Cyphort Discovers New Radamant Ransomware

Radamant Ransomware distributed via Rig EK

A new ransomware called Radamant was discovered in early December 2015. On December 31, we found compromised websites redirecting to the Rig Exploit Kit and downloading this ransomware. The following sites have been infected:




On the affected pages, malicious HTML code was injected at the end of the page. The code loads a malicious Flash file that redirects the browser to the Rig EK landing page.


As of this writing, the said websites are free from infection.

Flash Exploit

The Rig EK on both sites uses the same Flash exploit and delivers the same payload. The Flash exploit targets the following vulnerability:

  • CVE-2015-5560

This is an old exploit which affects versions and below. The vulnerability was patched on August 15, 2015 via an Adobe Flash Player update. After successful exploitation, the exploit downloads its payload.

Radamant Ransomware

This is a new breed of ransomware that encrypts files using AES-256. provides excellent coverage of this ransomware. The malware was also found to be leased as a kit on private malicious sites: it costs $1,000 to rent for one month, or potential buyers can test it for 48 hours for $100 USD.


As early as December 14, people were complaining on the BleepingComputer forum that their files had been encrypted and renamed with a .RDM or .RRK extension. The malware scans for all files matching certain extensions and encrypts each of them with a unique AES-256 key. The generated AES-256 key is then encrypted with a master key and embedded into the target file.

Network Connections

The malware first issues a POST request to its CnC server to obtain possible domain(s):


Server Reply: []

It then POSTs to together with its ID and IP address, to check whether it is already registered with the server:

POST  id={machine fingerprint}&ip={victim's IP address}

Server Reply: [0:unknownID][6:{IP region e.g., RU}]

If the victim is new, the server replies with [0:unknownID], which instructs the bot to register and POST additional system information (including the generated public and private keys):

POST  id={machine fingerprint}&apt=0&os={OS version}&ip={victim's IP address}&bits={32 or 64 bit}&discs={Drive Letters}&pub={public key}&prv={private key}

Server Reply: [r:good]

The server then sends its public key, and the malware POSTs to:


The server replies with a list of extensions to encrypt, which also triggers the start of encryption. After the malware finishes encrypting files, it shows the following page informing the user that their files have been encrypted and instructing the victim to pay 0.5 Bitcoin (approx. 220 USD).
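As an added example (not part of Cyphort's post or the malware's own code), the following Python takes the check-in and registration POST bodies and the bracketed "[code:value]" reply format described above and flags matching requests in proxy log lines. The log line format, the hostnames, the machine fingerprint and the key values are constructed for this demonstration and are not indicators from the post.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Exact parameter sets of the two POST bodies described above (check-in and registration).
CHECKIN_KEYS = {"id", "ip"}
REGISTRATION_KEYS = {"id", "apt", "os", "ip", "bits", "discs", "pub", "prv"}
# Server replies are runs of "[code:value]" tokens, e.g. "[0:unknownID][6:RU]" or "[r:good]".
REPLY_TOKEN = re.compile(r"\[([^:\]]+):([^\]]*)\]")
# Constructed proxy-log lines (hypothetical format: client, method, URL, body, server reply).
SAMPLE_LOG = [
    "198.51.100.7 POST http://cnc.example/x.php body=id=7F3A9C12&ip=198.51.100.7 reply=[0:unknownID][6:RU]",
    "198.51.100.7 POST http://cnc.example/x.php body=id=7F3A9C12&apt=0&os=Win7&ip=198.51.100.7"
    "&bits=64&discs=CD&pub=PUBKEY&prv=PRVKEY reply=[r:good]",
    "203.0.113.9 POST http://shop.example/login body=user=bob&pass=secret reply=[ok]",
]
LOG_LINE = re.compile(r"(\S+) POST (\S+) body=(\S*)(?: reply=(\S+))?$")

def parse_reply(reply: str) -> dict:
    """Turn '[0:unknownID][6:RU]' into {'0': 'unknownID', '6': 'RU'}; '[]' gives {}."""
    return dict(REPLY_TOKEN.findall(reply))

def classify_post_body(body: str) -> Optional[str]:
    """Match the exact parameter set of a Radamant check-in or registration POST."""
    keys = set(parse_qs(body, keep_blank_values=True))
    if keys == REGISTRATION_KEYS:
        return "registration"
    if keys == CHECKIN_KEYS:
        return "checkin"
    return None

def scan_log(lines) -> list:
    """Return one alert dict per log line whose POST body matches a Radamant stage."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, url, body, reply = m.groups()
        stage = classify_post_body(body)
        if stage is None:
            continue
        codes = parse_reply(reply or "")
        alert = {"client": client, "url": url, "stage": stage, "region": codes.get("6")}
        # [0:unknownID] on a check-in means the host is about to register and upload its key pair.
        alert["new_victim"] = stage == "checkin" and codes.get("0") == "unknownID"
        alert["ack"] = stage == "registration" and codes.get("r") == "good"
        alerts.append(alert)
    return alerts
```

In practice the check-in alert is the earliest network signal, since it precedes the registration that ships the key pair and the extension list that starts encryption.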



Luckily, the malware's encryption has flaws that allowed Fabian Wosar to recover the encrypted files without paying the ransom.

Fabian’s tool can be downloaded from the following link:


The tool has been updated to support the latest known version. It is also evident that the malware author(s) aren't pleased with Fabian, as the latest version contains strings cursing him in its code.

The first version of Radamant was first seen on Dec 3, 2015, and we have identified 3 versions to date.

Version  MD5                               Mutex Name                             Extension of Encrypted Files
1        e62d58a48f3aca29acd535c3ae4b7ce1  Radamant_v1_Klitschko_number_one       .RDM
2        a40f1a7d3c1db966bbabdeb965697c1b  Radamant_v2_Klitschko_number_one       .RDM
2.1      72c71e4c78af74f4e500f1422a2f9092  \Sessions\1radamantv2_emisoft_fucked   .RRK

Indicators of Compromise

Mutex Names:




Install Path:


Registry Keys:


Value: svchost or DirectX

Data: C:\Windows\directx.exe


Value: svchost or DirectX

Data: C:\Windows\directx.exe
