HomeAnalysisSubmit Questions?

ransomware.email


Analysis

Relationships between Ransomware strains


🔙 Take me back!


There can be multiple reasons why different ransomware strains would use the same E-Mail addresses:



Phobos








Dharma


The following two E-mail addresses where first used in a Dharma Infection on the 6th of January 2020 (Source: Kaspersky Club, Extension: .harma). Two days later another sample turned up with a similar Ransomnote layout compared to Dharma or Phobos. In the Note the Malware was referred to as WannaScream or Darkcrypt. Below you can see two screenshots of the .hta Ransomnotes which look quite similar (I substituted the Dharma screenshot with an equivalent one because there is no sample available). Although Dharma is built with Win32/C++ and the Darkcrypt sample with .NET a connection between these two binaries is likely for two reasons: The Dharma sample did not spread nearly as wide as in previous campaigns, so they might have continued it with the new implementation for testing purposes. Secondly the realtion in behavior and appearance is apparent and the time frame before the E-Mail reuse is very small.