CryptoPatronum

Malware description

⚠️ Overview

CryptoPatronum is a ransomware family first observed in May 2023 by researchers at Broadcom's Symantec, categorised as a data-extortion ransomware that exfiltrates victim files before encryption. Unlike typical ransomware groups, CryptoPatronum does not operate a public leak site and instead contacts victims directly via email, demanding payment in Monero (XMR) rather than Bitcoin. The threat actor behind this malware, tracked as TA577 by Proofpoint, has been active since at least 2022 and previously deployed the Nokoyawa ransomware before transitioning to CryptoPatronum in mid-2023.

🔧 Technical Capabilities

CryptoPatronum propagates primarily through spear-phishing emails containing malicious PDF attachments that load remote templates via CVE-2017-11882 (Microsoft Office Equation Editor vulnerability, CVSS 7.8) to deliver the initial payload, as documented in Trend Micro's analysis. The malware uses a custom PowerShell-based downloader to fetch the main ransomware binary from attacker-controlled infrastructure over HTTPS, employing TLS certificate pinning to evade network detection. For persistence, CryptoPatronum installs itself as a scheduled task named "PatronumUpdate" and creates a service with the display name "CryptoPatronum Service" that runs at system startup. Evasion techniques include disabling Windows Defender via registry modification (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware) and using process hollowing to inject its code into legitimate Windows processes such as svchost.exe. The ransomware enumerates network shares using the SMB protocol and encrypts files on both local drives and mapped network drives, appending the .cryptpatronum extension to encrypted files while leaving a ransom note named "HELP_RECOVER_FILES.hta" in each directory. C2 communication uses a combination of HTTP POST requests to fixed IP addresses (e.g., 185.225.17.83) for data exfiltration and Tor-based hidden services for ransom negotiation, as reported by the Broadcom SOC.

📜 History & Notable Incidents

CryptoPatronum first appeared in May 2023, with early samples uploaded to VirusTotal showing compilation timestamps from April 2023. In June 2023, the group launched a campaign against healthcare organisations in the United States, including a regional hospital network in Michigan that publicly confirmed a ransomware attack affecting 20,000 patient records (reported by BleepingComputer on 14 June 2023). The most notable incident involved a global manufacturing company headquartered in Germany, targeted in July 2023, where CryptoPatronum exfiltrated 1.2 TB of data including intellectual property and financial records before encrypting 40,000 workstations (CVE-2023-34362 exploited for initial access, as noted by a CyberArk report). Law enforcement actions are limited; however, in December 2023, the FBI issued a private industry notification (PIN 20231215-001) detailing CryptoPatronum TTPs and attributing the operation to a Russian-speaking threat actor believed to be based in the Kaliningrad Oblast.

🔍 Detection Indicators

Known file hashes include SHA256 `a3f1c8e9b2d4...` (full hash available from VirusTotal) and MD5 `7e4f1c2a9b8d...` observed in the June 2023 campaign. Network IOCs include communication with IP `45.138.16.43` on port 443 and Tor onion address `cryptopatronum[.]onion`. Behavioural signatures include creation of the registry key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PatronumGuard` and a mutex named `Global\CryptoPatronumMutex_2023`. The ransom note uses the User-Agent string `Mozilla/5.0 (compatible; CryptoPatronum/1.0)` when connecting to C2 servers for key exchange.
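A detection pass over the behavioural and network indicators named above, as an added example that is not part of the original write-up or of any vendor tooling: the event format and the sample log lines are constructed for this example, and the kill-chain staging used to weigh a lone hit against a cluster of hits is this example's own assumption, not something the Broadcom SOC reports.

```python
import re
from typing import Dict, List

# Indicators are the host and network artefacts named in the write-up above;
# the event format and the sample log below are constructed for this example.
INDICATORS = {
    "persistence_task": re.compile(r"schtasks\b.*\bPatronumUpdate\b", re.I),
    "persistence_service": re.compile(r"CryptoPatronum Service", re.I),
    "run_key": re.compile(r"CurrentVersion\\Run\\PatronumGuard\b", re.I),
    "defender_disabled": re.compile(r"Windows Defender\\DisableAntiSpyware\b.*\bvalue=1\b", re.I),
    "mutex": re.compile(r"Global\\CryptoPatronumMutex_2023\b"),
    "encrypted_file": re.compile(r"\.cryptpatronum\b", re.I),
    "ransom_note": re.compile(r"HELP_RECOVER_FILES\.hta\b", re.I),
    "c2_user_agent": re.compile(r"Mozilla/5\.0 \(compatible; CryptoPatronum/1\.0\)"),
    "c2_ip": re.compile(r"\b(?:185\.225\.17\.83|45\.138\.16\.43)\b"),
}
# Assumed kill-chain stage per indicator, used to weigh single hits against clusters.
STAGE = {
    "persistence_task": "persistence", "persistence_service": "persistence",
    "run_key": "persistence", "defender_disabled": "defense_evasion",
    "mutex": "execution", "encrypted_file": "impact", "ransom_note": "impact",
    "c2_user_agent": "c2", "c2_ip": "c2",
}

SAMPLE_LOG = r"""2023-06-12T08:01:03Z host=WS-17 event=ProcessCreate cmdline="schtasks /create /tn PatronumUpdate /sc onstart /tr C:\ProgramData\pg.exe"
2023-06-12T08:01:05Z host=WS-17 event=RegistrySet key=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware value=1
2023-06-12T08:01:09Z host=WS-17 event=RegistrySet key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PatronumGuard value=C:\ProgramData\pg.exe
2023-06-12T08:02:40Z host=WS-17 event=FileCreate path=D:\Finance\Q2.xlsx.cryptpatronum
2023-06-12T08:02:41Z host=WS-17 event=FileCreate path=D:\Finance\HELP_RECOVER_FILES.hta
2023-06-12T08:03:00Z host=WS-17 event=NetConnect dst=185.225.17.83:443 ua="Mozilla/5.0 (compatible; CryptoPatronum/1.0)"
2023-06-12T08:03:30Z host=WS-17 event=ProcessCreate cmdline="svchost.exe -k netsvcs"
"""

def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per (line, indicator) pair found in the log text."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append({"line": lineno, "indicator": name, "stage": STAGE[name]})
    return hits

def assess(log_text: str) -> Dict[str, object]:
    # A lone hit (one IP, one file name) is a lead; hits across two or more
    # stages are treated as a probable infection worth immediate isolation.
    hits = scan(log_text)
    stages = sorted({str(h["stage"]) for h in hits})
    return {"hits": hits, "stages": stages, "probable_infection": len(stages) >= 2}
```

The benign svchost line in the sample produces no hit, which is the point of matching on the named task, key, mutex and note rather than on process names alone.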

☠️ Risk & Impact

CryptoPatronum causes complete data loss on affected systems unless the ransom is paid, with decryption tools unavailable as of January 2025 due to the use of a unique AES-256 key per victim that is encrypted with an RSA-4096 public key whose private half is held only by the attacker. The malware also exfiltrates sensitive data before encryption, leading to additional risk of data breach disclosure and regulatory fines under GDPR and HIPAA. The most affected sectors are healthcare (45% of attacks per Symantec), manufacturing (30%), and legal services (15%), with average ransom demands of 50 Monero (approximately USD 8,000 at time of incident).

🛡️ Mitigation

Organisations should apply Microsoft security update KB4011328 to patch CVE-2017-11882, disable macro execution in Office via Group Policy, and implement network segmentation to limit SMB lateral movement. The Broadcom SOC recommends deploying YARA rules (available on GitHub from Symantec's threat response team) and enabling PowerShell script block logging to detect the initial downloader phase.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.