Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. 

These days, it’s easy to come across new ransomware strains without much effort. But the ransomware threat landscape is far broader than it seems, especially when you dive into the commodity ransomware scene. This type of ransomware is developed by a group that sells a builder to third-party operators, with no formal agreement or contract between them, unlike the more organized Ransomware-as-a-Service (RaaS) model. 

On this side of the fence, we see countless new products appearing on the cybercrime shelf every day. They’re much harder to track, as victims, strains, infrastructure, and builds often have no direct connection to each other. 

Let’s take a look at one of them: Mamona Ransomware. Never heard of it? That’s probably because it’s a new strain but despite its short lifespan, it has already made some noise. It’s been spotted in campaigns run by BlackLock affiliates (who are also linked to Embargo), one of its online builders was exposed and later leaked on the clearnet, and the DragonForce group even stole the main website’s .env file, publishing it on their Dedicated Leak Site on Tor under the headline: “Is this your .env file?” 

So, let’s find out what this is all about. 

Mamona Ransomware: Key Takeaways 

• Emerging threat: Mamona is a newly identified commodity ransomware strain. 

• No external communication: The malware operates entirely offline, with no observed Command and Control (C2) channels or data exfiltration. 

• Local encryption only: All cryptographic processes are executed locally using custom routines, with no reliance on standard libraries. 

• Obfuscated delay technique: A ping to 127[.]0.0[.]7 is used as a timing mechanism, followed by a self-deletion command to minimize forensic traces. 

• False extortion claims: The ransom note threatens data leaks, but analysis confirms there is no actual data exfiltration. 

• File encryption behavior: User files are encrypted and renamed with the .HAes extension; ransom notes are dropped in multiple directories. 

• Decryption available: A working decryption tool was identified and successfully tested, enabling file recovery. 

• Functional, despite poor design: The decrypter features an outdated interface but effectively restores encrypted files. 

This emerging ransomware can be clearly observed within ANY.RUN’s cloud-based sandbox environment. You can explore a full analysis session below for a detailed visual breakdown. 

View analysis session with Mamona ransomware 

Offline and Dangerous: Mamona’s Silent Tactics 

When you hear about ransomware, your first educated guess is usually a threat that comes from the outside, exfiltrates sensitive files, encrypts the local versions, and then demands a ransom. Pretty much the full ransomware cycle. But this one is different. it has no network communication at all, acting surprisingly as a mute ransomware. So far, the only connections it attempts are local, plus one to port 80 (HTTP), where no data is actually sent or received. 

This lack of network communication strongly suggests that the encryption key is either generated locally on the fly or hardcoded within the binary itself. In the medium term, this increases the chances of reverse-engineering a working decrypter which, fortunately, we already have in this case. 

A closer look reveals that the encryptor relies entirely on homemade routines. There are no calls to standard cryptographic libraries, no use of the Windows CryptoAPI, and no references to external modules like OpenSSL. Instead, all cryptographic logic is implemented internally using low-level memory manipulation and arithmetic operations. 

One key routine is located at internal offsets such as 0x40E100. This function is repeatedly called after pushing registers and buffer pointers to the stack and exhibits patterns typical of custom symmetric logic. 

The symmetric structure reinforces the hypothesis of a static or trivially derived key, making Mamona a strong example of commodity ransomware that prioritises simplicity over cryptographic robustness. 

Still, just because this malware doesn’t communicate with external hosts doesn’t mean it can’t cause serious local damage. Let’s take a closer look. 

How Mamona Executes Its Attack 

The first thing Mamona does is execute a ping command as a crude time delay mechanism, chaining it with a self-deletion routine via cmd.exe. 

The use of ping 127[.]0.0[.]7 is a classic trick in commodity malware: instead of using built-in sleep APIs or timers (which can be flagged by behavioural monitoring), the malware sends ping requests to a loopback IP address, effectively pausing execution.  

Interestingly, it uses 127[.]0.0[.]7 instead of the more common 127[.]0.0[.]1, likely as a basic form of obfuscation. It’s still within the reserved localhost block (127[.]0.0[.]0/8) but may bypass simple detection rules that specifically target 127[.]0.0[.]1. 

