Threat Intelligence Report September 2 - September 8 2025

Obscura Ransomware

Red Piranha assesses Obscura as a new, financially motivated ransomware operation. It aims to halt day-to-day work, leverage the risk of reputational and regulatory harm via alleged data theft, and drive fast negotiations under time pressure. Organisations should be prepared for firm deadlines and extortionate messaging.

Obscura is a newly identified Go‑based ransomware.

Key points:

• Deployed from the domain controller’s NETLOGON share via scheduled tasks (e.g., SystemUpdate), resulting in rapid enterprise‑wide propagation.
• Requires administrative privileges; exits if not elevated.
• Disables recovery (vssadmin delete shadows) and kills security/backup/database processes prior to encryption.
• Implements XChaCha20 file encryption with Curve25519 (X25519) key exchange; appends a 64‑byte footer containing the string "OBSCURA!", a 32‑byte public key, and a 24‑byte nonce.
• Excludes core system and boot files from encryption to maintain OS stability.

Detailed TTPs

Initial Access

• Status: Unknown (insufficient telemetry).
• Likely techniques (contextual):
  • T1078 – Valid Accounts (use of domain context and DC staging suggests pre-existing privileged access).
  • T1133 – External Remote Services (later RDP enablement hints at remote-access reliance, but initial vector remains unconfirmed).

Detections/alerts: failed/successful logons to admin groups; anomalous DC logons; first-seen admin from unusual source IPs.

Execution

• T1053.005 – Scheduled Task/Job: Scheduled Task
  • Observed: Enterprise-wide scheduled task “SystemUpdate” executed the payload from NETLOGON.
• T1059.003 – Command Shell
  • Observed: cmd.exe used as the container for follow-on commands (e.g., VSS deletion, firewall change).
• T1480.001 – Execution Guardrails: Environmental Keying
  • Observed: DAEMON environment variable gates encryption vs. prep stages.

Artifacts/commands:

• Task names: SystemUpdate (multiple hosts).
• cmd.exe /c ... wrappers for host-prep commands.

Detections/alerts: new scheduled tasks on multiple hosts; task creation from DC context; command interpreter spawned by task scheduler.

Persistence

• T1053.005 – Scheduled Task/Job: Scheduled Task
  • Observed: Scheduled tasking provided reliable re-execution across the estate.

Detections/alerts: persistence baselining; new/modified tasks post-logon; tasks pointing to SYSVOL/NETLOGON paths.

Privilege Escalation

• Status: Not observed (hard requirement on admin, no built-in elevation).
• Guardrail: Binary exits if not running with administrative rights (token membership check).

Detections/alerts: processes exiting with explicit “not admin” logic; programs relaunching only under elevated tokens.

Defence Evasion

• T1036.003 – Masquerading: Rename System Utilities / Domain-Themed Naming
  • Observed: Binary named to mimic the domain to blend with DC assets.
• T1562.001 – Impair Defences: Disable or Modify Tools
  • Observed: Large process kill list targeting EDR/AV/backup/DB/monitoring/virtualisation agents.
• T1490 – Inhibit System Recovery
  • Observed: VSS snapshot removal: vssadmin delete shadows /all /quiet.
• T1562.004 – Impair Defences: Disable or Modify System Firewall
  • Observed: Task “iJHcEkAG” enabling RDP through Windows Firewall:
    cmd.exe /C netsh firewall set service type=remotedesktop mode=enable > \Windows\Temp\... 2>&1
• T1027 – Obfuscated/Compressed Files and Information
  • Observed: Ransom note stored base64-encoded within the binary (decoded at runtime).

Detections/alerts:

• Sudden termination of multiple security/backup processes; VSS deletions; firewall rule changes enabling RDP; first-seen executables with domain-like names under SYSVOL.

Discovery

• T1082 – System Information Discovery
  • Observed: CPU core count via system APIs; host role checks.
• T1083 – File and Directory Discovery
  • Observed: Enumeration of all storage devices and capacities to plan encryption coverage.
• (Windows domain awareness) Domain role checks via system APIs to print role-specific messages.

