
Milkyway Ransomware

Milkyway Ransomware is a developing Windows ransomware strain, reported by CYFIRMA after being identified through underground forum monitoring, that targets organizational environments. It encrypts accessible files across infected systems, appends the ".milkyway" extension to encrypted data (e.g., "2.png" -> "2.png.milkyway"), and then displays a full-screen ransom message.

Per CYFIRMA's reporting, the ransom note claims that the victim's servers, workstations, and backups are encrypted and unavailable, and applies coercive pressure through threats to leak allegedly stolen data, to report the victim to tax authorities, security services, or law enforcement, to share credentials and internal information, and to contact the victim's clients and partners. Victims are instructed to communicate with the attackers via a provided Outlook email address.

CYFIRMA maps Milkyway activity to multiple MITRE ATT&CK techniques and describes persistence and recovery-inhibition behaviors: creating or modifying Windows scheduled tasks configured to run with SYSTEM-level privileges on recurring triggers (e.g., hourly or at logon), and deleting Volume Shadow Copies with commands such as "vssadmin.exe Delete Shadows /all /quiet" and "wmic shadowcopy delete /nointeractive". CYFIRMA assesses that Milkyway is in an early, developing state and could evolve into a more sophisticated operation, potentially including a ransomware-as-a-service (RaaS) model.


MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution (6 techniques)

T1053.005 Scheduled Task (evidence: 1)
The ransomware maintains long-term presence on the system by creating and modifying Windows scheduled tasks... set tasks to run with SYSTEM-level privileges... hourly or logon events.

T1059 Command and Scripting Interpreter (evidence: 1)
The following are the TTPs based on the MITRE Attack Framework ... Execution T1059 Command and Scripting Interpreter

T1059.003 Windows Command Shell (evidence: 1)
TTPs based on MITRE ATT&CK Framework ... Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell

T1106 Native API (evidence: 1)
...exposes native Windows API functions, such as OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.

T1129 Shared Modules (evidence: 1)
The following are the TTPs based on the MITRE Attack Framework ... Execution T1129 Shared Modules

T1569.002 Service Execution (evidence: 1)
The following are the TTPs based on the MITRE Attack Framework ... Execution T1569.002 System Services: Service Execution

Persistence (4 techniques)

T1053.005 Scheduled Task (evidence: 1)
Same excerpt as under Execution.

T1112 Modify Registry (evidence: 1)
Persistence T1112 Modify Registry; Defense Evasion T1112 Modify Registry

T1543.003 Windows Service (evidence: 1)
Persistence T1543.003 Create or Modify System Process: Windows Service; Privilege Escalation T1543.003 Create or Modify System Process: Windows Service

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)
"Persistence T1547.001 ... Registry Run Keys / Startup Folder" and "registers a randomized entry within the Windows Run registry key... execution at every user logon."

Privilege Escalation (3 techniques)

T1053.005 Scheduled Task (evidence: 1)
Same excerpt as under Execution.

T1543.003 Windows Service (evidence: 1)
Same excerpt as under Persistence.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)
Same excerpt as under Persistence.

Stealth (3 techniques)

T1027.002 Software Packing (evidence: 1)
"Defense Evasion T1027.002 Obfuscated Files or Information: Software Packing"

T1070.004 File Deletion (evidence: 1)
...extracts an embedded Base64-encoded PowerShell payload... launches it... and then deletes the script.

T1564.003 Hidden Window (evidence: 1)
...launches it using a hidden PowerShell instance...

Defense Impairment (1 technique)

T1112 Modify Registry (evidence: 1)
Same excerpt as under Persistence.

Discovery (2 techniques)

T1057 Process Discovery (evidence: 1)
"Discovery T1057 Process Discovery" and "may look for specific processes... linked to analysis tools"

T1082 System Information Discovery (evidence: 1)
The following are the TTPs based on the MITRE Attack Framework ... Discovery T1082 System Information Discovery

Command and Control (1 technique)

T1095 Non-Application Layer Protocol (evidence: 1)
"Command and control T1095 Non-Application Layer Protocol"

Other (1 technique)

T1562.001 Disable or Modify Tools (evidence: 1)
The following are the TTPs based on the MITRE Attack Framework ... Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools
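The summary above names the concrete command lines CYFIRMA attributes to Milkyway (shadow copy deletion via vssadmin and wmic, scheduled tasks running as SYSTEM) and the technique list adds a hidden PowerShell instance launching an embedded Base64 payload (T1564.003, T1070.004). The following is an added example of process-creation log triage for exactly those behaviors; it is not code from this page or from CYFIRMA, and the sample events, field names and the encoded-command placeholder are constructed for illustration.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style, trimmed
# to the fields the rules use). Invented for illustration; not telemetry from an infection.
SAMPLE_EVENTS = [
    {"pid": 4120, "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"pid": 4133, "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"pid": 4150, "user": "CORP\\jdoe",
     "cmdline": 'schtasks /create /tn "Updater" /tr C:\\Users\\Public\\svc.exe /sc hourly /ru SYSTEM /f'},
    # The encoded argument is a placeholder that decodes to UTF-16LE "AAAAAAAAAAAA", not a script.
    {"pid": 4170, "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -WindowStyle Hidden -EncodedCommand QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"pid": 4180, "user": "CORP\\admin",
     "cmdline": "vssadmin.exe list shadows"},  # routine administration: must not alert
]

# A rule fires only when every one of its patterns matches the command line, so that
# listing shadow copies or an unhidden PowerShell session does not trip the rule.
RULES = [
    ("shadow copy deletion via vssadmin (recovery inhibition)",
     [re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)]),
    ("shadow copy deletion via wmic (recovery inhibition)",
     [re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)]),
    ("T1053.005 scheduled task created to run as SYSTEM",
     [re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I),
      re.compile(r"/ru\s+\"?(?:nt authority\\)?system\b", re.I)]),
    ("T1564.003 hidden PowerShell running an encoded command",
     [re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
      re.compile(r"-w(?:indowstyle|in)?\s+hidden\b", re.I),
      re.compile(r"-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{16,}", re.I)]),
]


def match_event(event):
    """Return the names of every rule whose patterns all match the event's command line."""
    cmd = event["cmdline"]
    return [name for name, patterns in RULES if all(p.search(cmd) for p in patterns)]


def scan(events):
    """Return (pid, user, rule_name) for each event that trips a rule, in input order."""
    return [(ev["pid"], ev["user"], name) for ev in events for name in match_event(ev)]


if __name__ == "__main__":
    for pid, user, rule in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} user={user}: {rule}")
```

Running the block flags the four malicious-looking events and stays silent on the benign "vssadmin.exe list shadows" record; in production the same rules would be applied to 4688 or Sysmon command-line fields exported from the SIEM.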