Once the short delay is complete, the second part of the command attempts to delete the executable from disk using Del /f /q. Since a process can’t delete itself while it’s still running, this whole sequence is executed in a separate shell process. This is a simple but effective form of self-cleanup, aimed at reducing forensic traces post-infection. 

Mamona begins with a straightforward reconnaissance phase, harvesting basic host data like the system’s name and configured language. It then proceeds to drop a ransom note (README.HAes.txt) not only on the Desktop, but recursively inside multiple folders, increasing the chances the victim will see it. 

Following the ransom note deployment, Mamona begins encrypting user files, renaming them with the .HAes extension and making them inaccessible. To reinforce the impact, it changes the system wallpaper to a stark warning: “Your files have been encrypted!” 

The ransom note shares links to a dedicated leak site (DLS) and a victim’s chat support, both on Tor. Also, it states that “we have stolen a significant amount of your important files from your network” and “Refuse to pay: your stolen data will be published publicly” but that actually does not happen, as we discussed earlier. There’s literally no network activity so this seems to be a threat to coerce the victim into paying the ransom. 

But we have an ace up our sleeve. For this engagement, alongside the malware sample, we also managed to obtain a decrypter thanks to Merlax, a friend and fellow malware researcher. Let’s take a look at how it works. 

Undoing Mamona’s Damage 

We’re dealing with a Ctrl-Z in .exe form, so let’s give it a chance and see how it performs. Visually, it’s a mess: the interface looks like a homemade project built with an older version of Visual Studio. UI elements are poorly rendered, often misaligned or clipping outside window boundaries.  

But the backend does its job far better than the frontend, and the files are back to normal. 

By analysing the decrypter, we find an interesting internal function at offset 0x40C270. Much like in the ransomware sample, we observe a series of low-level operations: alignment to 4-byte boundaries (and $0xfffffffc, %ecx), fixed memory offsets (add $0x23), and repeated use of instructions such as mov, lea, and arithmetic operations, all indicative of a custom-built symmetric routine. 

Despite the absence of a traditional XOR operation, the logic appears reversible and consistent with homemade encryption mechanisms. 

We have already infected our test machine and vaccinated it, and we are ready for the next stop on our journey: the ATT&CK Matrix. As usual, ANY.RUN takes care of that automagically. 

Mapping the Threat: Mamona via MITRE ATT&CK 

ANY.RUN’s ATT&CK integration makes it easy to understand and track malware behaviour by profiling its events, tactics, and techniques.  

Let’s take a look at how Mamona’s behaviour fits into this framework: 

• Discovery: T1012: Query Registry + T1082: System Information Discovery. The reconnaissance routine where the malware queries different local registries like hostname and language. 

• Execution: T1059.003: Command and Scripting Interpreter. Since Mamona spawns CMD to invoke ping as a cheap delay mechanism and then moves on to its self-deletion. 

• Defense Evasion: T1070.004: Indicator Removal. The self deletion routine attached to the previous ping command. 

• Impact: T1486: Data Encrypted for Impact. The encryption process where all our files end up having the “.HAes” extension. 

This sums up Mamona’s behavior, which deviates from the usual pattern seen in commodity ransomware. It shows no network activity, no Command and Control channels over Telegram, Discord, or similar platforms. Instead, it relies on a weak, locally executed key generation routine and doesn’t include any form of double extortion, making its threats of data theft and publication purely coercive. 

What it does have is a retro-styled decrypter that, despite its clunky and outdated interface, simply works. 

Mamona Threat Impact 

The Mamona ransomware campaign presents significant risks despite its offline, minimalistic design: 

For end users: Victims face immediate file encryption, system disruption, and psychological pressure through false claims of data theft. The ransom note’s threatening tone adds urgency, even though there’s no actual data exfiltration. 

For organizations: Mamona can interrupt workflows, encrypt shared drives, and complicate incident response, especially in environments lacking offline backups or real-time monitoring. Its simplicity also makes it harder to detect through conventional network-based defenses. 

