Ransomware - Head Mare

Head Mare
Aliases: Mare Head
Decryptor Available: No
Description

The Head Mare group is a hacktivist group that targets individuals and organizations in Russia and Russia-aligned countries, specifically Belarus. They appeared at the end of 2023 via a new Twitter/X account that they used as a data leak site (DLS). There they published screenshots and other images as proof of breaches, and from those posts some of their alleged victims, listed below, could be accounted for. It wasn't until September 2024 that Securelist (Kaspersky) published research on the group; this was the first widely published research on Head Mare.

Some of that research corroborated what was already known: the group first appeared on Twitter and published screenshots of victim machines, mainly attacking Russia. Most of it, however, unveiled the group's tactics, techniques, and procedures (TTPs), including the ransomware used in their attacks. Head Mare doesn't have its own ransomware; it leverages already-known encryptors from LockBit and Babuk. According to Kaspersky researchers, the Head Mare operators use the LockBit 3.0 encryptor (also known as LockBit Black) for Windows machines and the Babuk ESXi encryptor for hypervisors.

Their encryption method is unorthodox. Kaspersky's research highlighted one encryption event in which the group used two LockBit subvariants sequentially. They first encrypted the targeted files with LockBitLite, which encrypts file contents but doesn't alter file names or free space. They then encrypted the output with LockBitHard, which encrypts file contents, encrypts file names, and wipes free space. There are likely one of two reasons for doing this. The first is encryption in depth: if one encryption mechanism had a flaw, the second layer would still prevent decryption. However, since both variants come from the same family, this is unlikely (if one has a flaw, the other likely does too). The second is that the attacker's intent is to wipe the machine and make it unrecoverable. Since Head Mare is a hacktivist group, this seems more likely than encryption in depth. A final observation from the encryption event is that, although the operators used the leaked builders, they didn't tweak them much; even the LockBit Black ransom notes are unchanged from the leaked versions.

Preceding a ransomware attack, the operators run phishing campaigns with ZIP archives attached. Once a prospective victim attempts to view the archive, embedded malware exploits CVE-2023-38831. This exploit allows attackers to execute arbitrary code when a file is viewed from an archive using WinRAR version 6.23 or older. After exploitation, the attackers use PhantomDL and PhantomCore for initial discovery, network enumeration, and command and control (C2) establishment. From there they can deliver more malware, since persistence has already been established through registry settings set earlier. The C2 framework they use is Sliver, an open-source alternative to Cobalt Strike. Finally, Head Mare uses ngrok and rsockstun for network pivoting, and XenAllPasswordPro and Mimikatz for credential harvesting, before deploying ransomware.

Ransomware Type: Crypto-Ransomware, Data Broker
First Seen:
Threat Actors
Type         Actor
Hacktivist   Head Mare
Extortion Types: Blackmail, Direct Extortion, Free Data Leaks
Communication
Medium       Identifier
File Extension
<file name>.<file extension>.Bb4RyY6Mf
<file name>.<file extension>.FihqnBxYm
<file name>.babyk
Ransom Note Name
<encrypted file extension>.README.txt
README_TO_RESTORE.txt
Samples (SHA-256)
2d3db0ff10edd28ee75b7cf39fcf42e9dd51a6867eb5962e8dc1a51d6a5bac50
311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86
4c218953296131d0a8e67d70aeea8fa5ae04fd52f43f8f917145f2ee19f30271
664b68f2d9f553cc1acfb370bcfa2ccf5de78a11697365cf8646704646e89a38
dc47d49d63737d12d92fbc74907cd3277739c6c4f00aaa7c7eb561e7342ed65e
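The file extensions, ransom note names and sample hashes above are the indicators a responder would sweep for first. The following Python triage helper is an added example, not code from the original profile, from Kaspersky, or from the group's tooling: it applies those indicators to a file listing (such as an EDR or backup-scan export), counts encrypted files per suffix, lists the affected directories, checks that each LockBit suffix has its matching <suffix>.README.txt note, and matches SHA-256 digests against the published samples. The file listing is constructed for illustration and the path layouts are assumptions.

```python
"""Triage helper for the Head Mare file-system indicators listed above.

Added example, not code from the original profile, from Kaspersky, or from
the group's tooling. The file listing below is constructed for
illustration; the path layouts are assumptions.
"""
import hashlib
import re
from collections import Counter

# Suffixes appended to encrypted files (from the profile). LockBit Black
# produces "<name>.<ext>.<suffix>"; Babuk ESXi appends ".babyk".
ENCRYPTED_SUFFIXES = {"Bb4RyY6Mf", "FihqnBxYm", "babyk"}

# Ransom note names from the profile: LockBit Black drops
# "<encrypted file extension>.README.txt", Babuk drops "README_TO_RESTORE.txt".
NOTE_PATTERN = re.compile(r"^(?P<ext>[A-Za-z0-9]+)\.README\.txt$")
STATIC_NOTE_NAMES = {"README_TO_RESTORE.txt"}

# Sample SHA-256 hashes from the profile, lower-case hex.
SAMPLE_SHA256 = {
    "2d3db0ff10edd28ee75b7cf39fcf42e9dd51a6867eb5962e8dc1a51d6a5bac50",
    "311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86",
    "4c218953296131d0a8e67d70aeea8fa5ae04fd52f43f8f917145f2ee19f30271",
    "664b68f2d9f553cc1acfb370bcfa2ccf5de78a11697365cf8646704646e89a38",
    "dc47d49d63737d12d92fbc74907cd3277739c6c4f00aaa7c7eb561e7342ed65e",
}

# Constructed file listing (not real victim data): a Windows user share hit by
# LockBit Black with two different suffixes, and an ESXi datastore hit by Babuk.
SAMPLE_LISTING = [
    r"C:\Users\it\Documents\budget.xlsx.Bb4RyY6Mf",
    r"C:\Users\it\Documents\plan.docx.Bb4RyY6Mf",
    r"C:\Users\it\Documents\Bb4RyY6Mf.README.txt",
    r"C:\Shares\eng\design.pdf.FihqnBxYm",
    r"C:\Shares\eng\notes.txt",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.babyk",
    "/vmfs/volumes/ds1/web01/README_TO_RESTORE.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
]


def _split(path):
    """Normalise separators and return (directory, file name)."""
    norm = path.replace("\\", "/")
    directory, _, name = norm.rpartition("/")
    return directory, name


def classify_path(path):
    """Return ("encrypted", suffix), ("note", suffix-or-None) or None.

    A LockBit note only counts when its prefix is one of the known suffixes,
    so an unrelated "foo.README.txt" is not flagged.
    """
    _, name = _split(path)
    m = NOTE_PATTERN.match(name)
    if m and m.group("ext") in ENCRYPTED_SUFFIXES:
        return ("note", m.group("ext"))
    if name in STATIC_NOTE_NAMES:
        return ("note", None)
    suffix = name.rpartition(".")[2]
    if suffix in ENCRYPTED_SUFFIXES and suffix != name:
        return ("encrypted", suffix)
    return None


def triage(paths):
    """Summarise the encryption indicators found across a listing."""
    counts = Counter()
    dirs = set()
    notes = []
    noted_suffixes = set()
    for path in paths:
        hit = classify_path(path)
        if hit is None:
            continue
        kind, suffix = hit
        if kind == "encrypted":
            counts[suffix] += 1
            dirs.add(_split(path)[0])
        else:
            notes.append(path)
            if suffix:
                noted_suffixes.add(suffix)
    # LockBit suffixes seen on files but with no "<suffix>.README.txt" note
    # anywhere in the listing; these locations deserve a closer look.
    missing = sorted(s for s in counts if s != "babyk" and s not in noted_suffixes)
    return {
        "encrypted_by_suffix": dict(counts),
        "affected_directories": sorted(dirs),
        "ransom_notes": notes,
        "suffixes_missing_note": missing,
    }


def sha256_hex(data):
    """Hex digest of a byte string (run over file contents before hash_hits)."""
    return hashlib.sha256(data).hexdigest()


def hash_hits(digests):
    """Return the sorted subset of digests that match the published samples."""
    return sorted({d.strip().lower() for d in digests} & SAMPLE_SHA256)


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
    print("hash hits:", hash_hits([sha256_hex(b"constructed, not a real sample")]))
```

Feed `triage()` the path column of a real listing and `hash_hits()` a column of digests; the suffix-to-note correlation is the useful part, since a LockBit suffix with no matching note, or a note with no encrypted files beside it, is where the sweep should start.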
Industry Sector              Country   Extortion Date   Amount (USD)
Defense                      Russia
Oil & Gas                    Russia
Information Technology       Russia
Electronics                  Russia
Defense                      Russia
Defense                      Russia
Telecommunications           Russia
Information Technology       Russia
Distribution & Logistics     Russia
Professional Services        Russia
Construction & Architecture  Russia
References & Publications