Midnight Active
Ransomware group first observed in 2023. Uses TDSSKiller for deployment.
Total Victims
First Seen: 2023-04-01
Last Seen: 2026-03-07
Known TTPs: 0
Avg Delay: 32.6d
Negotiations: 0
ONION URLS
cwr54mk4l74feotvg2phz5pmlazyr3x6wdr3fp4av7gskd3brlkft2ef.onion
TOOLS
TDSSKiller
TrickBot
net.exe
TeamViewer
Rclone
FILE EXTENSIONS
.crypt
CHARTS (activity timeline, top sectors, top countries, activity heatmap): not reproduced in text
| Date | Victim Name | Country | Sector | Status |
|---|---|---|---|---|
| 2026-03-07 | Premier Solutions | Switzerland | Pharmaceuticals | Published |
No TTP data
Midnight_rule_1 (RansomwareMonitor)

```yara
rule Midnight_ransomware_1 {
    meta:
        description = "Detects Midnight ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "471a20f04108df9745472463dcfafb281448cb69c9687ecf2f0563bbef82a74e"
    strings:
        // Ransom-note phrasing and a Tor contact domain, matched case-insensitively
        $s0 = "Do not modify" nocase
        $s1 = ".onion" nocase
        // Legacy Bitcoin (P2PKH/P2SH) address pattern used for the payment demand
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        uint16(0) == 0x5A4D and   // "MZ" header: only scan PE executables
        filesize < 5MB and
        2 of them
        // All three strings are generic; expect false positives on benign PE files
        // that embed Tor links or address-like tokens, and pair with the hash above.
}
```
Midnight_rule_2 (VirusTotal)

```yara
rule Midnight_ransomware_2 {
    meta:
        description = "Detects Midnight ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c93a01d6afe2c8145d59a604094022f9fd226e3a2d01f4c2ddd78fdb35b5493c"
    strings:
        // Opaque byte sequences taken from the sample
        $h0 = { A4 4E 45 56 15 E8 8A C9 29 19 5C B4 }
        // The original listing ended this pattern with a lone nibble ("2"), which
        // YARA rejects; it is kept as a high-nibble wildcard so the rule compiles
        $h2 = { 7E 3B C9 A7 CF 83 1B E3 2? }
        // Ransom-note keywords
        $s1 = "RECOVER" nocase
        $s3 = "ENCRYPTED" nocase
    condition:
        uint16(0) == 0x5A4D and   // "MZ" header: only scan PE executables
        filesize < 5MB and
        2 of them
}
```
Midnight_rule_3 (Malpedia)

```yara
rule Midnight_ransomware_3 {
    meta:
        description = "Detects Midnight ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b744b99feccb165b517e2bf84aa23efd981adf66cf49b8a67aeb0ee371e1bc8d"
    strings:
        // Legacy Bitcoin address pattern. The original listing declared this same
        // regex three times ($r0, $r2, $r5); with "2 of them" a single address hit
        // would then satisfy the condition on its own, so it is declared once here.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Separator run seen in the ransom note
        $s1 = "::::" nocase
        // Opaque byte sequences taken from the sample
        $h3 = { B8 72 5F F4 BF 0E FA B1 A5 9D FA FB 37 A1 36 D0 B4 60 52 }
        $h6 = { 89 AC 18 07 04 3A 28 FB C5 9C 39 4A D0 C6 25 C6 91 0C 4B }
        // Ransom-note file name (README.<ext>), case-insensitive
        $r4 = /README\..{3,10}/i
    condition:
        uint16(0) == 0x5A4D and   // "MZ" header: only scan PE executables
        filesize < 5MB and
        2 of them
}
```
No ransom notes