For security teams: The absence of C2 traffic and use of locally executed logic reduce visibility in traditional detection systems. Its use of basic commands like ping and cmd.exe mimics legitimate activity, requiring deeper behavioral analysis to flag accurately. 

For the broader threat landscape: Mamona exemplifies the rise of easy-to-use, builder-based ransomware that favors simplicity over sophistication. Its leaked builder lowers the entry barrier for attackers, raising concerns about wider adoption by low-skilled threat actors. 

Conclusion 

The analysis of Mamona Ransomware shows how even a quiet, offline threat can cause disruptions.  

This strain highlights a rising trend: ransomware that trades complexity for accessibility. It’s easy to deploy, harder to detect with traditional tools, and still effective enough to encrypt systems and pressure victims into paying. Its leaked builder and low barrier to entry only raise the risk of widespread abuse by less sophisticated attackers. 

By analyzing Mamona in real time using ANY.RUN’s Interactive Sandbox, we were able to capture the full attack chain, from initial execution and system changes to ransom note deployment and encryption logic, all without needing external network traces. 

Here’s how this type of dynamic analysis helps defenders stay ahead: 

• Detect threats faster: Spot unusual behavior, even in offline-only attacks. 

• See everything in motion: Monitor local activity, file operations, and persistence techniques as they happen. 

• Speed up investigations: Gather and interpret IOCs without jumping from one tool to another. 

• Respond more effectively: Share artifacts and tactics across security teams. 

Experience real-time visibility with ANY.RUN and catch threats others might miss. 

Try ANY.RUN’s Interactive Sandbox today 

IOCs 

SHA256:b6c969551f35c5de1ebc234fd688d7aa11eac01008013914dbc53f3e811c7c77 

SHA256:c5f49c0f566a114b529138f8bd222865c9fa9fa95f96ec1ded50700764a1d4e7 

Ext:.HAes 

File:README.HAes.txt 

References 

https://bazaar.abuse.ch/sample/c5f49c0f566a114b529138f8bd222865c9fa9fa95f96ec1ded50700764a1d4e7

https://bazaar.abuse.ch/sample/b6c969551f35c5de1ebc234fd688d7aa11eac01008013914dbc53f3e811c7c77

https://app.any.run/tasks/cdcc75cd-d1f0-4fae-8924-d1aa44525e7e

The post Mamona: Technical Analysis of a New Ransomware Strain appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Earlier this year, Apple announced a string of new initiatives aimed at creating a safer environment for young kids and teens using the company’s devices. Besides making it easier to set up kids’ accounts, the company plans to give parents the option of sharing their children’s age with app developers so as to be able to control what content they show.

Apple says these updates will be made available to parents and developers later this year. In this post, we break down the pros and cons of the new measures. We also touch on what Instagram, Facebook (and the rest of Meta) have to do with it, and discuss how the tech giants are trying to pass the buck on young users’ mental health.

Before the updates: how Apple protects kids right now

Before we talk about Apple’s future innovations, let’s quickly review the parental control status quo on Apple devices. The company introduced its first parental controls way back in June 2009 with the release of the iPhone 3.0, and has been developing them bit by bit ever since.

As things stand, users under 13 must have a special Child Account. These accounts allow parents to access the parental control features built into Apple’s operating systems. Teenagers can continue using a Child Account until the age of 18, as their parents see fit.

Now for the new stuff…

The company has announced a series of changes to its Child Account system related to how parental status is verified. Additionally, it’ll soon be possible to edit a child’s age if it was entered incorrectly. Previously, for accounts of users under 13, it wasn’t even an option: Apple suggested waiting “for the account to naturally age up”. In borderline cases (accounts of kids just under 13), you could try a workaround involving changing the birth date — but such tricks won’t be needed for much longer.

But perhaps the most significant innovation relates to simplifying the creation of these Child Accounts. Henceforth, if parents don’t set up a device before their under-13-year-old starts using it, the child can do it themselves. In this case, Apple will automatically apply age-appropriate web content filters and only allow pre-installed apps, such as Notes, Pages, and Keynote.

