CYFIRMA Researchers Identify 'Friends' Ransomware Employing Double-Extortion Tactics

New 'Friends' Ransomware Strain Uses Double-Extortion Strategy

Severity: HIGH
July 3, 2026
Categories: Ransomware, Malware, Threat Intelligence


Executive Summary

Researchers from the cybersecurity firm CYFIRMA have identified a new ransomware family dubbed 'Friends'. This malware operates on a double-extortion model, a tactic that has become standard practice for modern ransomware groups. The ransomware encrypts files on the victim's system, appending the .friends124 extension, and simultaneously exfiltrates sensitive data. A ransom note, RANSOM_NOTE.html, is dropped on the compromised system, threatening to publish or sell the stolen data if the victim fails to make contact and pay the ransom. CYFIRMA assesses that this is likely an early version of the malware and expects it to evolve with more sophisticated features in the future.

Threat Overview

The 'Friends' ransomware follows a well-established attack pattern for double-extortion groups:

  1. Initial Compromise: The initial access vector is currently unknown but typically involves methods like phishing, exploiting unpatched vulnerabilities, or using stolen credentials.
  2. Data Exfiltration: Before encryption, the attackers locate and steal valuable corporate and personal data (T1041). This data serves as the primary leverage for extortion.
  3. Encryption: The ransomware then encrypts files across the compromised network, appending the .friends124 extension to each file. This action disrupts business operations and renders data inaccessible.
  4. Extortion: The attackers drop the RANSOM_NOTE.html file, which contains instructions for contacting them, a threat to leak the exfiltrated data, and an offer to decrypt a few files for free to prove their capability. The note also includes a deadline, after which the ransom demand will increase.

This two-pronged approach puts immense pressure on victims, as paying the ransom is positioned as the only way to both restore operations and prevent a damaging public data leak.

Technical Analysis

The 'Friends' ransomware performs the following key actions on a compromised system:

  • File Encryption (T1486): It systematically traverses the file system, identifies files to encrypt based on a predefined list of extensions (or by excluding system-critical files), and encrypts them using a strong cryptographic algorithm. The .friends124 extension is appended to the filename of each encrypted file.
  • Ransom Note Creation: It creates an HTML file named RANSOM_NOTE.html in multiple directories on the system. This file serves as the communication channel with the victim.
  • Defense Evasion (Anticipated): While not detailed in the initial report, CYFIRMA anticipates future versions will likely incorporate techniques to disable security software (T1562.001), delete volume shadow copies (T1490) to prevent easy recovery, and use anti-analysis techniques to hinder reverse engineering.

Impact Assessment

As with any double-extortion ransomware attack, the potential impact on a victim organization is severe:

  • Operational Disruption: Encryption of critical files can bring business operations to a complete halt, leading to significant revenue loss.
  • Data Breach and Reputational Damage: The public leak of sensitive corporate data, customer information, or intellectual property can cause irreparable reputational damage and loss of customer trust.
  • Regulatory Fines: If personal data is leaked, the organization can face substantial fines under regulations like GDPR or CCPA.
  • Recovery Costs: Even if a ransom is not paid, the costs of rebuilding systems, restoring from backups (if available), and conducting a forensic investigation can be exorbitant.

IOCs — Directly from Articles

  Type        Value              Description
  File Name   RANSOM_NOTE.html   The name of the ransom note file dropped by the malware.
  File Name   *.friends124       The file extension appended to encrypted files.

Detection & Response

Detecting 'Friends' ransomware involves monitoring for its specific indicators and general ransomware behaviors:

  1. File-Based Detection: Create detection rules in EDR and antivirus solutions to look for the creation of files named RANSOM_NOTE.html or files with the .friends124 extension.
  2. Behavioral Detection: Use EDR/XDR to monitor for rapid, high-volume file modification and encryption activity, which is a strong indicator of ransomware. This is a form of D3FEND's File Analysis.
  3. Network Monitoring: Monitor for large, unexpected outbound data flows, which could indicate the data exfiltration phase that precedes encryption. This aligns with D3FEND's Network Traffic Analysis.
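To make the file-based and behavioral rules above concrete, here is an added example (not from the CYFIRMA report or this article) that applies the two published IOCs and a write-burst heuristic to constructed file-event log lines; the log format, process IDs and burst thresholds are assumptions.

```python
"""Detection logic for the 'Friends' ransomware indicators described above.

Added example (not from the CYFIRMA report): applies the two published IOCs
(RANSOM_NOTE.html drops, the .friends124 extension) and a write-burst
heuristic to constructed '<ts> <pid> <action> <path>' file-event log lines.
"""
from collections import defaultdict, deque

RANSOM_NOTE = "RANSOM_NOTE.html"   # IOC from the report
ENCRYPTED_EXT = ".friends124"      # IOC from the report
BURST_THRESHOLD = 20               # assumed tuning: writes/renames per window per process
BURST_WINDOW = 5.0                 # seconds (assumed tuning)

def parse_event(line):
    """Parse one constructed log line: '<ts> <pid> <action> <path>'."""
    ts, pid, action, path = line.split(" ", 3)
    return float(ts), int(pid), action, path

def detect(lines):
    """Return (rule, pid, detail) alerts for the given file-event lines."""
    alerts = []
    recent = defaultdict(deque)    # pid -> timestamps of recent write/rename events
    burst_flagged = set()          # alert once per bursting process
    for line in lines:
        ts, pid, action, path = parse_event(line)
        name = path.rsplit("/", 1)[-1]
        # Rule 1 (file-based): ransom note dropped
        if action == "create" and name == RANSOM_NOTE:
            alerts.append(("ransom_note", pid, path))
        # Rule 2 (file-based): encrypted-file extension appears on disk
        if name.endswith(ENCRYPTED_EXT):
            alerts.append(("friends124_ext", pid, path))
        # Rule 3 (behavioral): many writes/renames by one process in a short window
        if action in ("write", "rename"):
            q = recent[pid]
            q.append(ts)
            while q and ts - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) >= BURST_THRESHOLD and pid not in burst_flagged:
                burst_flagged.add(pid)
                alerts.append(("write_burst", pid, f"{len(q)} writes in {BURST_WINDOW}s"))
    return alerts

# Constructed sample log: a benign editor (pid 100) and a ransomware-like burst (pid 200).
SAMPLE_LOG = ["1.0 100 write /home/analyst/notes.txt"]
SAMPLE_LOG += [f"{2.0 + i * 0.1:.1f} 200 rename /srv/share/doc{i}.docx.friends124" for i in range(25)]
SAMPLE_LOG += ["5.0 200 create /srv/share/RANSOM_NOTE.html"]
```

Running detect(SAMPLE_LOG) yields one friends124_ext alert per renamed file, a single write_burst alert for pid 200 once it crosses the threshold, and a ransom_note alert for the dropped note; the benign editor produces nothing.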

Mitigation

Standard ransomware mitigation best practices apply:

  1. Backup and Recovery: Maintain regular, offline, and immutable backups of critical data. Test the restoration process frequently to ensure backups are viable. This is the most critical defense against the encryption portion of the attack.
  2. Security Awareness Training: Train employees to recognize and report phishing emails, which are a primary initial access vector for ransomware.
  3. Patch Management: Keep all operating systems, software, and firmware patched to prevent attackers from exploiting known vulnerabilities for initial access.
  4. Network Segmentation: Segment the network to prevent the rapid lateral movement of ransomware. Critical systems should be isolated in secure zones.

Timeline of Events

July 3, 2026: This article was published.

MITRE ATT&CK Mitigations

Use endpoint protection with behavioral analysis to detect and block ransomware activity, such as rapid file encryption.

The most critical mitigation is to maintain offline, immutable backups of data to enable recovery without paying a ransom.

Train users to recognize phishing emails, a common initial access vector for ransomware.

D3FEND Defensive Countermeasures

The cornerstone of ransomware resilience is a robust backup strategy. Organizations must implement the 3-2-1 backup rule (3 copies, 2 different media, 1 offsite). Crucially, the offsite or cloud-based backup copy must be immutable, meaning it cannot be altered or deleted for a set period. This prevents ransomware, even if it compromises administrative accounts, from deleting the backups. Regularly test the restoration process from these immutable backups to ensure data integrity and to validate that you can meet your Recovery Time Objectives (RTOs). This directly counters the encryption portion of the 'Friends' ransomware attack.

Deploy an Endpoint Detection and Response (EDR) solution with canary file capabilities. This involves placing hidden 'bait' files across file shares and endpoints. The EDR system monitors these canary files for any modification. Since ransomware encrypts files indiscriminately, it will attempt to encrypt these bait files, triggering a high-confidence alert. Advanced EDRs can then automatically isolate the infected host from the network to stop the ransomware from spreading, and even terminate the offending process. This provides a last line of defense to detect and contain an active ransomware attack in real time.
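The canary-file mechanism described above, as an added example that is not EDR vendor code or part of the original report: it seeds bait files, baselines their hashes, and reports any canary that was modified, removed, or renamed with the .friends124 extension. The canary file name and share paths are assumptions.

```python
"""Canary ('bait') file check for the EDR approach described above (added
example, not vendor or report code): seeds canaries, baselines their SHA-256,
and reports any that were modified, removed, or renamed with .friends124.
Canary name and share paths are assumptions."""
import hashlib
import tempfile
from pathlib import Path

CANARY_NAME = ".~canary_do_not_touch.docx"   # assumed hidden bait file name
ENCRYPTED_EXT = ".friends124"               # IOC from the report

def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def seed_canaries(directories):
    """Create one canary per directory; return {path: sha256} baseline."""
    baseline = {}
    for d in directories:
        p = Path(d) / CANARY_NAME
        p.write_bytes(b"canary: any change to this file indicates tampering\n")
        baseline[str(p)] = _sha256(p)
    return baseline

def check_canaries(baseline):
    """Compare canaries to the baseline; return [(path, finding)] alerts."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            # Ransomware often renames in place when appending its extension.
            if Path(path + ENCRYPTED_EXT).exists():
                alerts.append((path, "renamed_with_friends124_ext"))
            else:
                alerts.append((path, "missing"))
        elif _sha256(p) != digest:
            alerts.append((path, "modified"))
    return alerts

def run_demo():
    """Constructed scenario: two shares; share1's canary is overwritten and renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        shares = [Path(tmp) / "share1", Path(tmp) / "share2"]
        for s in shares:
            s.mkdir()
        baseline = seed_canaries(shares)
        victim = shares[0] / CANARY_NAME
        victim.write_bytes(b"\x00" * 64)                # stand-in for ciphertext
        victim.rename(str(victim) + ENCRYPTED_EXT)     # extension appended
        return check_canaries(baseline)
```

In production the baseline would be kept off the monitored host and check_canaries run on a tight schedule or from file-system event hooks, with the alert wired to host isolation.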

To combat the double-extortion tactic, implement strict egress filtering on your network perimeter. Block all outbound traffic by default and only allow connections to known-good destinations required for business operations. This can prevent or at least hinder the data exfiltration phase of the 'Friends' ransomware attack. Combine this with a Data Loss Prevention (DLP) solution that inspects allowed outbound traffic for sensitive data patterns. Even if the attackers have an allowed channel, the DLP can detect and block the theft of PII, financial data, or intellectual property.

Sources & References

Weekly Intelligence Report - 03 Jul 2026
CYFIRMA (cyfirma.com) July 3, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

Friends Ransomware, Ransomware, Malware, Double Extortion, CYFIRMA, Data Encryption
