Sha256
1 totalc00a2d757349bfff4d7e0665446101d2ab46a1734308cb3704f93d20dc7aac23
Obscura, also referred to as Obscura Locker, is a ransomware family first observed in late August to early September 2025.
Profile source: Mallory opens in a new tabObscura
Obscura, also referred to as Obscura Locker, is a ransomware family first observed in late August to early September 2025. It encrypts victim files using AES and RSA and appends the .obscura extension. The ransom note is named README-OBSCURA.txt and states that the victim network has been encrypted and that data from devices across the network, including NAS systems, has been stolen, indicating double-extortion behavior. The note threatens publication of stolen data if the victim does not respond within about 240 hours and provides victim contact details via a TOX ID beginning with AE55FC0EB1C25A5B081650108F9081E23 and the Tor site obscurad3aphckihv7wptdxvdnl5emma6t3vikcf3c5oiiqndq6y6xad.onion. Reported delivery vectors include exposed or insecure RDP, phishing or spam emails with malicious attachments, exploit-based delivery, deceptive downloads, malvertising, fake updates, botnets, web injects, and trojanized installers. Technically, Obscura deletes shadow copies using "cmd.exe /c vssadmin delete shadows /all /quiet", terminates processes that may interfere with encryption, and excludes various system, boot, firmware, configuration, and already-encrypted file types from encryption. The malware has been reported to use a BYOVD (Bring Your Own Vulnerable Driver) technique to evade or bypass security protections, and separate reporting cites an Obscura incident in late August 2025 as an example of ransomware bundling defense-evasion capability with the payload. An analyzed sample was identified as a Go binary. Reported associated filenames include a.exe and r49hz.exe. Published hashes for one sample are SHA-256 1942510d3b5691819636067ec89b7b7bb18f784d819060d687fc0248dbed5047, SHA-1 2f859eeaa01238ed704fe504470186904dc59629, and MD5 e8c19bf10d044fe448a60e3fa0f60d58. A notable implementation flaw has been reported in Obscura’s encryption process: files larger than 1 GB may become permanently unrecoverable because the malware fails to write the encrypted temporary key to the file footer, meaning data may remain undecryptable regardless of ransom payment.
Ransomware.live
Ransomware.live
c00a2d757349bfff4d7e0665446101d2ab46a1734308cb3704f93d20dc7aac237521730C07CF45D363A627F32B3102F3F7FA72F36C2C5F9EAB0C7FBA4668527F62A90EF333E6MITRE ATT&CK
Reporting
We implemented all capabilities as Volatility 3 plugins and evaluated them against malware seen in recent incidents, such as the BRICKSTORM backdoor, Obscura ransomware, and Pantegana RAT...
An example is Obscura, whose encryption bug renders files over 1 GB permanently unrecoverable regardless of payment.
Obscura Locker Ransomware ... Этот крипто-вымогатель шифрует данные пользователей с помощью комбинации алгоритмов AES+RSA ... Используется техника BYOVD (Bring Your Own Verificant Driver) для обхода средств защиты.
...and in an incident involving a lesser-known ransomware family called Obscura in late August 2025.
A security flaw in the encryption process associated with the Obscura ransomware has been found to render large files unrecoverable.
This is the case with a recently discovered ransomware variant called Obscura.
This is the case with a recently discovered ransomware variant called Obscura.
Coveware has published a technical analysis of the new Obscura ransomware.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.