Mindware is a ransomware operation active since March 2022, likely a rebrand of SFile, with attacks across healthcare and other sectors. It leverages Reflective DLL Injection, encrypts targeted files, and uses a public leaks site to pressure victims, including a proof-of-decryption step via a .onion contact URL. #Mindware #SFile #Escal #ROT13
Keypoints
- Mindware appears to be a rebrand or close variant of the SFile ransomware lineage, with activity beginning in early 2022 and targeting multiple sectors including Healthcare, Finance, Engineering, and Manufacturing.
- The group uses a distinctive Reflective DLL Injection technique, aligning with SFile’s behavior, and relies on API resolution from memory rather than traditional on-disk loading.
- Mindware payloads are per-target configurations that encrypt internal, removable, and remote drives across 200+ file types while excluding a long list of system and user files/directories.
- The malware kills most running processes to protect the encryption stage, while allowing a predefined set of processes to continue running (defense evasion).
- Mindware hints at a double-extortion model via a public leaks site and onion contact method, pressuring victims to pay to avoid data exposure.
- There are strong overlaps with SFile in code and behavior, suggesting Mindware may be a rebrand or reuse of SFile’s source/builder.
MITRE Techniques
- [T1055] Process Injection – Mindware uses Reflective DLL Injection to load code from memory, bypassing the normal Windows loader. “Mindware uses Reflective DLL Injection, a technique in which the shellcode dynamically retrieves handles to key API functions like LoadLibraryA() and GetProcAddress() by locating function addresses through the Export Address Table loaded by the host process.”
- [T1027.002] Obfuscated Files or Information: Software Packing – The loader uses ROT13-based hashing to locate modules, avoiding direct module name searches. “The technique, which has also been noted in other ransomware families such as BlackMatter, avoids searching for module names directly and instead checks for hashes precalculated with a ROT13 algorithm.”
- [T1486] Data Encrypted for Impact – The ransomware encrypts files on internal, removable, and remote drives, targeting 200+ file types. “The ransomware checks for and then encrypts internal, removable and remote drive types.”
- [T1562.001] Impair Defenses – Mindware kills other processes to protect the encryption process, keeping a list of allowed processes that may continue running. “to protect itself and prevent other running processes from interfering with the encryption process, Mindware kills all other processes, with the exception of the following:”
- [T1110] Brute Force – SFile (and, by lineage, Mindware) is known to use RDP bruteforce as an entry vector. “SFile is known to use RDP bruteforce as an entry vector into an organization.”
- [TA0010] Exfiltration – Mindware uses data leaks as pressure, including an onion contact method and a leaks site, discouraging negotiation and threatening public data exposure. “Mindware attempts to discourage victims from contacting ‘recovery companies’, negotiators or authorities, threatening to immediately leak data should they do so. Victims are provided with a .onion URL … Victims that refuse to pay are listed on the Mindware ransomware public leaks site.”
Indicators of Compromise
- [Domain] Mindware Onion Address – dfpc7yvle5kxmgg6sbcp5ytggy3oeob676bjgwcwhyr2pwcrmbvoilqd.onion
- [SHA1] Mindware Samples – ae974e5c37936ac8f25cfea0225850be61666874, e9b52a4934b4a7194bcbbe27ddc5b723113f11fe, and 3 more hashes
- [SHA256] Mindware Samples – c306254b44d825e008babbafbe7b07e20de638045f1089f2405bf24e7ce9c0dc, 00309d22ab53011bd74f4b20e144aa00bf8bb243799a2b48f9f515971c3c5a92, and 3 more hashes