Lotus ransomware charges 1 BTC. Multi-PC discount possible

March 5, 2021

The SonicWall Capture Labs threat research team has observed reports of a variant from the Crysis/Dharma ransomware family called Lotus.  The operators of this malware charge 1 BTC ($49K USD at the time of writing this alert) for file recovery.  However, the price appears to be negotiable after a conversation with the malware operator.


Infection Cycle:


Upon infection, the malware can be seen using the built-in mshta program to display the ransom message:


Files on the system are encrypted and the following extension is appended to their file names:



The following ransom message is displayed on the desktop:


The following files are dropped on to the system:

  • MANUAL.txt (in every directory containing encrypted files)
  • %APPDATA%\Roaming\{original malware file name} [Detected as: GAV: Lotus.RSM (Trojan)]
  • %APPDATA%\Roaming\Info.hta (contains message shown above)
  • %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (contains message shown above)
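The drop locations above are the host artifacts a responder can sweep for: the Info.hta copy in the Startup folder is what re-displays the note at each logon via mshta, and MANUAL.txt marks every directory whose contents were encrypted. The following triage helper is an added example (not SonicWall's tooling); it assumes the relative layout listed in the alert under a caller-supplied AppData path, builds a constructed throw-away tree to run against, and skips the encrypted-file extension because the text does not give it.

```python
"""Triage helper for the Lotus (Crysis/Dharma) drop artifacts listed above."""
import os
import tempfile
from pathlib import Path

# Drop locations from the alert, relative to the AppData directory.
# Constructed from the page; the appended extension is not given in the
# text, so detection here rests on the ransom-note artifacts only.
INFO_HTA_DROPS = (
    Path("Roaming/Info.hta"),
    Path("Roaming/Microsoft/Windows/Start Menu/Programs/Startup/Info.hta"),
)
RANSOM_NOTE = "MANUAL.txt"


def scan_for_lotus(appdata, data_roots):
    """Return (hta_hits, note_dirs).

    appdata    -- directory standing in for %APPDATA% (assumed layout)
    data_roots -- directories to walk for MANUAL.txt notes
    hta_hits lists Info.hta drops present; note_dirs lists every directory
    holding a MANUAL.txt, i.e. directories with encrypted content.
    """
    appdata = Path(appdata)
    hta_hits = [str(appdata / rel) for rel in INFO_HTA_DROPS
                if (appdata / rel).is_file()]
    note_dirs = []
    for root in data_roots:
        for dirpath, _dirs, files in os.walk(root):
            if RANSOM_NOTE in files:
                note_dirs.append(dirpath)
    return hta_hits, sorted(note_dirs)


def build_sample_tree():
    """Create a constructed, throw-away layout mimicking an infected profile."""
    base = Path(tempfile.mkdtemp(prefix="lotus_demo_"))
    appdata = base / "AppData"
    for rel in INFO_HTA_DROPS:
        (appdata / rel).parent.mkdir(parents=True, exist_ok=True)
        (appdata / rel).write_text("<html>placeholder ransom note</html>")
    docs = base / "Documents"
    (docs / "reports").mkdir(parents=True)
    (docs / RANSOM_NOTE).write_text("placeholder note")
    (docs / "reports" / RANSOM_NOTE).write_text("placeholder note")
    (base / "Pictures").mkdir()  # clean directory: no note dropped here
    return base


def demo():
    """Run the scan over the constructed tree; returns (hta count, note dirs)."""
    base = build_sample_tree()
    hta, notes = scan_for_lotus(base / "AppData",
                                [base / "Documents", base / "Pictures"])
    return len(hta), [Path(d).relative_to(base).as_posix() for d in notes]


if __name__ == "__main__":
    print(demo())  # (2, ['Documents', 'Documents/reports'])
```

On a live host, point `scan_for_lotus` at the real %APPDATA% and the user's data directories; any hit on the Startup-folder Info.hta is also the persistence entry to remove once the machine is isolated.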


MANUAL.txt contains the following text:


We reached out to the supplied emails and had the following conversation with the ransomware operator:


The operator asks how many PCs we would like to recover. This leads us to believe that the malware is aimed at large organizations:


We check whether a further discount can be negotiated when multiple PCs are infected:


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Lotus.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.