Colossus

Description

Colossus ransomware was first observed in September 2021, when ZeroFox researchers identified the variant in an attack on a U.S.-based automotive group. It follows a double-extortion model: the payload is packed with Themida and carries sandbox-evasion checks to frustrate analysis and evade defenses before the encryption routine runs. Victims are directed to a negotiation site hosted on a domain such as colossus.support; if they do not pay, the operators threaten to leak the stolen data, and the ransom demand rises as a countdown timer expires. The operators appear familiar with ransomware-as-a-service (RaaS) playbooks, and ZeroFox noted architectural parallels with EpsilonRed, BlackCocaine, and REvil/Sodinokibi.
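The Themida packing mentioned above is the detail a triage analyst would check first, because a protected sample yields little to static analysis until it is unpacked. The script below is an added example, not code from the ZeroFox report or from the Colossus operators: it walks a PE section table and flags sections that carry a section name commonly left behind by commercial protectors or whose byte entropy is near 8 bits/byte. The PE buffer it inspects is constructed inline (two sections, one repetitive and one pseudo-random) and is not a Colossus binary; the section-name list and the 7.0 bits/byte threshold are assumptions chosen for this example, and both are heuristics that a packer can defeat by renaming sections or padding data.

```python
"""Packer triage for a PE image: section names plus per-section Shannon entropy.

Added example, not code from the Colossus report or the malware itself. The PE
buffer built by build_sample_pe() is constructed for this example only.
"""
import math
import random
import struct

# Assumption: names commonly seen in protector-wrapped binaries. A heuristic,
# not a signature; packers can rename sections freely.
PACKER_SECTION_NAMES = {b".themida", b".winlice", b"upx0", b"upx1", b".vmp0", b".vmp1"}
ENTROPY_THRESHOLD = 7.0  # bits/byte (assumption); compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Return (name, raw_bytes) for each entry in the COFF section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (size_opt,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + size_opt  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0")
        size_raw, ptr_raw = struct.unpack_from("<II", image, off + 16)
        sections.append((name, image[ptr_raw:ptr_raw + size_raw]))
    return sections


def triage(image: bytes) -> dict:
    """Per-section verdicts: entropy, packer-style name, high-entropy flag."""
    findings = {}
    for name, raw in parse_sections(image):
        ent = shannon_entropy(raw)
        findings[name.decode("latin-1")] = {
            "entropy": round(ent, 2),
            "known_packer_name": name.lower() in PACKER_SECTION_NAMES,
            "high_entropy": ent >= ENTROPY_THRESHOLD,
        }
    return findings


def build_sample_pe() -> bytes:
    """Constructed sample: a repetitive .text section and a pseudo-random
    .themida section. Headers are minimal (no optional header), enough for
    the parser above but not a loadable Windows executable."""
    text = bytes(range(16)) * 256                     # entropy exactly 4.0 bits/byte
    rng = random.Random(1)
    themida = bytes(rng.getrandbits(8) for _ in range(4096))  # entropy ~7.95

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)

    def section_header(name, vaddr, data, ptr_raw):
        return struct.pack("<8sIIIIIIHHI", name, len(data), vaddr,
                           len(data), ptr_raw, 0, 0, 0, 0, 0x60000020)

    raw_base = 0x200
    headers = (dos + coff
               + section_header(b".text", 0x1000, text, raw_base)
               + section_header(b".themida", 0x2000, themida, raw_base + len(text)))
    return headers.ljust(raw_base, b"\0") + text + themida


if __name__ == "__main__":
    for name, verdict in triage(build_sample_pe()).items():
        print(f"{name:10s} {verdict}")
```

On a real sample, read the file into `image` and call `triage()`; a section with a packer-style name and entropy above the threshold is a strong hint that the code needs dynamic unpacking before static analysis is worthwhile, while a high-entropy section with an innocuous name deserves the same treatment.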

External Analysis
https://www.zerofox.com/intelligence/flash-report-colossus-ransomware/
https://www.securityweek.com/colossus-ransomware-hits-automotive-company-us/
https://www.superantispyware.com/blog/what-is-colossus-ransomware/
Urls
(Screenshots of the group's file servers, chat servers and admin servers; images not reproduced here.)