Shakti
⚠️ Overview
Shakti is a ransomware family first documented in August 2022 by Cyble researchers, attributed to a financially motivated threat actor dubbed “Shakti Ransomware Group.” It is classified as a file-encrypting ransomware, typically delivered via spear-phishing emails and exploited remote desktop protocol (RDP) vulnerabilities.
🔧 Technical Capabilities
Shakti encrypts files with AES-256, generating a unique key per file through Microsoft's Cryptographic API (CryptGenRandom). It appends the .shakti extension to encrypted files and drops a ransom note named README.txt. Propagation is SMB worm-like: the malware scans local network shares and copies itself to them using administrative credentials. It establishes C2 communication over HTTPS and exfiltrates system information before encryption begins. Persistence is achieved through a scheduled task named "ShaktiUpdate" and by modifying the Windows Boot Configuration Data (BCD) to disable recovery options. Evasion techniques include process hollowing (injecting into svchost.exe) and disabling Windows Defender with PowerShell (Set-MpPreference). MITRE ATT&CK techniques observed include T1486 (Data Encrypted for Impact), T1059.001 (Command and Scripting Interpreter: PowerShell) and T1550.002 (Use Alternate Authentication Material: Pass the Hash, which older reports list under the retired ID T1075).
📜 History & Notable Incidents
Shakti first emerged targeting Indian manufacturing and healthcare sectors in late 2022, as reported by the Indian Computer Emergency Response Team (CERT-In). A major campaign in December 2022 hit over 50 organizations across Southeast Asia, leveraging CVE-2021-34527 (PrintNightmare) for initial access. No law enforcement actions have been publicly documented against the group as of early 2025.
🔍 Detection Indicators
Known SHA-256 hashes include 3a4f7b8c... (the full hash is available in Cyble's advisory; a truncated prefix such as this one should not be used for matching, since prefix matches produce false positives). Behavioral indicators: creation of %TEMP%\Shakti_encrypt.log, the registry key HKCU\Software\Shakti, and the mutex name "ShaktiMutexV2". Network IOCs include outbound connections to 185.220.101.x on port 443 and the User-Agent string "ShaktiRansomware/1.0". A wildcard /24 like 185.220.101.x is a low-fidelity indicator on its own and should be corroborated by the User-Agent or by host-side indicators before it is used for blocking.
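The host-side behaviours from the Technical Capabilities section (BCD tampering, Set-MpPreference, the ShaktiUpdate task) and the atomic indicators listed above, combined into one matcher that runs over constructed Sysmon-style events. This is an added example written for this page, not code from Cyble's advisory, from the Sigma/YARA rules mentioned below, or from Boteraser; the event schema, field names, command-line shapes and sample events are assumptions, and only the indicator values are taken from the page.

```python
from __future__ import annotations

import ipaddress
import re

# Indicators as stated on this page. The truncated hash ("3a4f7b8c...") is
# deliberately not included: a prefix match on a partial hash is not a usable
# indicator, use the full value from the advisory.
C2_NETWORK = ipaddress.ip_network("185.220.101.0/24")  # page writes 185.220.101.x
C2_PORT = 443
C2_USER_AGENT = "ShaktiRansomware/1.0"
MUTEX_NAME = "ShaktiMutexV2"
LOG_FILE = "\\Shakti_encrypt.log"      # page: %TEMP%\Shakti_encrypt.log
REG_KEY = "HKCU\\Software\\Shakti"
ENCRYPTED_EXT = ".shakti"

# Behaviours from the Technical Capabilities section, mapped to ATT&CK.
# The command-line shapes are assumptions about how each behaviour would look
# in process-creation telemetry, not strings taken from a sample.
BEHAVIOUR_PATTERNS = {
    "T1490: bcdedit disables recovery": re.compile(
        r"bcdedit(\.exe)?\s.*\brecoveryenabled\s+no\b", re.I),
    "T1562.001: Defender disabled via Set-MpPreference": re.compile(
        r"set-mppreference\s.*-disable\w*\s*\$?true", re.I),
    "T1053.005: scheduled task ShaktiUpdate": re.compile(
        r'schtasks(\.exe)?\s.*/create\s.*/tn\s+"?ShaktiUpdate"?', re.I),
}


def match_event(ev: dict) -> list[str]:
    """Return the names of all indicators a single telemetry event satisfies."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        cmd = ev.get("cmdline", "")
        hits += [name for name, pat in BEHAVIOUR_PATTERNS.items() if pat.search(cmd)]
    elif kind == "file":
        path = ev.get("path", "").lower()
        if path.endswith(LOG_FILE.lower()):
            hits.append("file: Shakti_encrypt.log created")
        if path.endswith(ENCRYPTED_EXT):
            hits.append("file: .shakti extension written")
    elif kind == "registry":
        if ev.get("key", "").lower().startswith(REG_KEY.lower()):
            hits.append("registry: HKCU\\Software\\Shakti")
    elif kind == "mutex":
        if ev.get("name") == MUTEX_NAME:
            hits.append("mutex: ShaktiMutexV2")
    elif kind == "network":
        try:
            dst = ipaddress.ip_address(ev.get("dst_ip", ""))
        except ValueError:
            dst = None  # malformed or missing address: never a C2 hit
        if dst is not None and dst in C2_NETWORK and ev.get("dst_port") == C2_PORT:
            hits.append("network: 185.220.101.0/24 on 443")
        if ev.get("user_agent") == C2_USER_AGENT:
            hits.append("network: User-Agent ShaktiRansomware/1.0")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> matched indicators, keeping only events that hit something."""
    return {ev["id"]: hits for ev in events if (hits := match_event(ev))}


def likely_shakti(events: list[dict], min_distinct: int = 2) -> bool:
    """Triage verdict: one indicator alone (a single bcdedit call, one /24 hit)
    is weak; several distinct indicators on the same host are strong."""
    distinct = {h for hits in scan(events).values() for h in hits}
    return len(distinct) >= min_distinct


# Constructed sample telemetry (not from a real incident). Events 4 and 10 are
# benign look-alikes that the matcher must not flag.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "cmdline": 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": 2, "type": "process", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"id": 3, "type": "process",
     "cmdline": 'schtasks.exe /create /tn "ShaktiUpdate" /tr C:\\Users\\Public\\svc.exe /sc onlogon'},
    {"id": 4, "type": "process", "cmdline": "bcdedit.exe /enum"},
    {"id": 5, "type": "file", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\Shakti_encrypt.log"},
    {"id": 6, "type": "file", "path": "C:\\Finance\\Q3-report.xlsx.shakti"},
    {"id": 7, "type": "registry", "key": "HKCU\\Software\\Shakti\\ID"},
    {"id": 8, "type": "mutex", "name": "ShaktiMutexV2"},
    {"id": 9, "type": "network", "dst_ip": "185.220.101.42", "dst_port": 443,
     "user_agent": "ShaktiRansomware/1.0"},
    {"id": 10, "type": "network", "dst_ip": "93.184.216.34", "dst_port": 443,
     "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
    print("verdict:", "likely Shakti" if likely_shakti(SAMPLE_EVENTS) else "insufficient evidence")
```

The verdict function is the part worth keeping in mind: a lone bcdedit call or a single connection into a /24 is routine enough that it should raise a low-severity alert at most, while the combination of boot-recovery tampering, Defender being switched off and the named task or mutex on one host is what justifies isolating it.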
☠️ Risk & Impact
Shakti encrypts files in a way that cannot be reversed without the attacker's key, causing operational downtime for manufacturing lines and loss of access to patient records in healthcare. According to incident response reports, ransom demands (averaging 10–50 BTC) plus remediation costs have exceeded $2 million per incident. The affected sectors are primarily manufacturing, healthcare, and education.
🛡️ Mitigation
Organizations should disable SMBv1, enforce multi-factor authentication for RDP, and apply the patches for CVE-2021-34527 and CVE-2023-24932. Recommended detection rules include the Sigma rule "shakti_ransomware_behavior" and the YARA rule "Shakti_Ransomware_2022", both available on GitHub. Regular offline backups limit the impact of encryption, and endpoint detection and response (EDR) tools such as Microsoft Defender for Endpoint can block execution.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.