Ransomware - Crimson Walrus

Crimson Walrus
Aliases
Crimson Walrus 2
TuskLocker
TuskLocker 2
Decryptor Available
No
Description

Crimson Walrus isn't ransomware. ConnectWise created it as a challenge for the IT Nation Secure 2022 CTF from June 6, 2022, to June 8, 2022, and emulates some real ransomware behaviors. For example, we observed no file encryption (although it does utilize RSA-2048 for encrypting some data). It does drop a ransom note with the flag to one of the challenges, and they even created an extortion page on the dark web to make it more realistic. The dark website even had five "victims" and certainly was cloned from the Babuk dark website. Apparently, they did so well that one cybersecurity company mistook it for a real ransomware group with five victims. There are a few aliases for Crimson Tusk, which is self-named on their dark web extortion site, but the source code path reveals it was named TuskLocker2. Thus, the aliases Crimsom Walrus 2, TuskLocker, and TuskLocker 2 came to be.

Ransomware Type
Simulator/Emulator
Country of Origin
United States
First Seen
Last Seen
Threat Actors
Type
Actor
Company
ConnectWise
Extortion Types
Pseudo-Extortion
Ransom Note Name
DECRYPT_YOUR_FILES.txt
Ransom Note Image
Samples (SHA-256)
58e969a3aec430698e3b9fa692edcdbcf9529262f5d298913b19ed9dc73c6aa5
References & Publications