Discovering the ADHUBLLKA Ransomware Family: Tracing the Roots of LOLKEK, BIT, OBZ, U2K, TZW Variants

Identifying ADHUBLLKA Ransomware: LOLKEK, BIT, OBZ, U2K, TZW Variants


This article is not an in-depth reverse-engineering analysis of a ransomware variant. Rather, it discusses the methods and techniques used to link a new sample to earlier ransomware campaigns.

When a ransomware strain is successful in the wild, it is common to see cybercriminals reuse the same samples, slightly tweaking the codebase, to pilot other projects. For example, they may change the encryption scheme, ransom notes, or command-and-control (C2) communication channels and then re-brand themselves as a “new” ransomware.

These slight tweaks can confuse security researchers during classification. It is important to attribute observed or detected indicators of compromise (IOCs) to the correct malware or ransomware family. However, because the newly re-branded names remain tied to the old malware, duplicate attributions can arise in some instances.

As a result, analysts and researchers can hit a roadblock while investigating an IOC hash if they see multiple malware families bound to an uploaded sample. For example, when the Babuk ransomware code was leaked, a plethora of new ransomware, such as Rorschach, Mario, ESXi, RTM Locker, and more, was quick to appear on the scene. The same happened when the Conti source code was leaked. In these cases, confirmation often requires reverse engineering.

In this research, we tracked down a similar case.


Case study: ADHUBLLKA ransomware

In August 2023, a new ransomware strain (Filename: r.exe) caught our attention. Our analysis showed that the newly found ransomware, active since August 1, 2023, is a spin-off of an earlier variant called ADHUBLLKA ransomware, which first appeared on January 13, 2020. 

In VirusTotal, you can find the following information on this case (MD5: 0f77484639b1193ad66e313040c92571b): 

Figure: ransomware intel (VirusTotal result)


Multiple engines have already detected this ransomware, and by tracking its genealogy we find traces of CryptoLocker, which has been prevalent since 2016. Since many malware code bases produce an exact match on shared code, a code match alone does not let us conclude it is CryptoLocker. Instead, we must look at additional parameters, such as contact emails, ransom notes, and execution method, as these all play a vital role in the analysis.

The ransom note reveals several important details.

Figure: ransom note from ADHUBLLKA ransomware


The threat actor asks victims to communicate via a TOR-based victim portal to obtain decryption keys following ransom payment. 

TOR Address: mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad.onion 
Alternate communication channel: 

Diving deeper into the Dark Web, we can extract more information about the negotiation phase.

Figure: Dark Web panel



The ransomware group advises infected victims to contact them directly and open a ticket for further negotiation, such as sample file submission, payment negotiation, and finally, receiving the decryption keys post payment. 

Once the ticket is submitted, a channel is created on the fly and this default message automatically pops up:

Figure: default message at the start of negotiation


As evidenced with this correspondence, the ransomware operator appears unwilling to negotiate, holding firm on the initial demand for decryption keys. 

Figure: negotiation phase


The operator would not provide a decrypted sample screenshot to the victim directly, but instead provided one on ImgBB, an image hosting service. This confirms that the group holds a working decryptor.

Communicated IPs 
Decryption Key Cost: $1350 or 0.047BTC 

NOTE: To cover their tracks, the threat actor may delete the messages sent to victims, as well as any created tickets, once they are resolved.


File execution 

The file is named “r.exe”. Once executed, it launches malicious tasks, such as process injection or dropping a malicious executable (AddInProcess32.exe) into the victim environment, and initiates the infection chain. Every encrypted file receives a “.MMM” extension.

All encrypted files contain the string “CRYPTO LOCKER” alongside the encrypted content.

Figure: keyword found in encrypted file content

To explore further, you can analyze the sample file in this Joe Sandbox report.


Tracing the ransomware family 

While tracing this ransomware sample, you must consider several parameters, such as the sample itself, the ransom note, and the contact email addresses, to find the root of the family.

It’s clear this is not limited to a single family. A genealogy can be found here: 


Here is a listing of the hashes observed in the wild for each variant with timeline:

Figure: ransom notes per variant


This graph shows the most frequently dropped ransom notes, in which victims are asked to contact the TOR domain address.

All the v2 Tor Onion links now are defunct.


Ransom note analysis 

Here we compare ransom notes dropped onto victim computers by different variants.

2019 Variant 
All your files, documents, photos, databases and other important files are encrypted 
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. 
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. 
Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/ 
2022-23 Variants 
All your files, documents, photos, databases and other important files are encrypted 
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. 
Alternate communication channel here: 
U2K Variant 
All your files, documents, photos, databases and other important files are encrypted 
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. 
The server with your decryptor is in a closed network TOR. 
TZW Variant 
All your files, documents, photos, databases and other important files are encrypted  
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.  
The server with your decryptor is in a closed network TOR. 


The above ransom notes indicate that the group changed its communication channel from v2 TOR Onion URLs to v3 TOR URLs. This is because the TOR community deprecated v2 Onion domains.

It is important to note that the additional sentence “The server with your decryptor is in a closed network TOR.” appears only in the two newest variants, TZW and U2K.
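As an added example (not part of the original article), the following Python compares the four notes quoted above sentence by sentence, masking URLs so that only the wording is compared, and reports which sentences distinguish one variant from another. The note texts are constructed from the quotes above.

```python
import re
from itertools import combinations

# Note texts constructed from the four variants quoted in the article.
_LINE1 = "All your files, documents, photos, databases and other important files are encrypted\n"
_LINE2 = ("The only method of recovering files is to purchase an unique decryptor. "
          "Only we can give you this decryptor and only we can recover your files.\n")
NOTES = {
    "2019": _LINE1 + _LINE2
            + "On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n"
            + "Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/",
    "2022-23": _LINE1 + _LINE2 + "Alternate communication channel here:",
    "U2K": _LINE1 + _LINE2 + "The server with your decryptor is in a closed network TOR.",
    "TZW": _LINE1 + _LINE2 + "The server with your decryptor is in a closed network TOR.",
}

URL_RE = re.compile(r"https?://\S+|\b[a-z2-7]{16,56}\.onion\b", re.I)

def sentences(text):
    """Split a note into normalized sentences. URLs are masked so that the
    wording is compared independently of the contact channel in use."""
    text = URL_RE.sub("<url>", text)
    out = set()
    for line in text.splitlines():
        for s in re.split(r"(?<=[.!?])\s+", line):
            s = re.sub(r"[^\w<>]+", " ", s.lower()).strip()
            if s:
                out.add(s)
    return out

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def similarity_matrix(notes):
    """Pairwise Jaccard similarity between the sentence sets of each note."""
    sets = {k: sentences(v) for k, v in notes.items()}
    return {(x, y): round(jaccard(sets[x], sets[y]), 2) for x, y in combinations(notes, 2)}

def differentiators(notes):
    """Sentences present in some but not all notes, mapped to the variants
    that contain them; these are the wording fingerprints worth tracking."""
    index = {}
    for name, text in notes.items():
        for s in sentences(text):
            index.setdefault(s, set()).add(name)
    return {s: v for s, v in index.items() if len(v) < len(notes)}
```

Running `differentiators(NOTES)` isolates the “closed network TOR” sentence as shared only by U2K and TZW, while the shared opening sentences score identically across all four notes.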

Additionally, the notes show that the group also used a URL shortener service to redirect to a Freshdesk ticketing site.

Expanding the shortened URL leads to a Freshdesk support site:

Figure: Freshdesk ticketing system, from the archives


Further investigation revealed that this link ( appeared on Pastebin on December 27, 2019; the same link is used by U2K ransomware, a 2022 variant of ADHUBLLKA ransomware.

Figure: Freshdesk support ticketing


The newer ADHUBLLKA variant, U2K, used the Freshdesk ticketing tool to communicate with its victims, confirming that the Freshdesk ticketing tool was active for the last three years; it is no longer available.

By checking the Antex7 profile, we can see three pastes from this profile; the other two pastes list the IP address as, which is associated with LimeRAT.

Figure: record from abuse.ch


When the short URL: was loaded again in 2022, this message appeared:

Figure: message displayed while loading (2022)

This signifies that the threat actor maintains a direct line of communication via email for victims, in case the TOR site goes down or the ticketing service is cancelled.

It is also important to note that this email address has been seen with multiple ransomware variants at different points in time, which suggests that the threat actor(s) have been the same since 2019.

URLs used in each ransomware project
alcx6zctcmhmn3kx.onion: JOPE, DeathRansom
decrmbgpvh6kvmti.onion: DOCM
helpinfh6vj47ift.onion: DOCM
7rzpyw3hflwe2c7h.onion: ADHUBLLKA, Bit
54fjmcwsszltlixn.onion: Bit
24cduc2htewrcv37.onion: Bit
helpqvrg3cc5mvb3.onion: Bit
mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion: MME, GlobeImposter XLS, Bit, Lolkek
mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad.onion: Lolkek
mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion: Bit, MME, OBZ
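The pivot this list enables, written out as an added Python example (not code from the original article): variants that share a contact onion address are joined into one cluster, and each address is tagged as a v2 or v3 onion by label length, which shows which variants bridge the v2-to-v3 transition. The mapping is transcribed from the list above.

```python
from collections import defaultdict
# Onion-address-to-variant mapping transcribed from the list above (constructed input).
ONION_MAP = """\
alcx6zctcmhmn3kx.onion: JOPE,DeathRansom
decrmbgpvh6kvmti.onion: DOCM
helpinfh6vj47ift.onion: DOCM
7rzpyw3hflwe2c7h.onion: ADHUBLLKA, Bit
54fjmcwsszltlixn.onion: Bit
24cduc2htewrcv37.onion: Bit
helpqvrg3cc5mvb3.onion: Bit
mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion: MME, GlobeImposter XLS, Bit, Lolkek
mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad.onion: Lolkek
mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion: Bit, MME, OBZ
"""

def parse(text):
    # Return (onion_address, variant) edges from "address: A, B" lines.
    edges = []
    for line in text.splitlines():
        addr, _, names = line.partition(":")
        edges += [(addr.strip(), n.strip()) for n in names.split(",") if n.strip()]
    return edges

def onion_version(addr):
    # v2 onion labels are 16 base32 characters, v3 labels are 56.
    return {16: "v2", 56: "v3"}.get(len(addr.split(".")[0]), "unknown")

def channel_versions(edges):
    # Which onion generations each variant has been seen with.
    seen = defaultdict(set)
    for addr, name in edges:
        seen[name].add(onion_version(addr))
    return dict(seen)

def clusters(edges):
    # Union-find: variants sharing an onion address end up in one group (candidate family).
    parent = {}
    def find(x):
        while parent.setdefault(x, x) != x:
            x = parent[x]
        return x
    by_addr = defaultdict(list)
    for addr, name in edges:
        by_addr[addr].append(name)
    for names in by_addr.values():
        for n in names[1:]:
            parent[find(n)] = find(names[0])
    groups = defaultdict(set)
    for _, name in edges:
        groups[find(name)].add(name)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))
```

On this input the largest cluster joins ADHUBLLKA, Bit, MME, GlobeImposter XLS, Lolkek and OBZ through shared addresses, while DOCM and the JOPE/DeathRansom pair stay separate on onion evidence alone; Bit is the only variant seen with both v2 and v3 addresses.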



ADHUBLLKA is chosen as the anchor point because a large number of reports cover the same email address, which belongs to the ransomware group, and because the sample spotted in 2019 (MD5: 77d0a95415ef989128805252cba93dc2) is still relevant to the 2023 variant.

Moreover, DeathRansom’s note and contact emails (which contain “death” as the main keyword) differ from ADHUBLLKA’s, even though DeathRansom uses ADHUBLLKA as the extension after encrypting files in one scenario. However, PCRisk confirmed that the group behind ADHUBLLKA ransomware updated its version so that TOR support exists and “.readme” extensions are appended to the encrypted files instead of ADHUBLLKA. It is also notable that Lolkek samples encrypt files with the “.readme” extension. Hence, we can classify them as ADHUBLLKA variants.

NOTE: It could be considered LOLKEK ransomware, but because LOLKEK appeared after ADHUBLLKA (comparing timelines), the roots are traced to the ADHUBLLKA family.

In another instance, the older onion address alcx6zctcmhmn3kx.onion is associated with DeathRansom, which indirectly links to ADHUBLLKA ransomware. The hash 860b89a4138f744adbe41cee1de0848f was identified in May 2019 and categorized as ADHUBLLKA.


Confusion with GlobeImposter 

The ransomware sample discussed above, and other associated samples, have also been tagged as GlobeImposter ransomware, which appeared in 2016. Various sandbox engines still classify it as GlobeImposter because of code-reuse matching.

Figure: example of misclassification


Here, we cannot classify it as GlobeImposter, as the infection chain and the method of ransom negotiation differ from the currently active scenario.

In the case of GlobeImposter, a large number of encrypted-file extensions are used (instead of a single extension), and the emails and TOR domains used by those threat actors do not overlap with any current ransomware campaign.

Even if they have changed their modus operandi by changing their toolset or improving their method of Dark Web communication, we can still consider this part of the ADHUBLLKA (DeathRansom) family, as the same observed tactic has been ongoing since 2019.


Key points

  1. This ransomware strain, which targets individuals and small businesses, demands ransoms in the range of $800 to $1600 from each victim. This is evident from previous variants.
  2. ADHUBLLKA is also seen in various other cyberattack campaigns. The popular threat actor group TA547 used ADHUBLLKA variants in its campaigns targeting various sectors in Australia in 2020.
  3. The malicious files of the ADHUBLLKA ransomware variants are commonly named after their MD5 or SHA256 hash, such as “MD5.vir” or “SHA256.bin”.
  4. The infected filenames (䶲䶮䶴䷣䷭䷢䷡䷠䷠䷟䷞䷆䷩䷢.exe) are in Mandarin.
  5. TZW is the latest variant (as of now) to appear from the ADHUBLLKA ransomware family. It also uses the same portal for victim communications.
  6. This ransomware was active on the Dark Web for a long while before the release of version 3 Onion URLs, as version 2 URLs were also used in earlier infections.
  7. Currently, this ransomware family has not announced a DLS (Data Leak Site) on the Dark Web, but once it gains a strong foothold, a DLS can be expected in the near future.


Conclusion: Despite different timelines and names, all variants belong to ADHUBLLKA ransomware family 

This ransomware has been highly active since 2019, with a few observed changes, notably the v3 TOR domain names and other parameters.

Various other names have been assigned to the same piece, such as ReadMe, MMM, MME, and GlobeImposter2.0, all of which again belong to the ADHUBLLKA ransomware family.

In the future, this ransomware may be rebranded with other names; or other groups may use it to launch their own ransomware campaigns. However, as long as the threat actor does not change their mode of communication, we will be able to trace all such cases back to the ADHUBLLKA family. 


ATT&CK MATRIX techniques 

T1091: Replication through Removable Media 
T1055: Process Injection 
T1036: Masquerading 
T1562.001: Disable or Modify Tools 
T1497: Virtualization/Sandbox Evasion 
T1158: Hidden Files and Directories 
T1027: Obfuscated Files or Information 
T1406.002: Software Packing 
T1056: Input Capture 
T1124: System Time Discovery 
T1518.001: Security Software Discovery 
T1057: Process Discovery 
T1120: Peripheral Device Discovery 
T1083: File and Directory Discovery 
T1082: System Information Discovery 
T1080: Taint Shared Content 
T1560: Archive Collected Data 
T1573: Encrypted Channel 
T1090: Proxy 
T1486: Data Encrypted for Impact



MD5 hashes


IP Addresses






Contact emails

========== : Jabber