Upon visiting the App Store for the first time to download an app, the child will be prompted to ask a parent to complete the setup. On the other hand, until parental consent is given, neither app developers nor Apple itself can collect data on the child.

At this point, even the least tech-savvy parent might ask the logical question: what if my child enters the wrong age during setup? Say, not 10, but 18. Won’t the deepest, darkest corners of the internet be opened up to them?

How Apple intends to solve the age verification issue

The single most substantial of Apple’s new initiatives announced in early 2025 attempts to address the problem of online age verification. The company proposes the following solution: parents will be able to select an age category and authorize sharing this information with app developers during installation or registration.

This way, instead of relying on young users to enter their date-of-birth honestly, developers will be able to use the new Declared Age Range API. In theory, app creators will also be able to use age information to steer their recommendation algorithms away from inappropriate content.

Through the API, developers will only know a child’s age category — not their exact date of birth. Apple has also stated that parents will be able to revoke permission to share age information at any time.

In practice, access to the age category will become yet another permission that young users will be able to give (or, more likely, not give) to apps — just like permissions to access the camera and microphone, or to track user actions across apps.

This is where the main flaw of the proposed solution lies. At present, Apple has given no guarantee that if a user denies permission for age-category access, they won’t be able to use a downloaded app. This decision rests with app developers, as there are no legal consequences for allowing children access to inappropriate content. Moreover, many companies are actively seeking to grow their young audience, since young kids and teens spend a lot of their time online (more on this below).

Finally, let’s mention Apple’s latest innovation: its updating its age-rating system. It will now consist of five categories: 4+, 9+, 13+, 16+, and 18+. In the company’s own words, “This will allow users a more granular understanding of an app’s appropriateness, and developers a more precise way to rate their apps”.

Apple and Meta disagree over who’s responsible for children’s safety online

The problem of verifying a young person’s age online has long been a hot topic. The idea of showing ID every time you want to use an app is, naturally, hardly a crowd-pleaser.

At the same time, taking all users at their word is asking for trouble. After all, even an 11-year-old can figure out how to edit their age in order to register on TikTok, Instagram, or Facebook.

App developers and app stores are all too eager to lay the responsibility for verifying a child’s age at anyone else’s doorstep but their own. Among app developers, Meta is particularly vocal in advocating that age verification is the duty of app stores. And app stores (especially Apple’s) insist that the buck stops with app developers.

Many view Apple’s new initiatives on this matter as a compromise. Meta itself has this to say:

“Parents tell us they want to have the final say over the apps their teens use, and that’s why we support legislation that requires app stores to verify a child’s age and get a parent’s approval before their child downloads an app”.

All very well on paper — but can it be trusted?

Child safety isn’t the priority: why you shouldn’t trust tech giants

Entrusting kids’ online safety to companies that directly profit from the addictive nature of their products doesn’t seem like the best approach. Leaks from Meta, whose statements on Apple’s solution we cited above, have repeatedly shown that the company targets young users deliberately.

For example, in her book Careless People, Sarah Wynne-Williams, former global public policy director at Facebook (now Meta), recounts how in 2017 she learned that the company was inviting advertisers to target teens aged 13 to 17 across all its platforms, including Instagram.

At the time, Facebook was selling the chance to show ads to youngsters at their most psychologically vulnerable — when they felt “worthless”, “insecure”, “stressed”, “defeated”, “anxious”, “stupid”, “useless”, and/or “like a failure”. In practice, this meant, for example, that the company would track when teenage girls deleted selfies to then show them ads for beauty products.

Another leak revealed that Facebook was actively hiring new employees to develop products aimed at kids as young as six, with the goal of expanding its consumer base. It’s all a bit reminiscent of tobacco companies’ best practices back in the 1960s.

Apple has never particularly prioritized kids’ online safety, either. For a long time its parental controls were quite limited, and kids themselves were quick to exploit holes in them.

