Avast released a MafiaWare666 ransomware decryptor tool for variants such as JCrypt and BrutusptCrypt. The ransomware encrypts files in user folders using AES, adds new extensions, and Avast’s decryptor guides victims through recovering their data, sometimes leveraging a vulnerability to decrypt without paying. Hashtags: #MafiaWare666 #JCrypt
Keypoints
- MafiaWare666 is a ransomware strain written in C# that uses AES for file encryption and reportedly contains no obfuscation or anti-analysis techniques; some variants carry a vulnerability that allows decryption without paying.
- It targets common user folders (Desktop, Music, Videos, Pictures, Documents) and encrypts a long list of file extensions, resulting in new extensions such as .MafiaWare666, .jcrypt, .brutusptCrypt, .bmcrypt, .cyberone, and .l33ch.
- Ransom notes instruct victims to contact the attacker and pay in Bitcoin, with prices typically between $50–$300, though some older samples demand up to one Bitcoin.
- Avast provides a decryptor tool with a step-by-step wizard to search locations, select files, and initiate decryption, including a password-cracking step.
- The decryptor’s password-cracking process uses all known MafiaWare666 passwords to determine the correct one before decrypting files.
- IoCs for MafiaWare666 are published on GitHub (Avast Threat Research), including file hashes for various extension variants (.MafiaWare666, .jcrypt, .brutusptCrypt, .bmcrypt, .cyberone).
MITRE Techniques
- [T1083] File and Directory Discovery – The ransomware searches special folder locations (Desktop, Music, Videos, Pictures and Documents) and encrypts files whose extensions appear on its fixed target list. Quote: “…searches special folder locations (Desktop, Music, Videos, Pictures and Documents) and encrypts files with the following extensions:”
- [T1486] Data Encrypted for Impact – Encrypts files using AES. Quote: “…encrypts files using the AES encryption.”
- [T1110] Brute Force – The password cracking process uses all known MafiaWare666 passwords to determine the right one. Quote: “…password cracking process uses all known MafiaWare666 passwords to determine the right one.”
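The password-cracking step described under T1110 amounts to trying every known password against one encrypted file and keeping the first one that yields valid plaintext. The following is an added illustration of that recovery loop, not Avast's decryptor code and not MafiaWare666's actual file format: the key derivation (SHA-256 of the password), AES-256-CBC with the IV prepended to the ciphertext, PKCS#7 padding, the candidate password list and the sample file are all assumptions constructed for the demo. It checks both padding validity and a known file signature, because a wrong key still produces valid-looking padding roughly one time in 256.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// candidatePasswords stands in for a decryptor's list of known passwords.
// These are constructed placeholders, not real MafiaWare666 passwords.
var candidatePasswords = []string{
	"placeholder-pass-1",
	"placeholder-pass-2",
	"placeholder-pass-3",
}

// fileMagics are leading bytes of common user-document formats; a candidate
// password is accepted only if the decrypted bytes start with one of them.
var fileMagics = [][]byte{
	{0x89, 'P', 'N', 'G'},
	[]byte("%PDF"),
	[]byte("PK\x03\x04"), // ZIP, which also covers DOCX/XLSX/PPTX
	{0xFF, 0xD8, 0xFF},   // JPEG
}

// deriveKey is the assumed (hypothetical) key derivation: SHA-256 of the password.
func deriveKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad rejects anything that is not well-formed padding; with a wrong
// key the last block is effectively random, so this fails most of the time.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encrypt builds a sample blob in the assumed layout: IV || AES-256-CBC(padded plaintext).
// It exists only so the demo can construct its own input.
func encrypt(plain []byte, password string, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(password))
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...), nil
}

// decrypt reverses encrypt and returns an error when the padding does not verify.
func decrypt(blob []byte, password string) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or misaligned")
	}
	block, err := aes.NewCipher(deriveKey(password))
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out)
}

func looksLikeKnownFile(p []byte) bool {
	for _, m := range fileMagics {
		if bytes.HasPrefix(p, m) {
			return true
		}
	}
	return false
}

// findPassword tries each candidate in turn and returns the first one whose
// output both unpads cleanly and starts with a known file signature.
func findPassword(blob []byte, candidates []string) (string, []byte, bool) {
	for _, pw := range candidates {
		plain, err := decrypt(blob, pw)
		if err == nil && looksLikeKnownFile(plain) {
			return pw, plain, true
		}
	}
	return "", nil, false
}

func main() {
	// Constructed sample: a fake PNG encrypted under the third candidate password.
	sample := append([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}, []byte("constructed image payload")...)
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize) // fixed IV for the demo only
	blob, _ := encrypt(sample, "placeholder-pass-3", iv)
	if pw, plain, ok := findPassword(blob, candidatePasswords); ok {
		fmt.Printf("recovered with %q: %q\n", pw, plain)
	} else {
		fmt.Println("no known password matched")
	}
}
```

A real decryptor would run this check against one small encrypted file first, then reuse the password that verified for the rest of the victim's files, which is why the wizard asks for a file to test before the bulk decryption starts.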
Indicators of Compromise
- [Hash] .MafiaWare666 hashes – 6e91c9b5d052842093c6c292ec8224755d376aba6172d94faa241d8b192cb265, 73d8e7baa073997d060ecf826b533263cf857a89b36a5fea809b7dbfc70b2d25, 8324172e89866ed7122a9518bdc07e07ec2d173462dbbe2ff030fb408bc18123
- [Hash] .jcrypt hashes – 89ebe17b6dbb9dac780a4e2fe38da0261fa671cc79f4fe07cb9d26d9c0e447d2, 979962e2d9f64ee15854e6df908627c90ab85a0a346c11656df46d3130459dc9
- [Hash] .brutusptCrypt hash – 8c1a97f84caa9d58940d936a1c79c1c8d5fb791e1b3cac9fda22d195d3aeaea9
- [Hash] .bmcrypt hash – 5d4ba2e6cc18dc509e73f3ceeea82a83ca252d07444a6b669947d31f60c6dfb8
- [Hash] .cyberone hash – ee376851cb318f77b9c8b715a09c5c0ce11043f679bb39fa5b5d67242c1c3bb9
- [URL] IoCs repository – https://github.com/avast/ioc/tree/master/MafiaWare666
Read more: https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/