MrPeter

Malware

⚠️ Overview

MrPeter is a ransomware family first identified in December 2024, classified as a commodity locker-as-a-service operated by a Russian-speaking threat actor tracked as TA579 (also known as “Peter”) on underground forums. It targets Windows systems and is distributed via phishing emails containing malicious Excel add-ins (XLL files) that download the payload from a compromised WordPress site.

🔧 Technical Capabilities

MrPeter arrives through spear-phishing emails carrying weaponized XLL attachments. An XLL is a native DLL that Excel loads as an add-in by design, so the technique abuses a documented feature rather than a software flaw; that is why no CVE applies, and why patching alone does not close the vector. The payload is a multi-stage loader that decrypts the ransomware binary with AES-256-CBC. Persistence is a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run whose value points to the renamed executable in %AppData%. Evasion includes process hollowing, disabling Windows Defender through PowerShell commands, and deleting volume shadow copies with vssadmin.exe so that Windows restore points cannot be used for recovery. C2 traffic is HTTPS over port 443, and the ransomware checks a hardcoded kill-switch domain (check.peter[.]io) before encryption begins. Files are encrypted with a hybrid scheme: ChaCha20 encrypts file contents and the ChaCha20 keys are wrapped with RSA-4096, so they cannot be recovered without the operator's private key; encrypted files are given the .mrpeter extension.

📜 History & Notable Incidents

First observed in late December 2024, MrPeter was linked to a campaign targeting small-to-medium businesses in the healthcare and education sectors across the US and Europe. A known incident on January 12, 2025, involved the encryption of more than 50 endpoints at a regional hospital in Ohio and a ransom demand of 15 Bitcoin (roughly $1.4M at the time). The group has not been publicly attributed to any previous ransomware family, but researchers at Huntress Labs noted overlaps with LockBit infrastructure and TTPs.

🔍 Detection Indicators

Known SHA-256 hash of a sample: 2a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6. As printed this value is 61 hexadecimal characters, three short of a complete SHA-256 digest, so confirm it against a primary source before deploying it as a blocking indicator. Behavioral indicators include creation of the mutex “MrPeter_Encrypt_Global” and registry keys under HKCU\Software\MrPeter. Network IOCs include connections to the domains “check.peter[.]io”, “load.peter[.]io” and “xfer.peter[.]io” with the User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) MrPeter/1.0”; the MrPeter/1.0 token is a dependable proxy-log signature because no legitimate client sends it.
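The behavioral and network indicators in the Technical Capabilities and Detection Indicators sections lend themselves to a quick hunt over endpoint and proxy telemetry. The following Python script is an added example written for this page, not code from the original profile, from Huntress Labs or from Microsoft. The tab-separated log format, the sample lines, and the concrete `Set-MpPreference` form of the "disable Defender via PowerShell" step are constructed assumptions; the domains are re-armed from their defanged form only inside the script, and the page's hash is checked for length rather than trusted as-is.

```python
import re
from dataclasses import dataclass


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'check.peter[.]io' back into a hostname."""
    return indicator.replace("[.]", ".")


# Indicators taken from the profile above.
C2_DOMAINS = {refang(d) for d in ("check.peter[.]io", "load.peter[.]io", "xfer.peter[.]io")}
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) MrPeter/1.0"
MUTEX = "MrPeter_Encrypt_Global"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MRPETER_KEY = r"HKCU\Software\MrPeter"
ENCRYPTED_EXT = ".mrpeter"
# The hash exactly as the profile prints it (61 characters, so not a full SHA-256).
PAGE_HASH = "2a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6"

VSSADMIN_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
# Assumed concrete form of "disabling Windows Defender via PowerShell"; the
# profile names no specific cmdlet.
DEFENDER_TAMPER_RE = re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$true", re.IGNORECASE)


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hexadecimal characters."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    process: str
    detail: str


def hunt(lines):
    """Return one Finding per indicator matched in the constructed log format.

    Each line is TYPE<TAB>PROCESS<TAB>DETAIL[<TAB>EXTRA], where TYPE is one of
    PROC (command line), REG (key = value), MUTEX, FILE, DNS or HTTP (EXTRA is
    the User-Agent for HTTP lines).
    """
    findings = []
    for n, raw in enumerate(lines, 1):
        parts = raw.rstrip("\n").split("\t")
        if len(parts) < 3:
            continue  # malformed record; skip it rather than abort the hunt
        kind, proc, detail = parts[0], parts[1], parts[2]
        extra = parts[3] if len(parts) > 3 else ""
        if kind == "PROC":
            if VSSADMIN_RE.search(detail):
                findings.append(Finding(n, "shadow_copy_deletion", proc, detail))
            elif DEFENDER_TAMPER_RE.search(detail):
                findings.append(Finding(n, "defender_tamper", proc, detail))
        elif kind == "REG":
            key, _, value = detail.partition(" = ")
            key_l = key.lower()
            # Run key whose target lives under %AppData%, as the profile describes.
            if key_l.startswith(RUN_KEY.lower()) and "\\appdata\\" in value.lower():
                findings.append(Finding(n, "run_key_appdata", proc, detail))
            elif key_l.startswith(MRPETER_KEY.lower()):
                findings.append(Finding(n, "mrpeter_registry_key", proc, detail))
        elif kind == "MUTEX" and detail == MUTEX:
            findings.append(Finding(n, "mutex", proc, detail))
        elif kind == "FILE" and detail.lower().endswith(ENCRYPTED_EXT):
            findings.append(Finding(n, "encrypted_extension", proc, detail))
        elif kind in ("DNS", "HTTP"):
            host = detail.lower().rstrip(".")
            if host in C2_DOMAINS:
                findings.append(Finding(n, "c2_domain", proc, host))
            if kind == "HTTP" and extra == USER_AGENT:
                findings.append(Finding(n, "user_agent", proc, extra))
    return findings


def summarize(findings):
    """Count findings per rule, the shape a triage dashboard wants."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry (not real data): every indicator once, plus benign noise.
SAMPLE_LOG = [
    "PROC\texcel.exe\tC:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE C:\\Users\\jdoe\\Downloads\\invoice.xlsx",
    "PROC\tcmd.exe\tvssadmin.exe delete shadows /all /quiet",
    "PROC\tpowershell.exe\tSet-MpPreference -DisableRealtimeMonitoring $true",
    "REG\tupdater.exe\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = C:\\Users\\jdoe\\AppData\\Roaming\\updater.exe",
    "REG\tupdater.exe\tHKCU\\Software\\MrPeter\\id = 7f3a",
    "MUTEX\tupdater.exe\tMrPeter_Encrypt_Global",
    "DNS\tupdater.exe\tcheck.peter.io",
    "HTTP\tupdater.exe\tload.peter.io\tMozilla/5.0 (Windows NT 10.0; Win64; x64) MrPeter/1.0",
    "FILE\tupdater.exe\t\\\\fileserver\\finance\\Q1-budget.xlsx.mrpeter",
    "DNS\tchrome.exe\texample.com",
    "PROC\texplorer.exe\tnotepad.exe C:\\notes.txt",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no:2d}  {f.rule:22s} {f.process:15s} {f.detail}")
    print("hash printed on this page is a valid SHA-256:", is_valid_sha256(PAGE_HASH))
```

Running the script on the constructed log yields nine findings across the three benign lines and eight malicious ones (the HTTP line matches both the C2 domain and the User-Agent), and reports that the page's hash is not a valid SHA-256. The rules are deliberately independent of each other so that a single hit on `shadow_copy_deletion` or `run_key_appdata` still surfaces on a host where the network indicators were never logged.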

☠️ Risk & Impact

MrPeter causes data encryption across network shares including mapped drives, leading to operational downtime and data loss. The ransom demands typically range from 5 to 20 Bitcoin, with payment portals hosted on the Tor network. The healthcare sector has been the primary target, with financial losses estimated at over $3 million in Q1 2025 from a small number of incidents.

🛡️ Mitigation

Recommended defenses include blocking Excel XLL add-ins through Group Policy (and stripping .xll attachments at the mail gateway, since there is no legitimate reason for an add-in to arrive by email), deploying email security gateways that scan attachments, and maintaining offline backups that the ransomware's shadow-copy deletion cannot reach. Huntress Labs released a YARA rule (available on their GitHub) to detect the MrPeter loader, and Microsoft Defender for Endpoint added detection signatures in February 2025. Organizations should apply the principle of least privilege, which limits how far the encryptor can reach across network shares, and enable Attack Surface Reduction rules; the rules that block Office applications from creating child processes or injecting code into other processes interrupt the XLL-to-loader chain and the process-hollowing step.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.