Total Victims: 2
First Seen: 2020-06-01
Last Seen: 2026-03-07
Known TTPs: 0
Avg Delay: 10.5d
Negotiations: 0
ONION URLS
nthnccbyydpetrkp6yh6muz3phimeucx644opectu4wrlsoyywqhxsbe.onion
TOOLS
TrickBot TDSSKiller nltest PowerShell Empire FileZilla
FILE EXTENSIONS
.rip
Date | Victim Name | Country | Sector | Status
2026-03-07 | Shield Services | United States | Agriculture | Published
2026-03-06 | Shield Group | United States | Healthcare | Negotiating

No TTPs data

HellfireBlack_rule_1 RansomwareMonitor
rule HellfireBlack_ransomware_1 {
    meta:
        description = "Detects HellfireBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c4ea1e65824434962ba7d2094979329147565b70a2608401db6e97a61bcd7790"

    strings:
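        // Base58 pattern for a legacy Bitcoin address (starts with 1 or 3)
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s1 = "!!!" nocase
        $h3 = { 49 FE 41 80 DE 8C CD A1 CB 77 56 }

    condition:
        // PE file (MZ header) under 5 MB containing every pattern above.
        // The original listed the address regex twice ($r0 and $r2) with "4 of them";
        // with the duplicate removed, "all of them" matches the same files.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        all of them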
}
HellfireBlack_rule_2 VirusTotal
rule HellfireBlack_ransomware_2 {
    meta:
        description = "Detects HellfireBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7f0beb9b4ab706cbadf0f595ab4bc75d423cc17e84708c127c8a561d321205e6"

    strings:
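        // The last byte of $h0 and $h3 is truncated to one nibble on the page, which
        // YARA rejects; the missing low nibble is wildcarded so the rule compiles.
        $h0 = { EC 39 44 0E 9C 3F AB 83 0D D1 C7 20 27 C9 20 35 50 14 1C 7? }
        $s1 = "PAYMENT" nocase
        $s2 = "Do not modify" nocase
        $h3 = { 08 79 90 95 60 73 A2 5B A1 7A 2F 68 AF 30 54 28 83 83 32 E9 C2 6? }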
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

No ransom notes