Researchers from the cybersecurity firm CYFIRMA have identified a new ransomware family dubbed 'Friends'. This malware operates on a double-extortion model, a tactic that has become standard practice for modern ransomware groups. The ransomware encrypts files on the victim's system, appending the .friends124 extension, and simultaneously exfiltrates sensitive data. A ransom note, RANSOM_NOTE.html, is dropped on the compromised system, threatening to publish or sell the stolen data if the victim fails to make contact and pay the ransom. CYFIRMA assesses that this is likely an early version of the malware and expects it to evolve with more sophisticated features in the future.
The 'Friends' ransomware follows a well-established attack pattern for double-extortion groups:
Data exfiltration (T1041): Sensitive data is exfiltrated from the victim's system. This data serves as the primary leverage for extortion.
File encryption: Files are encrypted and the .friends124 extension is appended to each file. This action disrupts business operations and renders data inaccessible.
Ransom note: The attackers drop a RANSOM_NOTE.html file, which contains instructions for contacting them, a threat to leak the exfiltrated data, and an offer to decrypt a few files for free to prove their capability. The note also includes a deadline, after which the ransom demand will increase.
This two-pronged approach puts immense pressure on victims, as paying the ransom is positioned as the only way to both restore operations and prevent a damaging public data leak.
The 'Friends' ransomware performs the following key actions on a compromised system:
Data Encrypted for Impact (T1486): It systematically traverses the file system, identifies files to encrypt based on a predefined list of extensions (or by excluding system-critical files), and encrypts them using a strong cryptographic algorithm. The .friends124 extension is appended to the filename of each encrypted file.
Ransom note deployment: It drops RANSOM_NOTE.html in multiple directories on the system. This file serves as the communication channel with the victim.
Defense evasion and recovery inhibition: It may also attempt to impair defenses (T1562.001), delete volume shadow copies (T1490) to prevent easy recovery, and use anti-analysis techniques to hinder reverse engineering.
As with any double-extortion ransomware attack, the potential impact on a victim organization is severe.
Known file indicators:
RANSOM_NOTE.html
*.friends124
Detecting 'Friends' ransomware involves monitoring for its specific indicators and general ransomware behaviors:
File System Monitoring: Alert on the creation of RANSOM_NOTE.html or files with the .friends124 extension.
File Analysis.
Network Traffic Analysis.
Standard ransomware mitigation best practices apply:
Use endpoint protection with behavioral analysis to detect and block ransomware activity, such as rapid file encryption.
The most critical mitigation is to maintain offline, immutable backups of data to enable recovery without paying a ransom.
Train users to recognize phishing emails, a common initial access vector for ransomware.
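The detection section above names two file indicators (RANSOM_NOTE.html and the .friends124 extension), the endpoint guidance calls for catching rapid file encryption, and the behaviour section lists shadow-copy deletion (T1490). The following is an added example of that detection logic run over a constructed endpoint-activity log; it is not code from CYFIRMA or the article. The log format (one JSON object per line with time, host, process, op and path or cmdline), the burst thresholds and the vssadmin pattern are assumptions, since the article does not state how the malware deletes shadow copies.

```python
"""Detection logic for the Friends file indicators and related behaviours.
Added example, not code from CYFIRMA or the article. Map your EDR or Sysmon
field names onto the constructed keys used here before deploying."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators named in the article
RANSOM_NOTE = "RANSOM_NOTE.html"
ENCRYPTED_EXT = ".friends124"

# T1490 is listed in the article; the exact command is not, so this
# assumed pattern covers only the common vssadmin form.
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Assumed thresholds: this many encrypted-extension renames by one process
# inside the window is treated as rapid encryption.
BURST_COUNT = 5
BURST_WINDOW = timedelta(seconds=10)

# Constructed sample log: benign activity on two hosts plus one process that
# renames files to .friends124, drops the note and deletes shadow copies.
SAMPLE_LOG = """\
{"time": "2024-01-01T10:00:00", "host": "ws01", "process": "winword.exe", "op": "create", "path": "C:/Users/a/report.docx"}
{"time": "2024-01-01T10:00:01", "host": "ws01", "process": "svc.exe", "op": "rename", "path": "C:/Share/q1.xlsx.friends124"}
{"time": "2024-01-01T10:00:02", "host": "ws01", "process": "svc.exe", "op": "rename", "path": "C:/Share/q2.xlsx.friends124"}
{"time": "2024-01-01T10:00:02", "host": "ws01", "process": "svc.exe", "op": "rename", "path": "C:/Share/plan.pdf.friends124"}
{"time": "2024-01-01T10:00:03", "host": "ws01", "process": "svc.exe", "op": "rename", "path": "C:/Share/notes.txt.friends124"}
{"time": "2024-01-01T10:00:03", "host": "ws01", "process": "svc.exe", "op": "rename", "path": "C:/Share/budget.csv.friends124"}
{"time": "2024-01-01T10:00:04", "host": "ws01", "process": "svc.exe", "op": "create", "path": "C:/Share/RANSOM_NOTE.html"}
{"time": "2024-01-01T10:00:05", "host": "ws01", "process": "cmd.exe", "op": "process_create", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}
{"time": "2024-01-01T10:05:00", "host": "ws02", "process": "explorer.exe", "op": "create", "path": "C:/Users/b/photo.jpg"}
"""


def parse_events(log_text):
    """Parse one JSON event per line, converting timestamps to datetime."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return events


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def detect(events):
    """Run the indicator and behaviour rules over events; return a list of alerts."""
    alerts = []
    windows = defaultdict(list)   # (host, process) -> recent encrypted-extension event times
    burst_reported = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["process"])
        if ev["op"] == "process_create":
            if SHADOW_DELETE_RE.search(ev.get("cmdline", "")):
                alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                               "process": ev["process"], "detail": ev["cmdline"]})
            continue
        name = _basename(ev["path"])
        if name == RANSOM_NOTE:
            alerts.append({"rule": "friends_ransom_note", "host": ev["host"],
                           "process": ev["process"], "detail": ev["path"]})
        if name.lower().endswith(ENCRYPTED_EXT):
            alerts.append({"rule": "friends_encrypted_extension", "host": ev["host"],
                           "process": ev["process"], "detail": ev["path"]})
            win = windows[key]
            win.append(ev["time"])
            while win and ev["time"] - win[0] > BURST_WINDOW:   # slide the window
                win.pop(0)
            if len(win) >= BURST_COUNT and key not in burst_reported:
                burst_reported.add(key)
                alerts.append({"rule": "rapid_encryption_burst", "host": ev["host"],
                               "process": ev["process"],
                               "detail": f"{len(win)} renames within {BURST_WINDOW.seconds}s"})
    return alerts


def alert_counts(alerts):
    """Summarise alerts as {rule: count}."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"[{a['rule']}] {a['host']} {a['process']}: {a['detail']}")
```

The per-file rules fire on every matching event, as a SIEM rule would; the burst rule fires once per process so that a single incident does not flood the queue. The extension and note-name checks are exact, so a future variant that changes either string will only be caught by the behavioural rules.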
The cornerstone of ransomware resilience is a robust backup strategy. Organizations must implement the 3-2-1 backup rule (3 copies, 2 different media, 1 offsite). Crucially, the offsite or cloud-based backup copy must be immutable, meaning it cannot be altered or deleted for a set period. This prevents ransomware, even if it compromises administrative accounts, from deleting the backups. Regularly test the restoration process from these immutable backups to ensure data integrity and to validate that you can meet your Recovery Time Objectives (RTOs). This directly counters the encryption portion of the 'Friends' ransomware attack.
Deploy an Endpoint Detection and Response (EDR) solution with canary file capabilities. This involves placing hidden 'bait' files across file shares and endpoints. The EDR system monitors these canary files for any modification. Since ransomware encrypts files indiscriminately, it will attempt to encrypt these bait files, triggering a high-confidence alert. Advanced EDRs can then automatically isolate the infected host from the network to stop the ransomware from spreading, and even terminate the offending process. This provides a last line of defense to detect and contain an active ransomware attack in real-time.
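The canary-file mechanism just described, as an added example rather than any vendor's EDR code: bait files are written with a hash baseline, and a check reports any canary that has been rewritten in place or has disappeared (which is what a rename to a new extension looks like). The bait file names are constructed, and a real EDR would hook file-system events rather than poll a baseline as this does.

```python
"""Canary (bait) file monitoring. Added example, not an EDR vendor's code:
it polls a hash baseline instead of hooking the file system in real time."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed bait names: look like ordinary leftovers, sort early in
# directory listings, and are never opened by legitimate users.
CANARY_NAMES = ["~$Q4_budget_backup.xlsx", "._archive_2019.docx", "00_invoice_template.pdf"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def deploy_canaries(root, names=CANARY_NAMES):
    """Write bait files under root and return the {path: sha256} baseline."""
    baseline = {}
    for name in names:
        p = Path(root) / name
        # Filler content only; each file differs so the hashes are distinct.
        p.write_bytes((b"canary " + name.encode() + b"\n") * 64)
        baseline[str(p)] = sha256_file(p)
    return baseline


def check_canaries(baseline):
    """Compare each canary with its baseline. Returns [(path, reason)];
    an empty list means no bait file was touched."""
    findings = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))    # deleted, or renamed with a new extension
        elif sha256_file(path) != digest:
            findings.append((path, "modified"))   # rewritten in place
    return findings


def run_check(activity):
    """Deploy canaries in a scratch directory, run `activity(root)` to stand in
    for whatever happened on the share, and return the findings. In production
    the check runs on a timer or change event and a non-empty result is the
    trigger for isolating the host."""
    with tempfile.TemporaryDirectory() as root:
        baseline = deploy_canaries(root)
        activity(root)
        return check_canaries(baseline)


def normal_user_activity(root):
    """A user saves a real document next to the bait; canaries are untouched."""
    (Path(root) / "minutes.docx").write_bytes(b"meeting minutes")


def simulated_mass_rewrite(root):
    """Stand-in for an encryptor touching everything: one canary is overwritten
    in place, another is renamed with the extension named in the article."""
    first = Path(root) / CANARY_NAMES[0]
    second = Path(root) / CANARY_NAMES[1]
    first.write_bytes(os.urandom(256))
    second.rename(second.with_name(second.name + ".friends124"))


if __name__ == "__main__":
    print("normal activity:", run_check(normal_user_activity))
    print("mass rewrite:   ", run_check(simulated_mass_rewrite))
```

Because the alert condition is "a file nobody should ever touch changed", it is independent of the malware's extension or note name and does not need a signature update when the family evolves, which is why it works as the last line of defence the paragraph describes.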
To combat the double-extortion tactic, implement strict egress filtering on your network perimeter. Block all outbound traffic by default and only allow connections to known-good destinations required for business operations. This can prevent or at least hinder the data exfiltration phase of the 'Friends' ransomware attack. Combine this with a Data Loss Prevention (DLP) solution that inspects allowed outbound traffic for sensitive data patterns. Even if the attackers have an allowed channel, the DLP can detect and block the theft of PII, financial data, or intellectual property.
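The two controls in this paragraph, a default-deny egress allowlist followed by content inspection of the traffic that is allowed, modelled in one policy function as an added example (not the article's or any vendor's code). The allowlist entries, destinations and payloads are constructed; the DLP patterns (Luhn-valid card numbers and the US SSN format) are illustrative stand-ins for an organisation's own sensitive-data definitions.

```python
"""Egress policy plus DLP content inspection. Added example, not vendor code;
allowlist, flows and patterns are constructed for illustration."""
import re

# Assumption: these are the only outbound destinations the business needs.
# Everything else is denied by default, which is the egress-filtering rule.
ALLOWLIST = {
    ("updates.example.com", 443),
    ("mail.example.com", 587),
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits with optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum; filters out most non-card digit runs (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return [(kind, match)] for every sensitive pattern found in the payload."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group().strip()))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    return hits


def evaluate_flow(flow):
    """Decide one outbound flow: deny unless allowlisted, then deny on DLP hits."""
    if (flow["dst"], flow["port"]) not in ALLOWLIST:
        return "deny:not_allowlisted"
    kinds = sorted({kind for kind, _ in find_sensitive(flow["payload"])})
    if kinds:
        return "deny:dlp:" + ",".join(kinds)
    return "allow"


# Constructed flows: a permitted update check, an upload to an unknown host,
# a benign mail with a non-card digit run, and a mail carrying PII.
SAMPLE_FLOWS = [
    {"dst": "updates.example.com", "port": 443, "payload": "GET /manifest.json"},
    {"dst": "203.0.113.10", "port": 8443, "payload": "POST /upload archive.7z"},
    {"dst": "mail.example.com", "port": 587, "payload": "Order 1234567890123456 has shipped"},
    {"dst": "mail.example.com", "port": 587, "payload": "Card 4111 1111 1111 1111, SSN 123-45-6789 attached"},
]


def evaluate_all(flows):
    return [evaluate_flow(f) for f in flows]


if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, evaluate_all(SAMPLE_FLOWS)):
        print(f"{flow['dst']}:{flow['port']} -> {decision}")
```

The ordering matters: the allowlist decision needs no payload visibility and stops the upload to the unknown host outright, while the DLP stage only ever sees traffic that was permitted and readable. Exfiltration inside an encrypted archive or a TLS session to an allowed destination passes pattern matching untouched, so in practice DLP inspection sits behind TLS interception or on the endpoint, and the default-deny allowlist remains the primary control.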

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.