LostTrust Ransomware | Latest Multi-Extortion Threat Shares Traits with SFile and Mindware

LostTrust is a new multi-extortion ransomware that evolved from SFile and Mindware, sharing tradecraft with MetaEncryptor and producing similar artifacts and leak-site behavior. It encrypts files with a distinctive .losttrustencoded extension, attempts to disrupt defenses, and uses a TOR-based victim blog to hint at data leaks if payment isn’t made. #LostTrust #SFile #Mindware #MetaEncryptor

Keypoints

  • LostTrust is a new multi-extortion threat that appears to be an evolution of SFile and Mindware with overlaps to MetaEncryptor.
  • Execution involves terminating a wide range of services (e.g., Exchange, MSSQL, SharePoint, Tomcat, PostgreSQL) to prevent encryption or data exfiltration from being blocked.
  • It uses hidden CMD.EXE sessions to run commands (WMIC, NET, SC, taskkill, VSSADMIN, wevtutil) for discovery, termination, and cleanup.
  • Shadow copies are deleted and Windows Event Logs cleared, via VSSADMIN and wevtutil.exe respectively, to hinder recovery and for stealth.
  • Files are encrypted with a “.losttrustencoded” extension and a ransom note “!!LostTrustEncoded.txt” is written in each folder; the tool supports a `--enable-shares` option for network volumes.
  • The threat actor maintains a TOR-based victim blog, mirrors of MetaEncryptor, and cross-references to Mindware/SFile-era notes; victims are publicly listed on the blogs.

MITRE Techniques

  • [T1059.003] Windows Command Shell – LostTrust initiates numerous hidden CMD.EXE sessions to carry out tasks, including running WMIC, NET, SC, taskkill, VSSADMIN and wevtutil commands. Quote: ‘The ransomware initiates numerous, hidden CMD.EXE sessions in order to carry out these tasks.’
  • [T1047] Windows Management Instrumentation – The payload uses WMIC as part of its command set to stop and modify services. Quote: ‘The hidden CMD.EXE windows subsequently host the observed WMIC, NET, SC, taskkill, VSSADMIN and wevtutil commands.’
  • [T1569.002] Service Execution – It stops and disables a broad set of services (e.g., MSSQL, Exchange) and changes start modes via WMIC/SC. Quote: ‘WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE’
  • [T1490.001] Inhibit System Recovery: Delete Shadow Copies – It removes VSS shadow copies to hinder recovery. Quote: ‘"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet’
  • [T1070.001] Clear Windows Event Logs – It clears event logs to cover tracks. Quote: ‘wevtutil cl Application’ and related commands to purge logs.
  • [T1486] Data Encrypted for Impact – Encrypted files use the “.losttrustencoded” extension and a ransom note is written. Quote: ‘Encrypted files are modified with the “.losttrustencoded” file extension, and a LostTrust ransom note is written to each folder containing encrypted items as “!!LostTrustEncoded.txt”.’
  • [T1057] Process Discovery – The malware attempts to discover and terminate a wide range of processes to ensure encryption and data exfiltration proceed unimpeded. Quote: ‘The ransomware payloads attempt to discover and terminate a plethora of services and processes.’
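The techniques above share one observable: a single parent process spawning hidden cmd.exe sessions that run vssadmin, wevtutil, WMIC, SC, NET and taskkill in quick succession. The following detection sketch is an added example for defenders, not code from the article or from SentinelOne. It runs a few command-line rules over constructed process-creation records (field names modelled loosely on Sysmon Event ID 1; the parent path `C:\Users\Public\lt.exe` is a made-up placeholder) and then correlates hits by parent so that one parent triggering several distinct rules stands out from routine one-off admin commands.

```python
import re

# Constructed sample process-creation records (hypothetical; modelled on
# Sysmon Event ID 1 fields). Parent/image paths are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\Public\lt.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c vssadmin.exe delete shadows /all /quiet'},
    {"parent": r"C:\Users\Public\lt.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c wevtutil cl Application"},
    {"parent": r"C:\Users\Public\lt.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c WMIC SERVICE WHERE \"caption LIKE '%Exchange%'\" CALL STOPSERVICE"},
    {"parent": r"C:\Users\Public\lt.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c sc config MSSQLSERVER start= disabled"},
    # Benign administrative activity that must not alert.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin list shadows"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Each rule is (label with MITRE technique, compiled regex over the command line).
RULES = [
    ("T1490.001 shadow copy deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("T1070.001 event log clearing",
     re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("T1569.002 service stop via WMIC",
     re.compile(r"wmic(?:\.exe)?\s+service\b.*\bcall\s+stopservice", re.I)),
    ("T1569.002 service disabled via SC",
     re.compile(r"\bsc(?:\.exe)?\s+config\b.*start=\s*disabled", re.I)),
    ("T1569.002 service stop via NET",
     re.compile(r"\bnet(?:\.exe)?\s+stop\b", re.I)),
    ("T1057 forced process termination",
     re.compile(r"taskkill(?:\.exe)?\b.*\s/f\b", re.I)),
]


def match_rules(cmdline):
    """Return the labels of every rule whose pattern appears in the command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def scan_events(events):
    """Evaluate each process-creation record; keep those that hit at least one rule."""
    alerts = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            alerts.append({"parent": ev["parent"], "cmdline": ev["cmdline"], "rules": hits})
    return alerts


def correlate_by_parent(alerts, min_distinct_rules=2):
    """Group alerts by parent process and keep parents that triggered several
    distinct rules. A single parent spawning shadow-copy deletion, log clearing
    and service stops in a burst is the pattern described in the keypoints;
    one isolated vssadmin or wevtutil call from an admin shell is not."""
    rules_by_parent = {}
    for alert in alerts:
        rules_by_parent.setdefault(alert["parent"], set()).update(alert["rules"])
    return {parent: sorted(rules)
            for parent, rules in rules_by_parent.items()
            if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    suspicious = correlate_by_parent(scan_events(SAMPLE_EVENTS))
    for parent, rules in suspicious.items():
        print(f"{parent}: {len(rules)} distinct defense-evasion/impact rules -> {rules}")
```

The per-rule matches are deliberately loose (case-insensitive, tolerant of `.exe` and extra spaces) because the correlation step, not any single regex, carries the signal; tune `min_distinct_rules` and the parent key (for example, parent process GUID instead of path) to fit the telemetry you actually collect.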

Indicators of Compromise

  • [Hash] SFile context – 0f20e5ccdbbed4cc3668577286ca66039c410f95, 14e4557ea8d69d289c2432066d860b60a6698548, and 7 more hashes
  • [Hash] Mindware context – 46ca0c5ad4911d125a245adb059dc0103f93019d, 9bc1972a75bb88501d92901efc9970824e6ee3f5, and 3 more hashes
  • [Hash] MetaEncryptor context – e04760f670fab000c5ff01da39d4f4994011e581
  • [Hash] LostTrust context – 09170b8fd03258b0deaa7b881c46180818b88381
  • [Email] SFile ransom note contacts – [email protected], [email protected], and 5 more emails
  • [Email] Mindware contact addresses – [email protected], [email protected], [email protected], [email protected]
  • [Email] MetaEncryptor contact addresses – [email protected], [email protected]

Read more: https://www.sentinelone.com/blog/losttrust-ransomware-latest-multi-extortion-threat-shares-traits-with-sfile-and-mindware/