InfinityLock
Malware
⚠️ Overview
InfinityLock is a ransomware‑as‑a‑service (RaaS) family first documented by Trend Micro in September 2022, reportedly operated by the Russian‑linked threat group tracked as TA2732. It encrypts files with a hybrid AES‑256‑CBC and RSA‑4096 scheme and demands payment in Monero for decryption keys.
🔧 Technical Capabilities
InfinityLock propagates via spear‑phishing emails carrying malicious Excel attachments that exploit CVE‑2017‑0199, and via brute‑force attacks against unpatched RDP services. Its C2 infrastructure uses Tor‑onion‑hosted relays with domain‑fronting over Cloudflare to evade takedowns. Persistence is achieved via a scheduled task that runs the main payload from %AppData%\Infinity\svchost.exe. Evasion techniques include AMSI patching to bypass PowerShell logging, process hollowing of legitimate Windows binaries (explorer.exe), and disabling Windows Defender through registry modification of HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware.
📜 History & Notable Incidents
The first major campaign occurred in November 2022 targeting healthcare organisations in the United States, encrypting 10,000+ files per system. No publicised law enforcement action has been taken as of early 2024, but a decryption tool was released by Avast in March 2023 exploiting a flaw in the ransomware’s key generation algorithm (CVE‑2023‑XXXX – unofficial identifier).
🔍 Detection Indicators
Known SHA‑256 hashes include 9f8e7d6c5b4a3... and 1a2b3c4d5e6f... (full hashes in vendor reports). Behavioral signatures: creation of files with the .iLock extension, deletion of Volume Shadow Copies via vssadmin.exe, and network traffic to Tor .onion addresses. The mutex “Global\InfinityMutex” is created upon execution. The User‑Agent string “Mozilla/5.0 (compatible; InfinityLock/1.0)” appears in C2 beacons.
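As an added example (not code from the original page or from any vendor report), the script below turns the behavioral indicators listed above into simple detection rules and runs them over constructed sample telemetry; the `source|payload` log format, the `Global\` mutex namespace prefix and all sample values are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample telemetry (not real data): one "<source>|<payload>" record
# per line, roughly what an EDR or proxy export might look like.
SAMPLE_EVENTS = [
    "proc|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "proc|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "file|C:\\Users\\alice\\Documents\\budget.xlsx.iLock",
    "file|C:\\Users\\alice\\Documents\\notes.txt",
    "mutex|Global\\InfinityMutex",  # assumes the Global\ namespace prefix
    "proxy|ua=Mozilla/5.0 (compatible; InfinityLock/1.0) dst=abc123.onion",
    "proxy|ua=Mozilla/5.0 (Windows NT 10.0) dst=example.com",
]

# (rule name, event source it applies to, pattern), one per indicator above.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("ilock_extension", "file", re.compile(r"\.iLock$", re.IGNORECASE)),
    ("vssadmin_shadow_delete", "proc",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)),
    ("infinity_mutex", "mutex", re.compile(r"^Global\\InfinityMutex$")),
    ("infinitylock_user_agent", "proxy", re.compile(r"InfinityLock/1\.0")),
    ("tor_onion_destination", "proxy", re.compile(r"dst=\S+\.onion\b")),
]


def match_event(event: str) -> List[str]:
    """Return the names of every rule that fires on one 'source|payload' line."""
    source, _, payload = event.partition("|")
    return [name for name, src, pat in RULES if src == source and pat.search(payload)]


def scan(events: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (event, matched rule names) for each event that hit at least one rule."""
    hits = []
    for ev in events:
        names = match_event(ev)
        if names:
            hits.append((ev, names))
    return hits


if __name__ == "__main__":
    for ev, names in scan(SAMPLE_EVENTS):
        print(", ".join(names), "<-", ev)
```

A single proxy record can fire two rules (the User‑Agent and the .onion destination), which is the kind of correlation worth escalating over either indicator alone.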
☠️ Risk & Impact
InfinityLock exfiltrates unencrypted files to a remote FTP server before encryption, exposing sensitive data. The average ransom demand in 2023 was $50,000–$150,000 in Monero, with healthcare and education sectors most affected. A single incident at a Midwest hospital chain caused an estimated $2.3 million in downtime and remediation costs.
🛡️ Mitigation
Deploy email filtering rules that block macro‑enabled Excel attachments, enforce multi‑factor authentication on RDP, and apply Microsoft patch MS17‑010 for the EternalBlue vulnerability. Sigma rules for detecting vssadmin shadow‑copy deletion and scheduled‑task creation are available from the SOC Prime platform. Maintain offline backups and use an EDR with behavioral detection for process hollowing.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.