0
Total Victims
2021-01-01
First Seen
2026-03-20
Last Seen
0
Known TTPs
41.9d
Avg Delay
0
Negotiations
ONION URLS
lvfvga3pybiuzkrzy4dlczj2kvndu52m6kkdddvjegchpnwlsia632ma.onion
TOOLS
TrickBot QBot WinSCP ScreenConnect Cobalt Strike
FILE EXTENSIONS
.doom
No victims recorded

No TTP data

OracleData_rule_1 Elastic Security
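rule OracleData_ransomware_1 {
    // Flags PE files (MZ header, under 5 MB) that carry all three of the
    // patterns declared below. The single-sample hash in meta is the
    // reference sample the patterns were taken from.
    meta:
        description = "Detects OracleData ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6213d92ade9221d221c3b27d8c6d2104fefc33cae7021cbb3796fc9594555195"

    strings:
        // Generic ransom-note keyword; only meaningful together with $h1.
        $s0 = "README" nocase
        // Byte pattern from the sample. The published form ended in a lone
        // nibble ("E8 C"), which YARA rejects as a hex string, so the pattern
        // is trimmed to whole bytes. The 9-byte form loads cleanly and
        // matches a superset of whatever the intended 10-byte form covered.
        $h1 = { B6 27 C1 26 1B DF DC 18 E8 }
        // 56-character label followed by ".onion" (the length of a v3 onion
        // address). The class is wider than base32 on purpose.
        $r2 = /[A-Za-z0-9]{56}\.onion/

    condition:
        uint16(0) == 0x5A4D and   // "MZ": restrict to PE/DOS-header files
        filesize < 5MB and
        3 of them                 // every declared string must be present
}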
OracleData_rule_2 Florian Roth
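rule OracleData_ransomware_2 {
    // Flags PE files (MZ header, under 5 MB) carrying at least two distinct
    // indicators. The published version declared "PAYMENT" and "BITCOIN"
    // twice each ($s2/$s3 and $s5/$s7); with "2 of them" a single occurrence
    // of one keyword satisfied both copies, so any PE containing the word
    // PAYMENT or BITCOIN fired. The duplicates are removed so the threshold
    // really means two different indicators.
    meta:
        description = "Detects OracleData ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "0bd3681d2762482db1eee99d20fab70ca503593431a48226738d1a3187171671"

    strings:
        // Legacy base58 Bitcoin address ("1..." P2PKH / "3..." P2SH). Bech32
        // "bc1q..." addresses are not covered by this pattern. Bech32 data
        // parts never contain the characters 1, b, i or o, so bc1q values
        // that do (several in the accompanying IoC list) are malformed and
        // should be format-validated before being operationalised.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // 56-character label before ".onion" (v3 onion address length).
        $r1 = /[A-Za-z0-9]{56}\.onion/
        // Ransom-note keywords; generic on their own. If false positives
        // appear, consider requiring one of the hex patterns in addition.
        $s2 = "PAYMENT" nocase
        $s5 = "BITCOIN" nocase
        // Byte patterns taken from the sample; the most specific indicators.
        $h4 = { B2 CA 01 F7 D6 2F 73 8A 84 75 A6 42 41 DD DB 2F }
        $h6 = { 7D CC 82 85 12 45 52 38 86 09 5F CA B7 96 E4 18 5B }

    condition:
        uint16(0) == 0x5A4D and   // "MZ": restrict to PE/DOS-header files
        filesize < 5MB and
        2 of them                 // two distinct indicators, no duplicates
}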
OracleData_rule_3 RansomwareMonitor
rule OracleData_ransomware_3 {
    // Flags PE files (MZ header, under 5 MB) carrying any two of the three
    // indicators below. The meta hash is the reference sample.
    meta:
        description = "Detects OracleData ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e0e66c23f45f05e17508610ca607af120f4dab438c5ee42e25fe7b3365af66fc"

    strings:
        // 21-byte pattern from the sample; the most specific indicator here.
        $code = { 10 30 14 D5 BC 4D ED 6E F7 2C CF D1 88 7D 9F 60 4A 59 FE 55 4D }
        // Generic ransom-note artefacts; weak on their own, and the pair of
        // them without $code is enough to satisfy the condition.
        $onion = ".onion" nocase
        $note = "README" nocase

    condition:
        // "MZ" header, size cap, then two of the three declared strings
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of ($code, $onion, $note)
}
Type Value Description
sha256 6de5cd299d556f513e3e1a80f43f5a4aa826f0c8d1247e27d68eae57be8e39a1 Infrastructure linked to OracleData
md5 ba86ab11c8440064798f27cee74fdc2e Malware sample hash - OracleData campaign
sha256 8da43db3eacb1699394652367a6248a96b0e16b2f825b096e366e6ea088539d7 Ransomware binary hash observed in OracleData attacks
email admin884@cock.li Associated with OracleData ransomware
ip 170.2.22.69 C2 server IP observed in OracleData attacks
btc bc1qbd21176f2n0vytiosfd0vis0229xn56oq9xevh Infrastructure linked to OracleData
ip 94.35.78.179 Associated with OracleData ransomware
sha1 8293207d055f2d1714f3a053ea54eba460febb90 Dropper hash - OracleData campaign
btc bc1q60pmv0qo0twtawxztis3ago3ad9rx6jqm3za53 Associated with OracleData ransomware
sha1 8e0bbd5143c556a2c8a59f843cf57822cc96a385 Dropper hash observed in OracleData attacks
md5 fa9f64c93b9c7fb151a3c7a0aecea05c Malware sample hash observed in OracleData attacks
md5 5b2887b4974c1667b8567543430c1f55 Malware sample hash - OracleData campaign
ip 182.236.73.71 Associated with OracleData ransomware
ip 114.116.161.163 Infrastructure linked to OracleData
btc bc1q6jlk6vo36zqymp6a2evsbr5juiwotewi47o7i6 Bitcoin ransom address - OracleData campaign

No ransom notes