It wasn’t until 2024 that Apple finally closed a vulnerability allowing kids to bypass controls just by entering a specific nonsensical phrase in the Safari address bar. That was all it took to disable Screen Time controls for Safari — giving kids access to any website. The vulnerability was first reported back in 2021, yet it took three years for the company to react.

Content control: what really helps parents

Child psychology experts agree that unlimited consumption of digital content is bad for children’s psychological and physical health. In his 2024 book The Anxious Generation, US psychologist Jonathan Haidt describes how smartphone and social media use among teenage girls can lead to depression, anxiety, and even self-harm. As for boys, Haidt points to the dangers of overexposure to video games and pornography during their formative years.

Apple may have taken a step in the right direction, but it’ll be for nothing if third-party app developers decide not to play ball. And as the example of Meta illustrates, relying on their honesty and integrity seems premature.

Therefore, despite Apple’s innovations, if you need a helping hand, you’ll find one… at the end of your own arm. If you want to maintain control over what and how much your child consumes online with minimal interference in their life, look no further than our parental control solution.

Kaspersky Safe Kids lets you view reports detailing your child’s activity in apps and online in general. You can use these to customize restrictions and prevent digital addiction by filtering out inappropriate content in search results and, if necessary, blocking specific sites and apps.

What other online threats do kids face, and how to neutralize them? Essential reading:

• Choosing wisely: a guide to your kids’ first gadget
• Back to School Security Tips
• Back-to-school threats: gadgets
• Back-to-school threats: social networking
• Back-to-school threats: virtual classrooms and videoconferencing
• Keeping kids safe: a new variation on an old theme

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

Recently, I was invited to sit on a panel at the CIO4Good Conference here in Washington D.C., where I talked about incident response and cyber preparedness to a room full of CIOs who help lead wonderful missions to help others. I’m incredibly fortunate to be able to volunteer for the NGO community. I’ve been involved with them for a few years now, and it has been a singular experience.  

I sit in a uniquely blessed situation. Cisco Talos is resourced to help protect our customers — we have expertise, tooling and a huge array of diverse security skillsets. A humanitarian assistance or non-governmental organization (NGO) usually has none or very few of these luxuries. If I can take some of my time and experience here at Talos and help others who provide housing to the homeless, protect refugees or feed the hungry, damn right I’m gonna do it. And NGOs? They really need help.  

In today’s global humanitarian funding climate, money and grants are very scarce to come by. This means the competition for the dollars that remain is fierce, and that things like cybersecurity can fall by the wayside. But security in an NGO is incredibly important. We’re talking about incredibly vulnerable and marginalized people who deserve aid, and the amazing volunteers who should have privacy without malicious interference. 

The hard truth is that cybersecurity can be a bleak space. We as professionals do not operate in the “good news” business. We work, and thrive, in adversarial conditions — actively searching for what the bad guys are doing and learning how they are coming after the good guys. They’re launching ransomware. They are extorting and causing real harm to others. This is day in and day out, and it can wear you down mentally. You have to endure and focus on the mission. After all, that’s the gig. 

This is why I enjoy volunteering by either giving some of my time and expertise to a mentee or to an NGO that has an outstanding mission to help others. It puts fuel in your soul and reminds you that others are fighting their own good fights. These organizations are some of the best. They have a thankless, often dangerous, mission to help others have better lives. The way I see it, volunteering is the least I could do. 

If you want to join me, there are some places that could use your help. Check out the Cyber Peace Institute, or Defcon Project Franklin.

The one big thing 

This week is bittersweet because we’re discussing the final section of Talos’ 2024 Year in Review report. Let’s jump into the abyss of AI-based threats together. 

Why do I care? 

AI may not have upended the threat landscape last year, but it’s setting the stage for 2025, where agentic AI and automated vulnerability discovery could pose serious challenges for defenders. The future may bring:

1. The use of agentic AI to conduct multi-stage attacks or find creative ways to access restricted systems 
2. Improved personalization and professionalization of social engineering 
3. Automated vulnerability discovery and exploitation 
4. Capabilities to compromise AI models, systems and infrastructure that organizations around the world are building 

So now what? 