Detections/alerts: unusual volume enumeration by non-backup processes; frequent device/volume queries; domain-role API usage by non-system binaries.

Lateral Movement / Distribution

• T1021.002 – Remote Services: SMB/Windows Admin Shares (distribution vector via domain share)
  • Observed: Payload placed in C:\WINDOWS\sysvol\sysvol\[domain].local\scripts\ (NETLOGON) — replicated across DCs.
• T1053.005 – Scheduled Task (Domain-wide)
  • Observed: Tasking leveraged to fan-out execution to multiple endpoints.

Detections/alerts: new binaries in SYSVOL\scripts; unexpected replication of non-script executables; scheduled task creation sourced from DCs.

Command-and-Control

• Status: Not evidenced (no standalone C2 channel observed in telemetry).
• Operator comms (extortion phase): [claimed] Contact via TOX and onion site in the ransom note.

Detections/alerts: Tor/TOX egress attempts from servers; first-seen outbound to Tor nodes.

Collection & Exfiltration

• Status: [claimed] data theft in note; not directly evidenced in observed host activity.

Detections/alerts: server-side transfers to cloud storage/Tor; large anomalous SMB reads from file servers; egress volume spikes.

Impact

• T1486 – Data Encrypted for Impact
  • Observed: File encryption across enumerated storage; ransomware note dropped to C:\README-OBSCURA.txt; encrypted files marked with .obscura and a per-file footer (identifier + public key + nonce).
• T1489 – Service Stop
  • Observed: Stopping/killing databases, backup agents, logging, and security services prior to encryption.

MITRE ATT&CK Mapping

IOCs

[company name].exe à Ransomware executable (placed on DC NETLOGON share)

SHA256: c00a2d757349bfff4d7e0665446101d2ab46a1734308cb3704f93d20dc7aac23

README_Obscura.txt

C:\WINDOWS\sysvol\sysvol\[domain].local\scripts\ à Threat actor ops folder

http://obscurad3aphckihv7wptdxvdnl5emma6t3vikcf3c5oiiqndq6y6xad.onion/

Detection & Mitigation

• Identity & Exposure

Enforce MFA on RDP/VPN/SSO; remove direct internet‑exposed RDP; restrict DC admin access.

• Endpoint (CE‑EDR / CE‑XDR)

Alert on execution from NETLOGON paths; creation of enterprise‑wide scheduled tasks; vssadmin shadow deletions; bulk process kills of EDR/backup/DB services; base64 decode routines writing to C:\README-OBSCURA.txt.

• Network (CE‑NGFW / CE‑SOAR)

Monitor SMB traffic to NETLOGON shares; alert on unusual replication artifacts; restrict Tor/MEGA access from servers.

• Backup & Recovery

Maintain immutable/offline backups; monitor VSS states; routinely test restores.

• Hardening & Monitoring

Audit DCs for new/modified GPOs and scripts; baseline scheduled tasks; monitor for netsh firewall modifications enabling RDP.

Ransomware Victims Worldwide

The United States remains the overwhelming leader in ransomware victimisation, representing 60.55% of all reported cases this week. This concentration underscores its persistent attractiveness for threat actors due to its large digital footprint, high-value enterprises, and critical infrastructure sectors.

Canada followed with 5.5%, reflecting a steady rise in incidents, while Germany logged 4.59%, highlighting sustained pressure on Europe’s largest economy. Australia accounted for 2.75%, maintaining its status as a notable Asia-Pacific target.

A mid-tier group of nations—including Spain, Mexico, France, Ireland, India, and the United Kingdom—each reported 1.83% of incidents. These figures illustrate the consistent focus on Western and emerging economies with highly interconnected supply chains.

The long tail of countries, each registering 0.92%, reflects ransomware’s global reach. This includes Vietnam, Colombia, Austria, Argentina, Switzerland, Belgium, Thailand, Taiwan, China, South Korea, Singapore, Turkey, Egypt, Japan, Sri Lanka, and Denmark. While these numbers are individually small, collectively they demonstrate ransomware’s opportunistic spread across regions with varying levels of cybersecurity maturity.