Hypnos (Inactive)
Ransomware group first observed in 2025. Uses SharpDPAPI for deployment.
Total Victims: 0
First Seen: 2025-11-01
Last Seen: 2025-01-25
Known TTPs: 6
Avg Delay: 38.4d
Negotiations: 0
ONION URLS
wmrtxkymyg7mg6oaav6w4eykmbjwowdh5xlzbrdgfbltra5kmnlwdo76.onion
TOOLS
SharpDPAPI
IcedID
Chisel
ADFind
FILE EXTENSIONS
.gone
ACTIVITY TIMELINE
TOP SECTORS
TOP COUNTRIES
ACTIVITY HEATMAP
| Date | Victim Name | Country | Sector | Status |
|---|---|---|---|---|
| No victims recorded | | | | |
| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1071.001 | Web Protocols | Command and Control |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1016 | System Network Configuration Discovery | Discovery |
| T1018 | Remote System Discovery | Discovery |
| T1195.002 | Compromise Software Supply Chain | Initial Access |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
Hypnos_rule_1 (source: Malpedia)

```yara
rule Hypnos_ransomware_1 {
    meta:
        description = "Detects Hypnos ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "1325e6683ed5422edae75e7fb51b24cf4633738b1dd159af36ff5348498cafb7"
    strings:
        // Ransom-note filename pattern (README.<ext>). The original rule listed
        // this identical regex three times ($r0, $r3, $r6); one copy is kept,
        // since duplicates would let a single match count toward "3 of them".
        $r0 = /README\..{3,10}/i
        $s1 = "ChaCha20" nocase
        $s2 = "README" nocase
        // The last byte of this pattern survived only as a single nibble ("1");
        // its low nibble is wildcarded rather than guessed.
        $h4 = { 14 53 1F 4A 2C 8B 06 0A 1? }
        $s5 = ".onion" nocase
    condition:
        // MZ header, under 5 MB, and at least three of the strings above
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}
```
Hypnos_rule_2 (source: VirusTotal)

```yara
rule Hypnos_ransomware_2 {
    meta:
        description = "Detects Hypnos ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2ad004bf84f1a65919a7c562a037ee8bbb09b4d88233f19e830943752db56f7a"
    strings:
        $s0 = "Hypnos" nocase
        // The last byte of each hex pattern below survived only as a single
        // nibble on the page ("1", "A", "8"); the low nibble is wildcarded
        // rather than guessed, which keeps the rule compilable.
        $h1 = { 13 A8 80 C6 D6 CC 2A F9 DC 66 31 09 B3 30 A0 41 48 1? }
        // v3 onion address (56 characters) followed by ".onion"
        $r2 = /[A-Za-z0-9]{56}\.onion/
        $s3 = ".hypnos" nocase
        $h4 = { CE 98 24 F9 23 D2 29 35 34 81 74 A? }
        $h5 = { FE 1D C5 92 0D 2D 2D 24 34 6B 5A E6 4C 8? }
        $s6 = "Do not rename" nocase
    condition:
        // MZ header, under 5 MB, and at least three of the strings above
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}
```
No IoCs
No ransom notes