Analyzing the Emerging Risk of Milkyway Ransomware to UAE Critical Infrastructure

Summary:

The emergence of Milkyway ransomware presents a significant threat to the UAE’s digital ecosystem, particularly targeting critical infrastructure and high-value economic sectors. The variant employs advanced evasion mechanisms and high-speed encryption capabilities while leveraging the region’s high digital connectivity to maximize operational impact. Files are appended with the .milkyway extension, and attackers employ triple-extortion tactics, encrypting data, exfiltrating sensitive information, and threatening distributed denial-of-service (DDoS) attacks to increase pressure on victims.

Given the UAE’s strategic role as a regional financial and energy hub, this threat has material implications for economic stability and business continuity. Organizations must prioritize immutable offline backups, strict alignment with national cybersecurity standards such as NESA, and AI-driven detection mechanisms to prevent lateral spread and large-scale compromise.

Technical Description:

Milkyway ransomware is a 64-bit Windows executable engineered with advanced evasion and persistence capabilities. It incorporates anti-debugging routines and extended sleep intervals to evade sandbox environments and endpoint detection and response (EDR) solutions. Initial infiltration frequently occurs through phishing campaigns or malicious macro-enabled documents. Upon execution, the malware leverages Windows Management Instrumentation (WMI) for reconnaissance and system modification activities.

Persistence is achieved through the creation of scheduled tasks with SYSTEM-level privileges, enabling continued execution even after system restarts or remediation attempts. During the encryption phase, the malware targets critical business data, including databases and document repositories.

To prevent local recovery, the ransomware systematically deletes Volume Shadow Copies and appends the .milkyway extension to encrypted files. Before encryption, sensitive data is exfiltrated to attacker-controlled command-and-control (C2) infrastructure. Exfiltration adds a second layer of extortion on top of encryption (the DDoS threat noted in the summary being the third), so that the attackers retain leverage by threatening public data disclosure even if backups are available.

Delivery and Infection Chain:

Milkyway ransomware is primarily distributed through targeted social engineering campaigns, particularly spear-phishing operations aimed at government and enterprise personnel. Malicious macros embedded in documents disguised as official business communications are a common infection vector. Threat actors also leverage compromised cloud storage links, malvertising campaigns, and poisoned search results to distribute fraudulent software updates or tampered installation packages.

This multi-vector approach increases infection success rates by exploiting human trust and bypassing conventional perimeter-based email defenses.

The infection chain was identified as follows:

  • The infection chain initiates when a user executes a malicious payload delivered via a spear-phishing attachment or fraudulent software download, triggering the initial dropper.
  • Once active, the malware performs environment validation and anti-analysis checks, including virtual machine detection and extended sleep cycles, to evade automated security analysis.
  • After confirming a legitimate target, it utilizes WMI and PowerShell to conduct internal reconnaissance, mapping network architecture and identifying critical data repositories and connected drives.
  • Persistence is established through scheduled task creation or registry modifications executed with SYSTEM-level privileges, ensuring continued operation after reboots or scans.
  • In the final stage, sensitive data is exfiltrated to a remote C2 server before mass encryption begins and Volume Shadow Copies are deleted to prevent local restoration.

Technical Capabilities:

Milkyway employs a hybrid encryption model: files are encrypted with AES-256, and the per-file AES keys are wrapped with an RSA-2048 public key whose private half is held only by the attackers, making decryption without that key computationally impractical. A defining characteristic is its systematic deletion of Volume Shadow Copies using the vssadmin utility, eliminating local restoration options and increasing victim pressure.

Beyond encryption, Milkyway integrates structured data exfiltration modules capable of identifying and transmitting high-value documents and databases to attacker-controlled infrastructure. This additional extortion lever ensures that even organizations with reliable backups remain exposed to reputational and regulatory consequences through public data leaks.
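The infection chain and capabilities above map onto a handful of observable process-creation behaviours: an Office application spawning a shell (macro dropper), WmiPrvSE.exe spawning a shell (WMI-driven reconnaissance), schtasks.exe creating a task that runs as SYSTEM (persistence), and vssadmin.exe deleting shadow copies (inhibit recovery). The following triage script is an added example written for this page, not code from the report or from CYFIRMA; it runs the corresponding behavioural rules over constructed Sysmon Event ID 1 style records (the sample events, paths and account names are invented for illustration) and reports which stages of the chain are present on a host.

```python
"""Behavioural triage of process-creation events for the Milkyway tradecraft
described above. The event records below are constructed to resemble Sysmon
Event ID 1 (or Windows 4688) fields; they are sample data, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the newly created process
    command_line: str
    parent_image: str   # full path of the parent process
    user: str           # account the new process runs as


def _basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}


def rule_office_spawned_shell(ev: ProcEvent) -> bool:
    """Macro-enabled document dropping a payload: Office parent -> script host."""
    return _basename(ev.parent_image) in OFFICE_APPS and _basename(ev.image) in SHELLS


def rule_wmi_spawned_shell(ev: ProcEvent) -> bool:
    """WMI misuse: the WMI provider host launching a shell for reconnaissance."""
    return _basename(ev.parent_image) == "wmiprvse.exe" and _basename(ev.image) in SHELLS


def rule_system_scheduled_task(ev: ProcEvent) -> bool:
    """Persistence: schtasks /create with /ru SYSTEM (or NT AUTHORITY\\SYSTEM)."""
    cl = ev.command_line.lower()
    return (_basename(ev.image) == "schtasks.exe" and "/create" in cl
            and re.search(r'/ru\s+"?(?:nt authority\\)?system\b', cl) is not None)


def rule_shadow_copy_deletion(ev: ProcEvent) -> bool:
    """Inhibit System Recovery: 'vssadmin delete shadows' as in the report; the
    equivalent 'wmic shadowcopy delete' is included as a well-known variant."""
    img, cl = _basename(ev.image), ev.command_line.lower()
    if img == "vssadmin.exe":
        return "delete" in cl and "shadows" in cl
    if img == "wmic.exe":
        return "shadowcopy" in cl and "delete" in cl
    return False


# Rule name -> (predicate, stage of the chain it evidences), in chain order.
RULES = {
    "office_spawned_shell": (rule_office_spawned_shell, "initial_access"),
    "wmi_spawned_shell": (rule_wmi_spawned_shell, "reconnaissance"),
    "system_scheduled_task": (rule_system_scheduled_task, "persistence"),
    "shadow_copy_deletion": (rule_shadow_copy_deletion, "impact"),
}
STAGE_ORDER = ["initial_access", "reconnaissance", "persistence", "impact"]


def triage(events):
    """Return one hit per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        for name, (pred, stage) in RULES.items():
            if pred(ev):
                hits.append({"pid": ev.pid, "rule": name, "stage": stage,
                             "user": ev.user, "command_line": ev.command_line})
    return hits


def stages_observed(hits):
    """Distinct chain stages seen on the host, in kill-chain order."""
    seen = {h["stage"] for h in hits}
    return [s for s in STAGE_ORDER if s in seen]


def severity(hits) -> str:
    """Shadow-copy deletion alone is critical; otherwise escalate on chain depth."""
    stages = stages_observed(hits)
    if "impact" in stages or len(stages) >= 3:
        return "critical"
    return "high" if stages else "none"


# Constructed sample events (paths, task names and accounts are invented).
SAMPLE_EVENTS = [
    ProcEvent(4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA...",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"CORP\jdoe"),
    ProcEvent(4388, r"C:\Windows\System32\cmd.exe", "cmd.exe /c net view /domain",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"NT AUTHORITY\NETWORK SERVICE"),
    ProcEvent(4512, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "UpdateCheck" /tr "C:\ProgramData\svc.exe" /sc onstart /ru SYSTEM',
              r"C:\Windows\System32\cmd.exe", r"CORP\jdoe"),
    ProcEvent(4600, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet",
              r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM"),
    # Benign look-alikes that must not fire.
    ProcEvent(4701, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe", r"C:\Windows\explorer.exe", r"CORP\jdoe"),
    ProcEvent(4702, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows",
              r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for h in found:
        print(f"pid={h['pid']:<5} {h['rule']:<22} [{h['stage']}] {h['command_line']}")
    print("stages:", stages_observed(found), "severity:", severity(found))
```

Each rule is deliberately narrow and keyed on parent/child relationships and command-line tokens rather than file hashes, so it survives repacking of the binary; in a real deployment the same predicates would be expressed as EDR or SIEM queries over the process-creation feed, with `severity()` driving the escalation path.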

Attribution and Evolution:

Milkyway is assessed as a next-generation ransomware strain likely developed by a sophisticated cybercriminal syndicate. While definitive attribution remains pending, its operational model and code structure resemble established Ransomware-as-a-Service (RaaS) ecosystems, suggesting affiliate-driven deployment.

The evolution of its codebase reflects a broader shift toward “Ransomware 3.0” strategies, where threat actors prioritize targeted, high-GDP regions undergoing rapid digital transformation. The Middle East, particularly the UAE, represents a strategically attractive target due to its dense concentration of financial institutions, energy infrastructure, and digitally connected enterprises.

Active Campaign and Geographic Spread:

Current intelligence indicates targeted activity focused on the UAE and broader GCC region, leveraging the concentration of financial centers and critical infrastructure assets. The UAE’s position as a global logistics and digital gateway enhances its appeal for high-value ransom operations.

Targeted phishing lures referencing regional business contexts and sector-specific terminology suggest deliberate targeting of Middle Eastern organizations, particularly within logistics, healthcare, and energy sectors. While global telemetry confirms broader activity, the concentration of contextualized lures indicates strategic targeting rather than indiscriminate distribution.

Conclusion:

Milkyway ransomware represents a dynamic and high-impact threat requiring a proactive, defense-in-depth security posture across UAE enterprises. Traditional reactive security approaches are insufficient against adversaries capable of evading detection and neutralizing conventional recovery mechanisms.

Organizations must adopt Zero Trust architectures, maintain air-gapped and immutable backups, and ensure strict adherence to national cybersecurity standards. Preparedness, rapid detection, and structured response capabilities remain the most effective defenses against the extortion cycles and operational paralysis associated with this variant.

Impact:

The consequences of a Milkyway ransomware incident extend beyond immediate data encryption. Successful compromise can result in prolonged operational disruption, substantial financial losses, regulatory exposure under national data protection laws, and reputational damage due to sensitive data leaks.

In the UAE context, mandatory breach reporting obligations may trigger regulatory scrutiny and potential penalties. The financial impact is amplified by the region’s higher-than-global-average cost of data breaches. For critical infrastructure and essential services, such incidents may directly threaten business continuity and public trust.

IOC and Context Details:

Topic                  Details
Tactic Name            Impact, Defense Evasion, Persistence, Exfiltration
Technique Name         Data Encrypted for Impact; Inhibit System Recovery; Obfuscated Files or Information
Sub Technique Name     Windows Management Instrumentation (WMI); Virtualization / Sandbox Evasion
Attack Type            Malware
Targeted Applications  Windows Enterprise OS, Microsoft Office, Database Files, WMI, VSSAdmin
Region Impacted        Global & Middle East (UAE, GCC)
Industry Impacted      Finance, Healthcare, Logistics, Manufacturing, Government
IOCs                   Threat detection name: Ransom:Win64/Milkyway.YBG!MTB
                       File extension: .milkyway
CVE                    Not applicable

Recommended Actions:

  • Implement immutable, air-gapped offline backups to ensure data restoration capability even if primary and online backups are compromised.
  • Enforce Multi-Factor Authentication (MFA) across corporate accounts, VPN access, and privileged credentials to mitigate credential-based compromise.
  • Deploy EDR solutions with behavioral detection capable of identifying WMI misuse, anti-debugging routines, and suspicious scheduled task creation.
  • Conduct targeted security awareness training addressing region-specific phishing lures and malicious macro campaigns.
  • Apply the principle of Least Privilege to prevent unauthorized SYSTEM-level access required for network-wide encryption.
  • Ensure operating systems and third-party applications are consistently updated to close vulnerabilities exploited for initial access.
  • Configure advanced email filtering, DNS protection, and web filtering controls to block malicious domains and C2 communications.
  • Develop and regularly test an incident response plan aligned with UAE NESA cybersecurity standards to minimize downtime and ensure regulatory compliance.

Reference:

https://www.cyfirma.com/news/weekly-intelligence-report-06-february-2026/