Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

LostTrust

132
Global rank
112 infographic chevron month
Month rank
114 infographic chevron week
Week rank
0
IOCs

LostTrust is a ransomware that has been active since March 2023. It is a multi-extortion malware, meaning that it not only encrypts data on the compromised system and demands a ransom, but also exfiltrates some of the critical files to the attacker. The criminals publish the stolen data on a special website, where dozens of companies are listed as victims of the malware.

Ransomware
Type
Unknown
Origin
1 March, 2023
First seen
19 January, 2025
Last seen

How to analyze LostTrust with ANY.RUN

Type
Unknown
Origin
1 March, 2023
First seen
19 January, 2025
Last seen

IOCs

Domains
metacrptmytukkj7ajwjovdpjqzd7esg5v3sg344uzhigagpezcqlpyd.onion
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 220
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 596
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1488
comments 0

What is LostTrust malware?

LostTrust is a multi-extortion ransomware. The creators of this malware claim to be former cybersecurity specialists who turned to malicious software due to low compensation. They present their actions as a service.

LostTrust is believed to be linked to MetaEncryptor, another ransomware that emerged a year prior. Additionally, both programs’ characteristics closely resemble those of Sfile and Mindware.

The group behind LostTrust openly shares information about their victims, which includes companies from various sectors, including healthcare. They even go as far as publishing some of the stolen data.

The ransom demanded from victims as part of an attack starts from $100,000, with the exact amount depending on each targeted organization. This is in stark contrast to more common ransomware families such as Wannacry, whose amounts usually do not surpass the $1000 mark.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the LostTrust malicious software

As mentioned above, the LostTrust operation largely resembles that of MetaEncryptor. The malware is capable of both encrypting the files on the compromised system and transferring some of the most critical data to the attacker’s server. The program adds the .losttrustencoded extension to the files that have been subjected to modification.

LostTrust also can kill many of the system processes and services, such as those related to Tomcat, SharePoint, MSSQL, and PostgreSQL, in order to ensure unimpeded encryption. It does it via Command Prompt by launching multiple sessions running in the background. At the same time, the malware makes the execution of its payload visible to the victim using a separate command window.

To prevent the user from recovering data, the malware removes Windows Event Logs and shadow copies.

Once the encryption process is finished, users are shown a note where they are instructed to communicate with the hackers through a designated website chat. They are given a 72-hour timeframe to respond before their files are leaked to the public.

Execution process of LostTrust

By uploading a sample of LostTrust to the ANY.RUN sandbox we can gain a better look at the malware execution process and collect essential threat intelligence.

Analyze malware for free in a fully interactive cloud sandbox – sign up now!

LostTrust process tree shown in ANY.RUN LostTrust's process tree demonstrated in ANY.RUN

Upon execution, LostTrust ransomware, like any malware of its kind, immediately begins encrypting files on the infected system. A distinctive feature of LostTrust is its initiation of numerous child processes for carrying out additional malicious activities. System utilities are launched to halt system and network processes, services, and application processes, as well as to remove shadow copies and perform other disruptive actions. The encrypted files receive the ".losttrustencoded" extension, and "!LostTrustEncoded.txt" files are created containing ransom demands and instructions.

LostTrust ransom note shown in ANY.RUN LostTrust ransom note

Distribution methods of the LostTrust malware

In their attacks, criminals employ a variety of methods to distribute LostTrust. However, just like most ransomware, including such notable examples as LockBit, LostTrust is usually delivered in the form of malicious email attachments. Attackers design phishing campaigns that exploit social engineering tactics to trick users into downloading and running payloads that hijack and compromise their systems.

Conclusion

LostTrust is one of the key emerging ransomware threats of 2023, which means that companies must be equipped with the necessary capabilities to detect and prevent infection. One way they can ensure protection is by uploading any suspicious email to ANY.RUN to determine if it is malicious or not.

ANY.RUN is fully interactive and lets you engage with the infected system like you would on your own computer but in a safe cloud environment. The service automatically generates a comprehensive report on the analyzed file or link and presents its verdict as well as IOCs and malware config.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Fog Ransomware screenshot
Fog is a ransomware strain that locks and steals sensitive information both on Windows and Linux endpoints. The medial ransom demand is $220,000. The medial payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding on other sectors and countries. Main distribution method — compromised VPN credentials.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More