Identifying ADHUBLLKA Ransomware: LOLKEK, BIT, OBZ, U2K, TZW Variants

MITRE Techniques

• [T1573] Encrypted Channel – The threat actor communicates via TOR-based portals to obtain decryption keys after payment. Quote: “The threat actor asks victims to communicate via a TOR-based victim portal to obtain decryption keys following ransom payment.”
• [T1090] Proxy – TOR-based communications and alternate channels are used to hide activity. Quote: “Alternate communication channel: https://yip.su/2QstD5”
• [T1486] Data Encrypted for Impact – All files are encrypted with “.MMM” extensions and contain “CRYPTO LOCKER” text. Quote: “All files will be encrypted with “.MMM” extensions appended to the affected files.”
• [T1055] Process Injection – The sample drops malicious components (AddInProcess32.exe) and initiates infection via process injection. Quote: “process injection or dropping a malicious executable (AddInProcess32.exe) in a victim environment and initializing the infection chain.”
• [T1036] Masquerading – The campaign rebrands and rotates between variants, effectively masquerading as new ransomware. Quote: “they may change the encryption scheme, ransom notes, or command-and-control (C2) communication channels and then, re-brand themselves as a “new” ransomware.”
• [T1573] Encrypted Channel (duplicate line for emphasis) – TOR-based operations and observed transitions from v2 to v3 TOR URLs. Quote: “The above ransom notes indicate that the group has changed their communication channel from v2 TOR Onion URLs to v3 TOR URL.”
• [T1091] Replication through Removable Media – The article maps this technique in the matrix; observed code reuse across variants implies propagation practices. Quote: “T1091: Replication through Removable Media”
• [T1560] Archive Collected Data – Included as part of the ATT&CK matrix listing in the article; context suggests collection/archival behavior around exfiltration. Quote: “T1560: Archive Collected Data”
• [T1158] Hidden Files and Directories – Encryption and file naming patterns imply attempts to conceal artifacts. Quote: “Hidden Files and Directories”
• [T1027] Obfuscated Files or Information – The presence of encrypted and gibberish content in encrypted files implies obfuscation. Quote: “Obfuscated Files or Information”
• [T1406.002] Software Packing – Packaging/packing of malicious components is implied by the multi-component infection chain. Quote: “Software Packing”
• [T1056] Input Capture – User or victim interactions during negotiation or ticket submission may represent input capture activity. Quote: “Input Capture”
• [T1124] System Time Discovery – Timelines and variant release dates hint at time-based analysis of infections. Quote: “System Time Discovery”
• [T1518.001] Security Software Discovery – The notes discuss deception and evasion tactics that can reveal security tools. Quote: “Security Software Discovery”
• [T1057] Process Discovery – Understanding running processes as part of infection and persistence. Quote: “Process Discovery”