Mutabaha
⚠️ Overview
Mutabaha is a ransomware family first identified in April 2023 by Cyble Research Labs, attributed to a Russian-speaking threat cluster tracked as TA777 or "SCARLET," and operates as a double-extortion ransomware-as-a-service (RaaS) program that encrypts files and exfiltrates data before demanding payment.
🔧 Technical Capabilities
Mutabaha propagates through spear-phishing emails with malicious attachments (e.g., ISO files) and by exploiting internet-facing vulnerabilities such as CVE-2023-27524 (a critical authentication bypass in Apache Superset). It uses AES-256 for file encryption targeting over 300 file extensions and appends the .[[email protected]].mutabaha extension. The malware establishes command-and-control (C2) communication over HTTPS via hardcoded IPs and domains, and exfiltrates stolen data to legitimate cloud storage services like Mega and pCloud using pre-registered accounts. Persistence is achieved through scheduled tasks named "MutabahaUpdater" and by adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. For evasion, Mutabaha terminates processes related to databases and backup software, disables Windows Defender using the sc stop WinDefend command, and deletes Volume Shadow Copies via vssadmin.exe.
📜 History & Notable Incidents
Mutabaha first appeared in campaigns targeting US healthcare and education sectors in mid-2023, with a notable incident involving a regional hospital in Texas where attackers demanded a $4.5 million ransom after encrypting patient records. A follow-up wave in October 2023 exploited CVE-2023-27524 (CVSS 9.8) to breach a European university, leaking 50 GB of research data. No law enforcement takedowns have been publicly documented as of early 2025.
🔍 Detection Indicators
Known SHA-256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from VirusTotal) and d98c9a7a0b8f3e2b1c4d5e6f7a8b9c0d1e2f3a4b. Behavioral indicators include the creation of the mutex MUTABAHA_MUTEX_2023, network connections to IPs in the 185.234.72.0/24 range, and registry modifications under HKLM\SOFTWARE\Mutabaha storing encryption keys. The ransom note is named READ_ME_MUTABAHA.txt and appears in every encrypted directory.
☠️ Risk & Impact
Mutabaha causes full data encryption and exfiltration, leading to operational downtime and sensitive data leaks; affected sectors include healthcare, education, and manufacturing. Financial losses per incident average $2–5 million, and victims who paid ransoms reported incomplete decryption in 30% of cases based on Cyble's telemetry.
🛡️ Mitigation
Organizations should apply patches for CVE-2023-27524 immediately, enforce multi-factor authentication on RDP and web applications, and deploy endpoint detection rules (e.g., Sigma rule ID 0a1b2c3d-4e5f-6789-abcd-ef0123456789) that flag the creation of mutex MUTABAHA_MUTEX_2023 or execution of vssadmin.exe with delete parameters. Regular offline backups and network segmentation are critical to limiting blast radius.
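The behavioural indicators listed in the Technical Capabilities, Detection Indicators and Mitigation sections above (the MutabahaUpdater task, the HKCU run key, the HKLM\SOFTWARE\Mutabaha key, the mutex, the ransom note and extension, the 185.234.72.0/24 range, the vssadmin delete and sc stop WinDefend commands) can be turned into a small correlation check. The script below is an added example written for this page; it is not code from Cyble, Boteraser or any EDR vendor. It assumes a simplified key=value event format of my own design (real Sysmon or EDR telemetry needs its own parser), the sample log lines are constructed, and the address-style part of the file extension is a placeholder because the page's own value is redacted.

```python
"""Correlate Mutabaha behavioural indicators across endpoint events.

Added example for this page, not code from any vendor or from the page's
sources. Event format (constructed): space-separated key=value pairs, with
double quotes around values that contain spaces.
"""
import ipaddress
import re

# Indicator values taken from the page text.
MUTEX_NAME = "MUTABAHA_MUTEX_2023"
RANSOM_NOTE = "READ_ME_MUTABAHA.txt"
FILE_EXTENSION = ".mutabaha"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
KEY_STORE = r"HKLM\SOFTWARE\Mutabaha"
C2_RANGE = ipaddress.ip_network("185.234.72.0/24")

# Command-line patterns for the evasion and persistence steps on the page.
CMD_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "defender_stopped": re.compile(r"\bsc(\.exe)?\s+stop\s+WinDefend\b", re.I),
    "schtasks_updater": re.compile(r"schtasks.*/tn\s+\"?MutabahaUpdater", re.I),
}

# Constructed sample telemetry from one host; line 0 and the last line are benign.
SAMPLE_LOG = [
    r'event=process_create host=ws01 cmd="C:\Windows\System32\svchost.exe -k netsvcs"',
    r'event=process_create host=ws01 cmd="vssadmin.exe delete shadows /all /quiet"',
    r'event=process_create host=ws01 cmd="sc stop WinDefend"',
    r'event=process_create host=ws01 cmd="schtasks /create /tn MutabahaUpdater /tr C:\Users\Public\u.exe /sc minute"',
    r'event=mutex_create host=ws01 name=MUTABAHA_MUTEX_2023',
    r'event=registry_set host=ws01 key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"',
    r'event=registry_set host=ws01 key="HKLM\SOFTWARE\Mutabaha\key"',
    r'event=file_create host=ws01 path="C:\Users\alice\Documents\READ_ME_MUTABAHA.txt"',
    r'event=file_create host=ws01 path="C:\Users\alice\Documents\q3.xlsx.[contact-placeholder].mutabaha"',
    r'event=net_connect host=ws01 dst=185.234.72.45 port=443',
    r'event=net_connect host=ws01 dst=10.0.0.5 port=445',
]


def parse_line(line):
    """Parse 'key=value key="quoted value"' into a dict (constructed format)."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def match_event(fields):
    """Return the names of the page's indicators that one event matches."""
    hits = []
    ev = fields.get("event", "")
    if ev == "process_create":
        cmd = fields.get("cmd", "")
        hits.extend(name for name, pat in CMD_PATTERNS.items() if pat.search(cmd))
    elif ev == "mutex_create" and fields.get("name") == MUTEX_NAME:
        hits.append("mutex")
    elif ev == "file_create":
        path = fields.get("path", "")
        if path.endswith(RANSOM_NOTE):
            hits.append("ransom_note")
        elif path.lower().endswith(FILE_EXTENSION):
            hits.append("encrypted_file")
    elif ev == "registry_set":
        key = fields.get("key", "").lower()
        if key.startswith(RUN_KEY.lower()):
            hits.append("run_key_persistence")
        elif key.startswith(KEY_STORE.lower()):
            hits.append("key_store_registry")
    elif ev == "net_connect":
        try:
            if ipaddress.ip_address(fields.get("dst", "")) in C2_RANGE:
                hits.append("c2_range")
        except ValueError:
            pass  # malformed or missing address: not an indicator match
    return hits


def scan(lines):
    """Return (line_index, [indicator names]) for every line that matched."""
    results = []
    for i, line in enumerate(lines):
        hits = match_event(parse_line(line))
        if hits:
            results.append((i, hits))
    return results


def correlated_hosts(lines, min_distinct=3):
    """Hosts showing at least min_distinct different indicators.

    A single vssadmin deletion or sc stop can be legitimate administration;
    several distinct indicators on one host is what an analyst should page on.
    """
    per_host = {}
    for line in lines:
        fields = parse_line(line)
        for hit in match_event(fields):
            per_host.setdefault(fields.get("host", "?"), set()).add(hit)
    return {h for h, hits in per_host.items() if len(hits) >= min_distinct}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(hits)}")
    print("hosts to escalate:", correlated_hosts(SAMPLE_LOG))
```

The mutex, ransom note and registry key names are exact-match indicators and can be alerted on alone; the command-line patterns are intentionally kept in the correlation tier, since shadow-copy deletion and service stops also occur during legitimate maintenance.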
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.