Ransomware Research
Sojusz Ransomware
Sojusz is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on February 1, 2022, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Alliance, Bec, Nigra, Likeoldboobs, Gachimuchi.
Quick Facts
- Ransomware Family
- Sojusz
- First Seen
- February 1, 2022
- Known Aliases
- AllianceBecNigraLikeoldboobsGachimuchi
How Sojusz Ransomware Works
Targeted Files
Full extension -> clc2000legend.mdb.[7520c7748e].[ustedesfil@safeswiss.com].sojusz
File Encryption Patterns
Sojusz modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..sojusz
..Gachimuchi
..Washedback
Ransom Note and Payment Demands
After encrypting files, Sojusz displays ransom notes demanding payment for file recovery:
-----README_WARNING-----.txt
Ransom message:
notes/-----README_WARNING-----.txt
Note locations:
EveryFolder
!!!HOW_TO_DECRYPT!!!.txt
README_WARNING_.txt
Horse.txt
Ransom message:
notes/Horse.txt
Note locations:
EveryFolder
#HOW_TO_DECRYPT#.txt
Ransom message:
notes/#HOW_TO_DECRYPT#.txt
Note locations:
EveryFolder
Technical Indicators
Associated Executable Files
The following executable files are associated with Sojusz ransomware:
z7w3x.exe
Elastio Can Help You
Don't let Sojusz ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
About This Analysis
This Sojusz ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Sojusz.
Last updated: July 30, 2025