Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

LostTrust

135
Global rank
128 infographic chevron month
Month rank
118 infographic chevron week
Week rank
0
IOCs

LostTrust is a ransomware that has been active since March 2023. It is a multi-extortion malware, meaning that it not only encrypts data on the compromised system and demands a ransom, but also exfiltrates some of the critical files to the attacker. The criminals publish the stolen data on a special website, where dozens of companies are listed as victims of the malware.

Ransomware
Type
Unknown
Origin
1 March, 2023
First seen
19 January, 2025
Last seen

How to analyze LostTrust with ANY.RUN

Type
Unknown
Origin
1 March, 2023
First seen
19 January, 2025
Last seen

IOCs

Domains
metacrptmytukkj7ajwjovdpjqzd7esg5v3sg344uzhigagpezcqlpyd.onion
Last Seen at

Recent blog posts

post image
New Pre-Installed Dev Tools for Deep Sandbox...
watchers 334
comments 0
post image
AI Safety: Key Threats and Solutions 
watchers 444
comments 0
post image
5 Common Evasion Techniques in Malware 
watchers 599
comments 0

What is LostTrust malware?

LostTrust is a multi-extortion ransomware. The creators of this malware claim to be former cybersecurity specialists who turned to malicious software due to low compensation. They present their actions as a service.

LostTrust is believed to be linked to MetaEncryptor, another ransomware that emerged a year prior. Additionally, both programs’ characteristics closely resemble those of Sfile and Mindware.

The group behind LostTrust openly shares information about their victims, which includes companies from various sectors, including healthcare. They even go as far as publishing some of the stolen data.

The ransom demanded from victims as part of an attack starts from $100,000, with the exact amount depending on each targeted organization. This is in stark contrast to more common ransomware families such as Wannacry, whose amounts usually do not surpass the $1000 mark.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the LostTrust malicious software

As mentioned above, the LostTrust operation largely resembles that of MetaEncryptor. The malware is capable of both encrypting the files on the compromised system and transferring some of the most critical data to the attacker’s server. The program adds the .losttrustencoded extension to the files that have been subjected to modification.

LostTrust also can kill many of the system processes and services, such as those related to Tomcat, SharePoint, MSSQL, and PostgreSQL, in order to ensure unimpeded encryption. It does it via Command Prompt by launching multiple sessions running in the background. At the same time, the malware makes the execution of its payload visible to the victim using a separate command window.

To prevent the user from recovering data, the malware removes Windows Event Logs and shadow copies.

Once the encryption process is finished, users are shown a note where they are instructed to communicate with the hackers through a designated website chat. They are given a 72-hour timeframe to respond before their files are leaked to the public.

Execution process of LostTrust

By uploading a sample of LostTrust to the ANY.RUN sandbox we can gain a better look at the malware execution process and collect essential threat intelligence.

Analyze malware for free in a fully interactive cloud sandbox – sign up now!

LostTrust process tree shown in ANY.RUN LostTrust's process tree demonstrated in ANY.RUN

Upon execution, LostTrust ransomware, like any malware of its kind, immediately begins encrypting files on the infected system. A distinctive feature of LostTrust is its initiation of numerous child processes for carrying out additional malicious activities. System utilities are launched to halt system and network processes, services, and application processes, as well as to remove shadow copies and perform other disruptive actions. The encrypted files receive the ".losttrustencoded" extension, and "!LostTrustEncoded.txt" files are created containing ransom demands and instructions.

LostTrust ransom note shown in ANY.RUN LostTrust ransom note

Distribution methods of the LostTrust malware

In their attacks, criminals employ a variety of methods to distribute LostTrust. However, just like most ransomware, including such notable examples as LockBit, LostTrust is usually delivered in the form of malicious email attachments. Attackers design phishing campaigns that exploit social engineering tactics to trick users into downloading and running payloads that hijack and compromise their systems.

Conclusion

LostTrust is one of the key emerging ransomware threats of 2023, which means that companies must be equipped with the necessary capabilities to detect and prevent infection. One way they can ensure protection is by uploading any suspicious email to ANY.RUN to determine if it is malicious or not.

ANY.RUN is fully interactive and lets you engage with the infected system like you would on your own computer but in a safe cloud environment. The service automatically generates a comprehensive report on the analyzed file or link and presents its verdict as well as IOCs and malware config.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Phorpiex screenshot
Phorpiex
phorpiex
Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit.
Read More
Balada Injector screenshot
Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities.
Read More
Trojan screenshot
Trojan
trojan trojan horse
Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.
Read More