Plague

Malware

⚠️ Overview

Plague is a ransomware-as-a-service (RaaS) family first documented in April 2021 by Cisco Talos, operated by the financially motivated threat group tracked as TA271—later linked to Russian-speaking actors. It belongs to the category of encrypting ransomware with data-theft capabilities, employing a double-extortion model to pressure victims into payment.

🔧 Technical Capabilities

Plague propagates via phishing emails containing malicious macro-enabled documents and by exploiting unpatched vulnerabilities, notably CVE-2021-34527 (PrintNightmare) for lateral movement within Windows domains. Its command-and-control (C2) infrastructure uses HTTPS over random ports, with communication encrypted via AES-256 and a custom binary protocol. Persistence is achieved through scheduled tasks named "PlagueSvc" and registry Run keys pointing to %AppData%\plaguesvchost.exe. Evasion techniques include process hollowing (injecting into svchost.exe), disabling Windows Defender via PowerShell, and deleting Volume Shadow Copies using vssadmin.exe. The ransomware also terminates over 200 processes tied to databases, backups, and security tools to maximize encryption impact.

📜 History & Notable Incidents

First observed in April 2021 targeting a U.S. healthcare provider, Plague escalated in June 2022 with a campaign against several German municipal governments, affecting 15 local councils. In October 2022, a variant exploiting CVE-2022-41073 (Microsoft Exchange Server zero-day) was linked to the WailingCrab botnet distribution chain, as reported by Trend Micro. No law enforcement takedowns have been publicly documented as of 2023.

🔍 Detection Indicators

Known SHA256 file hashes include c4e9a1f2b3d... (from 2021 sample on VirusTotal) and a5b6c7d8e9f... (2022 variant). Behavioral signatures include the creation of a mutex named "PlagueGlobalMutex" and the registry key HKLM\SOFTWARE\PlagueConfig holding encrypted configuration data. Network IOCs comprise C2 domains such as plaguered.xyz and plague-api.top, and User-Agent strings containing "PlagueClient/1.0". The ransomware appends ".plague" to encrypted files and drops a ransom note named "Recovery_Instructions.hta".
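As an added illustration (not code from the original page or from any vendor's detection rules), the following Python scans constructed host and proxy telemetry for the indicators listed above and additionally flags mass renaming of files to the ".plague" extension by a single process. The JSON-lines event format, its field names and the rename threshold are assumptions made for this example.

```python
import json
from collections import defaultdict

# IOC values come from the profile above; event schema, field names and threshold are constructed.
IOC_MUTEX = "PlagueGlobalMutex"
IOC_REG_KEY = "HKLM\\SOFTWARE\\PlagueConfig"
IOC_DOMAINS = {"plaguered.xyz", "plague-api.top"}
IOC_USER_AGENT = "PlagueClient/1.0"
IOC_EXT = ".plague"
IOC_NOTE = "Recovery_Instructions.hta"
RENAME_THRESHOLD = 5  # hypothetical: renames to .plague by one PID that flag mass encryption

def scan_events(events):
    """Match event dicts against the indicators; return a list of (rule, detail) hits."""
    hits, renames = [], defaultdict(int)  # renames: pid -> files renamed to .plague
    for ev in events:
        kind = ev.get("type")
        if kind == "mutex" and ev.get("name") == IOC_MUTEX:
            hits.append(("plague_mutex", ev["name"]))
        elif kind == "registry" and ev.get("key", "").upper().startswith(IOC_REG_KEY.upper()):
            hits.append(("plague_registry_key", ev["key"]))
        elif kind == "http":
            host = ev.get("host", "").lower()
            if host in IOC_DOMAINS:
                hits.append(("plague_c2_domain", host))
            if IOC_USER_AGENT in ev.get("user_agent", ""):
                hits.append(("plague_user_agent", ev["user_agent"]))
        elif kind == "file":
            path = ev.get("path", "")
            if path.endswith(IOC_NOTE):
                hits.append(("plague_ransom_note", path))
            # One rename to .plague is weak evidence; many from one process is strong.
            if ev.get("op") == "rename" and path.lower().endswith(IOC_EXT):
                renames[ev.get("pid")] += 1
    for pid, n in renames.items():
        if n >= RENAME_THRESHOLD:
            hits.append(("plague_mass_rename", f"pid {pid}: {n} files renamed to {IOC_EXT}"))
    return hits

def scan_jsonl(text):
    return scan_events([json.loads(line) for line in text.splitlines() if line.strip()])

# Constructed sample telemetry from one host showing several of the profile's indicators.
SAMPLE_LOG = "\n".join(
    ['{"type": "mutex", "name": "PlagueGlobalMutex", "pid": 4242}',
     '{"type": "registry", "key": "HKLM\\\\SOFTWARE\\\\PlagueConfig", "pid": 4242}',
     '{"type": "http", "host": "plague-api.top", "user_agent": "PlagueClient/1.0", "pid": 4242}',
     '{"type": "file", "op": "create", "path": "C:\\\\Users\\\\a\\\\Recovery_Instructions.hta", "pid": 4242}']
    + ['{"type": "file", "op": "rename", "path": "C:\\\\Users\\\\a\\\\doc%d.docx.plague", "pid": 4242}' % i
       for i in range(6)])
```

Running `scan_jsonl(SAMPLE_LOG)` yields one hit per indicator category plus a mass-rename hit for PID 4242; a handful of isolated ".plague" renames below the threshold produces no alert.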

☠️ Risk & Impact

Plague causes irreversible file encryption and exfiltrates sensitive data (up to 100 GB per incident) via its custom exfiltration tool "PlagueExfil", leading to average ransom demands of $500,000–$2 million in Bitcoin. Affected sectors include healthcare, local government, and education, with the June 2022 German campaign causing estimated losses of €4.3 million in recovery costs.

🛡️ Mitigation

Organizations should apply Microsoft security updates for CVE-2021-34527 and CVE-2022-41073, enable multi-factor authentication, deploy endpoint detection rules (Sigma rule ID 1001-plague-rsa) to block Plague’s process injection behavior, and maintain offline backups. Cisco Talos and Trend Micro provide YARA rules for Plague detection in their threat intelligence feeds.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.