Ransomware Tracker (Entry #213): BlackSkull

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/0mid16B

0mid16B is a Singaporean national living in Thailand who was arrested in February 2025. It was not a "group," as the individual who ran the operation often claimed. He would use an alias and then change his name on forums and marketplaces to mask his identity. However, many researchers, primarily Group-IB and DataBreaches.net, knew this was the same individual based on his writing style and format of posts. Over the few years he was active, he went by Chaoscc, DESORDEN, ALTDOS, GHOSTR, 0mid16B, and CrowdStrike gave him the name Chaotic Spider. After his arrest, which was cordinated by several law enforcement agencies in Southeast Asia in conjunction with Group-IB, we learned his name was Chingwei, and he cooperated with law enforcement once he was caught. We chose the 0mid16B name for this entry because it was the most recent one used and stood out the most. However, most of his attacks occurred under the DESORDEN name.

According to Group-IB and public accounts of Chingwei, the timeline of his aliases was as follows:

• Chaoscc/ALTDOS: May 2020 - September 2021
• DESORDEN: September 2021 - September 2023
• GHOSTR: October 2023 - August 2024
• 0mid16B: August 2024 - February 2025

Chingwei was financially motivated and mostly breached member countries of the Association of Southeast Asian Nations (ASEAN), particularly Malaysia, Singapore, and Thailand. However, he began attacking more Western countries after losing reputation on hacker forums from being banned for multi-accounting, which is when someone gets caught using additional accounts after getting banned on forums. Since reputation is all you have on anonymous hacking forums, losing that is a death blow. He used the name GHOSTR when he got banned for multi-accounting. After that, he changed his name to 0mid16B, changed his writing style (primarily), and began attacking countries outside of ASEAN to mask his identity better. That is, until he was arrested.

He used unorthodox extortion methods during his tenure to obtain his ill-gotten gains. He would directly extort victims, and if they didn't pay, he would leak part of the stolen data on hacking forums and use middlemen to sell the data to other groups. He claims the data were usually purchased by Chinese-based scam groups out of Malaysia, Cambodia, and Laos. Some other methods were attacking the victim multiple times, especially conglomerates with various subsidiaries, disclosing the breaches to regulators and the media, denial of service attacks, contacting customers and clients about the breach, website defacing, and forcing the victim companies to disclose the breach to the media and government (forced disclosure).

Even his communication methods were dissimilar to those of most other ransomware groups. He mostly used Matrix to communicate with victims but also employed Telegram, Teamviewer, Jabber, email, and TOX. Chingwei also used several hacking forums to communicate with victims and sell stolen data: BreachForums, CRACKED, CryptBB, DarkForums, RaidForums, and Sinisterly, with possibly more we couldn't uncover. During his stint as 0mid16B, he also used Twitter/X to perform disclosures. This was part of his effort to mask his identity, which obviously didn't work out well.

Finally, since this is a ransomware tracker, it's worth noting that, according to Chingwei, he did "not use ransomware in most of their attacks." His phrasing implies that some did use ransomware, and he did have a few forum posts discussing the Chaos and Yashma ransomware builders, which he wasn't a fan of. As part of his efforts to communicate with media and researchers, he often communicated with the authors of DataBreaches.net, which, as you can see by our references, is where a lot of this research comes from. He told them that he had used AES-256 encryption for some databases he encountered, which is up for interpretation if that was a ransomware encryptor or if he would encrypt these databases using local encryption methods.

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/wagner-0

WAGNER ransomware claims to be the "official virus of PMC Wagner on employment." PMC stands for Private Military Company, and Wagner is a PMC backed by the Russian government. They are more commonly referred to as the Wagner Group. On February 24, 2022, Russia invaded Ukraine, and Russia's president, Vladimir Putin, called it a special military operation (SMO). In addition to Russian military forces, the Wagner Group was intertwined in this invasion. Several months after Ukraine defiantly thwarted the invasion to a grinding stalemate, primarily on Ukraine's Eastern front, Wagner's leader, Yevgeny Prigozhin, published video after video of the situation in the frontlines, Eventually, he persistently complained about the lack of ammunition and casualties because of it, which he blamed on Russia's leadership, mainly the Minister of Defence, Sergei Shoigu, and Chief of the General Staff, Valery Gerasimov.

On Friday, June 23, 2022, Prigozhin threatened a rebellion against Russian leadership and began a march on Moscow with members of the Wagner Group. Two days later, this ransomware was created (based on the compilation timestamp) using the Chaos v4.0 builder while the march toward Moscow was ongoing. Given that it was created during the rebellion and the first upload of the only known sample came from Russia, it's logical to assume it was designed to sow further Chaos (no pun intended) from the Ukranian point of view. Encrypting someone's files and enticing them to "go to war against Shoigu" aren't the most effective ways to recruit Russian nationals to rise up against their own government. However, this is all conjecture and educated guesses based on the limited information about this ransomware.

Aside from the backstory, the technical information is more straightforward. The encryption information and behaviors are already understood because the executable is built using Chaos v4.0. We know it's the Chaos v4.0 builder instead of any other version because the functions match what an executable would have if built from this version; they match one-to-one. Therefore, the encryption algorithm uses AES-256-CBC to encrypt the files and RSA-1024 to encrypt the AES symmetric key. Any files over 2 MB are overwritten and can not be recovered. It's worth noting that Truesec created a decryptor for Chaos-created ransomware for files less than 2 MB.

Based on all the information provided, it's safe to assume that the threat actor had no intention of decrypting files or collecting a ransom. As such, we've labeled the extortion type as 'pseudo-extortion.'

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/hakuna-matata

Hakuna Matata is a Swahili phrase meaning "there are no worries" (Hakuna = there are no; Matata = worries). It's popularized by the Disney movie The Lion King, performed by Timon and Pumbaa. However, native speakers of Swahili in countries such as Tanzania, Kenya, Uganda, and other neighboring countries seldom use this phrase in everyday conversation. It's more or less reserved for tourists because of The Lion King. In this context, Hakuna Matata is a ransomware builder that produces encryptors with AES-256-CBC and RSA-2048. The builder allows users to create a custom ransom note file name (default = Readme.txt) and message, a name for the process that performs the encryption (default = rundll32.exe), select file extensions, and options to alter the desktop wallpaper for extortion instructions. Additional options are shown in the ransom note image below, which isn't a ransom note image but an image of the builder as a user would see it.

The builder first appeared on the HellOfHackers forum from a user named Hakuna1 on July 7, 2023. Additionally, a user named CmdShell is selling the software for $150 on the underground market, GothamCity. We are uncertain if these are the same users because the CmdShell user created their account in May 2024, almost a year after the builder was publicized. Another user named HeightCoder released the source code on October 5, 2024 (see references) on GitHub, furthering evidence that the CmdShell could be another individual with access to the source code instead of the original author. This user also indicates that this builder is an iteration of Chaos/Yashma, which seems probable considering the similar appearances and behaviors of the encryptors from each of these builders.

All in all, the source code is in the public domain, and users who fall victim to ransomware derived from this builder will undoubtedly have worries. Unlike Chaos 3.0, Chaos 4.0, Yashma, and some variants, Hakuna Matata encryptors have no known decryptor.