Auto-Color

Malware

⚠️ Overview

Auto-Color is a ransomware family first documented in September 2023 by the Cyble Research and Intelligence Labs (CRIL). It is attributed to a financially motivated threat cluster that uses a variant of the Chaos ransomware builder, placing it in the Ransomware as a Service (RaaS) or builder-kit ransomware category. The malware's operators have been observed targeting English-speaking victims through phishing campaigns, though the activity has not been officially attributed to any specific named group.

🔧 Technical Capabilities

Auto-Color propagates primarily via phishing emails containing malicious VBScript or JavaScript attachments that download the payload from remote servers. The ransomware uses a Chaos-based encryption scheme, appending a custom extension (e.g., .autocolor) to encrypted files, and drops a ransom note named read_it.txt. Its command-and-control (C2) infrastructure relies on HTTP POST requests to hardcoded IP addresses, with some samples using a Telegram bot for status reporting. Persistence is achieved by adding a registry run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include checking for sandbox environments by enumerating running processes and avoiding execution on systems with Cyrillic keyboard layouts. The malware also attempts to delete Volume Shadow Copies via vssadmin.exe commands to hinder recovery.

📜 History & Notable Incidents

The first known sample of Auto-Color was uploaded to VirusTotal in August 2023, with active campaigns identified by Cyble in September 2023 targeting manufacturing and healthcare organizations in the United States and India. No high-profile victims or major law enforcement actions have been publicly reported as of 2025. No CVEs are directly associated with Auto-Color, as it relies on social engineering rather than exploiting specific vulnerabilities. MITRE ATT&CK techniques used include T1566.001 (Spearphishing Attachment), T1486 (Data Encrypted for Impact), and T1490 (Inhibit System Recovery).

🔍 Detection Indicators

Known file hashes include SHA256: 2c9c5a1b...d7e8 (partial, full hash available in Cyble report). Behavioral indicators include creation of the ransom note read_it.txt and the registry value AutoColor under the Run key. Network IOCs include POST requests to IPs in the 45.155.205.x range with User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Mutex names observed include Global\AutoColorMutex.

☠️ Risk & Impact

Auto-Color causes permanent file encryption without a built-in data exfiltration capability; the primary impact is operational downtime and data loss. Affected sectors include healthcare and manufacturing, where encrypted patient records or production schedules can lead to significant financial losses. The ransom demands are typically in Bitcoin, ranging from $500 to $2,000 per victim, based on ransom note analysis by Cyble.

🛡️ Mitigation

Defenders should implement email filtering to block VBScript and JavaScript attachments, use Group Policy to restrict PowerShell and script execution, and deploy endpoint detection rules that monitor for vssadmin.exe Delete Shadows and the creation of registry run keys. Regular backups stored offline remain the most effective mitigation against any ransomware, including Auto-Color. For detailed detection rules, refer to the Cyble report dated September 2023 (cyble.com/blog).
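The indicators listed under Detection Indicators and the endpoint monitoring recommended above can be combined into a small triage script. The following Python is an added example, not code from the Cyble report or from this profile; it assumes a simplified, hypothetical event shape (type, cmdline, target, path, dst, method, user_agent) rather than any particular EDR's schema, and the sample events at the bottom are constructed for illustration. It checks for the vssadmin shadow-copy deletion (T1490), the AutoColor run-key value, the read_it.txt ransom note and .autocolor extension (T1486), and POST traffic to the 45.155.205.x range. The User-Agent string on its own is a generic Chrome prefix, so it is only counted when the destination is already inside that range.

```python
import ipaddress
import re

# Indicators from the profile above. The run-key regex accepts both the long
# and the short hive name, since logging products differ on which they emit.
RUN_KEY_RE = re.compile(
    r"(HKEY_CURRENT_USER|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Tolerate "vssadmin" with or without ".exe" and with irregular whitespace.
VSSADMIN_RE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
C2_NET = ipaddress.ip_network("45.155.205.0/24")
PROFILE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


def classify_event(event):
    """Return the list of Auto-Color indicators matched by one event (hypothetical schema)."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        if VSSADMIN_RE.search(event.get("cmdline", "")):
            hits.append("T1490 shadow copy deletion via vssadmin")
    elif kind == "registry":
        m = RUN_KEY_RE.search(event.get("target", ""))
        if m and m.group("value").lower() == "autocolor":
            hits.append("T1547.001 run-key persistence: value AutoColor")
        elif m:
            # Any other run-key write is worth a look but is not Auto-Color specific.
            hits.append("run-key write (review)")
    elif kind == "file":
        path = event.get("path", "").lower()
        if path.endswith("\\read_it.txt"):
            hits.append("T1486 ransom note read_it.txt")
        elif path.endswith(".autocolor"):
            hits.append("T1486 encrypted file extension .autocolor")
    elif kind == "network":
        try:
            dst = ipaddress.ip_address(event.get("dst", ""))
        except ValueError:
            dst = None
        if dst is not None and dst in C2_NET:
            hits.append("traffic to 45.155.205.0/24 (C2 range)")
            # The UA alone is too common to alert on; it only adds weight here.
            if event.get("method") == "POST" and event.get("user_agent") == PROFILE_UA:
                hits.append("POST beacon with profile User-Agent")
    return hits


def scan_events(events):
    """Return (index, hits) for every event that matched at least one indicator."""
    results = []
    for i, ev in enumerate(events):
        hits = classify_event(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "VSSADMIN.EXE  Delete   Shadows /All /Quiet"},
    {"type": "registry",
     "target": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AutoColor"},
    {"type": "file", "path": "C:\\Users\\alice\\Desktop\\read_it.txt"},
    {"type": "network", "dst": "45.155.205.17", "method": "POST", "user_agent": PROFILE_UA},
    {"type": "process", "cmdline": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS):
        print(idx, "->", "; ".join(hits))
```

Run against the constructed sample set, four of the five events match; the benign notepad launch does not. In a real deployment the run-key regex would be driven by the EDR's own registry event fields, and the C2 range should be reviewed against the current Cyble report before alerting on it.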
