EXPLORE

Article

Ransomware Decryptors for a (varying) fee

Arete Analysis

Ransomware attacks wreak havoc on business operations. Destroying recovery options, instill­ing fear and panic, and most often creating high levels of stress for IT staff, owners, and operators. A simple, but often costly fix is to just pay the Threat Actor for the decryption utility. While making a payment to an anonymous entity is a highly debated topic, let us assume, for the pur­poses of this article, that the payment is the only option other than closing your business. Please note, Arete is not advocating to pay ransoms; the choice is entirely a business decision to pursue. This article is intended to provide insight into the various types of decryptors the threat groups provide to unlock your files. We will discuss specific decryptors for some of the more pop­ular variants as well as address subtle nuances between the decryptors.

Full Disk Encryption

Ransomware variants like THT, Mamba, or MCrypt use native or opensource encryption software to encrypt the entire hard drive of the system. Once the TA gains access to the system with administrator privileges, the TA will use a tool like Bestcrypt, DiskCryptor or even Win­dows Bitlocker to encrypt the full disk. Once encryption is complete, the system reboots and the victims are locked out.

Communication preference: Email usually pro­tonmail, firemail.cc, or cock.li domains

Average ransom payment: $36,000 – $55,000

Preferred currency: Bitcoin (BTC)

Decryptor received: 100% of the time. TA will provide passwords per system for access

Watch out: MCrypt will hold volumes hostage and “re-extort” victims into making multiple payments. During the initial negotiation, the TA will not indicate multiple drives are encrypted. Instead they will negotiate a single amount for initial access to the Operating System; essential­ly allowing access into Windows. Once access to Windows is regained, victims often surprised to find their “data” partitions are encrypted caus­ing the victim to return to the negotiation table to once again shell out more money to unlock their information.

Notes: After gaining access, the open source encryption tool still needs to be removed other­wise after reboot, the data storage will be locked again.

System Specific Encryption

Ransomware variants like Phobos, Dharma or CryLock are file level encryption. The TA gains access to the system, copies specific encryption executables onto the systems then runs the executables to encrypt the files. The results are files with a new extension appended to the old file name. Sometimes it’s a random sequence of numbers and letters (e.g. *.nocv) or a specific tag (e.g. *[CryLockDecrypt@****.com][1].[ID-*****- COM]). System specific encryption generates a unique key per encrypted system. The ransom note or the file extension may indicate an “ID” that would be different on each system.

CryLock Scanner & Decryptor

Communication preference: Email usually aol.com, protonmail.com, or cock.li domains

Average ransom payment: $27,000 – $500,000

Preferred currency: Bitcoin (BTC)

Decryptor Received: 95% of the time. Certain variants of Phobos and Dharma will attempt to re-extort a second payment if a large discount is negotiated.

Watch out: Phobos, Dharma, and CryLock are a two-step process. The TA will first send a “scan­ner” tool that needs to be run on every infected system. The scanner will look for the public keys used to encrypt the files, then write that infor­mation to a corresponding .txt or .ini file. Those corresponding files need to be sent to the TA in order to generate a decryptor. The TA in return will send the decryptors. The two-step process adds significant overhead due to the running of multiple tools on the infected system as well as the delay with communicating via email. On av­erage after making a payment for the decryptor, clients are who are infected with Phobos are down for approximately 11 days whereas clients who are infected with Dharma experience down­time of about 7.75 days. The high number of days can be attributed to the two-step process and multiple email communications.

Notes: Negotiating with the Phobos and Dhar­ma group can be tricky. These variants are Ransom-as-a-Service (RaaS) model so you’re not dealing with the same core group of people as you would with variants like Ryuk (or now Conti). Negotiating with RaaS groups can also create confusion and complexities with a different operator responding to each email. The groups who deploy these variants also look for exploiting publicly accessible Remote Desktop Protocol (RDP). Disable external access to RDP to lessen the chance of being infected by this variant.

System Specific Encryption with a Uni­versal Option

Ransomware variants like Sodinokibi are file level encryption with a unique ID per system. Once the TA gains access to the network, they release their Sodinokibi ransomware throughout the environment. The systems are infected with a unique randomly generated file extension per system. Their ransom notes are usually within a text file and explain what happened, including if any data was exfiltrated. The group is very or­ganized and can often share information about their victim’s networks including domain infor­mation, infected systems, and any stolen data.

Sodinokibi Decryptor

Communication preference: TOR Website via chat room. The ransom note contains a link to the TOR site as well as a unique key to gain access to a private chat room where the negotia­tions occur.

