
Executive Summary
SquadLocker recently appeared as a new ransomware threat promoted by its operators as an advanced tool with “double encryption levels” and full features developed in C#/.NET/C++.
The available evidence includes images consistent with the execution or demonstration of the ransomware, a ransom note named SquadLocker_ReadMe.txt, files using the .SquadLocker extension and a publicly reported sample under analysis. The ransom note claims the use of AES-256 and RSA-4096, the deletion or encryption of backups, the exfiltration of sensitive data and a ransom demand of USD 300 in Bitcoin.
However, the set of capabilities announced by the actor has not yet been validated. The mix of declared algorithms, partially described functions and public questions about its stability suggests an early-stage threat, with signs of immature development but aggressive technical marketing.
Key Judgments
- SquadLocker shows initial signs consistent with a functional ransomware threat or a ransomware in demonstration phase, but there is not enough evidence to confirm a sustained operation against real victims.
- The actor announces a broad set of capabilities, including hybrid encryption, a multi-stage dropper, UAC bypass, evasion, backup deletion, local and network encryption, file theft and log clearing.
- The technical consistency of the announcement requires validation. The combination of cryptographic schemes mentioned by the actor could reflect modularity, technical confusion, recycled commercial language or exaggerated capabilities.
- The USD 300 ransom amount, Telegram-based contact and public discussion with another actor suggest an incipient or low-cost operational model.
What Happened
SquadLocker operators released promotional information describing the malware as an advanced ransomware with encryption, evasion, deployment and information-theft capabilities.
Among the announced functions are hybrid ChaCha20 + ECIES encryption, partial encryption, multi-stage dropper architecture, UAC bypass, polymorphic obfuscation, behavioral evasion, an automated build pipeline, backup deletion, encryption of local drives and network resources, file theft, Windows Defender disabling, log clearing, dynamic wallpaper, intermittent encryption, multithreaded encryption and unique IV generation per file.
The available images show a ransom note stating that files were encrypted, backups were deleted or encrypted and sensitive data had allegedly been exfiltrated. The .SquadLocker extension is also visible on encrypted files.
A circulating sample was also identified with the SHA1 hash d20233110f648c434132e2917681c8d31e7128c9. The existence of these artifacts allows SquadLocker to be treated as an emerging threat under analysis, but it does not automatically validate all capabilities announced by the actor.
Operational Assessment
SquadLocker is an early-stage ransomware threat. The contrast between the promoted capability list and public signs of technical immaturity is relevant. The ransom note mentions AES-256 and RSA-4096, while the actor’s communication also lists ChaCha20 + ECIES, Salsa20, RSA-2048 and AES-256-CBC. This overlap may reflect different development stages, non-integrated components or a commercially imprecise presentation.
Although it is not yet possible to determine whether those functions are correctly implemented or whether they could cause file corruption, race conditions or failures during the encryption process, the mention of partial and multithreaded encryption may indicate an intention to accelerate impact on compromised systems.
The public discussion with another actor in the ransomware ecosystem reinforces this caution. In the observed conversation, some functions are questioned as not being fully operational, and the alleged developer is challenged about thread-synchronization issues during encryption. This exchange does not prove technical failures by itself, but it provides a useful indicator of perceived immaturity within the criminal or hacktivist environment itself.
The use of Telegram as a contact and negotiation channel, together with a low ransom demand, also suggests a low-barrier operational model. Kaspersky has previously documented actors using Telegram to negotiate with victims and relying on leaked or reused builders, illustrating how part of the ransomware ecosystem can operate with low-cost tools and public promotion.
Intelligence Significance
The appearance of SquadLocker warrants monitoring because it represents an early signal within the low-cost and rapidly promoted ransomware ecosystem.
Although the actor attempts to present the malware as an advanced tool, the available evidence suggests a still immature but potentially dangerous threat. Its immature condition does not make it irrelevant. Immature families, incomplete builders or low-quality projects can still cause real damage if used against users, small organizations or environments with weak controls.
The main intelligence interest is to determine whether SquadLocker evolves into an operational tool, remains an incomplete demonstration or functions as a reputation-building component for actors seeking entry into the criminal market.
The existence of a reported sample enables technical analysis to confirm critical capabilities: the real encryption scheme, cryptographic robustness, handling of large files, partial encryption, backup deletion, network execution, persistence, evasion, external communication and exfiltration behavior.
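As an added triage helper (not code from the iQBlack report, and not SquadLocker's own code), the following checks a file set for the artifacts the report names (the .SquadLocker extension, the SquadLocker_ReadMe.txt note, the reported SHA1) and profiles per-chunk entropy of renamed files, so an analyst can tell whole-file encryption from the partial or intermittent encryption listed among the capabilities still to be confirmed. The sample contents are constructed, and the triage/scan_files names and the 7.0 bits-per-byte threshold are this example's own choices.

```python
import hashlib
import math
from collections import Counter

REPORTED_SHA1 = "d20233110f648c434132e2917681c8d31e7128c9"  # SHA1 quoted in the report
NOTE_NAME = "SquadLocker_ReadMe.txt"
EXTENSION = ".SquadLocker"
HIGH_ENTROPY = 7.0  # bits/byte; a chunk at or above this looks encrypted or compressed

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, chunk: int = 4096) -> list:
    """Entropy of each fixed-size chunk; mixed high and low values hint at partial encryption."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def classify_profile(profile: list) -> str:
    """'full' if every chunk is high-entropy, 'partial' if only some are, else 'none'."""
    high = sum(1 for e in profile if e >= HIGH_ENTROPY)
    if high == 0:
        return "none"
    return "full" if high == len(profile) else "partial"

def triage(name: str, data: bytes) -> list:
    """Indicator tags for one file (name plus contents); an empty list means no match."""
    tags = []
    if name == NOTE_NAME:
        tags.append("ransom_note")
    if hashlib.sha1(data).hexdigest() == REPORTED_SHA1:
        tags.append("reported_sample")
    if name.endswith(EXTENSION):  # how much of the renamed file is actually ciphertext?
        tags.append("enc_" + classify_profile(entropy_profile(data)))
    return tags

def scan_files(files: dict) -> dict:
    """Run triage over a {name: bytes} mapping (e.g. built from os.walk) and keep the hits."""
    return {name: tags for name, data in files.items() if (tags := triage(name, data))}

def demo() -> dict:
    """Constructed sample set; SHA-256 digests stand in for ciphertext."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # 8 KiB
    return scan_files({
        NOTE_NAME: b"Your files have been encrypted",
        "report.docx" + EXTENSION: noise,                  # whole-file encryption
        "db.bak" + EXTENSION: noise[:4096] + bytes(8192),  # intermittent: only first chunk
        "notes.txt": b"plain text\n" * 50,                 # untouched file
    })
```

A consistent "enc_partial" verdict across many renamed files is the observable that would substantiate the partial or intermittent encryption claim; "enc_none" on renamed files would point the other way, toward a demonstration build.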
If these capabilities are confirmed, SquadLocker could escalate as a practical threat. If they are not confirmed, it will remain relevant as an example of aggressive technical marketing in emerging ransomware projects.
Analytical Closing
SquadLocker appears as a new ransomware threat with initial signs of activity, but still without enough evidence to consider it a mature or technically consolidated family.
Until real technical evidence is available, iQBlack assesses SquadLocker as an emerging threat under validation. Its immediate intelligence value lies in the combination of observable artifacts, public promotion of capabilities and signs of technical immaturity within the very ecosystem where it is attempting to position itself.