CYFIRMA Research and Advisory Team has found Vgod Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
The ransomware specifically targets Windows systems using advanced encryption techniques, appending a unique file extension to encrypted files. It employs sophisticated evasion and persistence mechanisms, making detection and removal challenging. This threat highlights the critical need for proactive cybersecurity measures and a robust incident response strategy to safeguard data integrity and prevent potential breaches.
Target Technologies: Windows
Encrypted file extension: .Vgod
Observed First: 2025-02-05
Observed First By: CYFIRMA
Threat actor Communication mode: Mail
Researchers at CYFIRMA have recently observed a ransomware strain identified as Vgod.
The ransomware once entered into the victim’s system encrypts files on a victim’s system, appending the “.Vgod” extension to the original filenames. It leaves behind a ransom note titled “Decryption Instructions.txt,” containing instructions for file recovery. The ransomware is also seen changing the desktop wallpaper.
Screenshot of files encrypted by Vgod Ransomware
Once the ransomware encrypts the file it changes the wallpaper as below.
Below is the ransom note Decryption Instructions.txt
The ransom note explicitly states that files have been encrypted and sensitive data exfiltrated to the attacker’s storage, indicating a double extortion model. It also suggests that the ransomware targets both individuals and organizations, threatening data exposure and financial extortion.
| MITRE ATTACK TECHNIQUES | ||
| Tactic | ID | Technique/ Sub Technique |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1106 | Native API |
| Execution | T1129 | Shared Modules |
| Persistence | T1542.003 | Pre-OS Boot: Bootkit |
| Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
| Privilege Escalation | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Defense Evasion | T1014 | Rootkit |
| Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Defense Evasion | T1542.003 | Pre-OS Boot: Bootkit |
| Defense Evasion | T1548 | Abuse Elevation Control Mechanism |
| Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Credential Access | T1003 | OS Credential Dumping |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files |
| Discovery | T1010 | Application Window Discovery |
| Discovery | T1018 | Remote System Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery |
| Collection | T1005 | Data from Local System |
| Collection | T1074 | Data Staged |
| Collection | T1114 | Email Collection |
| Collection | T1560 | Archive Collected Data |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Command and Control | T1573 | Encrypted Channel |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1496 | Resource Hijacking |
Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.
| SHA 256 | Remark |
| 241c3b02a8e7d5a2b9c99574c28200df2a0f8c8bd7ba4d262e6aa8ed1211ba1f | Block |
STRATEGIC RECOMMENDATION
MANAGEMENT RECOMMENDATION
TACTICAL RECOMMENDATION