Average ransom payment: $170,000

Preferred currency: Monero (XMR)

Decryptor received: 100% of the time. Sodin offers a general decryptor which requires the victim to collect the file extensions from all of their infected systems. This can be very tedious once the payment is made, the victim can input any number of file extensions into the input box on the TOR site to generate a decryptor. Sodin will keep that private room open for 30 days after payment allowing victims to return if they find any extensions not previously found. A lesser known secret with Sodin, if you ask nicely for a universal decryptor, the operator may create the decryptor for you; providing a single decryptor that can be used across your network. The uni­versal decryptor certainly saves a lot of time with decrypting files and minimizing the number of times having to launch the TOR browser.

Watch out: Earlier this year, Sodin changed their code base for their encryption payloads causing instability on certain Windows Operating Sys­tems within the master boot files. Using certain security tools after a Sodin outbreak can cause systems to hang during reboot. Sodin encryption is one of the more aggressive encryptions.

Be sure to create a snapshot or backup the files prior to installing any new software or perform­ing live forensics on critical systems.

Notes: Sodin has made headlines throughout 2020 for following Maze with exfiltrating data as well as being the first ransomware group to only accept Monero for payments.

System Specific Encryption with a Uni­versal Option

 Ransomware variants like Sodinokibi are file level encryption with a unique ID per system. Once the TA gains access to the network, they release their Sodinokibi ransomware throughout the environment. The systems are infected with a unique randomly generated file extension per system. Their ransom notes are usually within a text file and explain what happened, including if any data was exfiltrated. The group is very or­ganized and can often share information about their victim’s networks including domain infor­mation, infected systems, and any stolen data.

Sodinokibi Decryptor

Communication preference: TOR Website via chat room. The ransom note contains a link to the TOR site as well as a unique key to gain access to a private chat room where the negotia­tions occur.

Average ransom payment: $170,000

Preferred currency: Monero (XMR)

Decryptor received: 100% of the time. Sodin offers a general decryptor which requires the victim to collect the file extensions from all of their infected systems. This can be very tedious once the payment is made, the victim can input any number of file extensions into the input box on the TOR site to generate a decryptor. Sodin will keep that private room open for 30 days after payment allowing victims to return if they find any extensions not previously found. A lesser known secret with Sodin, if you ask nicely for a universal decryptor, the operator may create the decryptor for you; providing a single decryptor that can be used across your network. The uni­versal decryptor certainly saves a lot of time with decrypting files and minimizing the number of times having to launch the TOR browser.

Watch out: Earlier this year, Sodin changed their code base for their encryption payloads causing instability on certain Windows Operating Sys­tems within the master boot files. Using certain security tools after a Sodin outbreak can cause systems to hang during reboot. Sodin encryption is one of the more aggressive encryptions.

Be sure to create a snapshot or backup the files prior to installing any new software or perform­ing live forensics on critical systems.

Notes: Sodin has made headlines throughout 2020 for following Maze with exfiltrating data as well as being the first ransomware group to only accept Monero for payments. eir.co

Universal Encryption

Ransomware variants like Ryuk, WastedLocker, and Dopplepaymer are also file level encryption. These groups will gain access to the network and perform reconnaissance to identify the victim, understand their business, identify critical sys­tems, and delete backups to force their victims into making a payment. The groups can have access to the network for a few hours or upwards of over a month. Ryuk is commonly associated with precursor trojans such as Trickbot and Emo­tet. Arete has observed Ryuk deployed as quickly as 6 hours after a Trickbot infection. Ryuk infec­tions result with *.ryk appended to the file name. Comparatively, the deployment of WastedLocker is much more calculated with the TA staying on the network for an average of 2 weeks from ini­tial infection to ransomware deployment. Wast­ed infections result with *.abcwasted appended to the file name where “abc” is a 3 letter abbrevi­ation relating directly to the victims name.

WastedLocker Decryptor

Communication preference: Email usually pro­tonmail.com domains or TOR Website

Average ransom payment: Ryuk $598,000; WastedLocker $2,400,000; Dopplepaymer $304,000

Preferred currency: Bitcoin (BTC)

Decryptor received: 100% of the time. The de­cryptor received is universal. It is typically a 32-bit executable that will work on any windows OS version. While these groups are known for a high ransom price, their decryptor is probably the simplest to run.

Watch out: WastedLocker is extremely difficult to negotiate. In fact, if negotiation is attempted, they may threaten to increase the ransom by ap­proximately 5% of the ransom per day until it is paid. They are also very slow to respond to email and even post their business hours of UTC 5am- 8am and 5pm-8pm.

Notes: Dopplepaymer has been linked to gain­ing access to large environments and deploying cryptomining malware before launching their ransomware attack.

Pro Tips to Prevent Ransomware

Attacks

  • Implement Endpoint, Detection, and Re­sponse software such as SentinelOne to monitor the computer systems in use by your organization. SentinelOne uses Artificial Intelligence technology to detect malicious actions and prevent them before they can severely affect the endpoint.

