Okrum
⚠️ Overview
Okrum is a ransomware variant within the Magniber family, first documented by AhnLab’s ASEC team in February 2022 as a new extension used in campaigns targeting South Korean users. It is categorized as ransomware, employing data encryption and ransom demands, with distribution primarily through malvertising that mimics Windows 10 update prompts to trick victims into downloading the payload.
🔧 Technical Capabilities
Okrum propagates via drive-by downloads from compromised websites that redirect users to fake update pages, often hosted on bulletproof infrastructure. It uses RSA-2048 for key exchange and AES-256 for file encryption, and communicates with its command-and-control (C2) infrastructure exclusively over the Tor network, as noted in Trend Micro's analysis of Magniber variants. Persistence is achieved through registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include killing processes related to databases (e.g., SQL, Oracle) and email services so that locked files do not interrupt encryption, and it checks the system language to avoid encrypting systems with a Russian locale, a common anti-sandbox measure. The malware also excludes system-critical files and extensions such as .dll, .exe and .sys so that the OS remains operational and the ransom note can be displayed.
📜 History & Notable Incidents
The first significant campaign using the .okrum extension was reported in early 2022, with victims primarily in South Korea falling for fake Windows updates served through malicious advertisements. No CVEs are directly associated with Okrum because its delivery relies on social engineering rather than software vulnerabilities. Law enforcement actions specific to Okrum have not been publicly documented, though the broader Magniber operation remains active across multiple extensions.
🔍 Detection Indicators
File hashes for Okrum samples include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (example from AhnLab reports). Behavioral indicators include the encryption of files with the .okrum extension and creation of a ransom note named README_OKRUM.txt. Network indicators include outbound TOR connections to hidden service addresses; registry artifacts appear under the Run key with a randomly named value pointing to the malware binary.
☠️ Risk & Impact
Okrum encrypts user and business data, making it inaccessible unless a Bitcoin ransom is paid, with demands typically ranging from $500 to $2,000 per system. The ransomware has primarily affected South Korean small-to-medium enterprises in manufacturing, logistics, and service sectors, causing operational downtime and potential data loss. No data exfiltration has been confirmed in public reports, but the encryption alone can halt critical business processes.
🛡️ Mitigation
Maintain offline backups and implement least-privilege user accounts; deploy endpoint detection and response (EDR) solutions with behavior-based rules to block process termination attempts and unauthorized TOR connections. Regularly patch browsers and disable automatic execution of scripts from untrusted websites to reduce risk from malvertising campaigns.
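The behaviours listed under Technical Capabilities and Detection Indicators map directly onto the behaviour-based EDR rules recommended here. The Python below is an added example (not from this page, AhnLab, Trend Micro or any vendor's tooling) that scores a batch of constructed endpoint events for those behaviours; the event schema, the process-name list and the rename threshold are assumptions made for the illustration.

```python
"""Heuristic detection of the Okrum behaviours described in the profile.

Added example; the event format, process list and threshold are constructed
assumptions, not vendor telemetry or a published rule set.
"""
from collections import Counter

# Indicators taken from the profile text.
RANSOM_EXT = ".okrum"
RANSOM_NOTE = "README_OKRUM.txt"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Database / mail service images the profile says are terminated (assumed names).
DB_MAIL_PROCS = {"sqlservr.exe", "oracle.exe", "mysqld.exe", "outlook.exe"}
RENAME_THRESHOLD = 5  # constructed: renames to .okrum by one pid that raise an alert


def score_events(events):
    """Return alert strings for a batch of endpoint events.

    Each event is a dict with a 'type' key and the fields used below:
      rename -> 'pid', 'dst'    create -> 'pid', 'path'
      regset -> 'pid', 'key', 'value'    kill -> 'pid', 'target'
    """
    alerts = []
    renames = Counter()  # pid -> count of files renamed to the ransom extension
    for ev in events:
        kind = ev["type"]
        if kind == "rename" and ev["dst"].lower().endswith(RANSOM_EXT):
            renames[ev["pid"]] += 1
        elif kind == "create" and ev["path"].rsplit("\\", 1)[-1] == RANSOM_NOTE:
            alerts.append(f"pid {ev['pid']}: ransom note {RANSOM_NOTE} created")
        elif kind == "regset" and ev["key"].lower() == RUN_KEY.lower():
            alerts.append(f"pid {ev['pid']}: Run-key persistence value {ev['value']!r}")
        elif kind == "kill" and ev["target"].lower() in DB_MAIL_PROCS:
            alerts.append(f"pid {ev['pid']}: terminated {ev['target']}")
    for pid, count in renames.items():
        if count >= RENAME_THRESHOLD:
            alerts.append(f"pid {pid}: {count} files renamed to {RANSOM_EXT}")
    return alerts


# Constructed telemetry batch: one malicious pid (4120) and one benign pid (900).
SAMPLE_EVENTS = [
    {"type": "kill", "pid": 4120, "target": "sqlservr.exe"},
    {"type": "regset", "pid": 4120, "key": RUN_KEY, "value": "xqkzlp"},
    *[{"type": "rename", "pid": 4120, "dst": rf"C:\Users\a\Docs\f{i}.docx.okrum"} for i in range(6)],
    {"type": "rename", "pid": 4120, "dst": r"C:\Windows\System32\kernel32.dll"},  # excluded ext
    {"type": "create", "pid": 4120, "path": r"C:\Users\a\Docs\README_OKRUM.txt"},
    {"type": "create", "pid": 900, "path": r"C:\Users\a\notes.txt"},
]

if __name__ == "__main__":
    for line in score_events(SAMPLE_EVENTS):
        print(line)
```

Only pid 4120 produces alerts; the benign file creation and the untouched .dll are ignored, matching the exclusion behaviour the profile describes.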
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.