Ransomware Research
Rhino Ransomware
Rhino is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on September 1, 2018, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Marvel, Parrot, GeneralChin, Coka, Termit.
Quick Facts
- Ransomware Family: Rhino
- First Seen: September 1, 2018
- Known Aliases: Marvel, Parrot, GeneralChin, Coka, Termit
How Rhino Ransomware Works
Targeted Files
Full extension of encrypted file - .[generalchin@countermail.com].rhino
File Encryption Patterns
Rhino modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
.rhino
.parrot
.coka
.termit
Ransom Note and Payment Demands
After encrypting files, Rhino displays ransom notes demanding payment for file recovery:
ReadMe_Decryptor.txt
Ransom message:
notes/ReadMe_Decryptor.txt
Note locations:
EveryFolder
Decryptor_Info.hta
Ransom message:
notes/Decryptor_Info.hta
Ransom message:
notes/note.txt
Note locations:
OnceOnCompletion
Technical Indicators
Associated Executable Files
The following executable files are associated with Rhino ransomware:
About This Analysis
This Rhino ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Rhino.
Last updated: July 30, 2025