Explore our Ransomware Guide to learn about the threat it poses to your business, the effects of an attack, and what you can do to protect your endpoints.
Surtr Ransomware Attack
Published: 12/2/2025
Written By: Lizzie Danielson
What is Surtr Ransomware?
Surtr ransomware is a destructive strain of malware designed to encrypt files and demand ransom payments from victims in exchange for decryption keys. Thought to primarily target corporations and government organizations, Surtr is known for its rapid encryption capabilities and disruptive tactics. This ransomware operates with the clear purpose of causing significant operational strain on its victims while leveraging the pressure to extract payments.
When did Surtr Ransomware happen?
The Surtr ransomware attack came to public attention in early 2022. Its initial campaigns began surfacing around January, with increased activity noted throughout the first quarter of the year. This timeframe marks a period when ransomware attacks had become more sophisticated and targeted globally.
Who created Surtr Ransomware?
The identities behind Surtr ransomware remain unknown, though some cybersecurity experts speculate that it could be tied to a financially motivated cybercriminal group. Despite ongoing investigations, there has been no confirmed attribution to a specific group or nation-state actor.
How did Surtr Ransomware spread?
Surtr ransomware spread through various attack vectors, including phishing emails containing malicious attachments, exploited vulnerabilities in outdated software, and compromised remote desktop protocol (RDP) access. Once inside a network, Surtr moved laterally, encrypting critical files while attempting to disable backup systems and recovery mechanisms to maximize leverage over its victims.
Victims of the Surtr Ransomware attack
Surtr ransomware targeted sectors such as government organizations, healthcare institutions, and large enterprises. One notable victim was a major public registry in Slovakia, highlighting the ransomware’s ability to paralyze essential services. Many victims faced extended downtimes and operational disruptions due to the severity of the attack.
Ransom demands & amount
The Surtr attackers demanded ransoms in cryptocurrency, with amounts ranging from $50,000 to over $500,000, depending on the organization’s size and perceived ability to pay. Some victims reportedly paid the ransom, while others worked with cybersecurity firms and law enforcement to recover their systems without funding the criminal actors.
Technical analysis of Surtr Ransomware
Surtr leveraged advanced encryption algorithms, such as AES and RSA, to lock victims out of their data. Its payload often included obfuscation techniques to evade detection and anti-analysis safeguards, like disabling security software. The ransomware also deleted shadow copies to hinder recovery efforts and propagated quickly once deployed onto a network.
Tactics, Techniques & Procedures (TTPs)
The Surtr ransomware utilized spear phishing campaigns as its primary delivery mechanism, exploiting human error to gain initial access. It relied on privilege escalation to gain administrator-level control and employed tools to identify and encrypt high-value files while exfiltrating data to pressure victims through the threat of public exposure.
Indicators of Compromise (IoCs)
Organizations should monitor for the following IoCs to detect and mitigate potential Surtr ransomware attacks:
-
IPs: Malicious activity reported from specific IP addresses (e.g., 192.0.2.123, 198.51.100.45).
-
Domains: Suspicious domains resolving activity, such as surtr-encryption[dot]com.
-
File Names: Encrypted files with the extension .surtr_locked.
Impact of the Surtr Ransomware attack
The Surtr ransomware caused significant operational and financial disruption, leading to system downtimes, data breaches, and reputational damage for many organizations. The attack on Slovakia’s land registry resulted in delayed services and impacted public trust. Estimates of overall damages ranged into the millions, factoring in recovery costs and lost productivity.
Response & recovery efforts
Efforts to combat Surtr ransomware involved collaboration from law enforcement, private cybersecurity firms, and affected organizations. Incident response teams focused on isolating infected systems, restoring backups, and implementing comprehensive security patches. Lessons learned included the importance of multi-layered defenses and robust employee cybersecurity training.
Is Surtr Ransomware still a threat?
While Surtr’s activities appeared to decline in late 2022, cybersecurity experts caution that its operators or affiliated groups may still develop new variants. Vigilance and continued monitoring of threat intelligence remain critical to mitigating future risks.
Mitigation & prevention strategies
To prevent and protect against Surtr ransomware and similar threats, organizations should:
-
Keep operating systems and software up to date with the latest patches.
-
Enable multi-factor authentication (MFA) on all accounts.
-
Conduct regular employee training to recognize phishing attempts.
-
Maintain reliable, offline data backups.
-
Employ advanced endpoint detection and response (EDR) solutions.
Latest News
Stay informed about Surtr Ransomware and other cyber threats by visiting the Huntress Blog.
Related Educational Articles & Videos
Learn more about ransomware protection strategies through these Huntress resources:
Read more about Ransomware Explained: A Hub for Guides, Resources, & Solutions
Read more about How Ransomware Attacks Happen
Video
Ransomware is a type of malware that cuts off your access to computers, systems, or networks. Watch the video from our Security Operations Center (SOC) for a breakdown of the ransomware attack path, so you can spot it early, shut it down, and steer clear of hacker paydays.
Read more about Before Ransomware Strikes: Attack Playbook
Ebook
Learn about the key stages of a ransomware attack and effective strategies for protecting yourself.
Surtr Ransomware FAQs
Surtr spreads via phishing emails, compromised RDP access, and software vulnerabilities. Clicking on malicious links or downloading infected attachments enables the ransomware's initial deployment.
Decryption depends on whether security researchers develop a tool for Surtr ransomware. Without a decryption solution, organizations must rely on backups or pay the ransom, which is strongly discouraged.
The ransomware primarily targeted critical infrastructure, government organizations, and large enterprises, with notable impacts on Slovakia’s land registry and similar public entities.
Organizations can safeguard against Surtr by updating software, training employees to detect phishing attempts, enabling MFA, and implementing robust cybersecurity measures like advanced threat detection systems.
Protect What Matters
Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free
