New ‘Obscura’ Ransomware Emerges as Stealthy Threat

Summary
– Huntress analysts discovered a new ransomware variant called “Obscura” on August 29, 2025, which was deployed via a domain controller’s NETLOGON share to propagate across the network.
– The ransomware is a Go binary that requires administrative privileges to run and performs system reconnaissance before encrypting files based on size, using either full or partial encryption.
– Obscura aggressively terminates over 120 security, backup, and database-related processes to avoid detection and interference during its encryption process.
– It appends a unique 64-byte footer containing a public key and nonce to encrypted files but excludes specific system file extensions to maintain system operability.
– The ransomware incident was linked to a scheduled task named “SystemUpdate” and included a ransom note claiming data theft and demanding payment for decryption.
A newly identified ransomware strain, dubbed “Obscura,” represents a significant and stealthy threat to corporate networks. Discovered in late August 2025, this malware leverages domain infrastructure for widespread deployment, demonstrating a sophisticated understanding of network administration. Its operational methods highlight critical vulnerabilities that organizations must address to bolster their cybersecurity posture.
The ransomware’s name originates from its ransom note, `README_Obscura.txt`. Initial investigations revealed no prior public records of a threat by this name, marking it as a novel variant. In the observed incident, the malicious executable was strategically placed on the domain controller within the `C:\WINDOWS\sysvol\sysvol\[domain].local\scripts\` path. This location, which serves as the NETLOGON share, is particularly dangerous because its contents are automatically replicated across all domain controllers in an environment. Consequently, the ransomware was distributed throughout the victim’s infrastructure without requiring additional action from the attackers. The binary was cleverly named to match the domain, aiding its disguise, and analysis confirmed it was written in the Go programming language.
To automate execution, a scheduled task named `SystemUpdate` was created on numerous hosts, including the domain controller, designed to launch the ransomware from the NETLOGON share. On one user machine, a separate, cryptically named task, “iJHcEkAG,” was set up to enable Remote Desktop Protocol access through the Windows firewall. Upon execution, the ransomware immediately attempts to disable recovery mechanisms by running the command `cmd.exe /c vssadmin delete shadows /all /quiet`, which deletes all Volume Shadow Copies.
The ransom note, embedded within the binary as a base64-encoded string, adopts an aggressive tone. It falsely claims the attack is a “penetration test” and states that all data has been encrypted and exfiltrated, including sensitive information from network-attached storage devices. The note gives victims approximately 240 hours to respond, threatening to publish the stolen data if no contact is made. It discourages seeking help from recovery agencies or law enforcement and promises a decryption tool, a report on the network breach, and recovery assistance in exchange for payment.
From a technical perspective, the ransomware checks for an environment variable called `DAEMON`. If set to 1, it proceeds to drop the ransom note and begin encryption. A critical step involves a privilege check to confirm the process is running with administrative rights, a hard requirement for its disruptive actions. It then performs system reconnaissance, gathering the number of CPU cores to optimize its encryption threads.
An aggressive process termination routine follows, targeting a list of over 120 security, backup, database, and management applications, such as `WinDefend`, `Veeam`, `MSSQL`, and `Splunkd`, to prevent interference. The malware also checks the computer’s domain role, displaying messages that suggest intended propagation capabilities, though these network-spreading functions appear unimplemented in the current variant.
The encryption strategy is adaptive. Files 1 GB or smaller are fully encrypted (`EncryptFull`), while larger files have only their first 25% encrypted (`EncryptPart`). The malware uses Curve25519 for key exchange and the XChaCha20 stream cipher for encryption. Each encrypted file is appended with a 64-byte footer containing a magic string, the public key, and the nonce, allowing the attackers to decrypt the data.
To avoid crippling the operating system, the ransomware employs a file extension exclusion list. It deliberately skips encrypting files with extensions like `.exe`, `.dll`, `.sys`, and `.efi`, along with configuration files and its own `.obscura` extension.
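As an added forensic-triage example (not code from Huntress or the article), the Python below parses the 64-byte footer and applies the size-based encryption rule described above. Only the footer total, the Curve25519 key size (32 bytes) and the XChaCha20 nonce size (24 bytes) are known; the field order, the 8-byte magic value and the sample file are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

FOOTER_LEN = 64              # footer size stated in the report
PUBKEY_LEN = 32              # Curve25519 public key
NONCE_LEN = 24               # XChaCha20 nonce
MAGIC_LEN = FOOTER_LEN - PUBKEY_LEN - NONCE_LEN   # 8 bytes remain for the magic string
FULL_LIMIT = 1024 ** 3       # files <= 1 GB: EncryptFull
PARTIAL_FRACTION = 0.25      # larger files: EncryptPart, first 25 % only
SKIPPED_EXTS = {".exe", ".dll", ".sys", ".efi", ".obscura"}  # subset named in the report

@dataclass
class Footer:
    magic: bytes
    public_key: bytes
    nonce: bytes

def parse_footer(data: bytes) -> Optional[Footer]:
    """Split the trailing 64 bytes as magic | public key | nonce.
    Field order is an assumption; only the total and key/nonce sizes are known."""
    if len(data) < FOOTER_LEN:
        return None
    tail = data[-FOOTER_LEN:]
    return Footer(tail[:MAGIC_LEN],
                  tail[MAGIC_LEN:MAGIC_LEN + PUBKEY_LEN],
                  tail[MAGIC_LEN + PUBKEY_LEN:])

def encrypted_prefix_len(original_size: int) -> int:
    """Bytes of the original content the report says get encrypted."""
    if original_size <= FULL_LIMIT:
        return original_size
    return int(original_size * PARTIAL_FRACTION)

def would_be_skipped(filename: str) -> bool:
    """True if the extension is on the (partial) exclusion list above."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in SKIPPED_EXTS

def triage(filename: str, data: bytes) -> dict:
    """Summarise what an analyst would record for one suspected file."""
    footer = parse_footer(data)
    original = len(data) - FOOTER_LEN if footer else len(data)
    return {
        "has_obscura_ext": filename.lower().endswith(".obscura"),
        "footer": footer,
        "original_size": original,
        "encrypted_bytes": encrypted_prefix_len(original) if footer else 0,
    }

# Constructed sample: 100 bytes of stand-in ciphertext plus a fabricated footer.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_NONCE = bytes(range(100, 124))
SAMPLE_FILE = b"\x00" * 100 + b"MAGIC_XX" + SAMPLE_PUBKEY + SAMPLE_NONCE
```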
The emergence of Obscura is part of a broader trend of new ransomware families appearing in the threat landscape. This continuous evolution underscores the necessity for organizations to maintain rigorous monitoring of their domain controllers, scrutinize any new or modified files in sysvol shares and Group Policy Objects, and vigilantly watch for unusual access patterns on all endpoints.
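As an added detection example (not code from Huntress or the article), the Python below turns the indicators reported in the incident (the `SystemUpdate` task launching from NETLOGON, new executables in the sysvol scripts path, the `vssadmin` shadow-copy deletion, and `.obscura`/`README_Obscura.txt` artifacts) into rules and runs them over constructed, simplified log records. The record field names, host and domain names are assumptions, not a real SIEM schema.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

def _match(pattern: str, text: str) -> bool:
    """Case-insensitive regex helper; Windows paths keep their backslashes."""
    return re.search(pattern, text, re.IGNORECASE) is not None

# Each rule: (name, predicate). Indicators come from the reported incident.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("task_systemupdate", lambda e:
        e.get("type") == "task_created" and e.get("task", "").lower() == "systemupdate"),
    ("task_launches_from_netlogon", lambda e:
        e.get("type") == "task_created"
        and _match(r"\\netlogon\\|\\sysvol\\sysvol\\[^\\]+\\scripts\\", e.get("command", ""))),
    ("shadow_copy_deletion", lambda e:
        e.get("type") == "process"
        and _match(r"vssadmin\s+delete\s+shadows\s+/all\s+/quiet", e.get("command", ""))),
    ("new_executable_in_sysvol_scripts", lambda e:
        e.get("type") == "file_created"
        and _match(r"\\sysvol\\sysvol\\[^\\]+\\scripts\\[^\\]+\.exe$", e.get("path", ""))),
    ("obscura_artifact", lambda e:
        e.get("type") == "file_created"
        and (e.get("path", "").lower().endswith(".obscura")
             or e.get("path", "").lower().endswith("readme_obscura.txt"))),
]

def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for i, event in enumerate(events):
        for name, predicate in RULES:
            if predicate(event):
                hits.append((i, name))
    return hits

# Constructed sample records; host "dc01" and domain "example.local" are made up.
SAMPLE_EVENTS: List[Event] = [
    {"type": "file_created", "host": "dc01",
     "path": r"C:\WINDOWS\sysvol\sysvol\example.local\scripts\example.exe"},
    {"type": "task_created", "host": "dc01", "task": "SystemUpdate",
     "command": r"\\dc01\NETLOGON\example.exe"},
    {"type": "process", "host": "ws07",
     "command": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "task_created", "host": "ws07", "task": "Backup Nightly",
     "command": r"C:\Program Files\Backup\run.exe"},   # benign, must not fire
    {"type": "file_created", "host": "ws07", "path": r"D:\share\report.docx.obscura"},
]
```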
(Source: Bleeping Computer)