THREAT ALERT

GreenBlood Ransomware

Thursday, March 5th, 2026

Summary

GreenBlood is a modern ransomware first identified in early 2026. It’s known for its rapid system disruption and recovery prevention. Unlike basic ransomware that focuses mainly on file encryption, GreenBlood actively sabotages system recovery mechanisms and security controls before or during encryption, significantly increasing the impact on victims.

Behavioral Summary

One of the first actions performed by GreenBlood is system profiling. The malware collects a unique hardware identifier (system UUID) using standard Windows tooling. This identifier allows attackers to inventory infected machines, correlate victims with ransom records, and manage encryption keys more efficiently across campaigns.

To ensure recovery is difficult or impossible, GreenBlood aggressively targets backup and restore capabilities. It will delete all Volume Shadow Copies and remove the Windows Backup catalog, effectively neutralizing both user-created restore points and system-level backups. This prevents victims from rolling back files or restoring the system without external backups, thus increasing the pressure to pay the demanded ransom.

GreenBlood further strengthens recovery inhibition by disabling the Windows Recovery Environment (WinRE) and suppressing boot failure warnings. These changes block access to automated repair tools and rollback options that might otherwise help victims recover after the attack or troubleshoot the system.

The ransomware also weakens system defenses by disabling the Windows Firewall, allowing unrestricted inbound and outbound network traffic. This facilitates command-and-control communication, data exfiltration and lateral movement within the network. In addition, GreenBlood disables Microsoft Defender’s real-time protection through a registry policy modification, reducing the likelihood of detection or intervention during execution.

Once encryption is complete, affected files may be appended with the .tgbg extension. A ransom note named !!!READ_ME_TO_RECOVER_FILES!!!.txt is dropped into every directory containing encrypted files, ensuring the victim encounters the ransom message regardless of where they navigate.

(Example of Ransom Note | Source: https://community.broadcom.com/viewdocument/tau-tin-greenblood-ransomware?CommunityKey=3bd4783a-2be9-4de0-a8b9-893f8e815743)

Finally, GreenBlood attempts to erase its own footprint. It drops a cleanup batch file (cleanup_GreenBlood.bat) into the system’s temporary directory and executes it after encryption finishes. This removes the ransomware binary and related artifacts, complicating forensic analysis and incident response efforts.

Below is a list of command lines utilized by GreenBlood during an attack: (Source: https://community.broadcom.com/viewdocument/tau-tin-greenblood-ransomware?CommunityKey=3bd4783a-2be9-4de0-a8b9-893f8e815743)

  • Collecting the unique hardware identifier: wmic csproduct get uuid
  • Deleting shadow copies: c:/windows/system32/cmd.exe /c vssadmin delete shadows /All /Quiet ; c:/windows/system32/cmd.exe /c wmic shadowcopy delete
  • Disabling the firewall: netsh firewall set opmode mode=disable ; netsh advfirewall set currentprofile state off
  • Disabling Microsoft Defender’s real-time protection: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealTimeMonitoring /t REG_DWORD /d 1 /f
  • Disabling the Windows Recovery Environment and suppressing boot-failure handling: bcdedit /set {default} recoveryenabled no ; bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • Removing its own artifacts: a cleanup_GreenBlood.bat file is dropped in %temp% and executed after encryption completes to delete the ransomware binary and related files.
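The command lines above are the most reliable hunting surface for this family, because every one of them has to run as a child process and therefore appears in process-creation telemetry (Sysmon Event ID 1, Security 4688 with command-line auditing, or an EDR export). The following Python is an added example for this alert, not code from DefenseStorm or from the Broadcom TAU report: it classifies each command line against the behaviours listed, then grades each host by whether recovery inhibition and defense evasion occur together. The hostnames, timestamps and the benign administrative events are constructed for the demonstration, and the wbadmin pattern is an assumption, since the alert describes removal of the Windows Backup catalog but lists no command for it.

```python
"""Hunt process-creation telemetry for GreenBlood's command-line tradecraft.

Added example for this alert (not DefenseStorm or Broadcom TAU code). Each
record mimics the fields a Sysmon Event ID 1 / EDR export carries: host, time,
command_line. Hosts, timestamps and benign events below are constructed.
"""
import re
from collections import defaultdict

# (tactic label, regex over the lower-cased, whitespace-collapsed command line).
# Patterns key on the tokens that make each command destructive, so reordered
# arguments, forward/back slashes or different quoting do not evade them.
RULES = [
    ("hardware_id_collection", re.compile(r"\bwmic\b.*\bcsproduct\b.*\buuid\b")),
    ("shadow_copy_deletion", re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_deletion", re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b")),
    # Assumption: the alert says the Windows Backup catalog is removed but lists
    # no command for it; wbadmin is the standard tool, so it is covered here.
    ("backup_catalog_deletion", re.compile(r"\bwbadmin\b.*\bdelete\b.*\bcatalog\b")),
    ("firewall_disable", re.compile(r"\bnetsh\b.*\bfirewall\b.*\bopmode\b.*\bdisable\b")),
    ("firewall_disable", re.compile(r"\bnetsh\b.*\badvfirewall\b.*\bset\b.*\bstate\s+off\b")),
    ("defender_rtp_disable", re.compile(
        r"\breg\b.*\badd\b.*windows defender.*disablerealtimemonitoring.*/d\s+1\b")),
    ("winre_disable", re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b")),
    ("boot_failure_suppression", re.compile(r"\bbcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("self_cleanup", re.compile(r"cleanup_greenblood\.bat")),
]

RECOVERY_INHIBITION = {"shadow_copy_deletion", "backup_catalog_deletion",
                       "winre_disable", "boot_failure_suppression"}
DEFENSE_EVASION = {"firewall_disable", "defender_rtp_disable", "self_cleanup"}


def normalise(command_line):
    """Lower-case and collapse whitespace so the regexes see one canonical form."""
    return " ".join(command_line.lower().split())


def classify(command_line):
    """Return the sorted list of tactic labels a single command line matches."""
    norm = normalise(command_line)
    return sorted({label for label, rx in RULES if rx.search(norm)})


def assess_hosts(events):
    """Group matches per host and grade them.

    critical      recovery inhibition together with defense evasion (or 3+ tactics)
    suspicious    recovery inhibition or defense evasion on its own
    informational only the UUID collection, which inventory scripts also perform
    """
    tactics_by_host = defaultdict(set)
    hits_by_host = defaultdict(list)
    for ev in events:
        tactics = classify(ev["command_line"])
        if tactics:
            tactics_by_host[ev["host"]].update(tactics)
            hits_by_host[ev["host"]].append((ev["time"], ev["command_line"], tactics))

    report = {}
    for host, tactics in tactics_by_host.items():
        recovery = tactics & RECOVERY_INHIBITION
        evasion = tactics & DEFENSE_EVASION
        if recovery and (evasion or len(tactics) >= 3):
            verdict = "critical"
        elif recovery or evasion:
            verdict = "suspicious"
        else:
            verdict = "informational"
        report[host] = {"verdict": verdict, "tactics": sorted(tactics),
                        "hits": sorted(hits_by_host[host], key=lambda hit: hit[0])}
    return report


# Constructed telemetry: WS-017 replays the alert's command lines in order;
# SRV-BKP01 and WS-022 show routine administration that must not page anyone.
SAMPLE_EVENTS = [
    {"host": "WS-017", "time": "2026-03-05T09:14:02Z", "command_line": "wmic csproduct get uuid"},
    {"host": "WS-017", "time": "2026-03-05T09:14:05Z",
     "command_line": "c:/windows/system32/cmd.exe /c vssadmin delete shadows /All /Quiet"},
    {"host": "WS-017", "time": "2026-03-05T09:14:06Z",
     "command_line": "c:/windows/system32/cmd.exe /c wmic shadowcopy delete"},
    {"host": "WS-017", "time": "2026-03-05T09:14:08Z",
     "command_line": "netsh advfirewall set currentprofile state off"},
    {"host": "WS-017", "time": "2026-03-05T09:14:09Z",
     "command_line": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" '
                     '/v DisableRealTimeMonitoring /t REG_DWORD /d 1 /f'},
    {"host": "WS-017", "time": "2026-03-05T09:14:11Z", "command_line": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS-017", "time": "2026-03-05T09:14:12Z",
     "command_line": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS-017", "time": "2026-03-05T09:31:40Z",
     "command_line": 'cmd.exe /c "C:\\Users\\jdoe\\AppData\\Local\\Temp\\cleanup_GreenBlood.bat"'},
    {"host": "SRV-BKP01", "time": "2026-03-05T09:15:00Z", "command_line": "vssadmin list shadows /for=D:"},
    {"host": "SRV-BKP01", "time": "2026-03-05T09:15:30Z", "command_line": "netsh advfirewall show allprofiles"},
    {"host": "WS-022", "time": "2026-03-05T09:20:00Z", "command_line": "wmic csproduct get uuid"},
]

if __name__ == "__main__":
    for host, finding in assess_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['verdict']} ({', '.join(finding['tactics'])})")
        for when, cmd, _ in finding["hits"]:
            print(f"    {when}  {cmd}")
```

Run against the constructed sample, WS-017 grades critical on seven distinct tactics, WS-022 is informational because UUID collection alone is what asset-inventory scripts do every day, and SRV-BKP01 produces no finding because listing shadow copies and showing firewall profiles are read-only. Shadow-copy deletion alone still grades suspicious rather than critical, since backup software does prune snapshots; the combination with bcdedit or Defender changes on the same host is what makes this pattern unambiguous.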

Conclusion

GreenBlood is a highly disruptive ransomware strain that prioritizes defense evasion, recovery denial, and victim tracking as much as encryption itself. Its methodical disabling of backups, recovery tools, firewall protections, and antivirus defenses makes post-infection remediation especially challenging, aligning it with more advanced and professionally operated ransomware campaigns.

What DefenseStorm Is Doing

The DefenseStorm team will continue to monitor additional developments and information regarding this emerging threat. All currently available IPs and hashes associated with this threat have been uploaded to the DefenseStorm ThreatMatch feed.

Continuous research is being conducted for all newly discovered or recurring malware and ransomware. As always, DefenseStorm recommends the following practices to help secure your environment:

  • Continued internal training for phishing campaigns
  • Block threat indicators at their respective controls
  • Keep all systems and software updated to the latest patched versions to best protect against all known security vulnerabilities
  • Maintain a strong password policy
  • Enable multi-factor authentication
  • Regularly back up data and keep copies offline, air-gapped and password-protected
  • Implement a recovery plan that maintains multiple copies of sensitive or proprietary data and servers in a physically separate, secure location
  • Use application hardening
  • Restrict administrative access

Desrah Kraft

Cyber Threat Intelligence Engineer

Desrah Kraft is a Cyber Threat Intelligence Engineer at DefenseStorm. For the past three years, she has played a vital role in leading and contributing to various Incident Response efforts. Before transitioning into cybersecurity, Desrah obtained a bachelor’s degree from Mitchell College and worked for 7 years in law enforcement. This experience helped her cultivate a comprehensive understanding of security principles and investigative practices. An accomplished cybersecurity professional with 4 years of hands-on experience in analyzing malware and extensive expertise in safeguarding digital landscapes against malicious threats, Desrah possesses an unparalleled ability to dissect complex cyber threats, identify their origins, and implement effective countermeasures. Additionally, she holds multiple MITRE certifications, which demonstrate her mastery of advanced threat detection and mitigation techniques. Recognized for her keen eye for anomalies and proactive approach, Desrah excels in Endpoint Detection and Response (EDR), enabling rapid identification, investigation, and containment of potential breaches. Committed to continuous growth and learning, Desrah remains at the forefront of cybersecurity, dedicated to fortifying digital infrastructures and inspiring others in the field.