files or modifications of existing ones, including Group Policy Objects (GPOs). Administrators should also monitor other endpoints such as servers and workstations for unusual or suspicious access. Maintaining situational awareness through resources such as Huntress' Tradecraft Tuesday is essential to stay ahead of emerging ransomware threats.
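The behaviours this article describes (an executable dropped into the GPO/scripts share on a domain controller, the "iJHcEkAG" scheduled task, RDP allowed through the Windows firewall, shadow copies removed) map onto a small set of detection rules; the following is an added example written for this page, not Huntress' detection content. It runs over constructed sample events: the SYSVOL path (the replicated scripts/GPO share on domain controllers), host names and the domain corp.example are invented, and the netsh and vssadmin command forms are assumed shapes for the behaviours described, since the article does not quote the actual commands.

```python
import re

# Constructed sample telemetry, not real logs: hosts, paths and the domain name
# "corp.example" are invented; the task name iJHcEkAG is the one the analysis reports.
SAMPLE_EVENTS = [
    {"type": "file_write", "host": "DC01",
     "path": r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\corp.example.exe"},
    {"type": "task_create", "host": "DC01", "task": "iJHcEkAG"},
    {"type": "proc_create", "host": "DC01", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c netsh advfirewall firewall set rule group="remote desktop" new enable=yes'},
    {"type": "proc_create", "host": "WS07", "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "task_create", "host": "WS07", "task": "iJHcEkAG"},
    {"type": "proc_create", "host": "WS07", "image": "notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# (name, predicate) pairs. The netsh and vssadmin patterns are assumed command shapes
# for the behaviours described, not commands quoted from the Obscura sample.
RULES = [
    ("exe_written_to_sysvol", lambda e: e["type"] == "file_write"
        and re.search(r"\\sysvol\\.*\.(exe|dll)$", e.get("path", ""), re.I) is not None),
    ("obscura_task_name", lambda e: e["type"] == "task_create"
        and e.get("task") == "iJHcEkAG"),
    ("rdp_firewall_rule_enabled", lambda e: e["type"] == "proc_create"
        and re.search(r"netsh\s+advfirewall.*remote desktop.*enable=yes",
                      e.get("cmdline", ""), re.I) is not None),
    ("shadow_copies_deleted", lambda e: e["type"] == "proc_create"
        and re.search(r"vssadmin(\.exe)?\s+delete\s+shadows",
                      e.get("cmdline", ""), re.I) is not None),
]

def evaluate(events):
    """Return (host, rule_name) for every event that matches a rule."""
    return [(e["host"], name) for e in events for name, pred in RULES if pred(e)]

def hosts_per_rule(hits):
    """Distinct hosts per rule: one rule firing on several hosts is the
    domain-wide spread the analysis warns about, not an isolated endpoint."""
    seen = {}
    for host, name in hits:
        seen.setdefault(name, set()).add(host)
    return {name: len(hosts) for name, hosts in seen.items()}

def is_domain_wide(hits, min_hosts=2):
    """True when any single rule fired on at least min_hosts distinct hosts."""
    return any(n >= min_hosts for n in hosts_per_rule(hits).values())
```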

The full implications of the Obscura ransomware variant's existence must be further analyzed, but one thing is clear: this new threat brings heightened concern about information security and highlights the ever-evolving nature of cybersecurity threats.

Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Obscura-Ransomware-Variant-A-New-Threat-Emerges-in-the-Cybersecurity-Landscape-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/obscura-an-obscure-new-ransomware-variant/

Published: Wed Sep 24 10:18:57 2025 by llama3.2 3B Q4_K_M