A new ransomware strain dubbed Vgod has emerged recently as a critical cybersecurity threat. First observed on February 5, 2025, by CYFIRMA researchers, this Windows-targeting malware combines file encryption with double extortion, threatening to leak stolen data unless the ransom is paid.

Vgod pairs advanced encryption with psychological pressure tactics. It uses a hybrid cryptographic approach, AES-256 for file encryption and RSA-4096 for protecting the file-encryption keys, a design consistent with established ransomware families such as Ryuk and LockBit. Encrypted files receive a .Vgod extension; for example, document.pdf becomes document.pdf.Vgod. The malware also embeds unique victim identifiers and contact information within filenames, a tactic previously observed in God ransomware variants.

Vgod distinguishes itself by replacing the victim's desktop wallpaper with the ransom note (example below), ensuring the attack cannot be overlooked.

The ransomware employs multiple persistence mechanisms: bootkit installation (MITRE ATT&CK T1542.003) to survive OS reboots, scheduled tasks for periodic execution, and network propagation via compromised RDP credentials. Its infrastructure shares similarities with CyberVolk operations, using Russian-aligned servers and components of the leaked Babuk ransomware source code.

The attack aligns with 2024's ransomware surge, in which 63% of incidents involved double extortion tactics according to ThreatDown's July 2024 report. With ransomware groups increasingly targeting virtualization platforms, prioritizing patch management, especially for VMware ESXi vulnerabilities, is critical to preventing cross-platform attacks like those seen in the ElDorado ransomware campaigns.

Network defenders should stay vigilant for unusual svchost.exe memory allocations exceeding 500MB, suspicious PowerShell execution logs, and failed login attempts from Eastern European IP ranges. CYFIRMA urges organizations to immediately implement application allowlisting to block unauthorized executables, enforce multi-factor authentication (MFA) for all remote access points, and maintain frequent air-gapped backups for data protection.
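The following triage helper is an added example written for this page; it is not CYFIRMA's tooling and contains no code from the ransomware itself. It turns the three host-level indicators the article names (the .Vgod file extension, svchost.exe working sets above 500MB, and repeated failed logons from a single source) into checks a responder can run over exported data. The file listing, process snapshot and Security-log lines are all constructed for illustration, and the log line format (`<event id> user=<name> src=<ip>`) is an assumed simplification of Windows event 4625 rather than any real export format.

```python
"""Added triage helper for the Vgod indicators named in this article.

Example code written for this page, not CYFIRMA's or the ransomware's code.
All sample data below is constructed for illustration.
"""
from collections import Counter

VGOD_EXTENSION = ".Vgod"            # extension the article reports on encrypted files
SVCHOST_MEMORY_THRESHOLD_MB = 500   # unusual working-set size the article flags
FAILED_LOGON_EVENT_ID = "4625"      # Windows Security event id for a failed logon

# Constructed file listing from an affected host (not real victim data)
SAMPLE_FILE_LISTING = [
    r"C:\Users\alice\Documents\document.pdf.Vgod",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Pictures\photo.jpg.Vgod",
]

# Constructed process snapshot: (image name, pid, working set in MB)
SAMPLE_PROCESSES = [
    ("svchost.exe", 812, 42),
    ("svchost.exe", 4120, 736),
    ("explorer.exe", 2044, 310),
]

# Constructed Security-log lines in an assumed "<event id> user=<name> src=<ip>" shape
SAMPLE_LOGON_EVENTS = [
    "4625 user=admin src=203.0.113.7",
    "4624 user=alice src=10.0.0.5",
    "4625 user=admin src=203.0.113.7",
    "4625 user=backup src=203.0.113.9",
]


def find_encrypted_files(paths):
    """Return every path carrying the .Vgod extension (case-sensitive match)."""
    return [p for p in paths if p.endswith(VGOD_EXTENSION)]


def find_bloated_svchost(processes, threshold_mb=SVCHOST_MEMORY_THRESHOLD_MB):
    """Return (pid, MB) for svchost.exe instances above the memory threshold."""
    return [(pid, mb) for name, pid, mb in processes
            if name.lower() == "svchost.exe" and mb > threshold_mb]


def failed_logons_by_source(events, min_failures=2):
    """Count failed-logon events per source IP and keep sources at or above
    min_failures. Geolocating the sources (the article points at Eastern
    European ranges) is left to the reader's own enrichment tooling."""
    counts = Counter()
    for line in events:
        fields = line.split()
        if not fields or fields[0] != FAILED_LOGON_EVENT_ID:
            continue
        src = next((f.split("=", 1)[1] for f in fields if f.startswith("src=")), None)
        if src:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= min_failures}


def triage(paths, processes, events):
    """Combine the three checks into one summary a responder can act on."""
    return {
        "encrypted_files": find_encrypted_files(paths),
        "bloated_svchost": find_bloated_svchost(processes),
        "repeated_failed_logons": failed_logons_by_source(events),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_FILE_LISTING, SAMPLE_PROCESSES, SAMPLE_LOGON_EVENTS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed data the run reports the two .Vgod files, the svchost.exe instance at 736MB, and 203.0.113.7 as the only source with repeated failures. The threshold and failure count are deliberately parameters: a single 4625 event is routine, and the 500MB figure is the article's rule of thumb, not a property of svchost.exe in general, so both should be tuned against a baseline from the environment before the checks feed an alert.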
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 18 Feb 2025 07:25:09 +0000