RussianDelphiRansomware

Delphi-compiled ransomware targeting Russian-speaking cybercrime. C2: shopping-na-divane.ru and shoptorgvlg.ru (/system/logs/tool/inst.php). Developer/operator email: Johnmen.24@aol.com. Uses FGIntRSA (Delphi RSA library) for key encryption. File encryption markers: {ENCRYPTSTART}/{ENCRYPTENDED}. Pre-2000 timestamp manipulation.

Threat Profile
Type: Ransomware
Programming Language: Delphi
C2 Protocol: HTTP
First Seen: 2024
Targets: Global
Purpose / Capabilities
  • File Encryption/Ransomware
No C2 servers have been identified for this family yet.

Research Reports (1)

Critical

RussianDelphiRansomware 0442cfab -- shopping-na-divane.ru shoptorgvlg.ru inst.php C2 Plaintext Johnmen.24@aol.com Email IOC FGIntRSA RSA ENCRYPTSTART ENCRYPTENDED Delphi | Critical

Russian Delphi ransomware 0442cfab. Appends the .Ransomware extension; sample size 379KB. C2: shopping-na-divane.ru and shoptorgvlg.ru (/inst.php). Email: Johnmen.24@aol.com. Uses FGIntRSA for RSA. Encryption markers: ENCRYPTSTART/ENCRYPTENDED.