  • Leverage a Security Operations Center (“SOC”) to monitor computer systems 24 hours a day by 7 days a week. The SOC can instantly respond to triage and mitigate any alerts while keeping your IT personnel fo­cused on maintain business productivity.

  • Enable Multi-Factor Authentication (“MFA”) on remote access technologies such as VPN and Email.

  • Use complex passwords with a minimum of 16 alphanumeric characters (non- dictionary words).

  • Don’t reuse passwords.

  • Encourage discussion about cybersecurity within the workplace including establishing end user awareness training.

  • Ensure backups are current, air gapped from the production network, and viable.

Back to Blog Posts

Article

FortiBleed Campaign Linked to INC and Lynx Ransomware Operations

Researchers have linked the FortiBleed credential-harvesting campaign to the INC and Lynx ransomware-as-a-service (RaaS) operations, establishing a direct connection between large-scale FortiGate credential theft and subsequent ransomware deployment. The attribution is based on a variety of factors, including an operator observed managing negotiation panels for both ransomware groups, notable overlap between FortiBleed victim data and subsequent ransomware targets, and internal infrastructure exposing attack workflows. The campaign is estimated to have targeted more than 430,000 internet-facing FortiGate devices, resulting in administrative access to hundreds of organizations. 

What’s Notable and Unique

  • Researchers identified a shared operator actively managing negotiation panels for both the INC and Lynx ransomware groups, providing rare operational evidence linking the two RaaS operations beyond infrastructure or malware similarities. 


  • Analysis of the exposed infrastructure revealed a structured ransomware operation with dedicated roles for access acquisition, victim management, negotiations, and technical support, reflecting an organized ransomware-as-a-service (RaaS) model rather than an ad hoc criminal group. 


  • The operation reportedly integrates artificial intelligence into multiple stages of the attack lifecycle, including vulnerability research, penetration testing, attack automation, and ransomware development, demonstrating the increasing adoption of AI to enhance offensive capabilities.

Mitigations

Organizations should assume that exposed or previously compromised FortiGate credentials may be leveraged for ransomware deployment and immediately reset administrative and VPN credentials while enforcing multi-factor authentication (MFA) for all privileged access. Security teams should ensure that FortiGate appliances are fully patched, restrict management interfaces to trusted networks, and audit administrative accounts and firewall configurations for unauthorized changes. Organizations should also monitor for anomalous authentication activity, hunt for published indicators of compromise (IOCs), and review VPN and firewall logs for signs of unauthorized access. Maintaining centralized logging and a well-practiced incident response process can help detect and contain attacks before they progress to lateral movement or ransomware deployment.

Analyst Comments

The attribution of FortiBleed to the INC and Lynx ransomware operations reinforces the growing convergence between credential-harvesting campaigns and ransomware deployment, highlighting the role of initial access operations in modern RaaS ecosystems. The relationship between INC and Lynx also aligns with Arete's previous research, which identified a shared malware lineage. INC Ransom, first observed in 2023, was later leaked or sold, enabling code reuse by other threat actors. Lynx, which emerged in 2024, is widely regarded as an evolution of the INC codebase. Sinobi ransomware, identified in 2025, shares near-identical binaries and infrastructure, and approximately 99% code similarity with Lynx. Further details on the code correlation between INC, Lynx, and Sinobi are available in Arete's 2025 Annual Report.

Sources

  • Is FortiBleed Linked to INC and Lynx Ransomware?   

  • FortiBleed credential-theft campaign linked to Lynx ransomware   

  • FortiBleed Unmasked: A Joint Operation by Lynx and INC Ransomware Groups   

  • FortiBleed Credential Theft Campaign Attributed to INC and Lynx Ransomware Groups  

Article

Ransomware Trends & Data Insights: June 2026

Although Akira was once again the most active ransomware threat in June, activity remained relatively distributed among multiple threat groups, with 17 unique threat groups observed throughout the month. Along with Akira, Qilin and INC Ransom remained active and were among the top five most active threat groups observed in June. Several new threat actors also emerged during the month, including KryBit, Settra, and Icarus.

Figure 1. Activity from the top 5 threat groups in June 2026

Throughout the month, analysts at Arete identified several trends behind the threat actors perpetrating cybercrime activities:

  • In June, a threat actor calling themselves Icarus compromised and exfiltrated data from customers of the market intelligence platform Klue. Klue later confirmed the security incident, which involved attackers stealing OAuth tokens used to connect to customers' Salesforce environments, and reported that the threat actor was deleting the data stolen from affected Klue customers. In an odd twist, reports emerged of a second threat actor claiming to have compromised Icarus's infrastructure and attempting to re-extort Klue's customers. Regardless, the Klue breach highlights the growing threat of software-as-a-service (SaaS) supply chain compromises, particularly those exploiting OAuth tokens and trusted integrations to bypass traditional security controls.

