
ColdLock Ransomware Hits Taiwanese Organizations

While organizations are still striving to recover from the ongoing COVID-19 disruption, they are also struggling to keep their security measures adequate against a wide range of cyberattacks. Recently, a new targeted attack infected several organizations in Taiwan with a new ransomware family, which has been named ColdLock. Cyble's researchers have observed a large mining company among the victims of this family. According to security researchers, this ransomware primarily targets databases and email servers for encryption. Researchers have also found similarities between ColdLock and previously discovered ransomware variants such as Lockergoga, Freezing, and EDA2.

The information gathered indicates that this ransomware began striking organizations based in Taiwan at the beginning of May 2020. The attackers deliver the ransomware payload as a .NET executable (a .DLL file) packed/protected with ConfuserEx, and use PowerShell reflective loading of .NET assemblies to run the DLL (that is, the assembly is loaded directly into memory rather than launched from disk). Before the ransomware runs, it performs two checks. First, it checks for the presence of %System Root%\ProgramData\readme.tmp, the file used for the ransom note; if that file already exists the ransomware does not run, which prevents a system from being reinfected by the same threat. Second, it checks the system clock: it will only run at or after 12:10 PM on any given day, and if it is earlier it sleeps in 15-second intervals until that time has passed. To ensure that encryption succeeds, ColdLock then performs preliminary routines that terminate multiple services on the system which might otherwise keep files locked. The ransomware also takes note of the Windows version running on the system; on Windows 10 it carries out several Windows 10-specific routines, such as disabling Windows Defender, disabling push notifications, and disabling the submission of malware samples to Microsoft.
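As an added illustration (not code from the original post, nor from the researchers it cites), the following Python turns the behaviours described above into defender-side logic: a scan of PowerShell Script Block Logging text (Event ID 4104) for reflective .NET assembly loading, Microsoft Defender tampering and service stops, plus a model of the two execution gates (marker file and 12:10 PM clock check). The indicator patterns, the sample log lines and the gate-timing helper are constructed for illustration and are assumptions; they are not ColdLock's actual commands or code.

```python
"""Hunting and analysis helpers for the ColdLock tradecraft described above.

Two things a defender can act on from that description:
  1. The loader chain: PowerShell reflectively loading a .NET assembly from
     bytes, Windows 10-specific tampering with Microsoft Defender settings,
     and stopping services that hold files open.
  2. The execution gates: a marker file (the ransom-note path) and a
     time-of-day check that must both pass before encryption starts.
"""
import math
import re
from datetime import datetime, time

# Constructed sample Script Block Logging (Event ID 4104) texts. These are
# illustrative stand-ins, not ColdLock's real script content.
SAMPLE_SCRIPT_BLOCKS = [
    "$b = [System.IO.File]::ReadAllBytes('C:\\Users\\Public\\x.dll'); "
    "$a = [System.Reflection.Assembly]::Load($b)",
    "Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent 2",
    "Stop-Service -Name MSSQLSERVER -Force",
    "Get-ChildItem C:\\Temp | Sort-Object Length",
]

# Assumed generic indicator patterns; tune to your environment. The
# service_stop rule is noisy on its own and is meant to corroborate the others.
INDICATORS = {
    "reflective_dotnet_load": re.compile(
        r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.IGNORECASE),
    "defender_tamper": re.compile(
        r"Set-MpPreference\b.*-(?:DisableRealtimeMonitoring"
        r"|SubmitSamplesConsent|DisableBehaviorMonitoring)",
        re.IGNORECASE),
    "service_stop": re.compile(r"\bStop-Service\b", re.IGNORECASE),
}


def scan_script_blocks(blocks):
    """Return [(rule_name, block)] for every script block matching an indicator."""
    hits = []
    for block in blocks:
        for rule, pattern in INDICATORS.items():
            if pattern.search(block):
                hits.append((rule, block))
    return hits


# The two pre-encryption gates described in the write-up.
GATE_TIME = time(12, 10)   # runs only at or after 12:10 PM local time
SLEEP_SECONDS = 15         # sleeps in 15-second steps until then


def gate_passes(marker_exists, now):
    """True when both gates pass: no ransom-note marker file and clock >= 12:10.

    marker_exists models the check for %System Root%\\ProgramData\\readme.tmp.
    """
    if marker_exists:
        return False
    return now.time() >= GATE_TIME


def sleeps_before_gate(now):
    """Number of 15-second sleeps the sample would perform before the clock
    gate opens on the same day (0 if it is already past 12:10)."""
    if now.time() >= GATE_TIME:
        return 0
    gate_dt = now.replace(hour=GATE_TIME.hour, minute=GATE_TIME.minute,
                          second=0, microsecond=0)
    remaining = (gate_dt - now).total_seconds()
    return math.ceil(remaining / SLEEP_SECONDS)


if __name__ == "__main__":
    for rule, block in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{rule}] {block}")
    sandbox_clock = datetime(2020, 5, 4, 9, 0, 0)
    print("gate passes at 09:00 with no marker:",
          gate_passes(False, sandbox_clock))
    print("15-second sleeps before the gate opens:",
          sleeps_before_gate(sandbox_clock))
```

Two practical consequences follow from the gate model. A sample detonated in a sandbox before 12:10 PM with a short analysis window will only be seen sleeping, so either set the sandbox clock past the gate or hook the sleep; and because the marker-file check aborts execution outright, the presence of readme.tmp in ProgramData is both a useful hunting artefact and, on a known-clean host, a plausible (assumed, untested here) way to keep this particular sample from running. The script-block scan only works where PowerShell Script Block Logging is enabled.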

Figure: original text of the ColdLock ransom note displayed on an affected system (encrypted files carry the .locked extension).

This ransomware has connections to multiple other ransomware families: its code shares similarities with the open-source EDA2 ransomware kit, and it shares a similar method of propagation across networks, the same reflective injection technique, and a similar internal module architecture with the other families noted above. As stated earlier, this ransomware has so far only affected organizations based in Taiwan, but our security researchers consider it fast-spreading and highly destructive. Organizations are advised to ensure that their security measures are up to date and effective in preventing a successful attack.

About Cyble:

Cyble Inc.'s mission is to provide organizations with a real-time view of their supply chain cyber threats and risks. Its SaaS-based solution, powered by machine learning and human analysis, gives organizations insight into cyber threats introduced by suppliers and enables them to respond faster and more efficiently.


Cyble strives to be a reliable partner/facilitator to its clients, providing them with unprecedented security scoring of suppliers through cyber intelligence sourced from open and closed channels such as OSINT, dark web and deep web monitoring, and passive scanning of internet presence. Furthermore, this intelligence, combined with machine learning capabilities and human analysis, allows clients to gain real-time cyber threat intelligence and build stronger resilience to breaches and hacks. Due to the nature of the collected data, the company also offers threat intelligence capabilities out of the box to its subscribers.

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented "as is" without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue.

No Liability for Errors or Omissions: Due to the dynamic nature of cyber threat activity, this blog may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.
