There is a new kid on the block, and it's nasty.
A ransomware operation dubbed '0mega' has been making the rounds, targeting businesses and organizations around the world with double-extortion attacks. Successful attacks lead to ransom demands reaching millions of dollars.
0mega (spelled with a zero) was first launched in May 2022 and has claimed numerous victims.
When it was first found, there was not enough information available to describe the campaign in detail.
What is certain is that 0mega encrypts files and appends a .0mega extension to every file it manages to encrypt.
The attackers then drop ransom notes named DECRYPT-FILES.txt.
Some notes also threaten that the 0mega ransomware group will inform business partners and trade associations about the attack if victims fail or refuse to pay the ransom.
To that end, the ransom note contains a link to a Tor payment negotiation site with a dedicated "support" chat feature.
Victims of the 0mega ransomware can use the feature to contact the ransomware gang.
But before they can do this, victims must log in to a dedicated dark web website.
To do so, they must first upload the ransom note they received, using the Tor browser. The ransom note the attackers send to victims contains a unique Base64-encoded blob that the site uses to identify the victim.
Like most notorious ransomware gangs that target large companies and organizations and demand huge sums of money, 0mega also runs a dedicated data leak site, which the threat actors use to publish stolen data if a ransom is not paid.
When it was first discovered, researchers found that 0mega's leak site hosted some 152 GB of data stolen from victims.
Given that this campaign is still in its early stages, researchers predict that attacks are likely to increase and that the site will host even more leaked data.