Galaxy Ransomware begins affiliate program

| By:
Stuart Gonzalez

Have you heard of Galaxy Ransomware? Interestingly, neither have I. After a quick Google search, some sifting through files under rocks, < insert available TOR search engine >, and still nothing. I can’t find anything regarding Galaxy Ransomware. In fact, earlier this week was the first time seeing anything related to it.

A thread on a Russian cyber forum popped up with details introducing an affiliate program with the Galaxy software developers. An affiliate program is a way to bring in new talent to help build the software to achieve greater functionality. We’ve seen this with some other ransomware players like REvil, Netwalker, and Darkside. However, those groups have a track record of success and notoriety, samples littering VirusTotal and malware repositories, and even that tweet drop to @demonslay335.

But for Galaxy Ransomware, there’s nothing but this post.


The Brief

First, a completely random observation: The avatar of the Galaxy actor, Artem2245, is the same as the software’s logo, which appears to be a heraldic lion with a squints “Canva” watermark. The logo looks like it was hastily put together.

Reading a bit more about this ransomware from the thread, we find the developers highlight features of the software that include “Specific processes already disabled like restoration system, backup application …,” “Unkillable process,” and “Fully UnDetectable executable in scantime.”

The developers want to prioritize customization, stability, and speed. As listed in the post, the software has options for online or offline encryption, file encryption priority, extension names, desktop backgrounds, 32-or 64-bit architecture, a countdown timer, real-time parameter changes, automatic deletion, etc.

The software is built to compromise Microsoft Windows Servers and Windows XP to Windows 10. Built-in communication options to the ransomware operator includes TOX messenger, email, or Tor Chat. The developers also mention its speed during encryption. A whopping 5 GB per minute depending on CPU, with “no size limit for encryption.”

“This software is targeted for business networks attacks. Any customization can be applied on need based on the situation and environment.” The intended victims are businesses but in their FAQ the operator mentions “we have a residential ransomware for non-business mass distribution.” The operator does not go into any additional details about the difference, so I can only assume it’s the same code but with different or limited features.

The program is looking for affiliates who have previous knowledge of quick victims with high reward. The affiliate must also have knowledge of tools like Cobalt Strike and Metasploit Framework. An interview is required with the software developer(s) to determine the skill and knowledge that will be brought to the group. The conversation for how much the affiliate will profit will be determined prior to any work.

We expect a leak blog site in the future for possibly any ransoms that go unpaid.

I look forward to finding out more information about Galaxy. If any samples are found, please send them to Thanks!