AHP Ransomware Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on AHP ransomware, the latest version of the Dharma ransomware family, which targets Windows-based systems.
Updated on April 19, 2023
Published on October 1, 2020
AHP ransomware, a malicious program belonging to the Dharma ransomware family, was spotted in September 2020. It specifically infects Windows-based systems. The ransomware is designed to encrypt data and demand a ransom in exchange for decryption tools. It is delivered through thousands of phishing emails and is also spread via other infection vectors such as spam campaigns, illegal activation tools ("cracks"), fake updaters, and untrustworthy download sources. When the ransomware encrypts files, it renames them according to the following schema: the original filename, a unique ID assigned to the victim, the cybercriminals' email address, and the ".AHP" extension. For example, a file titled "one[.]jpg" would appear as "one[.]jpg[.]id-C279F237.[[email protected]].AHP" once encrypted.

Further, a ransom note (fig.1) is displayed in a pop-up window. The note states that the victim's data is "locked" and instructs the victim to contact the cybercriminals behind the attack via email. The text shown in the pop-up window provides slightly more information about the infection.

Fig.1 Ransom note pop-up window

Indicators of Compromise

  1. Encrypted Files Extension - .AHP
  2. Cyber Criminal Contact - aihlp24@tuta[.]io, aihlp@protonmail[.]com
  3. MD5 - b94264963a9dd9ace614cef5668515da
  4. SHA1 - 2f7bc3d3121074c7404e078e313bf6ba7d214f90
  5. SHA256 - 5560b7207f4864f73e4331e934d86a381d77a8848e2a7d22bf45e73ab2aa81b5
  6. SSDEEP - 1536:mBwl+KXpsqN5vlwWYyhY9S4APmdP1/LutCA3J33fagQqk3DWd9S:Qw+asqN5aW/hLGPZLuV3x3fa48qd9
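The renaming schema described above and the indicators listed in this section are the two things a responder can check for mechanically. The following Python script is an added example written for this advisory, not CloudSEK's own tooling: it parses file names against the Dharma-style pattern (original name, "id-" plus victim ID, bracketed contact address, ".AHP"), flags contact addresses that are not among the two listed here, and compares a file's MD5/SHA1/SHA256 digests with the sample hashes above. The defanged "[.]" notation is re-fanged to "." for matching. Because the contact address in the page's filename example is redacted, the constructed sample listing uses the addresses from the IoC list instead; the assumption that the victim ID is always eight hexadecimal characters is taken from the single example (C279F237) and is an assumption, not a stated fact.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators copied from the advisory's IoC section ("[.]" re-fanged to ".").
AHP_EXTENSION = ".AHP"
AHP_CONTACT_EMAILS = {"aihlp24@tuta.io", "aihlp@protonmail.com"}
AHP_SAMPLE_HASHES = {
    "md5": "b94264963a9dd9ace614cef5668515da",
    "sha1": "2f7bc3d3121074c7404e078e313bf6ba7d214f90",
    "sha256": "5560b7207f4864f73e4331e934d86a381d77a8848e2a7d22bf45e73ab2aa81b5",
}

# Renaming schema from the advisory:
#   <original filename>.id-<victim ID>.[<attacker email>].AHP
# The 8-hex-digit victim ID width is assumed from the example "C279F237".
AHP_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\[\]]+)\]\.AHP$"
)


@dataclass
class EncryptedName:
    original: str        # filename before encryption
    victim_id: str       # per-victim ID appended by the ransomware
    email: str           # contact address embedded in the name
    known_contact: bool  # True if the address is one listed in the advisory


def parse_ahp_name(filename: str) -> Optional[EncryptedName]:
    """Return the schema components if `filename` matches the AHP rename pattern, else None."""
    m = AHP_NAME_RE.match(filename)
    if m is None:
        return None
    email = m.group("email")
    return EncryptedName(
        original=m.group("original"),
        victim_id=m.group("victim_id").upper(),
        email=email,
        known_contact=email.lower() in AHP_CONTACT_EMAILS,
    )


def matching_hash_iocs(data: bytes) -> List[str]:
    """Names of the hash algorithms whose digest of `data` equals the advisory's sample hashes."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return [alg for alg, h in digests.items() if h == AHP_SAMPLE_HASHES[alg]]


def summarize_names(filenames: List[str]) -> Dict[str, object]:
    """Triage a directory listing: how many names match the schema, which IDs and addresses appear."""
    hits = [p for p in map(parse_ahp_name, filenames) if p is not None]
    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({h.victim_id for h in hits}),
        "contact_emails": sorted({h.email for h in hits}),
        # Addresses not in the advisory: worth a second look, possibly a newer variant.
        "unknown_contacts": sorted({h.email for h in hits if not h.known_contact}),
    }


# Constructed sample listing (not from a real incident). The victim ID is the one
# shown in the advisory's example; the first two addresses are the advisory's IoCs.
SAMPLE_LISTING = [
    "one.jpg.id-C279F237.[aihlp24@tuta.io].AHP",
    "budget.xlsx.id-C279F237.[aihlp@protonmail.com].AHP",
    "notes.txt",
    "photo.png.id-C279F237.[unlisted@example.invalid].AHP",
]

if __name__ == "__main__":
    print(summarize_names(SAMPLE_LISTING))
    # Constructed bytes, so no hash indicator matches and an empty list is printed.
    print(matching_hash_iocs(b"constructed harmless bytes"))
```

Run the script against a real listing by replacing SAMPLE_LISTING with the names from the affected share; a single victim ID across all hits is consistent with one infected host, while a contact address absent from the IoC list suggests the sample differs from the one hashed above.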

Preventive Measures

  1. Download applications from an authentic source.
  2. Create a backup for your most important files, on a regular basis.
  3. Personalize your anti-spam settings.
  4. Patch and update your software and system.
  5. Use a reputable antivirus product that blocks unwanted execution.
  6. Do not click on suspicious links.
  7. Spread awareness about such threats among users.
