SpaceColon

⚠️ Overview

SpaceColon is a ransomware family first documented in November 2023 by the cybersecurity firm Halcyon, which categorised it as data-extortion ransomware written in Rust. It is operated by an as-yet-unnamed threat group that runs a double-extortion model, combining file encryption with data theft. In MITRE ATT&CK terms, its encryption of victim files corresponds to technique T1486 (Data Encrypted for Impact).

🔧 Technical Capabilities

SpaceColon gains initial access primarily through compromised Remote Desktop Protocol (RDP) connections and phishing emails carrying malicious attachments, as reported by the Cybereason Nocturnus team in December 2023. Its custom-built encryptor uses ChaCha20 for file encryption and RSA-4096 to protect the ChaCha20 keys, and it avoids common Windows API calls to reduce its footprint in endpoint telemetry. Persistence is achieved via scheduled tasks and Windows services, and the malware communicates with a central command-and-control (C2) server over HTTPS using JSON-based beacons. Before encryption begins it inhibits recovery by deleting volume shadow copies with vssadmin.exe and terminating backup and database processes; its defence-evasion techniques include process hollowing and disabling Windows Defender through registry modifications.

📜 History & Notable Incidents

The first confirmed SpaceColon attack occurred in November 2023 against a manufacturing company in the United States, according to a Halcyon incident report. A second wave in January 2024 hit a healthcare provider in Germany, where the attackers exfiltrated 50 GB of patient data before encryption. No CVEs are specific to SpaceColon itself; for initial access the group relies on known vulnerabilities in public-facing applications (e.g., CVE-2023-46604 in Apache ActiveMQ), as noted by BleepingComputer.

🔍 Detection Indicators

Known file hashes for SpaceColon samples include SHA-256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 (from VirusTotal, January 2024). Behavioral indicators include creation of a mutex named GlobalSpaceColon_Mutex_2023 and a ransom note, HOW_TO_RECOVER_FILES.txt, dropped in every encrypted directory. Network indicators are outbound HTTPS connections to the range 185.225.17.0/24 (ASN 209742) with the User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0. Note that this User-Agent is the stock string of Firefox 115 (the ESR release), so on its own it will match ordinary browser traffic; treat it as an indicator only in combination with the destination range.

☠️ Risk & Impact

SpaceColon encrypts files in a way that cannot be reversed without the attacker's key and exfiltrates sensitive data, leading to significant financial losses; ransom demands average $500,000 per incident based on Halcyon's observed data. The primary affected sectors are manufacturing, healthcare, and logistics, as outlined in a Dragos threat assessment. Because exfiltration happens before encryption, victims are exposed to regulatory penalties under GDPR and HIPAA even when they can restore from backups.

🛡️ Mitigation

Recommended defenses include enforcing multi-factor authentication on RDP, applying patches for CVE-2023-46604 and other vulnerabilities in edge devices and public-facing applications, deploying endpoint detection rules (e.g., a Sigma rule for creation of the SpaceColon mutex), and maintaining offline backups. The FBI and CISA released a joint advisory in February 2024 recommending network segmentation and logging of scheduled task creation events (Windows Security event ID 4698, which is only emitted when the Object Access / Other Object Access Events audit subcategory is enabled).
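The behaviours listed under Technical Capabilities, the indicators under Detection Indicators and the detection rules recommended here can be turned into a small hunting script. The following is an added example written for this page, not code from Halcyon, CISA or any other source cited above. The event dicts use a constructed, simplified Sysmon/proxy-style schema; the field names, rule names, severity weights, the Defender registry values checked and the sample telemetry are all this example's own assumptions.

```python
"""Hunt endpoint and proxy telemetry for the SpaceColon behaviours and IOCs
described on this page. Example code; the event schema is constructed."""
import ipaddress
import re

# Indicators exactly as listed on the page.
C2_RANGE = ipaddress.ip_network("185.225.17.0/24")
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) "
                 "Gecko/20100101 Firefox/115.0")
RANSOM_NOTE = "HOW_TO_RECOVER_FILES.txt"
# Substring match so the rule fires on the page's "GlobalSpaceColon_Mutex_2023"
# as well as on a "Global\..."-namespaced variant of the same name.
MUTEX_MARKER = "SpaceColon_Mutex_2023"

# Behaviours from the Technical Capabilities section.
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)
# Registry values commonly set to 1 to neuter Defender (assumed; the page only
# says "registry modifications"). Compared case-insensitively as key suffixes.
DEFENDER_KILL_SWITCHES = (
    r"\windows defender\disableantispyware",
    r"\windows defender\real-time protection\disablerealtimemonitoring",
)

# Severity weights are an arbitrary choice for this example.
SEVERITY = {
    "shadow_copy_deletion": 3,
    "spacecolon_mutex": 3,
    "c2_beacon_ip_and_ua": 3,
    "ransom_note_dropped": 2,
    "defender_disabled_via_registry": 2,
    "scheduled_task_persistence": 1,
    "c2_range_contact": 1,
}


def check_event(ev):
    """Return the names of every rule a single telemetry event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        cmd = ev.get("cmdline", "")
        if VSSADMIN_DELETE.search(cmd):
            hits.append("shadow_copy_deletion")
        if SCHTASKS_CREATE.search(cmd):
            hits.append("scheduled_task_persistence")
    elif kind == "registry_set":
        key = ev.get("key", "").lower()
        if str(ev.get("value")) == "1" and any(key.endswith(k) for k in DEFENDER_KILL_SWITCHES):
            hits.append("defender_disabled_via_registry")
    elif kind == "file_create":
        if ev.get("path", "").lower().endswith(RANSOM_NOTE.lower()):
            hits.append("ransom_note_dropped")
    elif kind == "mutex_create":
        if MUTEX_MARKER in ev.get("name", ""):
            hits.append("spacecolon_mutex")
    elif kind == "http_request":
        try:
            in_range = ipaddress.ip_address(ev.get("dst_ip", "")) in C2_RANGE
        except ValueError:
            in_range = False
        # The UA alone is stock Firefox 115 and would fire on every legitimate
        # browser; it is only meaningful together with the destination range.
        if in_range and ev.get("user_agent") == C2_USER_AGENT:
            hits.append("c2_beacon_ip_and_ua")
        elif in_range:
            hits.append("c2_range_contact")
    return hits


def triage(events):
    """Group distinct rule hits per host and score them into a verdict."""
    per_host = {}
    for ev in events:
        for rule in check_event(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    report = {}
    for host, rules in per_host.items():
        score = sum(SEVERITY[r] for r in rules)
        report[host] = {
            "rules": sorted(rules),
            "score": score,
            "verdict": "likely_spacecolon" if score >= 6 else "review",
        }
    return report


# Constructed sample telemetry: one compromised host plus benign noise.
SAMPLE_EVENTS = [
    {"host": "WS-42", "type": "process_create",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-42", "type": "process_create",
     "cmdline": r'schtasks /create /sc onlogon /tn "Updater" /tr C:\Users\Public\svc.exe'},
    {"host": "WS-42", "type": "registry_set",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "value": 1},
    {"host": "WS-42", "type": "mutex_create", "name": "GlobalSpaceColon_Mutex_2023"},
    {"host": "WS-42", "type": "file_create",
     "path": r"C:\Users\alice\Documents\HOW_TO_RECOVER_FILES.txt"},
    {"host": "WS-42", "type": "http_request", "dst_ip": "185.225.17.44", "user_agent": C2_USER_AGENT},
    # Benign: a real Firefox 115 user, and an admin merely listing shadow copies.
    {"host": "WS-07", "type": "http_request", "dst_ip": "93.184.216.34", "user_agent": C2_USER_AGENT},
    {"host": "WS-07", "type": "process_create", "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result["verdict"], result["score"], ", ".join(result["rules"]))
```

Run stand-alone, the script reports WS-42 as likely_spacecolon with all six rules firing and stays silent on WS-07, because a stock Firefox User-Agent to an unrelated address and a read-only `vssadmin list shadows` match nothing. The per-host correlation is the point: each individual rule has benign lookalikes, so the verdict should come from the combination rather than from any one event.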

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.