Ciphbit

Also known as: Ciphbit, CiphBit

Introduction

CiphBit is a crypto-ransomware first detected in April 2023. It uses a double-extortion model: it encrypts files and threatens to leak stolen data via a Tor-hosted portal if ransom demands are not met. The malware appends to the name of each encrypted file a string that includes a unique victim ID, the attacker's email address (onionmail.org), and a four-character random extension, which makes file identification and recovery especially difficult. Victims span sectors including banking, manufacturing, healthcare, logistics, and professional services across North America and Europe. The group is classified as a data broker because of its evolving extortion methods, which use free leaks and selective leaks to pressure victims. Recent high-profile victims include iptelecom GmbH (Germany) and Therma Seal Insulation Systems (USA), reaffirming its cross-industry reach and impact.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

Information pending cataloguing.

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.