Continue to stay informed and alert, and for more information, read Talos’ blog post about these threats or download the full Year in Review.

Top security headlines of the week 

AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover. The identified security defects, 23 in total, could be exploited over wireless networks and peer–to-peer connections, leading to the complete compromise of not only Apple products, but also third-party devices that use the AirPlay SDK. (SecurityWeek) 

4 Million Affected by VeriSource Data Breach. VeriSource says the stolen information belonged to employees and dependents of companies using its services. It has been working with its customers to “collect the necessary information to notify additional individuals affected by this incident.” (SecurityWeek) 

SAP NetWeaver Visual Composer Flaw Under Active Exploitation. CVE-2025-31324 is a critical vulnerability with a maximum CVSS score of 10 that affects all SAP NetWeaver 7.xx versions. It allows unauthenticated remote attackers to upload arbitrary files to Internet exposed systems without any restrictions. (DarkReading) 

FBI shares massive list of 42,000 LabHost phishing domains. The FBI has shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024. (BleepingComputer)

Can’t get enough Talos? 

State-of-the-art phishing: MFA bypass. Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies.

IR Trends Q1 2025: Phishing soars as identity-based attacks persist. This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.

TTP Episode 11. Craig, Bill and Hazel discuss three of the biggest callouts from Cisco Talos’ latest Incident Response Quarterly Trends.

Talos Takes: Identity and MFA. Hazel and friends discuss how AI isn’t rewriting the cybercrime playbook, but it is turbo charging some of the old tricks, particularly on the social engineering side.

Upcoming events where you can find Talos 

• PIVOTcon (May 7 – 9) Malaga, Spain 
• CTA TIPS 2025 (May 14 – 15)
 Arlington, VA 
• Cisco Connect UK & Ireland (May 20) London, UK 
• BotConf (May 20 – 23) Angers, France 
• Cisco Live U.S. (June 8 – 12) San Diego, CA

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/  
Typical Filename: VID001.exe 
Detection Name: Win.Worm.Bitmin-9847045-0 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: img001.exe 
Detection Name: Simple_Custom_Detection 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: VID001.exe  
Detection Name: Coinminer:MBT.26mw.in14.Talos

Cisco Talos Blog – ​Read More

The flow of new information we’re bombarded with never ebbs. In 2025, you get less and less room in your head for things like the password for the email account you set up back in 2020 to sign your mom up for that online marketplace. On World Password Day, which falls on May 1 this year, we suggest putting in a little effort to combat poor memory, weak passwords, and cybercrooks.

As our experts have repeatedly proven, it’s only a matter of time — and money — before someone targeting your password cracks it. Often, it takes very little time and money, too. Our mission is to complicate cracking your password as much as possible, so hackers lose any desire to go after your data.

Our study last year found that intelligent algorithms — whether running on a powerful graphics card like the RTX 4090 or on inexpensive leased cloud hardware — can crack 59% of all passwords in the world in under an hour. We’re in the middle of that study’s phase two, and we’re about to share whether the situation has changed for the better over the year, so subscribe to our blog or Telegram channel to be among the first to know.

Today’s conversation covers more than just the most secure authentication methods and ways to make strong passwords. We’ll discuss techniques for remembering passwords, and answer the question of why using a password manager in 2025 is a really good idea.

How to sign in more securely in 2025

There are several options for signing in to online services and websites today:

• The traditional login-and-password combination
• Logging in with a third-party service like Google, Facebook, Apple, etc.
• Two-factor authentication using one of the following methods for verification:
  • SMS one-time code
  • Authenticator app like Kaspersky Password Manager, Google Authenticator, or Microsoft Authenticator
  • Hardware key like Flipper, YubiKey, or a USB token
• Passkeys and biometric authentication

Naturally, any of these methods can be compromised (for example, by leaving your hardware token sticking out of the USB port of an unattended computer in a public place), or toughened up (for example, by creating a complex password of more than 20 random characters). And so, as the era of traditional passwords isn’t over just yet, let’s try to figure out how we can improve our current standing by coming up with and memorizing an easy-to-remember password.

