SingularityWare Active

Ransomware group first observed in 2024. Uses MegaSync for deployment.
PDF Report Back to Groups
1
Total Victims
2024-09-01
First Seen
2026-03-06
Last Seen
18
Known TTPs
43.5d
Avg Delay
0
Negotiations
ONION URLS
p3g7fcpibrj5byyuxnbw5tjz662sqfvqsuoxatz4ka47jjyukuwrlepp.onion
TOOLS
MegaSync Atera 7-Zip SharpDPAPI PsExec
FILE EXTENSIONS
.666
ACTIVITY TIMELINE
TOP SECTORS
TOP COUNTRIES
ACTIVITY HEATMAP
Date Victim Name Country Sector Status
2026-03-06 Empire Global United States Retail Published
Technique ID Technique Name Tactic
T1039 Data from Network Shared Drive Collection
T1074.001 Local Data Staging Collection
T1219 Remote Access Software Command and Control
T1003.001 LSASS Memory Credential Access
T1552.001 Credentials In Files Credential Access
T1036.005 Match Legitimate Name or Location Defense Evasion
T1055 Process Injection Defense Evasion
T1562.001 Disable or Modify Tools Defense Evasion
T1016 System Network Configuration Discovery Discovery
T1049 System Network Connections Discovery Discovery
T1087 Account Discovery Discovery
T1204.001 Malicious Link Execution
T1204.002 Malicious File Execution
T1531 Account Access Removal Impact
T1561.001 Disk Wipe Impact
T1195.002 Compromise Software Supply Chain Initial Access
T1080 Taint Shared Content Lateral Movement
T1547.009 Shortcut Modification Persistence
SingularityWare_rule_1 Elastic Security 
rule SingularityWare_ransomware_1 {
    meta:
        description = "Detects SingularityWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6387d159e226d86283ba28a3663c29638e367a53560f87065e4545429746b4d9"

    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s1 = ".singularityware" nocase
        $r2 = /README\..{3,10}/i
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $r4 = /[A-Za-z0-9]{56}\.onion/
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s6 = ".singularityware" nocase

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}
SingularityWare_rule_2 Elastic Security 
rule SingularityWare_ransomware_2 {
    meta:
        description = "Detects SingularityWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e99152b882d9f15137c9defa02ef1bb7302e695fb01523fbb84cf40633ca8ddd"

    strings:
        $s0 = "RECOVER" nocase
        $h1 = { AF 05 6D 45 27 A7 7C ED 7C FE 63 80 18 FD 02 D5 BF 66 00 01 7A 4E 57 18 }
        $s2 = "README" nocase
        $h3 = { F8 5A 67 02 54 5D EC 2F 80 B7 97 AB 09 E8 C2 B0 }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}
SingularityWare_rule_3 Malpedia 
rule SingularityWare_ransomware_3 {
    meta:
        description = "Detects SingularityWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "4e92d72e37d8add715243a3c08d2fc16e307be1ae1865b421526249a6dddc371"

    strings:
        $s0 = "AES-256" nocase
        $r1 = /README\..{3,10}/i
        $r2 = /[A-Za-z0-9]{56}\.onion/
        $r3 = /README\..{3,10}/i
        $r4 = /README\..{3,10}/i
        $r5 = /[A-Za-z0-9]{56}\.onion/
        $s6 = "RSA-2048" nocase
        $h7 = { BE F3 31 95 E8 42 5D 7F 88 2C }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}

No IoCs

No ransom notes