FusionDrive

Malware

⚠️ Overview

FusionDrive is a ransomware variant first identified in July 2023 by researchers at Trend Micro, attributed to a Russian-speaking threat group tracked as TA578. It belongs to the ransomware-as-a-service (RaaS) category, initially targeting North American healthcare and industrial sectors.

🔧 Technical Capabilities

FusionDrive propagates via spear-phishing emails carrying malicious Excel attachments whose embedded VBA macros download the main payload. Files are encrypted with AES-256 using a unique per-file key, and each file key is then encrypted with RSA-4096. C2 communication uses HTTPS to hardcoded IP addresses and to domains registered through privacy services; the malware generates a unique bot ID and sends a system fingerprint. Persistence is achieved by adding a Run value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and by creating a scheduled task named "FusionUpdate". Evasion techniques include sandbox checks (e.g., for VMware and VirtualBox) based on the process list and disk size, and disabling Windows Defender via PowerShell commands. Before encryption, the malware terminates backup and database services (e.g., VSS, SQL Server).

📜 History & Notable Incidents

FusionDrive first appeared in a campaign against a large hospital network in Texas in August 2023, leading to a five-day operational shutdown. No high-profile government victims have been publicly confirmed. The malware has been observed exploiting CVE-2023-38831 (WinRAR vulnerability) in later campaigns to gain initial access via weaponised archives.

🔍 Detection Indicators

Known SHA256 hash of a FusionDrive sample: 3A7C1F2E8B9D0C4A5F6E7D8B9A0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7. Behavioral signatures include the creation of a ransom note named "FUSION_README.txt" on the desktop and a mutex named "FusionMutex_2023". Network IOCs include communication with domains such as update-fusiondrive[.]top and the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) FusionDrive/1.0". The registry key "HKCU\Software\FusionDrive" is created for persistence tracking.

☠️ Risk & Impact

FusionDrive causes irreversible data encryption unless a ransom (typically 50–200 BTC) is paid, with public leak threats if unpaid. Data exfiltration of patient records and intellectual property has been reported in healthcare and manufacturing sectors, with estimated financial losses exceeding $2 million per incident based on industry reports.

🛡️ Mitigation

Implement email filtering to block malicious macros and patch CVE-2023-38831 immediately. Deploy detection rules (Sigma, YARA) for the FusionDrive mutex and registry keys, and use EDR solutions with behavioral blocking for process hollowing and VSS deletion. Regular offline backups and network segmentation are critical.
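As an added example (not from the profile or from any vendor rule set), the host and network indicators listed under Detection Indicators can be turned into the kind of behavioral rule the Mitigation section calls for. The event schema (flat dicts with a `type` field and `host`) and the sample telemetry are assumptions constructed for this example; the indicator values themselves come from the profile above.

```python
from typing import Optional

# Indicators as listed in the profile above; the C2 domain is refanged from update-fusiondrive[.]top.
MUTEX = "FusionMutex_2023"
RANSOM_NOTE = "FUSION_README.txt"
TASK_NAME = "FusionUpdate"
REG_KEY = r"HKCU\Software\FusionDrive"
C2_DOMAIN = "update-fusiondrive[.]top".replace("[.]", ".")
UA_TOKEN = "FusionDrive/1.0"  # the prefix mimics Firefox, so match only the malware's own suffix


def classify(event: dict) -> Optional[str]:
    """Return the indicator category an event matches, or None.

    Events are flat dicts in a hypothetical normalised EDR/Sysmon-like schema
    (an assumption for this example): a 'type' plus a few type-specific fields.
    """
    t = event.get("type")
    if t == "mutex" and event.get("name") == MUTEX:
        return "mutex"
    if t == "file_create":
        basename = event.get("path", "").rsplit("\\", 1)[-1]
        if basename.lower() == RANSOM_NOTE.lower():
            return "ransom_note"
    if t == "registry_set":
        key = event.get("key", "").lower()
        if key == REG_KEY.lower() or key.startswith(REG_KEY.lower() + "\\"):
            return "registry_key"
    if t == "task_create" and event.get("task") == TASK_NAME:
        return "scheduled_task"
    if t == "dns" and event.get("query", "").lower().rstrip(".") == C2_DOMAIN:
        return "c2_domain"
    if t == "http" and UA_TOKEN in event.get("user_agent", ""):
        return "user_agent"
    return None


def triage(events) -> dict:
    """Group matched categories per host; two or more distinct categories is a strong signal."""
    per_host = {}
    for ev in events:
        cat = classify(ev)
        if cat:
            per_host.setdefault(ev.get("host", "?"), set()).add(cat)
    return {h: (sorted(c), "high" if len(c) >= 2 else "low") for h, c in per_host.items()}


# Constructed sample telemetry for demonstration (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "mutex", "name": "FusionMutex_2023"},
    {"host": "WS01", "type": "task_create", "task": "FusionUpdate"},
    {"host": "WS01", "type": "http", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) FusionDrive/1.0"},
    {"host": "WS02", "type": "dns", "query": "update-fusiondrive.top."},
    {"host": "WS03", "type": "file_create", "path": "C:\\Users\\bob\\Desktop\\notes.txt"},
    {"host": "WS03", "type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Office"},
]

if __name__ == "__main__":
    for host, (cats, confidence) in triage(SAMPLE_EVENTS).items():
        print(host, confidence, cats)
```

The single-indicator "low" tier on WS02 is deliberate: a DNS lookup alone can come from a sandbox, a proxy pre-fetch or an analyst, so it should raise a hunt rather than an automatic containment action.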
