ShadowRoot Ransomware Targeting Turkish Businesses
An analysis reveals a basic ransomware campaign targeting Turkish enterprises. The attack commences with a malicious PDF attachment delivered via email containing a link that downloads an executable payload. This executable then drops further components including a .NET binary obfuscated with dotnet confuser. The malware recursively encrypts files with the .shadowroot extension and communicates with a Russian SMTP server. While exhibiting fundamental functionality this campaign appears to be the work of an inexperienced actor aiming to extort victims through ransom demands.