EndPoint
EndPoint is a ransomware family formerly known as Midnight and is assessed to be derived from the Babuk ransomware framework. Reported targets include Windows, ESXi, and NAS environments. It operates as a double-extortion ransomware, encrypting files while threatening disclosure of stolen data. Encrypted files are typically renamed with the .endpoint extension, and the malware drops a ransom note named "How To Restore Your Files.txt" in affected paths. The note states that data was stolen and encrypted, offers decryption of three files for free, provides Session messenger contact details, and warns that the ransom demand will increase over time.
Its behavior includes configurable encryption scope via command-line arguments such as -paths= for specified paths, /n for network shares only, and /e to disable adding the .endpoint extension. Before encryption, it terminates multiple processes, including database, office, and mail-related processes, and forcibly stops services associated with backup and security products, including vss, sql, Veeam, Sophos, and Acronis. It deletes Volume Shadow Copies using "vssadmin.exe delete shadows /all /quiet" to hinder recovery. It excludes certain directories such as Windows, Program Files, and AppData, as well as files including bootmgr and ntuser.dat and extensions such as .exe, .dll, .msi, and .endpoint. It creates threads based on CPU core count, uses the mutex "Mutexisfunnylocal" to prevent duplicate execution, and may create a debug.endpoint file in its execution path to log FindFirstFileW and MoveFileExW failures.
For cryptography, EndPoint uses ChaCha20 for file encryption and protects the generated session keys with a custom RSA public-key operation. To improve speed it encrypts only part of each file, with the portion chosen according to file size, and it stores the RSA-protected session key together with a SHA-256 hash in a footer appended to the encrypted file. The malware reportedly does not change the desktop wallpaper.
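The behaviours above (the vssadmin command, the stopped backup and security services, the ransom-note name, the .endpoint rename, the mutex and the debug.endpoint log) are the observable signals a responder can hunt for. The following is an added triage example, not code from the AhnLab report or from the EndPoint sample: it runs simple detection logic over constructed endpoint telemetry and also interprets the -paths=, /n and /e switches on a suspect command line. The event shapes, field names, rule names and sample paths are assumptions chosen for the example and would be mapped onto your own EDR or Sysmon schema.

```python
"""Triage constructed telemetry for EndPoint ransomware behaviours.

Added example (not the report's or the malware's code). Event shapes and
field names are an assumption of this example.
"""
import re

# Indicators named in the report above.
RANSOM_NOTE = "How To Restore Your Files.txt"
ENCRYPTED_EXT = ".endpoint"
DEBUG_LOG = "debug.endpoint"
MUTEX_NAME = "Mutexisfunnylocal"
SHADOW_DELETE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet\b", re.IGNORECASE
)
# Service-name fragments the report says EndPoint forcibly stops.
TARGETED_SERVICE_FRAGMENTS = ("vss", "sql", "veeam", "sophos", "acronis")

# Constructed telemetry (not a real capture). Assumed schema: "process" events
# carry a command line, "service_stop" a service name, file events a path,
# "mutex" a mutex name.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Users\Public\update.exe",
     "cmdline": r"update.exe -paths=D:\Shares"},
    {"type": "process", "pid": 4188, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "service_stop", "service": "VeeamBackupSvc"},
    {"type": "service_stop", "service": "Spooler"},  # benign, must not match
    {"type": "file_create", "path": r"D:\Shares\Finance\How To Restore Your Files.txt"},
    {"type": "file_rename", "src": r"D:\Shares\Finance\q3.xlsx",
     "dst": r"D:\Shares\Finance\q3.xlsx.endpoint"},
    {"type": "mutex", "name": "Mutexisfunnylocal"},
    {"type": "process", "pid": 5000, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},  # benign, must not match
]


def parse_endpoint_args(cmdline: str) -> dict:
    """Interpret the scope switches the report documents (-paths=, /n, /e).

    Whitespace tokenisation is an assumption of this example; a -paths= value
    containing spaces would need the quoting rules of the real sample.
    """
    scope = {"paths": None, "network_only": False, "no_extension": False}
    for token in cmdline.split()[1:]:  # token 0 is the image name
        low = token.lower()
        if low.startswith("-paths="):
            scope["paths"] = token[len("-paths="):]
        elif low == "/n":
            scope["network_only"] = True
        elif low == "/e":
            scope["no_extension"] = True
    return scope


def triage(events: list) -> list:
    """Return one finding (rule name plus evidence) per matching event."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            cmd = ev.get("cmdline", "")
            if SHADOW_DELETE_RE.search(cmd):
                findings.append({"rule": "shadow_copy_deletion", "evidence": cmd})
        elif kind == "service_stop":
            svc = ev.get("service", "")
            if any(frag in svc.lower() for frag in TARGETED_SERVICE_FRAGMENTS):
                findings.append({"rule": "backup_or_security_service_stopped",
                                 "evidence": svc})
        elif kind == "file_create":
            path = ev.get("path", "")
            name = path.rsplit("\\", 1)[-1]
            if name == RANSOM_NOTE:
                findings.append({"rule": "ransom_note_dropped", "evidence": path})
            elif name.lower() == DEBUG_LOG:
                findings.append({"rule": "debug_log_created", "evidence": path})
        elif kind == "file_rename":
            dst = ev.get("dst", "")
            if dst.lower().endswith(ENCRYPTED_EXT):
                findings.append({"rule": "encrypted_extension_appended",
                                 "evidence": dst})
        elif kind == "mutex" and ev.get("name") == MUTEX_NAME:
            findings.append({"rule": "known_mutex", "evidence": ev["name"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['rule']:36} {finding['evidence']}")
    print(parse_endpoint_args(SAMPLE_EVENTS[0]["cmdline"]))
```

Two caveats follow from the report's own description. A run launched with /e never produces .endpoint renames, so parse_endpoint_args on the suspect process's command line tells you in advance whether the extension rule can fire at all; in that case the ransom note, the mutex and the service stops are what remain. The vssadmin rule is shared with many ransomware families and is a generic alert, while the note name and the mutex are the EndPoint-specific signals here.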
The source also notes a historical ransom-note email account, schipkealfred@gmail.com, which impersonated the director of the East Asia Institute and was identified as being used by a North Korea-linked threat actor after 2024. A social media post referencing AhnLab's analysis associated the topic with the DPRK via hashtags, but the technical reporting itself goes no further than stating that this email account was used by a North Korea-linked actor. Reported detection names include Trojan/Win.Generic.C5765109, Ransom/MDP.Delete.M2117, Ransom/MDP.Command.M2255, Ransom/MDP.Decoy.M1171, Ransom/MDP.Event.M1946, Ransom/MDP.Event.M1875, SystemManipulation/EDR.Event.M2486, and Ransom/EDR.Decoy.M2470. Reported associated MD5 hashes include 34be5e70f1260da87096b80dc7b026ac, b77ad606ba04d2d0077130679a257c96, c00cc937e064946ee42776cfe80754d7, and e82bcf417f51acc6b2d8a94ceabd5e36.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique): delete volume shadow copies with the command vssadmin.exe delete shadows /all /quiet.
Stealth (3 techniques)
Discovery (1 technique)
Exfiltration (1 technique): EndPoint targets not only Windows environments but also ESXi and NAS environments, and uses a double-extortion approach that combines file encryption with threats to leak stolen data.
Impact (3 techniques): depending on the file size, partial encryption is used, encrypting only a portion of the file instead of the whole, to control processing speed and impact. | EndPoint is a ransomware variant formerly known as Midnight... uses a double extortion method that combines file encryption with data exfiltration threats. | Before encryption it terminates multiple processes, including database, office, and mail client processes, and deletes Volume Shadow Copies with the command vssadmin.exe delete shadows /all /quiet. It also forcibly stops backup- and security-related services such as vss, sql, Veeam, Sophos, and Acronis.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A ransomware variant developed from the leaked Babuk source/framework; it targets not only Windows but also ESXi and NAS environments, and carries out double extortion that combines file encryption with threats to leak stolen data. It appends the .endpoint extension, creates the ransom note How To Restore Your Files.txt, and uses ChaCha20, a custom RSA public-key operation, and partial encryption.
Named as a ransomware family in the referenced AhnLab post title.
Ransomware variant believed to be derived from the Babuk framework. It targets Windows, ESXi, and NAS environments, uses double extortion with file encryption and data exfiltration threats, employs ChaCha20 encryption with RSA-protected session keys, supports partial encryption, deletes shadow copies, stops backup/security services, and drops ransom notes named 'How To Restore Your Files.txt'.