APT / THREAT GROUP

0Mega

Intelligence Profile

0mega is a new ransomware operation that has been observed targeting organizations around the world. Its operators run double-extortion attacks, stealing data before encrypting it, and demand ransoms in the millions of dollars.

The 0mega ransomware operation launched in May and has already claimed multiple victims.

0mega maintains a dedicated data leak site on which the attackers publish stolen data if the demanded ransom is not paid.

The leak site currently hosts 152 GB of data stolen from an electronics repair firm in an attack carried out in May.

One further victim has since been removed from the leak site, which may indicate that the victim paid the ransom to the 0mega group.

How does it work?

The ransomware appends the .0mega extension to the names of encrypted files and drops ransom notes named DECRYPT-FILES[.]txt.

The ransom note contains a link to a Tor payment negotiation site with a support chat for contacting the ransomware group.

To log in to that site, the victim must upload their ransom note, which carries a unique Base64-encoded blob that identifies the victim to the operators.
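The three artefacts above (the .0mega extension, the DECRYPT-FILES.txt note, and the Base64 blob inside the note) are enough to build a first-pass triage scan of a suspect host. The script below is an added example written for this profile; it is not CTIWATCH's tooling or anything from the 0mega operators. It walks a directory tree, collects encrypted files and ransom notes, pulls candidate Base64 identifier blobs out of each note, and checks that they actually decode. The sample directory, note text and identifier it scans are constructed for the demonstration, and the 40-character minimum blob length is an assumption because the page does not give the real blob size.

```python
"""Triage scan for the 0mega ransomware artefacts described on this page.

Added example, not the page's or the 0mega operators' own code. The sample
tree it builds is constructed; the identifier format is assumed.
"""
import base64
import binascii
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicators from the profile: extension appended to encrypted files and the
# ransom-note filename (written undefanged here because it is a name on disk).
ENCRYPTED_EXT = ".0mega"
NOTE_NAME = "DECRYPT-FILES.txt"

# The note carries a Base64-encoded identifier blob. Its real length is not
# given on the page, so a floor of 40 Base64 characters is an assumption.
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    # (note path, blob text, decoded bytes or None if not valid Base64)
    blobs: list = field(default_factory=list)


def extract_blobs(note_text):
    """Return (blob, decoded_or_None) for each candidate identifier in a note.

    A v3 .onion hostname is 56 base32 characters, a subset of the Base64
    alphabet, so a run immediately followed by ".onion" is skipped rather
    than reported as a victim identifier.
    """
    found = []
    for m in BASE64_RUN_RE.finditer(note_text):
        if note_text.startswith(".onion", m.end()):
            continue
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True)
        except binascii.Error:
            decoded = None
        found.append((blob, decoded))
    return found


def scan_tree(root):
    """Walk root and collect encrypted files, ransom notes and note blobs."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
            elif name == NOTE_NAME:
                result.ransom_notes.append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for blob, decoded in extract_blobs(fh.read()):
                        result.blobs.append((path, blob, decoded))
    return result


# Constructed demo identifier (44 bytes -> 60 Base64 chars); the real format
# used by 0mega is not known to this example.
DEMO_IDENTITY = b"constructed-victim-identifier-for-demo-only!"


def build_sample_tree(root):
    """Write a constructed post-infection directory (not real samples)."""
    os.makedirs(os.path.join(root, "finance"))
    for rel in ("finance/budget.xlsx" + ENCRYPTED_EXT, "report.docx" + ENCRYPTED_EXT):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\x00opaque ciphertext placeholder\x00")
    with open(os.path.join(root, "untouched.md"), "w") as fh:
        fh.write("not encrypted\n")
    note = (
        "Your files have been encrypted.\n"
        "Visit our Tor site: http://" + "x" * 56 + ".onion/ (constructed placeholder)\n"
        "Upload this note to log in:\n"
        + base64.b64encode(DEMO_IDENTITY).decode() + "\n"
    )
    with open(os.path.join(root, NOTE_NAME), "w") as fh:
        fh.write(note)


def demo():
    """Build the constructed sample tree, scan it and return the ScanResult."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r.encrypted_files)} encrypted files, {len(r.ransom_notes)} ransom notes")
    for path, blob, decoded in r.blobs:
        print(path, blob[:16] + "...", "valid Base64" if decoded else "NOT Base64")
```

Point `scan_tree()` at a mounted image or a live file system root to use it outside the demo. The .onion exclusion matters in practice: a Tor link in the note will otherwise be reported as an identifier, because base32 hostnames decode "successfully" as Base64.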

Threat Analysis

0Mega is a ransomware operation of undetermined national origin. Its observed activity (double-extortion attacks with multi-million-dollar ransom demands) indicates a financial motivation; its level of sophistication and longer-term activity patterns have not yet been characterized.

Quick Facts

Type: APT / Threat Group
Aliases: 1

Also Known As

0Mega

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
0Mega — APT / Threat Group | Threat Intelligence | CTIWATCH.COM