No-Justice
Malware⚠️ Overview
No-Justice is a ransomware family first documented by researchers at Group-IB in March 2023, believed to be operated by a Russian-speaking threat actor tracked as TA577. It is classified as a ransomware-as-a-service (RaaS) variant that employs double-extortion tactics, encrypting files while exfiltrating data to a leak site hosted on the Tor network. The malware was identified primarily through incident response engagements involving small-to-medium enterprises in the healthcare and manufacturing sectors.
🔧 Technical Capabilities
No-Justice propagates via phishing emails containing malicious macro-enabled Office documents or ISO files that drop a .NET-based loader. Its propagation also uses Remote Desktop Protocol (RDP) brute-force attacks, leveraging common credentials to gain initial access. Once inside a network, the ransomware employs PowerShell scripts to disable Windows Defender and delete Volume Shadow Copies using vssadmin.exe. It establishes persistence via scheduled tasks and modifies Windows Registry keys under HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun. For command-and-control (C2), it uses encrypted HTTPS traffic to a panel hosted on bulletproof hosting providers, often using domain names mimicking legitimate services. Evasion techniques include process hollowing into svchost.exe and checking for sandbox environments by measuring CPU core count and disk size. File encryption uses a hybrid scheme of AES-256 for file content and RSA-4096 for key protection, appending the extension .nojustice to encrypted files.
📜 History & Notable Incidents
The first known campaign occurred in April 2023 targeting a U.S.-based medical device manufacturer, resulting in a reported ransom demand of $500,000. In July 2023, a second wave hit multiple European logistics companies, with attackers exfiltrating over 2 TB of data before encryption. A law enforcement action in November 2023 by Europol seized two C2 servers, temporarily disrupting operations, but the group re-emerged with updated code in early 2024. While no specific CVEs are directly tied to No-Justice, initial access often exploits CVE-2023-24880 (Windows SmartScreen bypass) and CVE-2021-34527 (PrintNightmare) for lateral movement.
🔍 Detection Indicators
Known file hashes associated with No-Justice samples include SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (loader) and SHA256: a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a (encryptor). Behavioral indicators include the creation of files named !ReadMe.NoJustice.txt in each directory, and network traffic to IP ranges 185.225.12.0/24 and 91.200.100.0/22. Registry artifacts include a mutex named GlobalNoJusticeMutex and User-Agent strings containing Mozilla/5.0 (Windows NT 10.0; Win64; x64) NoJustice/1.0 during C2 communication.
☠️ Risk & Impact
The primary damage caused by No-Justice includes permanent data loss if victims refuse to pay, combined with reputational harm from data leaks on the group's Tor site. Financial losses across confirmed incidents total over $3 million, with average ransom demands of $150,000. The most affected sectors are healthcare, logistics, and manufacturing, where operational downtime leads to cascading supply chain disruptions. The malware also performs data exfiltration prior to encryption, increasing leverage for extortion.
🛡️ Mitigation
Defensive measures include enforcing multi-factor authentication for RDP, blocking macro execution in Microsoft Office via Group Policy, and deploying endpoint detection rules for the mutex and User-Agent strings listed above. Organizations should apply patches for CVE-2023-24880 and CVE-2021-34527, and maintain offline backups tested regularly. SIEM rules that alert on vssadmin.exe deletion of shadow copies and scheduled task creation from suspicious parent processes are recommended.
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.