The LostTrust ransomware operation is a new multi-extortion threat that emerged in September 2023. Our analysis of LostTrust malware payloads indicates that the family is an evolution of SFile and Mindware, and that all three follow similar operations and tradecraft to MetaEncryptor. Similarities between the LostTrust leak site and the earlier MetaEncryptor leak site are also apparent, while aspects of the SFile encryptor previously observed in MetaEncryptor campaigns are still in use in the LostTrust payloads we analyzed.
In this analysis, we provide a high-level technical outline of where these ransomware families and their operations overlap. We will examine LostTrust payload behavior as well as compare artifacts to the SFile and Mindware families.
LostTrust Ransom Demands
LostTrust victims are presented with a ransom note that attempts to portray the gang as providing a service, a fake veneer that is commonly adopted by cybercriminals perpetrating intrusions. An excerpt from a LostTrust ransom note illustrates this approach:
However, clients usually considered the found vulnerabilities to be minor and poorly
paid for our services.
So we decided to change our business model. Now you understand how important it is
to allocate a good budget for IT security.
This is serious business for us and we really don’t want to ruin your privacy,
reputation and a company.
We just want to get paid for our work whist finding vulnerabilities in various networks.
LostTrust ransom note
The LostTrust leaks site contains information claiming that the gang are “young people who identify themselves as specialists in the field of network security”. Thinly-veiled threats that stolen data will be made available to interested parties if the gang do not receive payment are followed by a warning that notification of the victim’s breach will be widely publicized.
LostTrust Execution Details
In order to prevent existing processes on the victim device from inhibiting encryption or data exfiltration, LostTrust ransomware payloads attempt to discover and terminate a plethora of services and processes. Critical services and processes belonging to Microsoft Exchange, MSSQL, SharePoint, Tomcat, PostgreSQL and others are terminated if identified.
The ransomware initiates numerous, hidden CMD.EXE sessions in order to carry out these tasks. The hidden CMD.EXE windows subsequently host the observed WMIC, NET, SC, taskkill, VSSADMIN and wevtutil commands.
In addition to process discovery and termination, the ransomware attempts to remove Volume Shadow Copies (VSS) via VSSADMIN, and clears the Windows Event Logs (Application, Security, Setup and System) via wevtutil.exe.
LostTrust payload execution output is streamed to a visible command window, allowing for clear observation of the various encryption stages.
LostTrust output
The full list of observed commands is as follows:
"C:\Windows\System32\cmd.exe" /c wevtutil cl Application
"C:\Windows\System32\cmd.exe" /c wevtutil cl security
"C:\Windows\System32\cmd.exe" /c wevtutil cl setup
"C:\Windows\System32\cmd.exe" /c wevtutil cl system
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c sc config FirebirdServerDefaultInstance start= disabled
"C:\Windows\System32\cmd.exe" /c taskkill /IM fb_inet_server.exe /F
"C:\Windows\System32\cmd.exe" /c net stop FirebirdServerDefaultInstance
"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
"C:\Windows\System32\cmd.exe" /c taskkill /IM sqlservr.exe /F
"C:\Windows\System32\cmd.exe" /c sc config MSSQLSERVER start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSSQL$SQLEXPRESS start= disabled
"C:\Windows\System32\cmd.exe" /c net stop MSSQLSERVER
"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQLSERVER
"C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
"C:\Windows\System32\cmd.exe" /c taskkill /IM pg_ctl.exe /F
"C:\Windows\System32\cmd.exe" /c sc config postgresql-9.0 start= disabled
"C:\Windows\System32\cmd.exe" /c net stop postgresql-9.0
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeAB start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeAntispamUpdate start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeEdgeSync start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeFDS start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeFBA start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeImap4 start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeIS start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailSubmission start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxAssistants start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxReplication start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeMonitoring start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangePop3 start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeProtectedServiceHost start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeRPC start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeSearch start= disable
"C:\Windows\System32\cmd.exe" /c sc config wsbexchange start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeSA start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeThrottling start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeTransportLogSearch start= disabled
"C:\Windows\System32\cmd.exe" /c net stop MSExchangeAB
"C:\Windows\System32\cmd.exe" /c net stop MSExchangeAntispamUpdate
"C:\Windows\System32\cmd.exe" /c net stop MSExchangeEdgeSync
"C:\Windows\System32\cmd.exe" /c net stop MSExchangeImap4
"C:\Windows\System32\cmd.exe" /c net stop MSExchangeMailboxReplication
"C:\Windows\System32\cmd.exe" /c net stop MSExchangeProtectedServiceHost
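Seen individually, most of the commands above are routine administration; seen together from one parent process, they are the log-clearing, shadow-copy deletion and service-disabling cluster that precedes encryption. The following Python is an added example, not code from the original post or from SentinelOne, that groups constructed process-creation events (the event fields and PIDs are assumptions) by parent PID and flags any parent that exhibits several distinct inhibition techniques.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the command list above; not real telemetry.
CMD = r'"C:\Windows\System32\cmd.exe" /c '
EVENTS = [
    {"ppid": 4242, "cmdline": CMD + "wevtutil cl security"},
    {"ppid": 4242, "cmdline": CMD + "vssadmin.exe delete shadows /all /quiet"},
    {"ppid": 4242, "cmdline": CMD + "WMIC SERVICE WHERE \"caption LIKE '%MSSQL%'\" CALL STOPSERVICE"},
    {"ppid": 4242, "cmdline": CMD + "WMIC SERVICE WHERE \"caption LIKE '%SQL%'\" CALL STOPSERVIC"},
    {"ppid": 4242, "cmdline": CMD + "WMIC SERVICE WHERE \"caption LIKE '%Exchange%'\" CALL ChangeStartMode 'Disabled'"},
    {"ppid": 4242, "cmdline": CMD + "sc config MSSQL$SQLEXPRESS start= disabled"},
    {"ppid": 4242, "cmdline": CMD + r"C:\Windows\system32\net1 stop MSSQLSERVER"},
    {"ppid": 4242, "cmdline": CMD + "taskkill /IM sqlservr.exe /F"},
    {"ppid": 900,  "cmdline": CMD + "net stop spooler"},   # lone admin action, should not alert
    {"ppid": 901,  "cmdline": CMD + "dir C:\\"},            # benign noise
]

# One tag per technique. The WMIC and sc patterns deliberately accept the truncated
# "STOPSERVIC" / "disable" variants from the observed list: a typo in the malware's
# command still shows up in process-creation telemetry.
RULES = [
    ("clear_event_log",      re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("delete_shadow_copies", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_stop_service",    re.compile(r"\bwmic\s+service\s+where\b.*\bcall\s+stopservic", re.I)),
    ("wmic_disable_service", re.compile(r"\bwmic\s+service\s+where\b.*\bcall\s+changestartmode", re.I)),
    ("sc_disable_service",   re.compile(r"\bsc\s+config\s+\S+\s+start=\s*disable", re.I)),
    ("net_stop_service",     re.compile(r"\bnet1?(\.exe)?\s+stop\s+\S+", re.I)),
    ("taskkill_force",       re.compile(r"\btaskkill\b.*\s/F\b", re.I)),
]

def classify(cmdline):
    """Return the technique tags matched by one command line (possibly none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def score_parents(events, threshold=3):
    """Collect distinct technique tags per parent PID; a parent reaching the threshold
    is returned with its sorted tag list. Counting distinct techniques rather than
    raw command volume keeps a single legitimate 'net stop' below the bar."""
    by_parent = defaultdict(set)
    for ev in events:
        for tag in classify(ev["cmdline"]):
            by_parent[ev["ppid"]].add(tag)
    return {ppid: sorted(tags) for ppid, tags in by_parent.items() if len(tags) >= threshold}

if __name__ == "__main__":
    for ppid, tags in score_parents(EVENTS).items():
        print(f"parent {ppid}: {len(tags)} inhibition techniques -> {', '.join(tags)}")
```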
Supported Command-line Arguments
LostTrust payloads support the following command-line arguments:
--enable-shares
Enable discovery and encryption of accessible network volumes.
--onlypath
Only encrypt files in the specified path.
Supported command-line arguments in LostTrust
The --enable-shares option has been seen in previous SFile/Mindware samples. Notably, however, LostTrust does not include previously seen SFile or Mindware parameters such as --killsusp.
Encrypted files are modified with the “.losttrustencoded” file extension, and a LostTrust ransom note is written to each folder containing encrypted items as !!LostTrustEncoded.txt.
Files encrypted by LostTrust
Similarities to Mindware and SFile
We previously reported on the connection between Mindware and SFile, and LostTrust bears indications that it is an extension of this lineage. LostTrust payloads, like those deployed by MetaEncryptor before, are based on the SFile encryptor. As such, the payloads for LostTrust and MetaEncryptor behave in a similar fashion, and produce similar artifacts. This includes overlap of the extensions to include in the encryption process, as well as what to exclude.
LostTrust handles exclusions by matching path patterns and strings, as its predecessors do. The full list of excluded patterns in observed LostTrust samples is:
$RECYCLE.BIN
all users\microsoft
All Users\Microsoft
Application Data\Microsoft
boot
cache
cache2
Common Files
Common\Microsoft
Default\Extensions
drivers
far manager
google
ida 6.8
ida 7.0
inetpub\logs
intel
Local Settings\Microsoft
Local\Microsoft
LocalLow\Microsoft
mozilla
msocache
perflogs
Program Files\Internet Explorer
Program Files\Microsoft Games
ProgramData\Microsoft
Roaming\Microsoft
System\msadc
Temp
Temporary Internet Files
tor browser
windows.old
windows\system
windows\system32
windows\syswow64
windows\winsxs
WindowsPowerShell
wsus
%windir%
$windows.~bt
$windows.~ws
autorun.inf
boot.ini
bootfont.bin
bootmgr
bootsect.bak
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
:\system volume information
! cynet ransom protection(don't delete)
!losttrustencoded.txt
Mindware encryption exclusions
Encryption inclusion/exclusion in LostTrust looks similar to its Mindware and SFile predecessors.
Victim Blog Site
The TOR-based blog site for LostTrust appears to be a direct facsimile of the MetaEncryptor blog. Formatting and contact information (TOX) all match up. While there are no direct victim overlaps between the LostTrust and MetaEncryptor sites, some victims listed on LostTrust have been previously listed on leaks sites such as Royal, LockBit 3, and Medusa.
MetaEncryptor and LostTrust blogs existing in parallel
At the time of writing, 53 victims are listed on the LostTrust blog and 13 on the MetaEncryptor blog. Both blog sites remain active, and the MetaEncryptor blog has also been updated recently.
Comparison of LostTrust, Mindware and SFile Ransom Notes
LostTrust vs SFile ransom notes (head)
LostTrust vs. SFile ransom notes (tail): Contact Instructions
Ransom note construction is also similar across relevant Mindware and LostTrust malware samples.
Ransom note construction in Mindware
Ransom note construction in LostTrust
MetaEncryptor Strings and Artifacts
LostTrust, like SFile and Mindware, contains references to MetaEncryptor in its encryption-staging functions and strings.
MetaEncryptor references upon launch of LostTrust
MetaEncryptor references in SFile
The cross-references to the MetaEncryptor encryption stage can be viewed within the LostTrust payload binaries as well.
Internal references to MetaEncryptor (LostTrust)
Debug Paths & String Artifacts
Throughout the timeline from SFile to LostTrust, we see some commonalities with regard to the included debug paths and string artifacts.
SFile: C:\fake_exe.pdb, D:\fake.pdb
Mindware: C:\fake_exe.pdb, D:\fake.pdb
LostTrust: C:\fake_exe.pdb, D:\code\ransomware_win\bin\decoder.pdb
There is also some variance among the email addresses provided in the ransom notes across these families.
SentinelOne Detects and Protects Against LostTrust Ransomware
SentinelOne Singularity detects and prevents malicious behaviors and artifacts associated with LostTrust ransomware.
Conclusion
In this analysis we have provided a technical outline of where these ransomware families and operations overlap. When LostTrust’s blog emerged in September 2023, many eyebrows were raised given the immediate similarities noticed between the LostTrust and MetaEncryptor sites. Our current observations and analysis indicate that “LostTrust” is an evolution of SFile and Mindware.
Organizations without SentinelOne should review the indicators provided below and throughout this post.
Indicators of Compromise