Unidentified 024 (Ransomware)
⚠️ Overview
Unidentified 024 is a ransomware family first documented in August 2023 by the SANS Internet Storm Center, based on telemetry from multiple honeypots. Its operators remain unidentified. It is categorised as file-encrypting ransomware, but it encrypts or overwrites only part of each file rather than encrypting files in full, trading completeness for speed.
🔧 Technical Capabilities
The malware is delivered primarily through phishing emails carrying malicious ISO or ZIP attachments that contain a PowerShell loader. It encrypts files with the ChaCha20 stream cipher (a public-domain algorithm; any GPLv2 licence belongs to a particular implementation, not to the cipher) and appends the extension .024 to affected files. Before encrypting, it deletes Volume Shadow Copies with vssadmin.exe and disables the Windows Recovery Environment with bcdedit.exe, so the built-in rollback paths are gone by the time the ransom note appears. Persistence is a scheduled task named Updater024 that runs every 60 minutes. For evasion it checks for sandbox environments by looking for known virtual-machine drivers, and it terminates processes belonging to backup software (e.g., Veeam, Acronis), which releases file locks and stops running backup jobs. Command-and-control (C2) traffic is HTTPS on port 443 to a hardcoded list of domains, with further fallback domains produced by a domain generation algorithm (DGA).
📜 History & Notable Incidents
First observed in the wild in August 2023, Unidentified 024 gained notoriety in October 2023 when it struck a municipal government network in Texas; in that incident the initial payload was delivered through CVE-2023-38831, the WinRAR vulnerability that lets a crafted archive run an executable when the user opens a benign-looking file inside it. No major law enforcement takedowns have been reported as of early 2025. Associated MITRE ATT&CK techniques are T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), and T1059.001 (PowerShell).
🔍 Detection Indicators
Known SHA-256 hash of a sampled binary, as published: c1a2b3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f456789abcdef0123 (attributed to VirusTotal). Note that this string is 63 hexadecimal digits, one short of a valid 64-digit SHA-256, so loaded into a blocklist as-is it will never match anything; confirm it against the original VirusTotal entry before use. Network indicators include HTTPS POST requests to /gate.php with the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36; that User-Agent is a stock Chrome 114 string shared with legitimate traffic, so use it only in combination with the URI path. For persistence the value Updater024 is created under the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, alongside the scheduled task of the same name.
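The indicators above are only as good as the hygiene applied to them. As an added example (not code from the page or from any vendor), the block below validates the published hash before it is allowed into a blocklist, scores C2 hits in a constructed proxy log so that the generic Chrome User-Agent raises confidence only when it accompanies a POST to /gate.php, and checks an exported Run-key listing for the Updater024 value. The log format, the domain names, the client addresses and the registry listing are all constructed for the example; the Run-key check matches the value name in any hive, which is a deliberate widening of the HKLM-only indicator on the page.

```python
"""Atomic-indicator checks for Unidentified 024 over constructed sample data."""
import re
from urllib.parse import urlsplit

# Indicators as published on the page.
PUBLISHED_SHA256 = "c1a2b3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f456789abcdef0123"
C2_PATH = "/gate.php"
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36")
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Updater024"


def valid_sha256(h: str) -> bool:
    """A SHA-256 digest is exactly 64 hex digits. Anything else must be
    rejected at ingest: a malformed hash never matches and nobody notices."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", h) is not None


# Constructed proxy log: "<ts> <client> <method> <url> <status> \"<user-agent>\"".
# The hostname cdn-updates-024.example is an assumption for the example only.
SAMPLE_PROXY_LOG = """\
1700000001.120 10.0.5.21 POST https://cdn-updates-024.example/gate.php 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
1700000002.300 10.0.5.22 GET https://www.example.org/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
1700000003.010 10.0.5.23 POST https://shop.example.net/gate.php 200 "curl/8.4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>.*)"$'
)


def c2_hits(log_text: str) -> list:
    """Return (client, url, confidence) for requests matching the C2 pattern.
    The path is the discriminating indicator; the User-Agent is a stock
    Chrome string (see the GET on line 2), so it only adds confidence."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        if m["method"] != "POST" or urlsplit(m["url"]).path != C2_PATH:
            continue
        confidence = "high" if m["ua"] == C2_USER_AGENT else "medium"
        out.append((m["src"], m["url"], confidence))
    return out


# Constructed export of Run keys as (key, value name, data) tuples.
SAMPLE_RUN_VALUES = [
    (RUN_KEY, "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (RUN_KEY, "Updater024", r"powershell.exe -w hidden -ep bypass -f C:\ProgramData\u.ps1"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]


def persistence_hits(values) -> list:
    """Run-key values whose name matches the indicator, in any hive (the page
    lists HKLM; checking HKCU too is a deliberate widening)."""
    return [(k, n, d) for k, n, d in values if n.lower() == RUN_VALUE.lower()]


if __name__ == "__main__":
    print("published hash usable:", valid_sha256(PUBLISHED_SHA256),
          f"({len(PUBLISHED_SHA256)} hex digits)")
    for hit in c2_hits(SAMPLE_PROXY_LOG):
        print("C2 candidate:", hit)
    for hit in persistence_hits(SAMPLE_RUN_VALUES):
        print("persistence:", hit)
```

Running it shows the published hash failing validation at 63 digits, the POST from 10.0.5.21 scored high, the curl POST to the same path on another host scored medium (worth a look, not worth a page), and the Updater024 Run value surfaced next to two legitimate entries.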
☠️ Risk & Impact
Once files carry the .024 extension, documents, databases and backups are unusable unless decrypted; the operators demand 0.5–2 Bitcoin for the key. Before encryption the malware also exfiltrates basic system information (hostname, IP address, user list) to its C2. Affected sectors include local government, SMBs, and healthcare, with incident response costs averaging USD 250,000 per compromise according to CrowdStrike's 2024 reporting.
🛡️ Mitigation
Defenders should block execution of PowerShell scripts launched from email attachments (application control such as AppLocker or WDAC, plus Mark-of-the-Web enforcement on ISO and ZIP contents), use Group Policy to restrict scheduled task creation to administrators, and deploy YARA rules matching the Updater024 mutex and task name. Because the malware terminates backup agents and deletes shadow copies, regular offsite backups on immutable storage are the primary recovery measure; on-host backups and shadow copies should be assumed lost. Microsoft Defender for Endpoint includes a detection rule (ID 10456) for this family.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.