Threat Intelligence Report November 25 - December 1 2025

Benzona Ransomware

Benzona is a newly emerged double-extortion ransomware group first observed in late November 2025. On 26 November 2025, the group simultaneously listed at least five victims on its Tor leak site, including multiple Romanian automotive dealerships (Suzuki, Mazda, Dacia in Ploiești) and a healthcare nonprofit in Côte d’Ivoire. This coordinated disclosure strongly suggests a shared entry vector or common third-party/supplier access across several related environments. Once inside a network, Benzona deploys a Windows ransomware payload that encrypts data and appends the extension .benzona to victim files (e.g. report.pdf → report.pdf.benzona). A ransom note named RECOVERY_INFO.txt is dropped into affected directories to initiate the extortion phase.

The note tells victims their files have been encrypted and data exfiltrated, warns that manual recovery attempts may cause “irreversible data loss,” and gives a 72-hour deadline to contact the operators via a Tor-based negotiation portal. A separate “News public” Onion URL is used as a leak blog where victims and stolen data are published if negotiations fail or payment is refused. In one documented incident, the actors demanded around USD 90,000 with a leak deadline four days after the breach. No free decryptor exists at the time of writing, and paying remains high-risk: as with other groups, there is no guarantee decryption or deletion of stolen data will actually occur.

Benzona follows a classic double-extortion model – enterprise environments are disrupted via encryption while large volumes of sensitive data (internal documents, financial records, emails, client data, etc.) are stolen to maximise pressure. Early victimology points to corporate targets in automotive, manufacturing, and healthcare, with at least ~200 GB of data claimed stolen in the Poliserv case alone. AV telemetry shows detections such as Ransom:Win32/Avaddon.P!MSR, hinting at code reuse or lineage from older ransomware families like Avaddon. The group operates a dedicated Tor leak site, a separate Tor chat portal for negotiations, and publishes a PGP key and Tox ID as alternative secure contact channels – behaviour consistent with a mature, well-organised ransomware operation.

Detailed TTPs (Short)

Initial Access

• Likely a mix of spear-phishing, exposed services (RDP/VPN/web apps) and/or compromised third-party platforms, which explains multiple related victims hit in one wave.
• Suspected use of valid credentials from an earlier compromise or password reuse.
   

Execution & Encryption

• Windows payload (~9–10 MB) runs on hosts, then enumerates local disks and shares.
• Encrypts data and appends .benzona, drops RECOVERY_INFO.txt with Tor links and a 72-hour deadline.
• Probably stops AV/backup services and deletes shadow copies before or during encryption.
   

Lateral Movement & Privilege Escalation

• Likely credential dumping on key servers (LSASS / SAM) and use of domain/admin accounts.
• Movement via RDP, SMB, and admin shares rather than noisy exploits.
   

Defence Evasion

• Packed/obfuscated binary to evade signatures.
• Attempts to disable security tools, logging and backup agents to slow detection and recovery.
   

Collection & Exfiltration

• Targets file servers and business shares; bundles large data sets into archives (tens–hundreds of GB).
• Exfiltrates over encrypted channels (HTTPS) to attacker infrastructure and/or cloud storage before triggering encryption.
   

Command-and-Control & Impact

• Uses Tor for negotiation and leak site; PGP/Tox as backup channels.
• Impact is classic double extortion: operational outage via encryption + regulatory and reputational damage via data theft and public leaks.

MITRE ATT&CK TTP Matrix

Indicators of Compromise (IoCs)

Ransomware Artefacts

• File extension: .benzona (added to all encrypted files, strong indicator of infection)
• Ransom note: RECOVERY_INFO.txt dropped in encrypted directories containing victim ID and Tor URLs\

Malware Hashes

• SHA-256: 09f7432834ce15e701aa7fcc84a9c2441c1c7e0a9cb66a6211845be73d2597cc
• MD5: 6e2189ab11f130ead644b1d5bd00f1ac

Onion Infrastructure

• Leak site:
   benzona6x5ggng3hx52h4mak5sgx5vukrdlrrd3of54g2uppqog2joyd.onion

• Negotiation / support portal:
   rwsu75mtgj5oiz3alkfpnxnopcbiqed6wllyoffpuruuu6my6imjzuqd.onion

Network IOC

• IP address: 179.43.139.126 (Switzerland) – observed in association with Benzona infrastructure. Treat any communication to/from this IP as highly suspicious.
   

Communication Handles

• Tox ID:
  7308E8CFE8AA18D718B5EF44C34A2E5E2C90B7FDB150FA2EC31E995F5F4B23044A98802A4DF0
• PGP public key:
   RSA 2048-bit key published on the Benzona leak site (fingerprint and full block available there) for encrypted communications and authenticity verification.

Known Victim Domains (Late Nov 2025)

• suzuki-ploiesti.ro
• dacia-ploiesti.ro
• mazda-ploiesti.ro
• poliserv.ro
• sevci.org

These domains confirm active Benzona compromise; organisations with operational or third-party ties to them should consider increased monitoring and threat hunting for Benzona-like behaviours.

Mitigations – Crystal Eye 5.5

1. Harden External Access
   • Enforce MFA on VPN/RDP/portals, restrict admin access by IP, and aggressively patch internet-facing services. Block legacy protocols at Crystal Eye 5.5 perimeter.
2. Control Privileged & Vendor Accounts
   • Apply least-privilege, rotate admin and MSP/vendor credentials, and alert in CE SIEM on new privileged accounts or abnormal logins.
3. Secure Backups & Recovery
   • Maintain offline/segregated backups, no direct RDP/SMB from user LANs. Monitor and block shadow-copy deletion and destructive PowerShell patterns.
4. Contain Ransomware Execution
   • Use CEASR to block unknown binaries from user-writeable paths and restrict remote admin tools. Detect mass file changes and suspicious archive creation on servers.
5. Monitor Exfiltration & Tor
   • On CE SWG/IDS, detect large outbound uploads, unusual destinations, and Tor/Onion traffic. Block known Benzona IPs and Onion addresses.
6. Prepare a Benzona IR Playbook
   • Pre-define SOAR actions for .benzona / RECOVERY_INFO.txt (isolate host, push IOCs, rotate keys), then re-image, restore from clean backups and treat all accessible data as potentially breached.

Ransomware Victims Worldwide

The United States remained the clear epicentre of ransomware activity, accounting for 40.56% of all identified victims. This outsized concentration shows that, once again, the U.S. is bearing the brunt of targeting, reflecting both its large enterprise surface area and high visibility of public disclosures.

Canada emerged as the second most impacted country with a combined 10% share of reported victims, putting it firmly in the high-risk bracket alongside the US. Together, North America (US + Canada) represented over half of all observed ransomware victims, underlining how strongly threat actors continue to focus on this region.

A notable mid-tier layer included Australia (3.89%), Romania (3.33%), and Germany (2.78%), followed by Spain, Brazil, France, and India (each 2.22%). These figures show that while no single country in this band approaches U.S.-level exposure, several mature and emerging economies are consistently appearing as repeat victims.

Below this, a broader spread of activity was observed across New Zealand and the United Kingdom (each 1.67%), as well as Singapore, Switzerland, and Mexico (each 1.11%). A long tail of countries, including Vietnam, Egypt, the Netherlands, the United Arab Emirates, Portugal, Iraq, Colombia, Thailand, and Japan (each 0.56%), appeared at low individual volumes but collectively highlight that ransomware remains a global, not regional, problem, with opportunistic targeting reaching into diverse geographies.