Skip to content
Ransomware group

Obscura

Obscura, also referred to as Obscura Locker, is a ransomware family first observed in late August to early September 2025.

Profile source: Mallory opens in a new tab

Obscura

Family profile

Obscura, also referred to as Obscura Locker, is a ransomware family first observed in late August to early September 2025. It encrypts victim files using AES and RSA and appends the .obscura extension. The ransom note is named README-OBSCURA.txt and states that the victim network has been encrypted and that data from devices across the network, including NAS systems, has been stolen, indicating double-extortion behavior. The note threatens publication of stolen data if the victim does not respond within about 240 hours and provides victim contact details via a TOX ID beginning with AE55FC0EB1C25A5B081650108F9081E23 and the Tor site obscurad3aphckihv7wptdxvdnl5emma6t3vikcf3c5oiiqndq6y6xad.onion. Reported delivery vectors include exposed or insecure RDP, phishing or spam emails with malicious attachments, exploit-based delivery, deceptive downloads, malvertising, fake updates, botnets, web injects, and trojanized installers. Technically, Obscura deletes shadow copies using "cmd.exe /c vssadmin delete shadows /all /quiet", terminates processes that may interfere with encryption, and excludes various system, boot, firmware, configuration, and already-encrypted file types from encryption. The malware has been reported to use a BYOVD (Bring Your Own Vulnerable Driver) technique to evade or bypass security protections, and separate reporting cites an Obscura incident in late August 2025 as an example of ransomware bundling defense-evasion capability with the payload. An analyzed sample was identified as a Go binary. Reported associated filenames include a.exe and r49hz.exe. Published hashes for one sample are SHA-256 1942510d3b5691819636067ec89b7b7bb18f784d819060d687fc0248dbed5047, SHA-1 2f859eeaa01238ed704fe504470186904dc59629, and MD5 e8c19bf10d044fe448a60e3fa0f60d58. A notable implementation flaw has been reported in Obscura’s encryption process: files larger than 1 GB may become permanently unrecoverable because the malware fails to write the encrypted temporary key to the file footer, meaning data may remain undecryptable regardless of ransom payment.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Sha256

1 total
  • c00a2d757349bfff4d7e0665446101d2ab46a1734308cb3704f93d20dc7aac23

Tox

1 total
  • 7521730C07CF45D363A627F32B3102F3F7FA72F36C2C5F9EAB0C7FBA4668527F62A90EF333E6

MITRE ATT&CK

Obscura in ATT&CK

12 distinct techniques

Reporting

Research mentioning Obscura

May 13
Arxiv

[2605.14020] Memory Forensics Techniques for Automated Detection and Analysis of Go Malware

We implemented all capabilities as Volatility 3 plugins and evaluated them against malware seen in recent incidents, such as the BRICKSTORM backdoor, Obscura ransomware, and Pantegana RAT...

May 11
Checkpoint Research

The State of Ransomware - Q1 2026 - Check Point Research

An example is Obscura, whose encryption bug renders files over 1 GB permanently unrecoverable regardless of payment.

Apr 8
Id Ransomware

Шифровальщики-вымогатели The Digest "Crypto-Ransomware": Obscura

Obscura Locker Ransomware ... Этот крипто-вымогатель шифрует данные пользователей с помощью комбинации алгоритмов AES+RSA ... Используется техника BYOVD (Bring Your Own Verificant Driver) для обхода средств защиты.

Feb 10
The Hacker News

Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools

...and in an incident involving a lesser-known ransomware family called Obscura in late August 2025.

Jan 22
The Hacker News

New Osiris Ransomware Emerges as New Strain Using POORTRY Driver in BYOVD Attack

A security flaw in the encryption process associated with the Obscura ransomware has been found to render large files unrecoverable.

Nov 28
Bank Info Security

Ransomware Moves: Supply Chain Hits, Credential Harvesting

This is the case with a recently discovered ransomware variant called Obscura.

Nov 28
Govinfosecurity

Ransomware Moves: Supply Chain Hits, Credential Harvesting

This is the case with a recently discovered ransomware variant called Obscura.

Nov 25
Risky Biz Rss

Risky Bulletin: Sha1-Hulud npm worm returns, with destructive behavior

Coveware has published a technical analysis of the new Obscura ransomware.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.