Obscura Ransomware Variant Targets Domain Controllers via NETLOGON Replication
September 12th, 2025
High

Our Cyber Threat Intelligence Unit has identified a new ransomware variant, Obscura, that abuses Active Directory domain controller (DC) mechanics to achieve rapid enterprise-wide distribution. Investigators confirmed that the ransomware binary was placed in C:\WINDOWS\sysvol\sysvol\[domain].local\scripts\, the folder that every DC publishes to domain members as the NETLOGON share; SYSVOL replication copies anything written there to every DC in the domain, and the binary was then executed on multiple hosts. Note that placement alone does not run the file: it must be invoked on each endpoint (for example by a logon script or a GPO), and the invocation mechanism has not been confirmed. Obscura is a Go-based ransomware that checks for administrator privileges before running and deploys aggressive countermeasures to disable defenses, delete backups, and maximize impact. Indicators include a scheduled task named SystemUpdate, a firewall change that enables RDP, and ransom notes named README-OBSCURA.txt or README_Obscura.txt. Initial access vectors remain unconfirmed.
Technical Details
Attack Type: Ransomware (domain-controller–assisted distribution)
Severity: High
Delivery Method: Binary placed in the SYSVOL scripts folder (exposed as the NETLOGON share), replicated to every domain controller by SYSVOL replication, and executed on endpoints.
Attack Chain/Method:
Enforces administrator privileges; terminates if not elevated.
Deletes shadow copies using:
vssadmin delete shadows /all /quiet
Terminates more than 120 processes, including antivirus, backup, and database services.
Uses Curve25519 for key exchange and XChaCha20 for file encryption.
Each encrypted file receives a 64-byte footer (8-byte magic + 32 + 24 = 64):
OBSCURA! [32-byte public key] [24-byte nonce]
Creates persistence via the scheduled task SystemUpdate.
Opens the Windows Firewall to Remote Desktop using the legacy netsh firewall syntax:
netsh firewall set service type = remotedesktop mode = enable
Drops ransom notes named:
README-OBSCURA.txt and README_Obscura.txt
Ransom notes include double-extortion threats with ~240-hour (10-day) response deadlines.
Platform Impacted: Windows Active Directory environments (Domain Controllers and replicated endpoints).
Propagation: Limited to abuse of SYSVOL/NETLOGON replication; lateral-movement code was present in the binary but incomplete.

Impact
Domain-wide encryption: A single write to the NETLOGON folder reaches every DC and every domain member that maps the share, so many systems can be hit at once.
Defense neutralization: Backup deletion and AV process kills significantly increase recovery difficulty.
Data exfiltration risk: Ransom notes assert double-extortion tactics.
Operational disruption: Service termination (databases, backup agents) plus VSS deletion hinder business continuity.
Detection Method
Alert when executables are created or modified in the SYSVOL scripts folder on any DC (the same folder is reachable over SMB as \\<dc>\NETLOGON, so include writes via the share path):
C:\Windows\SYSVOL\sysvol\<domain>\scripts\
Monitor for:
vssadmin delete shadows /all /quiet execution
netsh firewall set service type = remotedesktop mode = enable
Bursts of process terminations on one host in a short window (the binary kills more than 120 processes, including AV, backup, and database services)
Detect suspicious scheduled task names such as SystemUpdate.
Identify ransom notes README-OBSCURA.txt / README_Obscura.txt and the OBSCURA! file footer.
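The detection points listed above, expressed as rule logic over process-creation, file-creation, and process-termination telemetry. This is an added example, not the advisory's own content; the flat Sysmon-style event fields, the rule names, the 20-per-minute termination threshold, and the sample events are all assumptions constructed for illustration. It goes beyond the advisory in two places: it also matches the current netsh advfirewall syntax for enabling Remote Desktop, and it accepts the NETLOGON share path as well as the on-disk SYSVOL path, since both name the same folder.

```python
"""Rule logic for the Obscura behaviours in this advisory, run over constructed
Sysmon-style events. Added example, not the advisory's own rules. The flat event
fields (event_id, host, utc, command_line, target_filename), the thresholds and
the sample events are assumptions, not data from a real incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

PROC_CREATE, PROC_TERMINATE, FILE_CREATE = 1, 5, 11   # Sysmon event IDs

# The on-disk SYSVOL scripts folder and the NETLOGON share are the same place.
SYSVOL_SCRIPTS = re.compile(r"\\sysvol\\sysvol\\[^\\]+\\scripts\\", re.I)
NETLOGON_SHARE = re.compile(r"^\\\\[^\\]+\\netlogon\\", re.I)
PE_EXT = (".exe", ".dll", ".scr", ".com")   # logon .bat/.vbs/.ps1 are normal here
TASK_RE = re.compile(r'/tn\s+"?systemupdate"?(?=\s|$)')


def _norm(cmd: str) -> str:
    """Lower-case, collapse whitespace and strip spaces around '=' so that
    'type = remotedesktop' and 'type=remotedesktop' compare equal."""
    return re.sub(r"\s*=\s*", "=", " ".join(cmd.lower().split()))


def is_shadow_delete(cmd: str) -> bool:
    c = _norm(cmd)
    return "vssadmin" in c and "delete" in c and "shadows" in c


def is_rdp_firewall_enable(cmd: str) -> bool:
    c = _norm(cmd)
    legacy = "netsh" in c and "firewall" in c and "type=remotedesktop" in c and "mode=enable" in c
    # Generalisation beyond the advisory: the advfirewall form of the same change.
    modern = "netsh" in c and "advfirewall" in c and '"remote desktop"' in c and "enable=yes" in c
    return legacy or modern


def is_systemupdate_task(cmd: str) -> bool:
    c = _norm(cmd)
    return "schtasks" in c and "/create" in c and TASK_RE.search(c) is not None


def is_sysvol_pe_drop(path: str) -> bool:
    return path.lower().endswith(PE_EXT) and bool(
        SYSVOL_SCRIPTS.search(path) or NETLOGON_SHARE.search(path))


def mass_termination(events: Iterable[dict], window: timedelta = timedelta(seconds=60),
                     threshold: int = 20) -> Dict[str, int]:
    """Hosts with more than `threshold` process-terminate events inside any
    `window`, as {host: peak count}. Obscura kills 120+ processes, so 20 per
    minute (an assumed value, tune per environment) is a conservative bar."""
    by_host: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["event_id"] == PROC_TERMINATE:
            by_host[e["host"]].append(datetime.fromisoformat(e["utc"]))
    flagged: Dict[str, int] = {}
    for host, times in by_host.items():
        times.sort()
        start = peak = 0
        for end in range(len(times)):           # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[host] = peak
    return flagged


def evaluate(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (host, rule) pairs for every event or host that matches a rule."""
    alerts: List[Tuple[str, str]] = []
    for e in events:
        if e["event_id"] == PROC_CREATE:
            cmd = e.get("command_line", "")
            for name, rule in (("shadow_copy_deletion", is_shadow_delete),
                               ("rdp_firewall_enable", is_rdp_firewall_enable),
                               ("systemupdate_task", is_systemupdate_task)):
                if rule(cmd):
                    alerts.append((e["host"], name))
        elif e["event_id"] == FILE_CREATE and is_sysvol_pe_drop(e.get("target_filename", "")):
            alerts.append((e["host"], "sysvol_scripts_pe_drop"))
    for host in mass_termination(events):
        alerts.append((host, "mass_process_termination"))
    return alerts


# Constructed sample telemetry (hostnames, paths and timing are made up).
_T0 = datetime(2025, 9, 12, 3, 0, 0)


def _ev(eid: int, host: str, secs: int, **fields) -> dict:
    return {"event_id": eid, "host": host, "utc": (_T0 + timedelta(seconds=secs)).isoformat(), **fields}


SAMPLE_EVENTS = [
    _ev(FILE_CREATE, "DC01", 0, target_filename=r"C:\Windows\SYSVOL\sysvol\corp.local\scripts\update.exe"),
    _ev(FILE_CREATE, "DC01", 1, target_filename=r"C:\Windows\SYSVOL\sysvol\corp.local\scripts\logon.bat"),
    _ev(PROC_CREATE, "WS07", 10, command_line="vssadmin delete shadows /all /quiet"),
    _ev(PROC_CREATE, "WS07", 11, command_line="netsh firewall set service type = remotedesktop mode = enable"),
    _ev(PROC_CREATE, "WS07", 12, command_line='schtasks /create /tn "SystemUpdate" /tr C:\\Users\\Public\\update.exe /sc onlogon'),
    _ev(PROC_CREATE, "WS08", 13, command_line="vssadmin list shadows"),
] + [_ev(PROC_TERMINATE, "WS07", 20 + 2 * i) for i in range(25)] \
  + [_ev(PROC_TERMINATE, "WS08", 20 + 2 * i) for i in range(3)]

if __name__ == "__main__":
    for host, rule in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The benign events in the sample (a logon.bat written to the scripts folder, a vssadmin list shadows on another host, three ordinary process exits) produce no alerts; the five that fire map one-to-one onto the detection points above. The termination counter is the noisiest of the rules and should be correlated with the others rather than paged on alone.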
Indicators of Compromise
Type | Indicator
SHA-256 hash | c00a2d757349bfff4d7e0665446101d2ab46a1734308cb3704f93d20dc7aac23

Recommendations
Audit NETLOGON: Review the SYSVOL scripts folder (the NETLOGON share) on every DC for unauthorized binaries; remove them and block execution of the known hash.
Privilege hardening: Enforce strict controls on administrative privileges and monitor suspicious escalations.
Restrict DC script paths: Limit write/modify access on the SYSVOL scripts folder to tightly controlled groups, and enable object-access auditing on it so that every write is logged.
Enhance monitoring: Deploy SIEM/EDR rules for executables written to or launched from NETLOGON, ransom note creation, and the OBSCURA! footer.
Backup resilience: Ensure immutable/offline backups are available and regularly tested, accounting for shadow copy deletion.
Containment actions: Isolate affected hosts, remove the binary from SYSVOL and confirm the deletion has replicated to every DC, and delete the malicious scheduled task.
Conclusion
Obscura demonstrates how domain controller infrastructure can be weaponized for rapid, wide-scale ransomware deployment across a domain. By abusing SYSVOL/NETLOGON replication, deleting backups, and refusing to run without administrator rights, the attackers amplify their impact and complicate recovery. We urge organizations to treat DC script paths as critical attack surface. Monitoring those paths, detecting Obscura's distinctive artifacts quickly, and maintaining strong privilege management are essential to reducing the risk this threat poses.