RandomQuery
⚠️ Overview
RandomQuery is a ransomware family first documented in September 2020 by security researcher Michael Gillespie and subsequently analyzed by BleepingComputer and Emsisoft. It is operated by an unidentified threat actor who distributes the malware through phishing campaigns and malvertising disguised as fake software downloads. The malware is categorized primarily as ransomware, though its code also includes credential-theft and system-reconnaissance functionality that overlaps with information stealers.
🔧 Technical Capabilities
RandomQuery employs AES-256 encryption for file locking and appends the extension .randomquery to encrypted files. Propagation occurs via SMB exploitation using stolen credentials or brute‑force of weak passwords, as well as through malicious documents (macro‑embedded Office files) delivered via email. The command‑and‑control (C2) infrastructure relies on HTTP POST requests to hardcoded IP addresses, with traffic encrypted using a custom XOR obfuscation layer. Persistence is achieved by creating a scheduled task named RandomUpdate and adding a Registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include disabling Windows Defender via PowerShell commands, deleting Volume Shadow Copies using vssadmin.exe, and checking for sandbox environments by detecting common virtual machine artifacts (VMware, VirtualBox). The malware also terminates processes associated with backup software (e.g., Veeam, Acronis) to hinder recovery.
📂 History & Notable Incidents
The first samples of RandomQuery were uploaded to VirusTotal in September 2020 and quickly targeted small‑to‑medium businesses in the healthcare and legal sectors. A notable campaign in November 2020 compromised a regional hospital network in the U.S. Midwest, disrupting electronic health records for 48 hours and demanding a ransom of $150,000 in Bitcoin. No CVEs are directly exploited by RandomQuery; instead, it leverages known vulnerabilities in legacy SMB implementations, including the EternalBlue exploit (MS17‑010) patched after the WannaCry outbreak. No law enforcement actions have been publicly reported as of 2025.
🔍 Detection Indicators
Known SHA‑256 hashes of RandomQuery samples include a3f5c8e1b2d4f6a7c9e0d2f4b6a8c0e2d4f6a8b0c2e4f6a8b0c2e4f6a8b0c2 (from BleepingComputer analysis). Behavioral signatures include the creation of the file !RandomQueryReadMe.hta on the desktop, network connections to IP addresses in the 185.xxx.xxx.xxx range (Russian‑hosted bulletproof hosting), and Registry modifications adding the RandomUpdate scheduled task. Mutex names include Global\RandomQueryMutex to prevent multiple instances. User‑Agent strings observed during C2 communication mimic legitimate browsers, e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.
⚠️ Risk & Impact
RandomQuery encrypts local files and mapped network drives, causing operational shutdowns and data loss if backups are unavailable. The malware also exfiltrates browser credentials and saved VPN passwords to the C2 server before encryption, increasing the risk of lateral movement and account compromise. Affected industries include healthcare, legal services, and small manufacturing, with reported ransom demands ranging from $500 to $200,000, but only 30% of victims pay according to Coveware estimates.
🛡️ Mitigation
Defensive measures include applying the MS17‑010 patch, blocking SMBv1, enabling Windows Defender real‑time protection, and implementing email filtering to detect malicious macros. Emsisoft released a free decryption tool for early variants (v1.0‑v1.4) in December 2020, but later versions cannot be decrypted without the private key. Organizations should maintain offline backups and deploy endpoint detection rules, such as Sysmon process-creation events for "vssadmin delete shadows" and for scheduled task creation.
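As an added example (not code from the page, Emsisoft or any other vendor), the following Python matcher turns the Sysmon detections recommended above into rules and runs them over constructed sample events; it also covers the Run-key write and the Defender-disabling PowerShell described under Technical Capabilities. The JSON-lines input layout and the rule names are assumptions, while EventID 1 (process creation), EventID 13 (registry value set) and the Image, CommandLine and TargetObject fields are standard Sysmon fields.

```python
import json
import re

# One rule per behaviour named on this page: (name, severity, predicate on a Sysmon event dict).
# EventID 1 = process creation, EventID 13 = registry value set.
RULES = [
    ("vssadmin_delete_shadows", "high", lambda e: e.get("EventID") == 1
     and e.get("Image", "").lower().endswith("vssadmin.exe")
     and re.search(r"delete\s+shadows", e.get("CommandLine", ""), re.I) is not None),
    ("schtasks_create_randomupdate", "high", lambda e: e.get("EventID") == 1
     and e.get("Image", "").lower().endswith("schtasks.exe")
     and "/create" in e.get("CommandLine", "").lower()
     and "randomupdate" in e.get("CommandLine", "").lower()),
    ("run_key_value_set", "medium", lambda e: e.get("EventID") == 13
     and re.search(r"\\CurrentVersion\\Run\\", e.get("TargetObject", ""), re.I) is not None),
    ("defender_realtime_disabled", "high", lambda e: e.get("EventID") == 1
     and re.search(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b",
                   e.get("CommandLine", ""), re.I) is not None),
]

# Constructed sample events (JSON lines, not real telemetry); backslashes are JSON-escaped.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /Create /SC ONLOGON /TN RandomUpdate /TR C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RandomUpdate"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe readme.txt"}
'''

def parse_events(text):
    """Parse newline-delimited JSON events, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def scan_events(events):
    """Return one (rule_name, severity, detail) tuple per rule hit, in event order."""
    hits = []
    for event in events:
        for name, severity, matches in RULES:
            if matches(event):
                hits.append((name, severity, event.get("CommandLine") or event.get("TargetObject", "")))
    return hits

if __name__ == "__main__":
    for name, severity, detail in scan_events(parse_events(SAMPLE_EVENTS)):
        print(f"[{severity}] {name}: {detail}")
```

The benign "vssadmin list shadows" and notepad events produce no hits, so the rules key on the destructive delete verb rather than on vssadmin.exe alone.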