How do you remember a complex password?

Before answering this question, let’s recall the basic truths about passwords:

• Recommended length: 12–16 characters.
• A password should use different types of characters: numbers, lowercase and uppercase letters, and special characters.
• A password shouldn’t contain personal information easily traced back to the user.
• A password needs to be unique to each of your accounts.

Got it? Good. Now for the key issue: a complex password is easy to forget; a simple one — easy to crack. To help you achieve a balance between the two, we’ve put together some well-known, but still effective rules for creating easy-to-remember passwords.

Basic level

String together some unrelated words like the ones used in seed phrases when registering crypto wallets. And add a couple of numbers and special characters on the end that are meaningful to you but won’t be easily guessed by an attacker.

Example: DryLandStandGift2015;)

Shorter words are easier to remember, and the number shouldn’t be the year you or a loved one was born. It could be any memorable combination, such as the year you first went to Disneyland, the license plate of your first car, or your wedding date.

Advanced level

Think of a favorite line from a song or a memorable quote from a movie, and then replace, say, every second or third letter with special characters that aren’t in sequential order on the keyboard. Using easily accessible special characters (those you see on your phone’s on-screen keyboard in numeric mode) is handier. This is how you can make a strong password that’s quick to type and makes your life easier.

For example, if you’re a fan of the Harry Potter saga, you may try to use the Avada Kedavra spell for a good cause. Let’s try transforming this killing curse according to the rule above while peppering it generously with capital letters: A!ad@Kd$vr%. At first glance, a password like that looks impossible to remember, but all it takes is a little typing practice. Type it up two or three times, and you’ll see your fingers reaching for the right keys by themselves.

How about entrusting password generation to neural networks?

With the recent surge of ChatGPT and other large language models (LLMs), users have started turning to them for passwords. And it’s easy to see why that would be an appealing option: instead of straining to come up with a strong password, you just ask the AI assistant to generate it — with immediate results. And you can ask to make that password mnemonic if you wish to.

Alas, the danger of using AI as a strong password generator is that it creates combinations of characters that only appear random to the human eye. Passwords generated by AI are not as reliable as they may seem at first glance…

Alexey Antonov, Data Science Team Lead at Kaspersky, who conducted the previous password strength study, has generated a thousand passwords with ChatGPT, Llama, and DeepSeek each. It turned out each model knew that a good password consisted of at least a dozen characters, including both uppercase and lowercase letters, numbers, and special characters. However, DeepSeek and Llama sometimes generated passwords consisting of dictionary words, with some letters replaced with similar-looking numbers or symbols, such as B@n@n@7 or S1mP1eL1on. Amusingly, both models seemed to have a soft spot for the Password password, providing such variations as P@ssw0rd, P@ssw0rd!23, P@ssw0rd1, or P@ssw0rdV.

Needless to say, these are not secure passwords, as intelligent brute-forcing algorithms are well aware of the letter substitution trick. ChatGPT does a better job. Here are some examples of what it came up with:

• qLUx@^9Wp#YZ
• LU#@^9WpYqxZ
• YLU@x#Wp9q^Z
• P@zq^XWLY#v9
• v#@LqYXW^9pz

These seem to be completely random sets of letters, special characters, and numbers. However, if you look closely, you can easily find some patterns. Some characters, for example, 9, W, p, x, and L, are used more often than others. We compiled a character frequency histogram for all generated passwords, and here’s what we found: ChatGPT’s favorite letters are x and p, Llama loves the character # and is partial to p too, while DeepSeek is hooked on t and w. Meanwhile, a perfectly random number generator would never favor any particular letter over others, but use every character roughly an equal number of times, making the passwords less predictable.

In addition, LLMs, like humans, often neglect to insert special characters or numbers into passwords. A lack of these symbols was found in 26% of passwords generated by ChatGPT, 32% of those generated by Llama, and 29% by DeepSeek.

