Obscura

Obscura, also referred to as Obscura Locker, is a ransomware family first observed in late August to early September 2025. It encrypts victim files using AES and RSA and appends the .obscura extension. The ransom note is named README-OBSCURA.txt and states that the victim network has been encrypted and that data from devices across the network, including NAS systems, has been stolen, indicating double-extortion behavior. The note threatens publication of stolen data if the victim does not respond within about 240 hours and provides victim contact details via a TOX ID beginning with AE55FC0EB1C25A5B081650108F9081E23 and the Tor site obscurad3aphckihv7wptdxvdnl5emma6t3vikcf3c5oiiqndq6y6xad.onion. Reported delivery vectors include exposed or insecure RDP, phishing or spam emails with malicious attachments, exploit-based delivery, deceptive downloads, malvertising, fake updates, botnets, web injects, and trojanized installers. Technically, Obscura deletes shadow copies using "cmd.exe /c vssadmin delete shadows /all /quiet", terminates processes that may interfere with encryption, and excludes various system, boot, firmware, configuration, and already-encrypted file types from encryption. The malware has been reported to use a BYOVD (Bring Your Own Vulnerable Driver) technique to evade or bypass security protections, and separate reporting cites an Obscura incident in late August 2025 as an example of ransomware bundling defense-evasion capability with the payload. An analyzed sample was identified as a Go binary. Reported associated filenames include a.exe and r49hz.exe. Published hashes for one sample are SHA-256 1942510d3b5691819636067ec89b7b7bb18f784d819060d687fc0248dbed5047, SHA-1 2f859eeaa01238ed704fe504470186904dc59629, and MD5 e8c19bf10d044fe448a60e3fa0f60d58. A notable implementation flaw has been reported in Obscura’s encryption process: files larger than 1 GB may become permanently unrecoverable because the malware fails to write the encrypted temporary key to the file footer, meaning data may remain undecryptable regardless of ransom payment.