cs-137

Also known as: cs-137

Cs‑137 is a newly observed ransomware strain that first appeared in January 2025. It employs the ChaCha20 cipher for encryption and appends obfuscated filenames with a random 10-character alphanumeric identifier while preserving the original file extension. In its current testing phase, it drops a ransom note with a randomized filename (e.g. ABCDEF-README.txt) and sets a randomly named image file as the desktop wallpaper. The note references a Tor-based extortion portal—though access is not yet active, indicating the operation’s early development stage. The strategy suggests single-extortion behavior, focused on disrupting access rather than data theft or leak threats.

Introduction

Cs‑137 is a newly observed ransomware strain that first appeared in January 2025. It employs the ChaCha20 cipher for encryption and appends obfuscated filenames with a random 10-character alphanumeric identifier while preserving the original file extension. In its current testing phase, it drops a ransom note with a randomized filename (e.g. ABCDEF-README.txt) and sets a randomly named image file as the desktop wallpaper. The note references a Tor-based extortion portal—though access is not yet active, indicating the operation’s early development stage. The strategy suggests single-extortion behavior, focused on disrupting access rather than data theft or leak threats.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • DesktopNow:

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.