Awareness of these specifics can help cybercriminals bruteforce AI-generated passwords significantly faster. We ran the entire set of AI-generated passwords through the same algorithm we used for the previous study, only to find a discouraging trend: 88% of passwords generated by DeepSeek, and 87% by Llama, proved insufficiently secure. ChatGPT came out on top — with only 33% of its passwords insecure.

Sadly, LLMs don’t create a truly random distribution, and their output is predictable. Besides, they can easily generate the same password for you as for other users. So what should we do?

Combined approach

We recommend using our Password Checker service or, better yet, Kaspersky Password Manager, to generate passwords. These two use cryptographically secure generators to make passwords that don’t contain detectable patterns, which guarantees true randomness. After generating a strong password, you can then come up with a mnemonic phrase to remember it.

Let’s say the password generator gives you the following combination: HSVpk*VR0Gkq#R

Then, a phrase to help you remember the password might look like this: In a high-speed vehicle (HSV), you go over a peak (pk) and see a star (*) in virtual reality (VR). Then you fall at zero gravity (0G) and see the king and queen (kq) behind the bars (#) in a big tower shaped like a chess rook (R).

Only mnemonics can help with this, so we hope you like abstract and absurd imagery. You can also try drawing the scene that describes your password as shown above. Few would be able to understand the picture besides you. That’s an easy way to memorize one password. But what if there are hundreds of them?

How about storing passwords in a browser?

Not a good idea. To address the issue of remembering passwords, browser developers provide options to generate and save passwords right in the browsers. This is naturally very convenient: the browser itself fills in the password for you whenever needed. Unfortunately, a browser is not password manager, and storing passwords there is extremely insecure.

The problem is, cybercriminals figured out a long time ago how to use simple scripts to pull passwords stored in browsers in mere seconds. And the way browsers sync data across different devices in the cloud — such as through a Google account — is a disservice to users. All it takes is to hack or trick someone into giving up the password for that account, and all their other passwords are an open book.

Use a password manager

A real password manager stores all passwords in an encrypted vault. For example, Kaspersky Password Manager stores all your passwords in a vault encrypted with the AES-256 symmetric encryption algorithm, used by the U.S. National Security Agency to store state secrets. The algorithm uses a master password, which only you know (even we don’t know it) as the encryption key. Each time Kaspersky Password Manager is accessed, the app requests this password from you and decrypts the vault for the current session. In this same encrypted vault you can also store other important information such as bank card numbers, document scans, or notes.

Kaspersky Password Manager offers other useful features too:

• It can be used to generate unique and truly random password combinations.
• It can fill in your passwords for you both on computers and mobile devices.
• The app is provided for both major mobile platforms as well as macOS and Windows computers; there are also extensions for popular browsers.
• The password database is synchronized across all your devices in encrypted form.
• You can use it instead of Google Authenticator to generate 2FA codes for all your online accounts.
• It checks if your passwords have been leaked or compromised and alerts you if you need to change any of them.

With Kaspersky Password Manager, all you need do is use the methods described above to come up with and remember one master password, which is used to encrypt the password manager vault. Just remember: you’ll have to memorize this password extremely well, because if you lose it you’re back to square one. No one — not even Kaspersky employees — can access your encrypted vault. We don’t know your master password either.

Let’s recap

So how do you properly handle passwords in 2025?

• Follow the guidelines above to come up with a secure master password, and use our Password Checker service to test its cryptographic strength.
• Can’t think of a strong master password? Create one right there, and use mnemonic rules to memorize it.
• Install Kaspersky Password Manager on all your devices. With this app, you only need to remember the master password. The app will remember the rest for you.
• Use passkeys and various two-factor authentication methods wherever possible — preferably through the app. Combining a strong password with secure authentication methods creates a powerful synergy, which significantly enhances protection against unauthorized access to your accounts.
• Most importantly, read Kaspersky Daily to stay safe.

These posts can help you create the strongest passwords and manage them correctly:

• How to create strong passwords and where to store them
• How hackers can crack your password in an hour
• How to store passwords securely
• Passwords 101: don’t enter your passwords just anywhere they’re asked for
• Kaspersky Password Manager gets a new look

Kaspersky official blog – ​Read More