Sheriff

Malware

⚠️ Overview

Sheriff is a ransomware family first documented in June 2021 by security researchers at Trend Micro and attributed to a Russian-speaking threat group tracked as TA2112. It is offered under a ransomware-as-a-service (RaaS) model: affiliates encrypt victim files and demand payment in Monero (XMR), primarily targeting small-to-medium businesses in North America.

🔧 Technical Capabilities

Initial access is typically gained through phishing emails carrying malicious Microsoft Office documents, either macro-enabled or exploiting CVE-2017-0199 (an Office OLE handling flaw, patched in April 2017, that executes without any macro); follow-on execution is driven by PowerShell scripts and scheduled tasks. The ransomware encrypts files with AES-256, appends the extension .sheriff to each encrypted file, and drops a ransom note named READ_ME.html. It spreads laterally by brute-forcing Remote Desktop Protocol (RDP) credentials and by exploiting the SMBv1 flaw MS17-010 (EternalBlue). Persistence is achieved through registry Run keys and Windows services. Defence evasion includes disabling Windows Defender, deleting Volume Shadow Copies with vssadmin.exe so that local recovery is impossible, and process hollowing to masquerade as legitimate system processes. Command-and-control (C2) runs over Tor onion services, and victim data is exfiltrated in base64-encoded form before encryption begins; base64 is an encoding rather than encryption, so any captured C2 sample can be decoded and inspected directly.

📜 History & Notable Incidents

First observed in June 2021, Sheriff ransomware was linked to a campaign targeting healthcare organizations in the United States during Q3 2021, with the attackers demanding ransoms between $5,000 and $50,000 in Monero. In October 2021, a joint FBI and CISA advisory (AA21-284A) detailed indicators of compromise (IOCs) associated with Sheriff. No CVE has been assigned to the malware itself; it relies on publicly known exploits (CVE-2017-0199 and MS17-010) for initial access and propagation. No law enforcement takedowns have been publicly reported as of 2025.

🔍 Detection Indicators

Known file hashes include MD5 f47c8b9e2a1d3f6e5c4b7a0d9e8f1c2b for a Sheriff sample archived on VirusTotal; a single hash identifies only that build, so it should be treated as a supplement to the behavioral indicators, not a replacement for them. Behavioral indicators include creation of the mutex SHErRiFF_RANsOmWArE, the registry value SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sheriff, and connections to .onion addresses over port 443. Because .onion names are not resolved through DNS, they are only visible on the infected host or at a proxy; on the wire the observable is Tor relay traffic. User-Agent strings observed in C2 traffic include 'Mozilla/5.0 (Windows NT 6.1; rv:78.0) Gecko/20100101 Firefox/78.0'.

☠️ Risk & Impact

Sheriff ransomware encrypts files in a way that cannot be reversed without the attacker's key, leading to operational downtime and data loss; the exfiltration of sensitive data before encryption adds a double-extortion risk, since paying for decryption does not prevent publication. The healthcare sector was disproportionately affected, with several small clinics reporting breach costs exceeding $100,000, including recovery expenses and regulatory fines under HIPAA.

🛡️ Mitigation

Defensive measures include blocking RDP from the internet, applying the patches for MS17-010 and CVE-2017-0199 (and disabling SMBv1 where it is not needed), enabling PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which records decoded content even for encoded commands), and deploying YARA rules keyed on the Sheriff mutex string against files and process memory. Endpoint detection and response (EDR) tools such as Microsoft Defender for Endpoint can identify the ransomware's process hollowing behavior. Because the malware deletes Volume Shadow Copies, recovery depends on offline or otherwise isolated backups that the compromised host cannot reach.
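The following is an added example, not code from Trend Micro, CISA or any vendor product, showing how the behaviours in the Technical Capabilities section, the indicators in the Detection Indicators section and the logging recommended above can be matched against host telemetry. Events are simplified dicts in the spirit of Sysmon, PowerShell 4104 and EDR records; the field names, the Set-MpPreference form of disabling Defender, and all sample events are assumptions constructed for the example. The decoder for PowerShell's -EncodedCommand (base64 of UTF-16LE text) is the part worth noting, since the vssadmin command it reveals never appears in the raw command line.

```python
"""Added example (not from the page's source or any vendor tool): matching the
Sheriff indicators and behaviours described above against constructed
Windows telemetry. Events are simplified dicts in the spirit of Sysmon /
PowerShell 4104 / EDR records; the field names are assumptions."""
import base64
import re

# Indicators quoted from the page; they are not re-verified here.
SHERIFF_MD5 = "f47c8b9e2a1d3f6e5c4b7a0d9e8f1c2b"
SHERIFF_MUTEX = "SHErRiFF_RANsOmWArE"
SHERIFF_RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sheriff"
SHERIFF_UA = "Mozilla/5.0 (Windows NT 6.1; rv:78.0) Gecko/20100101 Firefox/78.0"
SHERIFF_EXT = ".sheriff"
RANSOM_NOTE = "READ_ME.html"

# Behaviour patterns. vssadmin shadow deletion is from the page; the
# Set-MpPreference form of disabling Defender is an assumption (the page does
# not say how Sheriff disables it).
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)
DEFENDER_OFF = re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)
# PowerShell accepts -e, -ec, -enc, -encodedcommand; the payload is base64 of UTF-16LE text.
ENCODED_CMD = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Return the list of indicator names one event matches (empty if clean)."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        cmd = ev.get("cmdline", "")
        decoded = decode_encoded_command(cmd)
        if decoded:
            hits.append("encoded_powershell")
        text = cmd + "\n" + (decoded or "")  # scan both the raw and the decoded form
        if SHADOW_DELETE.search(text):
            hits.append("shadow_copy_deletion")
        if DEFENDER_OFF.search(text):
            hits.append("defender_disable")
        if ev.get("md5", "").lower() == SHERIFF_MD5:
            hits.append("known_hash")
    elif kind == "registry":
        # Sysmon reports the full path including the hive (HKLM\..., HKU\<SID>\...)
        if ev.get("target", "").lower().endswith(SHERIFF_RUN_KEY.lower()):
            hits.append("run_key_persistence")
    elif kind == "mutex":
        # strip a Global\ or Local\ namespace prefix before comparing
        if ev.get("name", "").split("\\")[-1] == SHERIFF_MUTEX:
            hits.append("known_mutex")
    elif kind == "http":
        if ev.get("host", "").lower().endswith(".onion"):
            hits.append("onion_host")
        if ev.get("user_agent") == SHERIFF_UA:
            hits.append("known_user_agent")
    elif kind == "file":
        name = ev.get("path", "").replace("/", "\\").split("\\")[-1]
        if name.lower().endswith(SHERIFF_EXT):
            hits.append("sheriff_extension")
        elif name == RANSOM_NOTE:
            hits.append("ransom_note")
    return hits


def scan(events):
    """Map event index -> matched indicators, for events that matched anything."""
    out = {}
    for i, ev in enumerate(events):
        hits = score_event(ev)
        if hits:
            out[i] = hits
    return out


def distinct_indicators(events):
    """Sorted distinct indicator names across all events; several independent
    indicators on one host are a far stronger signal than any single one."""
    return sorted({h for hits in scan(events).values() for h in hits})


# Constructed sample telemetry (not real captures).
ENC = base64.b64encode("vssadmin delete shadows /all /quiet".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"type": "process", "image": r"C:\Users\Public\sheriff.exe", "cmdline": "sheriff.exe", "md5": SHERIFF_MD5},
    {"type": "registry", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sheriff",
     "details": r"C:\Users\Public\sheriff.exe"},
    {"type": "mutex", "name": r"Global\SHErRiFF_RANsOmWArE"},
    {"type": "http", "host": "constructedexampleonly.onion", "dst_port": 443, "user_agent": SHERIFF_UA},
    {"type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.sheriff"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\READ_ME.html"},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["type"], hits)
    print("distinct:", distinct_indicators(SAMPLE_EVENTS))
```

Run as-is, the benign svchost event produces no hits, the encoded PowerShell event is flagged for both the encoding and the shadow-copy deletion hidden inside it, and the run yields ten distinct indicators. In practice the verdict should weigh the count of distinct indicators per host rather than any single match, since the User-Agent and port 443 alone are common to legitimate traffic.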


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.