Chaos Emerges as Faster, Smarter, and More Dangerous Ransomware


In recent weeks, security teams worldwide have grappled with a new ransomware strain that has shattered expectations for speed and sophistication.

First detected in late September 2025, this variant encrypts critical data within seconds of execution, leaving little time for intervention.

Organizations across the manufacturing, healthcare, and finance sectors have reported system-wide outages as attackers run large-scale campaigns that combine abuse of exposed Remote Desktop Protocol (RDP) services with spear-phishing emails.

Initial forensic analysis indicates that the malware propagates through a custom loader that rides unsecured RDP sessions and hides inside packed DLL modules, enabling rapid lateral movement across networks.

As the ransomware spread, forensic investigators noted unusual callbacks to command-and-control (C2) servers hosted on bulletproof hosting infrastructure.

These C2 domains appear to use fast-flux DNS rotation, which complicates takedown efforts. C2 traffic is encrypted with ChaCha20 keyed per session token, so that each attack instance's channel stays isolated from the others.
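Fast-flux rotation shows up in resolver logs as one name answering with many unrelated addresses at short TTLs. The script below is an added example, not Fortinet's or the article's code, that scores each domain in a constructed, simplified log (`<epoch> <domain> <A record> <ttl>`) by distinct IPs, distinct /16 prefixes and minimum TTL; the thresholds are assumed, not taken from the article.

```python
"""Flag fast-flux C2 domains in DNS resolution logs.

Added example, not Fortinet's or the article's code. The log format is a
constructed, simplified one: "<epoch> <domain> <A record> <ttl>". A domain is
flagged when its answers span many distinct IPs across many distinct /16
prefixes with short TTLs, which is the fingerprint of flux rotation; a CDN
rotating inside one prefix or a static host with a long TTL is not flagged.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log; the 100.64.0.0/10 block stands in for unrelated
# hosting networks and the RFC 5737 ranges for a CDN and a static web host.
SAMPLE_LOG = """
# ts          domain                 a_record       ttl
1700000000 sync.flux-c2.example 100.64.12.7   60
1700000120 sync.flux-c2.example 100.71.200.3  60
1700000240 sync.flux-c2.example 100.80.5.19   45
1700000360 sync.flux-c2.example 100.99.77.1   60
1700000480 sync.flux-c2.example 100.102.8.8   60
1700000600 sync.flux-c2.example 100.64.12.7   60
1700000000 cdn.vendor.example   203.0.113.10  30
1700000300 cdn.vendor.example   203.0.113.11  30
1700000600 cdn.vendor.example   203.0.113.12  30
1700000900 cdn.vendor.example   203.0.113.13  30
1700001200 cdn.vendor.example   203.0.113.14  30
1700000000 www.static.example   198.51.100.5  86400
1700003600 www.static.example   198.51.100.5  86400
"""


@dataclass(frozen=True)
class FluxVerdict:
    domain: str
    distinct_ips: int
    distinct_prefixes: int
    min_ttl: int
    flagged: bool


def parse_line(line):
    """Split one log line into (timestamp, domain, ip, ttl)."""
    ts, domain, ip, ttl = line.split()
    return int(ts), domain.lower().rstrip("."), ipaddress.ip_address(ip), int(ttl)


def prefix16(ip):
    """Collapse an address to its /16 so each unrelated network counts once."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def assess(lines, min_ips=5, min_prefixes=4, max_ttl=300):
    """Return {domain: FluxVerdict} for every domain seen in the log lines.

    Thresholds are illustrative (assumed, not from the article); tune them to
    the time slice you feed in, since a longer slice accumulates more answers.
    """
    answers = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        _ts, domain, ip, ttl = parse_line(raw)
        answers[domain].append((ip, ttl))

    verdicts = {}
    for domain, recs in answers.items():
        ips = {ip for ip, _ in recs}
        prefixes = {prefix16(ip) for ip, _ in recs}
        min_ttl = min(ttl for _, ttl in recs)
        flagged = (len(ips) >= min_ips
                   and len(prefixes) >= min_prefixes
                   and min_ttl <= max_ttl)
        verdicts[domain] = FluxVerdict(domain, len(ips), len(prefixes), min_ttl, flagged)
    return verdicts


def flagged_domains(lines, **thresholds):
    """Sorted list of domains that look like fast-flux infrastructure."""
    return sorted(d for d, v in assess(lines, **thresholds).items() if v.flagged)


if __name__ == "__main__":
    for v in assess(SAMPLE_LOG.splitlines()).values():
        print(f"{v.domain:24} ips={v.distinct_ips} /16s={v.distinct_prefixes} "
              f"min_ttl={v.min_ttl} {'FLUX' if v.flagged else 'ok'}")
```

The prefix count is what separates flux from a CDN: both answer with many addresses, but a CDN's pool sits in a handful of its own prefixes, while flux nodes are compromised hosts scattered across unrelated networks.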


Victims report payload sizes under 100 KB—remarkably small for contemporary ransomware—suggesting extreme code optimization.

Early incident response teams struggled to recover locked volumes before the data-destruction routines fired, which wipe backup snapshots and Volume Shadow Copies across Windows hosts.
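Shadow-copy and recovery tampering is one of the few pre-encryption steps that is loud in process telemetry. The script below is an added example, not Fortinet's or the article's code; the article does not say which commands this strain runs, so the rules cover the commands ransomware commonly uses (vssadmin, wmic, bcdedit, wbadmin, Win32_ShadowCopy) over a constructed, pipe-delimited reduction of Sysmon process-creation events.

```python
"""Detect shadow-copy and recovery tampering in process-creation telemetry.

Added example, not Fortinet's or the article's code. Input lines are a
constructed, pipe-delimited reduction of Sysmon Event ID 1 records:
"<epoch>|<host>|<Image>|<CommandLine>|<ParentImage>". Each rule names a
command pattern ransomware uses to inhibit recovery; a host that trips
several distinct rules within a short window is escalated, because the
chained vssadmin/wmic/bcdedit sequence is the classic pre-encryption step.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

INHIBIT_RECOVERY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy",
     re.compile(r"Win32_ShadowCopy", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b", re.I)),
]

# Constructed sample: a ransomware chain on WS-042 launched from a user-writable
# path, an admin merely listing shadows on a backup server, and benign noise.
SAMPLE_EVENTS = r"""
1700000001|WS-042|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet|C:\Users\Public\update.exe
1700000002|WS-042|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete|C:\Users\Public\update.exe
1700000003|WS-042|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no|C:\Users\Public\update.exe
1700000900|SRV-BKP|C:\Windows\System32\vssadmin.exe|vssadmin list shadows|C:\Windows\System32\cmd.exe
1700001000|WS-017|C:\Windows\System32\notepad.exe|notepad.exe notes.txt|C:\Windows\explorer.exe
"""


@dataclass(frozen=True)
class Hit:
    ts: int
    host: str
    technique: str
    image: str
    command_line: str
    parent_image: str


def triage(lines):
    """Return one Hit per event whose command line matches a rule (first match wins)."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, host, image, cmdline, parent = raw.split("|", 4)
        for technique, pattern in INHIBIT_RECOVERY_RULES:
            if pattern.search(cmdline):
                hits.append(Hit(int(ts), host, technique, image, cmdline, parent))
                break
    return hits


def escalated_hosts(hits, window_seconds=300, min_techniques=2):
    """Hosts that trip min_techniques distinct rules within window_seconds."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h.host].append(h)
    escalated = set()
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h.ts)
        for i, first in enumerate(hs):
            seen = {h.technique for h in hs[i:] if h.ts - first.ts <= window_seconds}
            if len(seen) >= min_techniques:
                escalated.add(host)
                break
    return sorted(escalated)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS.splitlines())
    for h in found:
        print(f"{h.host} {h.technique}: {h.command_line} (parent {h.parent_image})")
    print("escalate:", escalated_hosts(found))
```

A single `vssadmin delete shadows` from an admin shell is worth a look; three distinct recovery-inhibiting commands from the same non-standard parent within seconds is an encryption about to start, which is why the escalation is keyed on distinct techniques per host rather than raw hit count.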

Fortinet researchers identified the strain after observing a cluster of high-severity alerts triggered by anomalous DLL loads and abnormal file-renaming patterns on customer networks.

Investigators from Fortinet's FortiGuard Labs found that the malware's polymorphic engine introduces minor code alterations with each build, defeating signature-based detection in antivirus products.

Dynamic analysis revealed that the encryption routine spawns a child process, drops a loader stub into its memory, and then patches the encryption code in place, a design that prioritizes speed over obfuscation.

Within hours of discovery, threat intelligence teams confirmed the emergence of new ransom notes demanding payouts in Monero, with amounts tailored per victim based on automated asset valuations.

Chaos-C++ ransom note (Source – Fortinet)

Cryptographic keys are generated under a hybrid asymmetric/symmetric scheme: file contents are encrypted with the ChaCha20 stream cipher (a symmetric cipher, not an elliptic-curve algorithm), and the symmetric keys are wrapped with 3072-bit RSA so that only the holder of the attacker's private key can recover them.

The result is rapid file locking coupled with key recovery that is computationally infeasible without the attacker's private key.

Infection Mechanism: In-Memory Execution and Loader Hand-Off

A deeper look at this strain’s infection mechanism reveals a two-stage in-memory execution chain designed for stealth and speed.

The initial dropper masquerades as a legitimate MSI installer and uses Windows Management Instrumentation (WMI) to launch the secondary payload directly in process memory, without ever writing it to disk.

Upon execution, the loader allocates a private memory region, copies the decryption stub into it, marks the region executable and jumps to it, as the following snippet illustrates (shellcodeStub and shellcodeSize are the stub bytes and their length, handed over by the dropper):

#include <windows.h>

// RWX request up front: a strong tell for memory scanners even though the region is tightened to RX below.
LPVOID exec_mem = VirtualAlloc(NULL, shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
RtlCopyMemory(exec_mem, shellcodeStub, shellcodeSize);   // copy the decryption stub (plain machine code) in
DWORD oldProtect;
VirtualProtect(exec_mem, shellcodeSize, PAGE_EXECUTE_READ, &oldProtect);   // drop write, keep execute
// Transfer control to the stub inside this process; nothing has touched the filesystem.
((void(*)())exec_mem)();

Because the payload never touches disk, the technique leaves minimal artifacts on the host filesystem. Once active, the loader resolves API addresses at runtime rather than through an import table, further hindering static analysis.
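Runtime API resolution means the sample carries hashes of export names rather than the names themselves, so the import table tells an analyst nothing. The script below is an added example, not Fortinet's or the article's code; the article does not say which hash this strain uses, so the classic ROR13 hash from position-independent Windows shellcode is assumed as the illustration. It rebuilds a hash-to-name table from the exports a loader like this would need and maps constants pulled from a sample back to API names.

```python
"""Recover API names from the hashes a runtime-resolving loader carries.

Added example, not Fortinet's or the article's code. The article does not say
which hash this strain uses; the ROR13 hash below is the classic one from
position-independent Windows shellcode and stands in as an illustration. An
analyst pulls the 32-bit constants out of the sample, then maps them back to
export names with a precomputed table built from the names they expect.
"""

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str) -> int:
    """hash = ror13(hash) + byte, for each ASCII byte of the export name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_table(names) -> dict:
    """Precompute hash -> name so lookups from a sample are O(1)."""
    return {ror13_hash(n): n for n in names}


def resolve_hashes(constants, names) -> dict:
    """Map each constant found in a sample to an export name, or None if unknown."""
    table = build_table(names)
    return {c: table.get(c) for c in constants}


# Constructed: the exports a loader like the one above would need. The table
# is cheap to extend with every export of kernel32/ntdll when triaging for real.
CANDIDATE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "VirtualProtect", "CreateThread", "RtlMoveMemory"]

if __name__ == "__main__":
    # Constructed "constants from a sample": two genuine ROR13 values, one unknown.
    sample_constants = [0xEC0E4E8E, ror13_hash("VirtualAlloc"), 0xDEADBEEF]
    for c, n in resolve_hashes(sample_constants, CANDIDATE_EXPORTS).items():
        print(f"0x{c:08X} -> {n}")
```

In practice the candidate list is every export of the DLLs the loader walks, and an unresolved constant usually means a different hash (a custom rotate count, a seed, or a hash over module plus function name), which is the first thing to check in the sample's resolver loop.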

After decrypting its main module, the ransomware immediately scans local drives and network shares for files matching predefined extensions, spawning parallel threads to maximize multicore encryption throughput.

By performing these operations entirely in memory, the malware undermines file-scanning endpoint tools and, according to the analysis, encrypts 10 GB of data in under 30 seconds on modern CPUs.

This in-memory hand-off also grants the malware robust persistence: the loader injects a tiny stub into the LSASS process and registers a scheduled task that triggers the payload at system startup.

Combined with registry Run keys and WMI event subscriptions, this leaves victims with significant remediation challenges, often requiring full system rebuilds to guarantee eradication.
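Each persistence and injection mechanism listed above leaves a specific Windows event behind: Run-key writes (Sysmon 13), WMI filter/consumer/binding creation (Sysmon 19, 20, 21), handles to and remote threads in LSASS (Sysmon 10 and 8), and scheduled task creation (Security 4698). The triage below is an added example, not Fortinet's or the article's code; it runs over constructed records that use those events' field names, and the drop directories it rates as high are an assumption, not something the article specifies.

```python
"""Triage Windows telemetry for the persistence and injection described above.

Added example, not Fortinet's or the article's code. The records are a
constructed, simplified rendering of Sysmon events (IDs 8, 10, 13, 19, 20, 21)
and Security event 4698, keyed by the field names those events carry. Each
classifier returns a Finding or None; findings that reference a user-writable
drop directory are rated high because that is where such loaders stage.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed drop locations worth a closer look (lower-case for comparison).
SUSPECT_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\",
                "\\programdata\\", "\\windows\\temp\\")

# Sysmon 10 GrantedAccess bits that allow code injection into the target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020


@dataclass(frozen=True)
class Finding:
    technique: str
    severity: str
    detail: str


def suspect_path(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in SUSPECT_DIRS)


def classify(ev: dict) -> Optional[Finding]:
    """Map one event record to a Finding, or None when it is not of interest."""
    eid = ev["EventID"]
    if eid == 13 and "\\currentversion\\run" in ev["TargetObject"].lower():
        sev = "high" if suspect_path(ev["Details"]) else "medium"
        return Finding("registry_run_key", sev, f'{ev["TargetObject"]} = {ev["Details"]}')
    if eid in (19, 20, 21) and ev.get("Operation") == "Created":
        part = {19: "filter", 20: "consumer", 21: "binding"}[eid]
        dest = ev.get("Destination", ev.get("Query", ev.get("Consumer", "")))
        sev = "high" if suspect_path(dest) else "medium"
        return Finding("wmi_event_subscription", sev, f"{part}: {dest}")
    if eid == 8 and ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return Finding("lsass_remote_thread", "high", f'from {ev["SourceImage"]}')
    if eid == 10 and ev["TargetImage"].lower().endswith("\\lsass.exe"):
        granted = int(ev["GrantedAccess"], 16)
        if granted & (PROCESS_CREATE_THREAD | PROCESS_VM_WRITE):
            return Finding("lsass_inject_capable_handle", "high",
                           f'{ev["SourceImage"]} access 0x{granted:X}')
        return None  # query-only handles (AV, WMI providers) are routine noise
    if eid == 4698:
        content = ev["TaskContent"]
        if "<BootTrigger>" in content or "<LogonTrigger>" in content:
            sev = "high" if suspect_path(content) else "medium"
            return Finding("scheduled_task_startup", sev, ev["TaskName"])
    return None


def triage(events):
    """Findings for every event of interest, in event order."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample records, in the order the loader would produce them.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\update.exe"},
    {"EventID": 19, "Operation": "Created", "Name": "UpdFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "Name": "UpdConsumer", "Type": "Command Line",
     "Destination": r"C:\Users\Public\update.exe"},
    {"EventID": 21, "Operation": "Created", "Consumer": 'CommandLineEventConsumer.Name="UpdConsumer"',
     "Filter": '__EventFilter.Name="UpdFilter"'},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Updater",
     "TaskContent": "<Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>"
                    "<Actions><Exec><Command>C:\\Users\\Public\\update.exe</Command></Exec></Actions>"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.technique}: {f.detail}")
```

The Sysmon 10 branch is the one to get right: LSASS is opened constantly by legitimate software with query-only rights, so the rule keys on the write and create-thread bits rather than on the handle itself. During remediation, the same three artifact classes (Run keys, WMI subscriptions, scheduled tasks) are what a rebuild decision hinges on; finding the WMI binding alone is usually enough to justify it.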


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.