Full Report
This blog dives into the technical anatomy of Midnight, its lineage from Babuk, and the critical indicators of infection. Most importantly, it offers a practical guide to decrypting affected files, empowering victims with a rare opportunity to reclaim their data without paying a ransom.
Analysis Summary
# Tool/Technique: Midnight Ransomware
## Overview
Midnight is a new ransomware strain identified by Gen researchers that inherits significant structural elements from the older Babuk ransomware family. Its primary purpose is to encrypt victim files and demand a ransom for their decryption. Uniquely, flaws introduced in its reworked cryptographic scheme unintentionally allow for file decryption without payment.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (Inferred from decryptor versions for 32-bit and 64-bit Windows and Babuk lineage targeting Windows/ESXI/NAS)
- Capabilities: File encryption using ChaCha20 (content) and RSA (key wrapping), intermittent encryption, mechanism to prevent multiple instances via mutex, optional logging.
- First Seen: Prior to October 27, 2025 (Date of article publication).
## MITRE ATT&CK Mapping
*Note: Specific ATT&CK mappings for Midnight are not explicitly detailed in the article, but based on ransomware behavior:*
- [TA0011 - Command and Control]
- [T1071 - Application Layer Protocol] (If C2 communication occurs)
- [TA0040 - Impact]
- [T1486 - Data Encrypted for Impact]
- [T1486.001 - Encrypt File Content]
- [TA0003 - Persistence]
- [T1543 - Create or Modify System Process] (If it employs services or startup entries, though mutex is noted)
## Functionality
### Core Capabilities
- **File Encryption:** Uses ChaCha20 for content encryption.
- **Key Management:** The ChaCha20 key is encrypted using RSA and appended to the end of each encrypted file, along with its SHA256 hash.
- **Intermittent Encryption:** Employs a refined, granular file size-based logic to encrypt only portions of files, optimizing speed, a technique inherited from Babuk.
- **Persistence Prevention:** Utilizes a mutex named `Mutexisfunnylocal` to ensure only one instance runs.
- **Ransom Note:** Drops a note named `How To Restore Your Files.txt` in affected directories.
### Advanced Features
- **Cryptographic Flaw:** The rework of the cryptographic scheme (compared to Babuk) introduced exploitable weaknesses allowing for the creation of a working decryptor.
- **Extension Handling:** Can append the extension string (`.Midnight` or `.endpoint`) directly to the *end of the file content* instead of renaming the physical file (when using the `/e` command-line argument).
- **Targeted Encryption:** Allows targeting specific paths via the `--paths=PATHS` argument.
- **Network Scope:** Can be configured to encrypt network-mounted volumes (using the `/n` argument).
- **Targeted File Types (Initial):** Focused on high-value files like databases (`.mdf`, `.bak`, `.sql`) and archives (`.rar`). Later variants encrypt nearly all file types except executables (`.exe`, `.dll`, `.msi`).
## Indicators of Compromise
- File Hashes:
- SHA256:
- `dd9de77c6e17093b0b2150b3f0c66e8526369ba68fb7b9a5758ff9274d85342e`
- `3d9a71cfec82fef531227465f40d9106e671ef162fa3ab21119e2ee08612e0aa`
- `300c46bf17e8bd0cd5ac800a33e1d27ef9001aecef1f98965414bf9c33af19e0`
- `1e58448808006de410ddb31a4d6ff8292aa70168f69f2b7e08144d6090d5084d`
- `aa8a043fd3d64fc96864cf5361bbb82012cc4b2e1a909c747038edcf2b4369e7`
- File Names:
- Encrypted File Extensions: `.Midnight`, `.endpoint`
- Ransom Note: `How To Restore Your Files.txt`
- Log Files: `Report.Midnight`, `debug.endpoint`
- Registry Keys: *Not specified in the summary text.*
- Network Indicators: *No explicit C2 indicators (IPs/Domains) were provided in the summary text.*
- Behavioral Indicators:
- Creation of mutex: `Mutexisfunnylocal`.
- Appending extension string directly to file content (hex view).
## Associated Threat Actors
- Unknown (Attributed to a new evolution utilizing the leaked Babuk source code).
## Detection Methods
- Signature-based detection: Based on the provided SHA256 hashes.
- Behavioral detection: Monitoring for the creation of the `Mutexisfunnylocal` mutex or the execution of file renaming/apprending logic associated with encryption.
- YARA rules: *Not provided in the summary text.*
## Mitigation Strategies
- **Prevention:** Maintain strong backups of critical data.
- **Recovery:** Utilize the publicly available decryptor tools (64-bit or 32-bit provided by Norton/Avast) to restore files without paying the ransom, leveraging the cryptographic flaws.
- **Hardening:** Be wary of ransomware inspired by Babuk, as they may inherit complex but potentially flawed structures.
## Related Tools/Techniques
- **Babuk Ransomware:** Midnight is a direct lineage/evolution of Babuk, inheriting core structural elements.
- **Ransomware-as-a-Service (RaaS):** Babuk operated on a RaaS model, suggesting Midnight may follow a similar operational structure.