  • In mid-June, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways, relying heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation. The scale of exposure and attack activity has been significant and globally distributed, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 countries. There is no singular ‘fix’ to mitigate the database exposure, and it is important that organizations work with their security teams, incident response providers, and other stakeholders to review environments holistically and monitor for signs of potentially unauthorized activity.

  • Multiple threat groups continue to leverage vulnerable drivers to bypass endpoint detection and response (EDR) solutions in a technique known as Bring Your Own Vulnerable Driver (BYOVD). Arete has observed Akira and DragonForce using the technique in multiple engagements, and The Gentlemen ransomware-as-a-service (RaaS) has also been observed using what researchers are calling "GentleKiller", a framework consisting of multiple variants that leverage vulnerable drivers and EDR-disabling utilities to target a wide range of endpoint security products.  

Sources

  • Arete Internal

Article

Update on FortiBleed Credential Exposure

Last week, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways. The campaign relies heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation.

  • Attackers first scan for exposed FortiGate devices and rank targets based on revenue. SSH brute-force attacks are used against admin accounts to gain initial access.

  • Following initial access, operators deploy stealthy packet-sniffing capabilities and establish external listening posts to receive harvested credentials and session data in near real time.

  • Observed post-exploitation activity strongly indicates pre-positioning for broader enterprise compromise, including lateral movement and potential ransomware deployment.

  • The scale of exposure and attack activity has been significant and globally distributed. The campaign has been ongoing since at least February 2026, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 nations.

How Arete Can Help

Arete continues to monitor this campaign, utilizing our extensive experience in detection, threat hunting, and attack surface review to look for indications of unauthorized activity related to this database exposure. Additional information regarding important considerations, containment and credential compromise mitigation actions, and additional hardening recommendations can be found in Arete’s FortiBleed Advisory.

Sources

  • FortiBleed: SOCRadar’s Investigation into 86,644 Compromised Fortinet Firewalls

  • FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist

  • FortiBleed: The Most Detailed Breakdown Yet of an Active Russian Credential-Harvesting Operation

  • Hackers Using FortigateSniffer Tool That Turns Compromised Firewalls Into Password Collectors  

Article

Europol Disrupts AudiA6 Crypto Laundering Service

European authorities have dismantled AudiA6, a major cryptocurrency laundering service linked to ransomware groups and broader cybercriminal networks. Between 2022 and 2025, the platform is believed to have processed over €336 million in illicit funds, enabling threat actors to obscure financial trails and monetize cybercrime proceeds. Its operators are also suspected of running Dark2Web, a dark web forum that facilitated collaboration, services, and connections among cybercriminals globally. This development underscores the expanding role of sophisticated, large-scale cryptocurrency laundering services in sustaining the cybercrime economy, enabling threat actors to obscure illicit funds and evade regulatory controls.

What’s Notable and Unique 

  • Following law enforcement disruption of Cryptex and Garantex, AudiA6 emerged as another platform involved in financial activities linked to ransomware groups. Investigators believe that AudiA6 became a central hub for cybercriminals seeking to launder stolen digital assets while obscuring the transaction trail from authorities.

  • On June 10, 2026, a coordinated operation resulted in two arrests in Georgia, the dismantling of key infrastructure (30+ servers, 25 domains), the freezing or seizure of over €778,000 in crypto, and the takedown of the AudiA6 and Dark2Web platforms. 

Analyst Comments

Ransomware groups and cybercriminal networks are increasingly leveraging sophisticated techniques, including chain-hopping, decentralized exchanges, and mixer-as-a-service platforms, to rapidly move illicit cryptocurrency across multiple blockchains, effectively obscuring transaction trails. Concurrently, the widespread use of fraudulent exchange accounts, mule wallets, and privacy-enhancing tools has elevated cryptocurrency laundering to a core enabler of the cybercrime ecosystem, allowing actors to bypass anti-money-laundering controls at scale. This investigation identified over 6,000 KYC records linked to money-mule accounts, many of which were tied to Russian-speaking intermediaries specifically recruited to facilitate the movement of illicit proceeds. These threat actors systematically used both commercial and domain-controlled email services to establish mule accounts across multiple cryptocurrency platforms. Collectively, these findings underscore the growing scale, coordination, and professionalization of cryptocurrency-enabled crime, highlighting the critical need for sustained, intelligence-led, and internationally coordinated efforts to disrupt these evolving financial ecosystems.

Sources

  • Ransomware gangs cut off from EUR 336 million ‘AudiA6’ crypto laundering pipeline