FortiGuard Labs’ Ransomware Roundup analyzes Shinra and Limpopo ransomware, highlighting how they encrypt data, hinder recovery, and evade defenses, with Fortinet protections and recommended mitigations. It also covers affected platforms (Windows and ESXi), victim geography, and relevant IOCs.
Key points
- The Shinra ransomware both steals data and encrypts files, and it deletes Volume Shadow Copies to impede recovery.
- Shinra shows startup-folder persistence by copying itself as a 32-hex-character .exe into the current user’s Startup folder.
- Shinra terminates a long list of processes to hinder defenses, and it changes the desktop wallpaper and certain registry keys (including a ransom notice).
- It uses wevtutil.exe to enumerate and clear Windows event logs, and it uses bcdedit commands to affect boot behavior and recovery settings, restarting with elevated privileges.
- Shinra encrypts many file types (notably excluding several system-related and other specific extensions) and appends a .SHINRA2-style extension to encrypted files; some variants use other extensions.
- The Limpopo ransomware targets ESXi environments, encrypts a wide set of VM-related extensions, and leaves a ransom note directing victims to a getsession.org URL, with several country-specific notes observed.
- Fortinet provides detections (e.g., W32/Filecoder.* and Linux/Filecoder_Babyk.R) and recommends updated AV/IPS signatures, phishing training, robust backups, cloud security (SASE), EDR, Zero Trust, and incident readiness services.
MITRE Techniques
- [T1547.001] Boot or Logon Autostart Execution – The Shinra ransomware copies itself to the startup folder so it starts on logon. – “The Shinra ransomware sample copies itself to the current user’s startup folder in the start menu as <ID>.exe, where <ID> is 32 hex characters.”
- [T1562.001] Impair Defenses – It terminates any process whose name contains one of a large list of strings, in order to hinder security tools. – “It then terminates processes whose names contain any of the following strings:”
- [T1112] Modify Registry – It sets registry keys for the wallpaper and legal notices to discourage recovery and to display its message. – “The ransomware replaces the desktop wallpaper by changing the following registry setting: HKCU\Control Panel\Desktop\Wallpaper to point to C:\ProgramData\<ID>.bmp”
- [T1070.001] Clear Windows Event Logs – It uses wevtutil.exe to enumerate and clear Windows logs. – “It also uses wevtutil.exe to enumerate and clear Windows logs.”
- [T1490] Inhibit System Recovery – It deletes shadow copies via COM-based commands to prevent recovery. – “The Shinra ransomware uses COM to run the following commands to delete shadow copies, making file recovery difficult:”
- [T1082] System Information Discovery – It checks the OS version to confirm it is running on a targeted system (a minimum Windows version). – “The ransomware checks to make sure it’s running inside a targeted operating system by: Using the “VerifyVersionInfo” API to ensure the Windows version is at least 6.0 (Windows Vista/Server 2008)”
- [T1548.001] Use Elevation Privileges – It restarts itself with administrator privileges (“runas admin”). – “The ransomware then restarts itself using “runas admin” to ensure that it is running with administrator privileges.”
- [T1486] Data Encrypted for Impact – It encrypts files and appends a new extension (e.g., “.LIMPOPO” for Limpopo, “.SHINRA2” for Shinra). – “Once files have been encrypted, a “.LIMPOPO” extension is added to the filename.”
- [T1059.003] Windows Command Shell – The ransomware uses COM to execute shell commands (e.g., to delete shadow copies). – “The Shinra ransomware uses COM to run the following commands to delete shadow copies, making file recovery difficult:”
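As an added illustration (not code from the FortiGuard report), the following Python snippet maps EDR-style telemetry onto the Shinra/Limpopo behaviours listed above: the 32-hex-character Startup-folder executable, wevtutil log clearing, shadow-copy deletion, bcdedit recovery tampering, the Wallpaper/LegalNotice registry keys, and the .SHINRA*/.LIMPOPO extensions. The sample events, field names, and the exact vssadmin/bcdedit command forms are constructed assumptions, since the report excerpt does not list the commands.

```python
import re

# Constructed sample telemetry (not from the report): each dict mimics one EDR
# event with a "type" (file | process | registry) and a few fields.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f1e2d3c4b5a69788796a5b4c3d2e1f0.exe"},
    {"type": "process", "cmdline": "wevtutil.exe cl Security"},
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},   # assumed command form
    {"type": "process", "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},  # assumed command form
    {"type": "registry", "key": r"HKCU\Control Panel\Desktop\Wallpaper", "value": r"C:\ProgramData\0f1e2d3c4b5a69788796a5b4c3d2e1f0.bmp"},
    {"type": "file", "path": r"C:\Users\bob\Documents\budget.xlsx.SHINRA2"},
    {"type": "process", "cmdline": "notepad.exe readme.txt"},   # benign control
]

# <ID>.exe in the per-user Startup folder, where <ID> is 32 hex characters.
STARTUP_HEX_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[0-9a-f]{32}\.exe$", re.I)
# Extensions the report associates with encrypted files (.SHINRA2/3/7/9, .LIMPOPO).
RANSOM_EXT = re.compile(r"\.(SHINRA\d+|LIMPOPO)$", re.I)

def classify(event):
    """Return the MITRE technique IDs suggested by one event (empty if nothing matched)."""
    hits = []
    if event["type"] == "file":
        if STARTUP_HEX_EXE.search(event["path"]):
            hits.append("T1547.001")  # startup-folder persistence
        if RANSOM_EXT.search(event["path"]):
            hits.append("T1486")      # file renamed with a ransomware extension
    elif event["type"] == "process":
        c = event["cmdline"].lower()
        if "wevtutil" in c and (" cl " in c or "clear-log" in c):
            hits.append("T1070.001")  # Windows event log clearing
        if "shadow" in c and "delete" in c:
            hits.append("T1490")      # shadow-copy deletion (assumed command form)
        if "bcdedit" in c and ("recoveryenabled" in c or "bootstatuspolicy" in c):
            hits.append("T1490")      # boot/recovery setting tampering (assumed switches)
    elif event["type"] == "registry":
        k = event["key"].lower()
        if k.endswith(r"control panel\desktop\wallpaper") or "legalnotice" in k:
            hits.append("T1112")      # wallpaper / legal-notice registry change
    return hits

def scan(events):
    """Count, per technique ID, how many events matched it."""
    counts = {}
    for ev in events:
        for tid in set(classify(ev)):
            counts[tid] = counts.get(tid, 0) + 1
    return counts

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

A single host raising several of these technique IDs within a short window is a far stronger signal than any one of them alone, so the counts are meant to be correlated rather than alerted on individually.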
Indicators of Compromise
- [File Hash] Shinra File IOCs – 31eec61ed6866e0b4b3d6b26a3a7d65fed040df61062dd468a1f5be8cc709de7, d60d4624425b2f58dd9e37c40046f776e0d78cb031488a12c435239dd0da40ef, 941a95c85a4b37bff4571d49eb918a5094a032ac1416bded3a3cd3427ecf984c, 399d586f033ec625a1f7524c86a1483808ff07e920f93e82e70cc5138feee72e
- [File Hash] Limpopo File IOCs – 031971b9ccb57c1a7cf25bbd58533a6b1b1e760b2f080cb2be5e2522c0d90053, 58ba94be5c2c7d740b6192fea1cc829756da955bb0f2fcf478ab8355bf33a31a
- [Domain] Command-and-control / ransom notes – getsession.org (referenced in ransom notes and victim communications)
- [Email] Ransom contact addresses – ethan@[removed].info and similar variants (appear in ransom notes and screenshots)
- [File Extension] Shinra encryption extensions – .SHINRA2 (and variants like .SHINRA3, .SHINRA7, .SHINRA9) and for Limpopo – .LIMPOPO
- [Domain] getsession.org in ransom notes (observed in Limpopo/SOCOTRA context) – used as the instruction URL