TONERJAM
⚠️ Overview
TonerJam is a file-encrypting ransomware variant first identified in March 2023 by BleepingComputer, targeting Windows systems through exploitation of the Print Spooler service. It is categorized as a data-encrypting ransomware with worm-like lateral propagation capabilities, operated by a financially motivated threat group possibly linked to the Dharma/Crysis ransomware ecosystem. Initial distribution occurs via phishing emails containing malicious macros or as a payload dropped by Cobalt Strike beacons after initial access through RDP brute-force attacks.
🔧 Technical Capabilities
TonerJam leverages the PrintNightmare vulnerability (CVE-2021-34527) to achieve remote code execution and privilege escalation, allowing it to spread across domain-joined networks without user interaction. It uses a custom HTTPS-based command-and-control (C2) infrastructure hosted on compromised WordPress sites to exfiltrate system information and receive encryption keys. Persistence is achieved via scheduled tasks named "TonerJamUpdate" and registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include process hollowing into svchost.exe, disabling Windows Defender using powershell Set-MpPreference -DisableRealtimeMonitoring $true, and automatically deleting all Volume Shadow Copies using vssadmin delete shadows /all /quiet. Files are encrypted using AES-256 with an embedded RSA-2048 public key, appending the .tonerjam extension and dropping a ransom note titled "!README!.txt". The ransomware also terminates database services (SQL Server, MySQL) and email servers (Exchange) to release the file locks those services hold, so that their data files can be encrypted as well.
📜 History & Notable Incidents
First observed in March 2023, TonerJam gained notoriety for exploiting the PrintNightmare vulnerability weeks after the initial patch was released. A notable incident in April 2023 targeted a US-based manufacturing firm, where the ransomware encrypted over 5,000 workstations within hours, demanding USD 500,000 in Bitcoin. Analysis by CrowdStrike (report dated April 2023) linked the ransomware to a threat group tracked as "Cobalt Gru", though attribution remains uncertain. No specific CVEs beyond CVE-2021-34527 are associated, but the group leveraged MITRE ATT&CK techniques T1072 (Software Deployment Tools) for spreading via Group Policy and T1021 (Remote Services) via SMB and WinRM.
🔍 Detection Indicators
Known SHA256 hashes include d6f9a3b2c1e4f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1 (sample ID: VirusTotal 2023-04-12). Behavioral signatures include creation of the ransom note named "!README!.txt" in every encrypted directory, execution of powershell.exe with obfuscated one-liners, and outbound HTTPS connections to IP addresses such as 45.33.32.156 (port 443). The mutex name Global\TonerJam_Mutex is used to prevent multiple instances. Registry keys created under HKCU\Software\TonerJam contain encryption metadata. User-Agent strings in C2 traffic appear as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36.
☠️ Risk & Impact
TonerJam causes permanent data loss if the ransom is unpaid, as no public decryption tools exist. Financial losses per incident range from USD 100,000 to over USD 500,000, with the highest concentration of attacks on the manufacturing, healthcare, and education sectors. The worm-like propagation through PrintNightmare allows rapid lateral spread, potentially encrypting entire domain-joined fleets within hours, leading to extended operational downtime and recovery costs.
🛡️ Mitigation
Apply Microsoft security update KB5004945 for CVE-2021-34527 and disable the Print Spooler service on all endpoints not requiring network printing. Deploy EDR with behavioral detection rules for vssadmin delete shadows, process hollowing, and mass file extension changes, and maintain offline, immutable backups. Implement RDP restrictions (NLA, firewall rules) and enable Windows Defender real-time monitoring with cloud-delivered protection.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.