

threat-actor cybersecurity


RunSomeWares: Threat Actor Profile from Leaked Ransomware Negotiations

Threat actor profile extracted from leaked negotiation chats between ransomware attackers and victims.

Actor Profile

RunSomeWares is a prominent ransomware group operating primarily against European organizations. The group was identified through analysis of encrypted communication logs, payment-channel patterns and network traffic associated with its operations. The attackers have demonstrated mature tradecraft in encryption, persistence and negotiation, all aimed at maximizing the ransom they collect.

Origin and Motivation

The group operates from central infrastructure located in the European Union and coordinates over encrypted messaging channels. Its primary motivation is financial: ransom collection through direct payments or funds channelled from victims. The same encrypted tools are used to negotiate with target organizations, where the attackers set out the terms for decryption and the payment schedule.

Tactics and Techniques (TTPs)

The group runs a multi-stage attack lifecycle that includes:

  • Ransomware deployment: the attacker delivers encrypted binaries via email, messaging platforms or cloud storage. The files carry the payload responsible for encryption and persistence.
  • Persistence establishment: system-wide modifications that keep access in place without detection, using techniques such as registry (Run key) modification, scheduled tasks, service binding, credential caching, network persistence, file locking and disk manipulation.

Victim negotiation is carried out over encrypted messaging platforms, where the attackers dictate decryption terms and payment schedules.

Known Campaigns

The group has run multiple campaigns against the healthcare, finance, retail and manufacturing sectors in European countries including Germany, Poland, Belgium and the Netherlands. Known campaigns include:

  • Healthcare sector (May 2024): targeted medical facility operations, resulting in encryption of stored data.
  • Retail operations (April 2023): spread across multiple locations, with negotiation over encrypted channels.
  • Manufacturing (March 2025): production-line disruption causing operational delays.

Targets and Victims

The group targets companies in high-value sectors where recovery costs are significant. Observed victims break down as follows:

  • Healthcare facilities (80% of observed victims): hospitals and clinics with critical data requirements.
  • Retail chains (15% of observed victims): shopping centres and retail operations.
  • Manufacturing (5% of observed victims): production facilities with supply-chain dependencies.

Targeted locations include major European cities such as London, Berlin, Paris and Frankfurt.

Indicators of Compromise (IOCs)

Type | Value / URL | Context
Domain | runsomewares.com | Primary attack infrastructure and communication channel.
E-mail | [email protected] (address not preserved on the page) | Sender address used for initial distribution to targets.
File hash | SHA-256: a1b2c3d4... (truncated) | Ransomware binary with custom payload.
Registry persistence | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Autostart (Run key) value so the payload executes at every logon; scheduled tasks are used alongside it.
C2 endpoint | 192.0.2.10:8443 | Gateway for command-and-control operations. Note that 192.0.2.10 falls in the RFC 5737 documentation range (192.0.2.0/24), so the value as published cannot be a live address.
Filesystem path | /var/opt/ransomware/encrypted_data/secure_backup | Location where encrypted data is staged after a successful attack.

Beyond the entries above, no public indicators of compromise are available for this group. In-depth analysis of the targeted operating systems and traffic monitoring on critical endpoints are recommended.

Detection and Defense

High priority: monitor systems that run third-party software without a prior risk assessment. Detect unauthorized execution of processes that misuse the Windows API, PowerShell or System.CommandLine.

Implement security controls on critical endpoints, including:

  • Software assessment: evaluate installed software with analysis tooling to detect malicious code before it is deployed.
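Detection logic for the persistence and C2 patterns described in the TTPs and IOC sections above (Run-key autostarts, scheduled tasks, hidden or encoded PowerShell, connections and DNS lookups to the watch-listed endpoint), as an added example that is not part of the original post. It runs over constructed Sysmon-style events, not real telemetry; the rule names, the `hunt` function and the event field names (modelled on Sysmon event IDs 1, 3, 13 and 22) are assumptions for illustration, and the watch-listed IP and domain are taken from the IOC table.

```python
import re

# Watchlist taken from the IOC table above. 192.0.2.10 lies in the RFC 5737
# documentation range, so in a real hunt this entry would need a live value.
IOC_IPS = {"192.0.2.10"}
IOC_DOMAINS = {"runsomewares.com"}

# Autostart Run/RunOnce keys under HKLM or HKCU.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations an unprivileged user can write to; legitimate autostarts rarely live here.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# powershell.exe launched with an encoded command plus window-hiding / no-profile switches.
PS_ENCODED_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
PS_HIDDEN_RE = re.compile(
    r"\s-(nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b", re.IGNORECASE)
# schtasks.exe /create ... /tr <program>: the /tr value is what the task will run.
SCHTASKS_CREATE_RE = re.compile(r"schtasks(\.exe)?\s.*?/create\b", re.IGNORECASE)
SCHTASKS_TR_RE = re.compile(r'/tr\s+("[^"]+"|\S+)', re.IGNORECASE)


def check_registry(event):
    """Event 13: a Run/RunOnce value pointed at a binary in a user-writable path."""
    target, value = event.get("TargetObject", ""), event.get("Details", "")
    if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(value):
        return [("run_key_user_writable_target", f"{target} -> {value}")]
    return []


def check_process(event):
    """Event 1: scheduled-task persistence or a hidden, encoded PowerShell launch."""
    cmd, image = event.get("CommandLine", ""), event.get("Image", "").lower()
    findings = []
    if SCHTASKS_CREATE_RE.search(cmd):
        m = SCHTASKS_TR_RE.search(cmd)
        if m and USER_WRITABLE_RE.search(m.group(1)):
            findings.append(("schtasks_user_writable_target", m.group(1).strip('"')))
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        if PS_ENCODED_RE.search(cmd) and PS_HIDDEN_RE.search(cmd):
            findings.append(("powershell_encoded_hidden", cmd))
    return findings


def check_network(event):
    """Event 3: outbound connection to a watch-listed address."""
    ip = event.get("DestinationIp", "")
    if ip in IOC_IPS:
        return [("c2_ip_watchlist", f"{ip}:{event.get('DestinationPort')}")]
    return []


def check_dns(event):
    """Event 22: DNS query for a watch-listed domain or any of its subdomains."""
    name = event.get("QueryName", "").lower().rstrip(".")
    for domain in IOC_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return [("c2_domain_watchlist", name)]
    return []


CHECKS = {13: check_registry, 1: check_process, 3: check_network, 22: check_dns}


def hunt(events):
    """Run each event through the check for its event ID; findings keep input order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        for rule, evidence in (check(ev) if check else []):
            findings.append({"rule": rule, "image": ev.get("Image", ""), "evidence": evidence})
    return findings


# Constructed sample events (not real telemetry); the -enc payload is a made-up string.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /sc onlogon /tn Updater "
                    r"/tr C:\Users\alice\AppData\Local\Temp\update.exe /ru SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 8443},
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "QueryName": "api.runsomewares.com"},
    # Benign noise that must not fire: a service host and a vendor installer's Run entry.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']} :: {f['evidence']}")
```

The Run-key and schtasks rules only fire when the autostart target sits in a user-writable directory, which is what keeps the vendor installer's Program Files entry out of the findings; widen `USER_WRITABLE_RE` or add an allow-list of signed publishers to tune it for a given estate.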


Jordi Serrano — Senior Cyber Threat Intelligence
