Total Victims: 0
First Seen: 2024-01-01
Last Seen: 2025-11-11
Known TTPs: 18
Avg Delay: 40.6d
Negotiations: 0
ONION URLS
obt3o6hnekn5o66c6jw7pdpsis7xmateyc46neo6mxv3qlolkauo4e66.onion
TOOLS
ngrok, QBot, ConnectWise, Brute Ratel, nltest
FILE EXTENSIONS
.pay
ACTIVITY TIMELINE
TOP SECTORS
TOP COUNTRIES
ACTIVITY HEATMAP
Date | Victim Name | Country | Sector | Status
No victims recorded
Technique ID | Technique Name | Tactic
T1074.001 | Local Data Staging | Collection
T1560.001 | Archive via Utility | Collection
T1219 | Remote Access Software | Command and Control
T1572 | Protocol Tunneling | Command and Control
T1555.003 | Credentials from Web Browsers | Credential Access
T1558.003 | Kerberoasting | Credential Access
T1027 | Obfuscated Files or Information | Defense Evasion
T1055 | Process Injection | Defense Evasion
T1070.004 | File Deletion | Defense Evasion
T1218.011 | Rundll32 | Defense Evasion
T1087 | Account Discovery | Discovery
T1059.001 | PowerShell | Execution
T1041 | Exfiltration Over C2 Channel | Exfiltration
T1133 | External Remote Services | Initial Access
T1566.002 | Spearphishing Link | Initial Access
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1098 | Account Manipulation | Persistence
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
Umbra_rule_1 CISA
rule Umbra_ransomware_1 {
    meta:
        description = "Detects Umbra ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b921d4ce19e4ca9f53c13064432af9c0f1d712dfb90d43afe074dcf0b7f2c1de"

    strings:
        // Byte patterns from the referenced sample. $h2 and $h6 ended in a
        // lone hex digit on the page, which YARA rejects; the missing nibble
        // is kept as a wildcard (?) so the known half-byte still matches.
        $h0 = { 71 90 5D 5B 58 23 6B C2 B5 BF C3 FB 00 A7 14 E3 E7 18 }
        // 56-character (v3) .onion address embedded in the binary or note
        $r1 = /[A-Za-z0-9]{56}\.onion/
        $h2 = { F3 F1 D2 11 15 7B 46 DE 17 CA E8 B? }
        $s3 = "::::" nocase
        $s4 = "Do not modify" nocase
        $h5 = { 0A C4 D4 1D F1 BB DC 26 D1 F0 48 DE C2 B8 F3 }
        $h6 = { CB BE 15 F2 F5 03 DA 0F E2 2E 9B 0? }

    condition:
        uint16(0) == 0x5A4D and   // PE file ("MZ" header)
        filesize < 5MB and
        2 of them
}
Type | Value | Description
btc | bc1qkhchadhyu34adstb2x9prrutrsr2j45q8qvcsg | Associated with Umbra ransomware
md5 | 22e8eb3f711fabbc20258380f4571dad | Malware sample hash observed in Umbra attacks
md5 | 1ee4c356dfd9b037e8fc0765d99beb9f | Associated with Umbra ransomware
md5 | 01f9dd9861d17c3df3a2315d48a17a10 | Malware sample hash - Umbra campaign
email | contact510@airmail.cc | Contact email observed in Umbra attacks
btc | bc1qs5dmyh31eytgv1zjf2eqf53zgostocrsp9off7 | Bitcoin ransom address - Umbra campaign
email | contact97@cock.li | Contact email - Umbra campaign
sha1 | 86e82ee2aac0d3e72b3f76d2dd3bebc8fcb32555 | Dropper hash observed in Umbra attacks
email | recover403@firemail.cc | Associated with Umbra ransomware
sha256 | f46b85fbbe5fa0a2bf386c203c5e72f9a2bdb236a039bd3cdab8fbe3378a2e7a | Ransomware binary hash observed in Umbra attacks
sha256 | 0e7b29c7a96e0ac61245d418ba7701c2b071e76587482b3556f1090d34e469bc | Ransomware binary hash observed in Umbra attacks
sha256 | 303e3e31539d343b37ab015aacba8fe78f32346da6fc360f0f722524003eee95 | Infrastructure linked to Umbra
md5 | 4026d69c2711b92df184402038886d0c | Infrastructure linked to Umbra

No ransom notes