CitadelRage (Active)

Ransomware group first observed in 2019. Uses net.exe for deployment.

- Total Victims: 1
- First Seen: 2019-06-01
- Last Seen: 2026-03-06
- Known TTPs: 24
- Avg Delay: 28.0d
- Negotiations: 0
ONION URLS
2zokqspv5a7gbrcqzdm7invzrv5upxrzl3ddeeizwhxcyf4kqzfh27me.onion
TOOLS
net.exe
Cobalt Strike
SystemBC
7-Zip
FILE EXTENSIONS
.oops
[Charts not reproduced: Activity Timeline, Top Sectors, Top Countries, Activity Heatmap]
| Date | Victim Name | Country | Sector | Status |
|---|---|---|---|---|
| 2026-03-06 | Emerald Global | Germany | Legal | Published |
| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1039 | Data from Network Shared Drive | Collection |
| T1105 | Ingress Tool Transfer | Command and Control |
| T1572 | Protocol Tunneling | Command and Control |
| T1003.001 | LSASS Memory | Credential Access |
| T1555.003 | Credentials from Web Browsers | Credential Access |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1070.004 | File Deletion | Defense Evasion |
| T1140 | Deobfuscate/Decode Files | Defense Evasion |
| T1562.004 | Disable or Modify System Firewall | Defense Evasion |
| T1562.009 | Safe Mode Boot | Defense Evasion |
| T1049 | System Network Connections Discovery | Discovery |
| T1082 | System Information Discovery | Discovery |
| T1491.001 | Internal Defacement | Impact |
| T1531 | Account Access Removal | Impact |
| T1561.001 | Disk Wipe | Impact |
| T1078 | Valid Accounts | Initial Access |
| T1566.002 | Spearphishing Link | Initial Access |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1080 | Taint Shared Content | Lateral Movement |
| T1098 | Account Manipulation | Persistence |
| T1136.001 | Local Account | Persistence |
| T1547.001 | Registry Run Keys | Persistence |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1134 | Access Token Manipulation | Privilege Escalation |
CitadelRage_rule_1
Malpedia
```yara
rule CitadelRage_ransomware_1 {
    meta:
        description = "Detects CitadelRage ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "dcf4d55dcaa12642edf2c49edd9a7a811dbdd5eedb2360abf4921cb86c0d34d4"
    strings:
        $s0 = "DECRYPT" nocase
        // The last byte of $h1, $h2, $h5 and $h6 survived only as a single
        // nibble on the page; the unknown low nibble is wildcarded (?) so
        // the rule compiles without inventing the missing value.
        $h1 = { 29 32 9A A4 0D 4E 54 8D F4 62 AC BD 24 47 04 9B AA BD 0E BD B7 D? }
        $h2 = { E7 C5 1F A8 AD BD D4 B9 76 BE B7 71 2? }
        // Bitcoin address pattern, as found in ransom notes
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h4 = { B3 AA 98 AB 30 1D 14 EF 7F 91 08 76 26 E2 97 1D A5 90 7A 22 29 93 }
        $h5 = { 39 5B FD A4 D4 36 03 00 C1 7E BD CE BC EB 2? }
        $h6 = { 2B CF 31 4A 26 59 27 93 9A 62 0B 54 6B B2 96 1? }
    condition:
        uint16(0) == 0x5A4D and  // "MZ" magic: Windows PE file
        filesize < 5MB and
        4 of them
}
```
No IoCs
No ransom notes