From 42d8fab8ad0651f1b9ddc2863415e54aef6d3865 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 28 May 2024 08:24:45 +0200
Subject: [PATCH] update ransomware galaxy with ransomlook data
---
 clusters/ransomware.json | 3094 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 3042 insertions(+), 52 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 69fbfe0..7143c4f 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -7658,6 +7658,9 @@
 ".fs0ciety",
 ".dll"
 ],
+ "links": [
+ "http://flock4cvoeqm4c62gyohvmncx6ck2e7ugvyqgyxqtrumklhd5ptwzpqd.onion/"
+ ],
 "payment-method": "No Ransom - No Descrypter",
 "ransomnotes-filenames": [
 "fs0ciety.html",
@@ -7667,7 +7670,8 @@
 "https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-help-support-fs0cietyhtml/",
 "http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/",
 "https://twitter.com/siri_urz/status/795969998707720193",
- "https://id-ransomware.blogspot.com/2016/08/fsociety-ransomware.html"
+ "https://id-ransomware.blogspot.com/2016/08/fsociety-ransomware.html",
+ "https://www.ransomlook.io/group/fsociety"
 ]
 },
 "uuid": "d1e7c0d9-3c96-41b7-a4a2-7eaef64d7b0f",
@@ -11489,7 +11493,11 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/",
 "https://www.bleepingcomputer.com/news/security/synack-ransomware-uses-process-doppelg-nging-technique/",
- "https://id-ransomware.blogspot.com/2017/09/synack-ransomware.html"
+ "https://id-ransomware.blogspot.com/2017/09/synack-ransomware.html",
+ "https://www.zdnet.com/article/synack-ransomware-group-releases-decryption-keys-as-they-rebrand-to-el-cometa",
+ "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/",
+ "https://therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/",
+ "https://www.ransomlook.io/group/synack"
 ],
 "synonyms": [
 "Syn Ack"
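Review bot: The `links` entry added to the fs0ciety cluster looks like it belongs to a different operation than the one the entry describes: the 56-character `flock4…onion` address is a v3 hidden service, a format that did not exist when the 2016 refs in this entry (the id-ransomware post and the November 2016 tweet) were written, and the `ransomlook.io/group/fsociety` ref added in the next hunk presumably tracks the much later extortion group that reuses the name rather than the Mr. Robot-themed locker. Merging ransomlook data by group name alone risks attaching a live leak-site address to a dead 2016 family and misdirecting anyone pivoting on it. Suggest confirming which actor the onion belongs to before keeping the link, and if it is a distinct operation, giving it its own cluster and connecting the two through `related` instead of `links`.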
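Review bot: The zdnet and therecord refs added to the SynAck entry document the rebrand to El_Cometa and the release of master decryption keys, but the `synonyms` array, which begins on the last lines of this hunk and continues outside it, still lists only `"Syn Ack"`, so a lookup on the new name will not resolve to this cluster. Consider adding `"El_Cometa"` to `synonyms`, or, if the rebrand is tracked as a separate cluster elsewhere in the file, a `related` link between the two so the key-release history stays discoverable from either name.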
@@ -13842,7 +13850,300 @@
 "http://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion/Blog"
 ],
 "refs": [
- "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html"
+ "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html",
+ "https://www.zdnet.com/article/revil-ransomware-group-resurfaces-after-brief-hiatus",
+ "https://www.macrumors.com/2021/04/26/revil-delists-stolen-apple-schematics-threat",
+ "https://www.theverge.com/2021/7/22/22589643/ransomware-kaseya-vsa-decryptor-revil",
+ "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html",
+ "https://analyst1.com/file-assets/History-of-REvil.pdf",
+ "https://angle.ankura.com/post/102hcny/revix-linux-ransomware",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version",
+ "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/",
+ "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021",
+ "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
+ "https://github.com/f0wl/REconfig-linux",
+ "https://home.treasury.gov/news/press-releases/jy0471",
+ "https://ke-la.com/will-the-revils-story-finally-be-over/",
+ "https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/",
+ "https://malienist.medium.com/revix-linux-ransomware-d736956150d0",
+ "https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo",
+ "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf",
+ "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf",
+ "https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/",
+ "https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/",
+ "https://threatpost.com/ransomware-revil-sites-disappears/167745/",
+ "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20",
+ "https://twitter.com/IntezerLabs/status/1452980772953071619",
+ "https://twitter.com/VK_Intel/status/1409601311092490248",
+ "https://twitter.com/VK_Intel/status/1409601311092490248?s=20",
+ "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
+ "https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil",
+ "https://www.bbc.com/news/technology-59297187",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/",
+ "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend",
+ "https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/",
+ "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
+ "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment",
+ "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin",
+ "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf",
+ "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/",
+ "https://www.flashpoint-intel.com/blog/revil-disappears-again/",
+ "https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/",
+ "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released",
+ "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://www.youtube.com/watch?v=mDUMpYAOMOo",
+ "https://www.youtube.com/watch?v=ptbNMlWxYnE",
+ "http://www.secureworks.com/research/threat-profiles/gold-southfield",
+ "https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf",
+ "https://asec.ahnlab.com/ko/19640/",
+ "https://asec.ahnlab.com/ko/19860/",
+ "https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/",
+ "https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/",
+ "https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/",
+ "https://blog.amossys.fr/sodinokibi-malware-analysis.html",
+ "https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/",
+ "https://blog.group-ib.com/REvil_RaaS",
+ "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/",
+ "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/",
+ "https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack",
+ "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
+ "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
+ "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
+ "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
+ "https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit",
+ "https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics",
+ "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://community.riskiq.com/article/3315064b",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
+ "https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view",
+ "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf",
+ "https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf",
+ "https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://hatching.io/blog/ransomware-part2",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://intel471.com/blog/changes-in-revil-ransomware-version-2-2",
+ "https://isc.sans.edu/diary/27012",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40",
+ "https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/",
+ "https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80",
+ "https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317",
+ "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f",
+ "https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/",
+ "https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/",
+ "https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/",
+ "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/",
+ "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt",
+ "https://redcanary.com/blog/uncompromised-kaseya/",
+ "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process",
+ "https://securelist.com/ransomware-world-in-2021/102169/",
+ "https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/",
+ "https://securelist.com/sodin-ransomware/91473/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/",
+ "https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html",
+ "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/",
+ "https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/",
+ "https://securityscorecard.com/research/a-detailed-analysis-of-the-last-version-of-revil-ransomware",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/",
+ "https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/",
+ "https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html",
+ "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
+ "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/",
+ "https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/",
+ "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/",
+ "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
+ "https://threatintel.blog/OPBlueRaven-Part1/",
+ "https://twitter.com/Jacob_Pimental/status/1391055792774729728",
+ "https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20",
+ "https://twitter.com/LloydLabs/status/1411098844209819648",
+ "https://twitter.com/R3MRUM/status/1412064882623713283",
+ "https://twitter.com/SophosLabs/status/1412056467201462276",
+ "https://twitter.com/SophosLabs/status/1413616952313004040?s=20",
+ "https://twitter.com/SyscallE/status/1411074271875670022",
+ "https://twitter.com/VK_Intel/status/1374571480370061312?s=20",
+ "https://twitter.com/VK_Intel/status/1411066870350942213",
+ "https://twitter.com/_alex_il_/status/1412403420217159694",
+ "https://twitter.com/fwosar/status/1411281334870368260",
+ "https://twitter.com/fwosar/status/1420119812815138824",
+ "https://twitter.com/resecurity_com/status/1412662343796813827",
+ "https://twitter.com/svch0st/status/1411537562380816384",
+ "https://unit42.paloaltonetworks.com/prometheus-ransomware/",
+ "https://unit42.paloaltonetworks.com/revil-threat-actors/",
+ "https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://velzart.nl/blog/ransomeware/",
+ "https://vimeo.com/449849549",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.acronis.com/en-sg/articles/sodinokibi-ransomware/",
+ "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
+ "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs",
+ "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights",
+ "https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent",
+ "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel",
+ "https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom",
+ "https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/",
+ "https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/",
+ "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/",
+ "https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/",
+ "https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/",
+ "https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/",
+ "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/",
+ "https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/",
+ "https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://www.certego.net/en/news/malware-tales-sodinokibi/",
+ "https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html",
+ "https://www.connectwise.com/resources/revil-profile",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/",
+ "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
+ "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/",
+ "https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.cyjax.com/2021/07/09/revilevolution/",
+ "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/",
+ "https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/",
+ "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
+ "https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422",
+ "https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego",
+ "https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter",
+ "https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain",
+ "https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged",
+ "https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/",
+ "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/",
+ "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/",
+ "https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/",
+ "https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/",
+ "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions",
+ "https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis",
+ "https://www.grahamcluley.com/travelex-paid-ransom/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
+ "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
+ "https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident",
+ "https://www.ironnet.com/blog/ransomware-graphic-blog",
+ "https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas",
+ "https://www.kaseya.com/potential-attack-on-kaseya-vsa/",
+ "https://www.kpn.com/security-blogs/Tracking-REvil.htm",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://www.netskope.com/blog/netskope-threat-coverage-revil",
+ "https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/",
+ "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/",
+ "https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence?linkId=164334801",
+ "https://www.secureworks.com/blog/revil-the-gandcrab-connection",
+ "https://www.secureworks.com/research/lv-ransomware",
+ "https://www.secureworks.com/research/revil-sodinokibi-ransomware",
+ "https://www.secureworks.com/research/threat-profiles/gold-southfield",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html",
+ "https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004",
+ "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html",
+ "https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html",
+ "https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html",
+ "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/",
+ "https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.youtube.com/watch?v=P8o6GItci5w",
+ "https://www.youtube.com/watch?v=QYQQUUpU04s",
+ "https://www.youtube.com/watch?v=l2P5CMH9TE0",
+ "https://www.youtube.com/watch?v=tZVFMVm5GAk",
+ "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/",
+ "https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/",
+ "https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload",
+ "https://www.ransomlook.io/group/revil"
 ],
 "synonyms": [
 "REvil",
@@ -13887,7 +14188,35 @@
 "payment-method": "Bitcoin",
 "price": "1000 $",
 "refs": [
- "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections"
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections",
+ "http://www.secureworks.com/research/threat-profiles/gold-mansard",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b",
+ "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw",
+ "https://securelist.com/evolution-of-jsworm-ransomware/102428/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet",
+ "https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/",
+ "https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/",
+ "https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html",
+ "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/",
+ "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/",
+ "https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.ransomlook.io/group/nemty"
 ]
 },
 "related": [
@@ -13961,7 +14290,84 @@
 ],
 "refs": [
 "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer",
+ "https://aithority.com/security/doppelpaymer-ransomware-attack-sinks-a-global-motor-companys-20-million",
+ "https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding",
+ "http://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c",
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://redcanary.com/blog/grief-ransomware/",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://techcrunch.com/2020/03/01/visser-breach/",
+ "https://twitter.com/AltShiftPrtScn/status/1385103712918642688",
+ "https://twitter.com/BrettCallow/status/1453557686830727177?s=20",
+ "https://twitter.com/vikas891/status/1385306823662587905",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/",
+ "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/",
+ "https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.ic3.gov/Media/News/2020/201215-1.pdf",
+ "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html",
+ "https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/",
+ "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
+ "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.ransomlook.io/group/doppelpaymer"
 ],
 "synonyms": [
 "Pay OR Grief",
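Review bot: The added `refs` from `http://www.secureworks.com/research/threat-profiles/gold-drake` onward appear to document BitPaymer, Indrik Spider, WastedLocker and Hades rather than DoppelPaymer itself (for example `.../big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/` and `.../hades-ransomware-successor-to-indrik-spiders-wastedlocker/`), so a reader can no longer tell which family a given reference describes; the Maze hunk below shows the same pattern with Egregor, DarkSide and Sodinokibi material. If the upstream ransomlook group folds several families into one entry, keeping those references on their own clusters and expressing the link through the `related` entries this file already uses would preserve the one-family-per-cluster reading. The enclosing cluster object begins and ends outside the hunk.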
@@ -13994,7 +14400,116 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze",
 "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
- "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us"
+ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us",
+ "https://techcrunch.com/2020/11/02/maze-ransomware-group-shutting-down",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "http://www.secureworks.com/research/threat-profiles/gold-village",
+ "https://adversary.crowdstrike.com/adversary/twisted-spider/",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
+ "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
+ "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
+ "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
+ "https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html",
+ "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
+ "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
+ "https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html",
+ "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f",
+ "https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/",
+ "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
+ "https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U",
+ "https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/",
+ "https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/",
+ "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/",
+ "https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/",
+ "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://oag.ca.gov/system/files/Letter%204.pdf",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf",
+ "https://securelist.com/maze-ransomware/99137/",
+ "https://securelist.com/targeted-ransomware-encrypting-data/99255/",
+ "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
+ "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/",
+ "https://twitter.com/certbund/status/1192756294307995655",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/",
+ "https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/",
+ "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/",
+ "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/",
+ "https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
+ "https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/",
+ "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.docdroid.net/dUpPY5s/maze.pdf",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-village",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/",
+ "https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/",
+ "https://www.ransomlook.io/group/maze"
 ]
 },
 "related": [
@@ -14057,7 +14572,80 @@
 ],
 "refs": [
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://blog.malwarebytes.com/malwarebytes-news/2021/02/clop-targets-execs-ransomware-tactics-get-another-new-twist",
+ "https://unit42.paloaltonetworks.com/clop-ransomware",
+ "https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html",
+ "https://asec.ahnlab.com/en/19542/",
+ "https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf",
+ "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
+ "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://github.com/Tera0017/TAFOF-Unpacker",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/",
+ "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/",
+ "https://twitter.com/darb0ng/status/1338692764121251840",
+ "https://unit42.paloaltonetworks.com/clop-ransomware/",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
+ "https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks",
+ "https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/",
+ "https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/",
+ "https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/",
+ "https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
+ "https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html",
+ "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/",
+ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
+ "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
+ "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e",
+ "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html",
+ "https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
+ "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
+ "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop",
+ "https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever",
+ "https://www.youtube.com/watch?v=PqGaZgepNTE",
+ "https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/",
+ "https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.ransomlook.io/group/clop"
 ]
 },
 "uuid": "21b349c3-ede2-4e11-abda-1444eb272eff",
@@ -14161,7 +14749,26 @@
 "https://robinhoodleaks.tumblr.com"
 ],
 "refs": [
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/",
+ "https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://goggleheadedhacker.com/blog/post/12",
+ "https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/",
+ "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/",
+ "https://twitter.com/VK_Intel/status/1121440931759128576",
+ "https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/",
+ "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
+ "https://www.ransomlook.io/group/robinhood"
 ],
 "synonyms": [
 "HelpYemen"
@@ -14250,7 +14857,39 @@
 "refs": [
 "https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-002.pdf",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf",
+ "https://www.ic3.gov/Media/News/2021/210316.pdf",
+ "https://blog.malwarebytes.com/threat-spotlight/2021/03/pysa-the-ransomware-attacking-schools",
+ "http://www.secureworks.com/research/threat-profiles/gold-burlap",
+ "https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/",
+ "https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat",
+ "https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://twitter.com/campuscodi/status/1347223969984897026",
+ "https://twitter.com/inversecos/status/1456486725664993287",
+ "https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/",
+ "https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/",
+ "https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf",
+ "https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis",
+ "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/",
+ "https://www.ransomlook.io/group/pysa"
 ],
 "synonyms": [
 "Pyza",
@@ -14313,7 +14952,19 @@
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-campaign-targets-qnap-nas-devices/",
- "https://www.anomali.com/blog/the-ech0raix-ransomware"
+ "https://www.anomali.com/blog/the-ech0raix-ransomware",
+ "https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/",
+ "https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf",
+ "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
+ "https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/",
+ "https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/",
+ "https://www.ibm.com/downloads/cas/Z81AVOY7",
+ "https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/",
+ "https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/",
+ "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
+ "https://www.qnap.com/en/security-advisory/QSA-20-02",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://www.ransomlook.io/group/ech0raix"
 ]
 },
 "uuid": "f3ded787-783e-4c6b-909a-8da01254380c",
@@ -14371,7 +15022,31 @@ "refs": [ "https://www.acronis.com/en-us/blog/posts/suncrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware", "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/", - "https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/" + "https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/", + "https://www.tetradefense.com/incident-response-services/cause-and-effect-suncrypt-ransomware-analysis", + "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt", + "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", + "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", + "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", + "https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022", + "https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", + "https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83", + "https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc", + "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a", + "https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + 
"https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/", + "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/", + "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", + "https://www.ransomlook.io/group/suncrypt" ], "synonyms": [ "Sun", 
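Review bot: The added `"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3"` reference is a live, owner-editable document with no visible author or title, so it cannot serve as a stable or attributable citation in a threat-intel galaxy that other tools ingest; the same sheet is appended to the LockBit, DarkSide and RansomEXX clusters in this commit. I would replace it with an archived snapshot (web.archive.org) that names the source, or drop it, and apply the same rule to the opaque `"https://cdn.pathfactory.com/assets/10555/contents/394789/…pdf"` asset, which presumably is a vendor report but cannot be identified from the URL. The enclosing SunCrypt cluster object starts and ends outside this hunk.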
@@ -14399,7 +15074,124 @@ ], "refs": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/", - "https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware" + "https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware", + "https://blog.compass-security.com/2022/03/vpn-appliance-forensics/", + "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", + "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf", + "https://security.packt.com/understanding-lockbit/", + "https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/", + "https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/", + "https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/", + "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/", + "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants", + "https://www.ic3.gov/Media/News/2022/220204.pdf", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", + "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", + "https://amgedwageh.medium.com/lockbit-ransomware-analysis-notes-93a542fc8511", + "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", + "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", + "https://asec.ahnlab.com/en/35822/", + "https://asec.ahnlab.com/ko/39682/", + 
"https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/", + "https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/", + "https://blog.lexfo.fr/lockbit-malware.html", + "https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness", + "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities", + "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", + "https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/", + "https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/", + "https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf", + "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://id-ransomware.blogspot.com/search?q=lockbit", + "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker", + "https://intel471.com/blog/privateloader-malware", + "https://ke-la.com/lockbit-2-0-interview-with-russian-osint/", + "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511", + "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", + "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a", + "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", + 
"https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/", + "https://redcanary.com/blog/intelligence-insights-november-2021/", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack", + "https://securelist.com/modern-ransomware-groups-ttps/106824/", + "https://securelist.com/new-ransomware-trends-in-2022/106457/", + "https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/", + "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments", + "https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/", + "https://skyblue.team/posts/hive-recovery-from-lockbit-2.0/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf", + "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354", + "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421", + "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", + "https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/", + "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/", + 
"https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/", + "https://twitter.com/MsftSecIntel/status/1522690116979855360", + "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor", + "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/", + "https://unit42.paloaltonetworks.com/lockbit-2-ransomware/", + "https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions", + "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/", + "https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/", + "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/", + "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/", + "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", + "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/", + "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", + "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/", + "https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/", + "https://www.connectwise.com/resources/lockbit-profile", + "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve", + "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + 
"https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/", + "https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion", + "https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware", + "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool", + "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://www.dr.dk/nyheder/viden/teknologi/frygtede-skulle-lukke-alle-vindmoeller-nu-aabner-vestas-op-om-hacking-angreb", + "https://www.glimps.fr/lockbit3-0/", + "https://www.intrinsec.com/alphv-ransomware-gang-analysis", + "https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://www.netskope.com/blog/netskope-threat-coverage-lockbit", + "https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf", + "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", + 
"https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", + "https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/", + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility", + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt", + "https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", + "https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html", + "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", + "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.youtube.com/watch?v=C733AyPzkoc", + "https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/", + 
"https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/", + "https://www.ransomlook.io/group/lockbit" ], "synonyms": [ "ABCD ransomware" 
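Review bot: The merged refs array contains several duplicates that differ only in URL form, which suggests the ransomlook import was not normalised before being appended: `crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1` and `…part-1/`, `sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility` and `…utility/`, the Microsoft `ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself` post with and without trailing slash, the same analysis via `amgedwageh.medium.com/…` and `medium.com/@amgedwageh/…`, and the same Trend Micro post under `en_no/` and `en_us/`. `"https://id-ransomware.blogspot.com/search?q=lockbit"` is a search query rather than a citation and will return different content over time. I would canonicalise each URL (strip trailing slash and query/tracking parameters, lower-case the host) and de-duplicate before writing the array, so consumers that key on refs do not count one source twice. The enclosing LockBit cluster object starts and ends outside this hunk.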
@@ -14458,7 +15250,188 @@ "refs": [ "https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/", "https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/", - "https://darksidedxcftmqa.onion.foundation/" + "https://darksidedxcftmqa.onion.foundation/", + "https://www.tripwire.com/state-of-security/featured/blackmatter-pose-new-ransomware-threat", + "https://venturebeat.com/2021/08/23/sophoslabs-research-shows-blackmatter-ransomware-is-closely-acquainted-with-darkside", + "https://blog.group-ib.com/blackmatter#", + "https://blog.group-ib.com/blackmatter2", + "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service", + "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", + "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751", + "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d", + "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2", + "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html", + "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/", + "https://twitter.com/GelosSnake/status/1451465959894667275", + "https://twitter.com/VK_Intel/status/1423188690126266370", + "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor", + "https://us-cert.cisa.gov/ncas/alerts/aa21-291a", + 
"https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/", + "https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/", + "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", + "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group", + "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf", + "https://www.mandiant.com/resources/chasing-avaddon-ransomware", + "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", + "https://www.youtube.com/watch?v=NIiEcOryLpI", + "https://assets.virustotal.com/reports/2021trends.pdf", + "https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html", + "https://blog.minerva-labs.com/blackmatter", + "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", + "https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/", + "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", + 
"https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/", + "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf", + "https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps", + "https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/", + "https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/", + "https://www.glimps.fr/lockbit3-0/", + "https://www.mandiant.com/resources/cryptography-blackmatter-ransomware", + "https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/", + "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://www.netskope.com/blog/netskope-threat-coverage-blackmatter", + "https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", + 
"https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", + "https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/", + "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/", + "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html", + "https://www.varonis.com/blog/blackmatter-ransomware/", + "http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/", + "http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/", + "https://asec.ahnlab.com/en/34549/", + "https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/", + "https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/", + "https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/", + "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html", + "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections", + "https://brandefense.io/darkside-ransomware-analysis-report/", + "https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/", + "https://community.riskiq.com/article/fdf74f23", + "https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6", + "https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf", + "https://github.com/sisoma2/malware_analysis/tree/master/blackmatter", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html", + 
"https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", + "https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/", + "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b", + "https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/", + "https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/", + "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted", + "https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/", + "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf", + "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", + "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", + "https://therecord.media/popular-hacking-forum-bans-ransomware-ads/", + "https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/", + "https://threatpost.com/guess-fashion-data-loss-ransomware/167754/", + "https://twitter.com/JAMESWT_MHT/status/1388301138437578757", + "https://twitter.com/ValthekOn/status/1422385890467491841?s=20", + "https://twitter.com/sysopfb/status/1422280887274639375", + "https://unit42.paloaltonetworks.com/darkside-ransomware/", + "https://us-cert.cisa.gov/ncas/alerts/aa21-131a", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a", + "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", + 
"https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://www.acronis.com/en-us/articles/darkside-ransomware/", + "https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution", + "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", + "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/", + "https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/", + "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", + "https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/", + "https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom", + "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", + 
"https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/", + "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/", + "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/", + "https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://www.databreaches.net/a-chat-with-darkside/", + "https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968", + "https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/", + "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/", + "https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/", + "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin", + "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/", + "https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", + "https://www.ic3.gov/Media/News/2021/211101.pdf", + "https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack", + "https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime", + 
"https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/", + "https://www.mandiant.com/resources/burrowing-your-way-into-vpns", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/", + "https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#", + "https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/", + "https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/", + "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", + "https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/", + "https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/", + "https://www.secjuice.com/blue-team-detection-darkside-ransomware/", + "https://www.secureworks.com/research/threat-profiles/gold-waterfall", + "https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/", + "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", + "https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html", + "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/", + "https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", + "https://www.varonis.com/blog/darkside-ransomware/", + "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636", + 
"https://www.youtube.com/watch?v=qxPXxWMI2i4", + "https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html", + "https://zawadidone.nl/darkside-ransomware-analysis/", + "https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside", + "https://www.ransomlook.io/group/blackmatter", + "https://blog.qualys.com/vulnerabilities-threat-research/2021/06/09/darkside-ransomware", + "https://www.varonis.com/blog/darkside-ransomware", + "https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212", + "https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version", + "https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/", + "https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9", + "https://pylos.co/2021/05/13/mind-the-air-gap/", + "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/", + "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/", + "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/", + "https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/", + "https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access", + "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", + "https://www.ransomlook.io/group/darkside" ], "synonyms": [ "BlackMatter" 
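Review bot: The DarkSide refs array now carries the same source more than once under cosmetically different URLs: `crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/` both bare and with `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout`, `chuongdong.com/…/DarksideRansomware/` over both `http://` and `https://`, `varonis.com/blog/darkside-ransomware` with and without trailing slash, `zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html` alongside `zawadidone.nl/darkside-ransomware-analysis/`, and the Microsoft gig-economy post with and without trailing slash. Tracking parameters in particular should be stripped before import, since they add nothing to attribution and leak the aggregator's click path to the publisher each time a consumer follows the link. The cleartext `http://chuongdong.com/…` entry can simply be dropped in favour of its `https://` twin; I would not change the scheme of `http://ti.dbappsecurity.com.cn/…` without checking it is served over TLS. The enclosing cluster object, which already lists `"BlackMatter"` as a synonym, starts and ends outside this hunk.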
@@ -14479,7 +15452,8 @@
 ".0s"
 ],
 "links": [
- "http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/"
+ "http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/",
+ "http://zubllg7o774lgc4rdxmfcfpjewfkqa7ml7gxwl5fetogc7hbkvaprhid.onion/"
 ],
 "ransomnotes": [
 "Greetings, Texas Department of Transportation!\nRead this message CAREFULLY and contact someone from IT department..\nYour files are securely ENCRYPTED.\nNo third party decryption software EXISTS.\nMODIFICATION or RENAMING encrypted files may cause decryption failure.\nYou can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all Files\nFrom all aFFected systems ANY TIME.\nEncrypted File SHOULD NOT contain sensitive inFormation (technical, backups, databases, large documents).\nThe rest oF data will be available aFter the PAYMENT.\ninfrastructure rebuild will cost you MUCH more.\nContact us ONLY if you officially represent the whole affected network.\nThe ONLY attachments we accept are non archived encrypted files For test decryption.\nSpeak ENGLISH when contacting us.\nMail us: ***@protonmail.com\nWe kindly ask you not to use GMAIL, YAHOO or LIVE to contact us.\nThe PRICE depends on how quickly you do it. "
@@ -14500,7 +15474,38 @@
 "https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/",
 "https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/",
 "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4/",
- "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/"
+ "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/",
+ "https://www.bleepingcomputer.com/news/security/computer-hardware-giant-gigabyte-hit-by-ransomexx-ransomware",
+ "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware",
+ "https://www.infosecurity-magazine.com/news/aerospace-giant-embraer-hit",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf",
+ "https://www.ic3.gov/Media/News/2021/211101.pdf",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://www.youtube.com/watch?v=qxPXxWMI2i4",
+ "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
+ "https://medium.com/proferosec-osm/ransomexx-fixing-corrupted-ransom-8e379bcaf701",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
+ "https://www.ransomlook.io/group/ransomexx"
 ],
 "synonyms": [
 "Ransom X",
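Review bot: Several of the refs added to the RansomEXX entry are the same article under a second URL, e.g. `"https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4"` next to the existing `.../vatet-pyxie-defray777/4/`, and `"https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/"` once bare and once with `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout` appended. Normalising imported refs before merging (strip tracking query parameters, canonicalise the trailing slash, then dedupe) would keep these lists clean; the web.archive.org copies are legitimately distinct and should stay. The same pattern appears in the RagnarLocker hunk (the Sophos virtual-machine post with and without trailing slash, four variants of the reversing.fun / blog.reversing.xyz unpacking post, the CrowdStrike double-trouble post twice), the Nefilim hunk (`en_nz` and `en_us` copies of the Trend Micro attack story) and the Snatch hunk (the Intel 471 TA505 history under both `blog.intel471.com` and `intel471.com`).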
@@ -14549,7 +15554,55 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/",
 "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
- "https://www.cybersecurity-insiders.com/ransomware-attack-makes-cwt-pay-4-5-million-in-bitcoins-to-hackers/"
+ "https://www.cybersecurity-insiders.com/ransomware-attack-makes-cwt-pay-4-5-million-in-bitcoins-to-hackers/",
+ "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security",
+ "https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-leak-data-if-victim-contacts-fbi-police",
+ "https://twitter.com/malwrhunterteam/status/1475568201673105409",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html",
+ "http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html",
+ "http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/",
+ "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
+ "https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/",
+ "https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/",
+ "https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html",
+ "https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html",
+ "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/",
+ "https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://securelist.com/targeted-ransomware-encrypting-data/99255/",
+ "https://seguranca-informatica.pt/ragnar-locker-malware-analysis/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://twitter.com/AltShiftPrtScn/status/1403707430765273095",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
+ "https://www.acronis.com/en-sg/articles/ragnar-locker/",
+ "https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/",
+ "https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/",
+ "https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/",
+ "https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/",
+ "https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.ic3.gov/Media/News/2022/220307.pdf",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/",
+ "https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf",
+ "https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/",
+ "https://www.ransomlook.io/group/ragnarlocker"
 ],
 "synonyms": [
 "RagnarLocker"
@@ -15011,6 +16064,14 @@
 },
 {
 "description": "Ransomware",
+ "meta": {
+ "links": [
+ "http://black3gnkizshuynieigw6ejgpblb53mpasftzd6pydqpmq2vn2xf6yd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/blackout"
+ ]
+ },
 "uuid": "b05ae01a-bcc4-4642-a165-40b503ad260f",
 "value": "Blackout"
 },
@@ -21179,6 +22240,26 @@
 "date": "December 2020",
 "links": [
 "http://ixltdyumdlthrtgx.onion"
+ ],
+ "refs": [
+ "http://www.secureworks.com/research/threat-profiles/gold-winter",
+ "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
+ "https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/",
+ "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://twitter.com/inversecos/status/1381477874046169089?s=20",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware",
+ "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
+ "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
+ "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure",
+ "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
+ "https://www.ransomlook.io/group/hades"
 ]
 },
 "related": [
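Review bot: The new Hades refs mix plain HTTP and HTTPS for the same publisher: `"http://www.secureworks.com/research/threat-profiles/gold-winter"` sits in the same list as `"https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure"`. A threat-intel reference should be recorded as `"https://www.secureworks.com/research/threat-profiles/gold-winter",` so that consumers following it are not handed a downgradeable link, and the Twitter ref's `?s=20` share-tracking suffix carries no information and can be dropped at import time. The Nefilim hunk adds the same kind of entry, `http://www.secureworks.com/research/threat-profiles/gold-mansard`, and presumably the same normalisation step would fix both.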
@@ -21954,6 +23035,40 @@
 "meta": {
 "links": [
 "http://hxt254aygrsziejn.onion"
+ ],
+ "refs": [
+ "https://www.zdnet.com/article/a-deep-dive-into-nefilim-a-double-extortion-ransomware-group",
+ "https://www.trendmicro.com/en_nz/research/21/f/nefilim-modern-ransomware-attack-story.html",
+ "http://www.secureworks.com/research/threat-profiles/gold-mansard",
+ "https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf",
+ "https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html",
+ "https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/",
+ "https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://securelist.com/evolution-of-jsworm-ransomware/102428/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/",
+ "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
+ "https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html",
+ "https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://www.ransomlook.io/group/nefilim"
 ]
 },
 "related": [
@@ -22263,6 +23378,35 @@
 "meta": {
 "links": [
 "http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion"
+ ],
+ "refs": [
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/",
+ "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/",
+ "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
+ "https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/",
+ "https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/",
+ "https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.group-ib.com/blog/prolock",
+ "https://www.group-ib.com/blog/prolock_evolution",
+ "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
+ "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
+ "https://www.intrinsec.com/egregor-prolock/",
+ "https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.ransomlook.io/group/prolock"
 ]
 },
 "related": [
@@ -22822,7 +23966,25 @@
 "meta": {
 "links": [
 "http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion",
- "https://snatch.press/"
+ "https://snatch.press/",
+ "https://snatchteam.cc",
+ "https://snatchnews.top/"
+ ],
+ "refs": [
+ "https://t.me/snatch_news",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://twitter.com/VK_Intel/status/1191414501297528832",
+ "https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/",
+ "https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
+ "https://www.ransomlook.io/group/snatch"
 ]
 },
 "uuid": "1a58eeac-26dc-40e6-8182-22cd461ba736",
@@ -23708,6 +24870,10 @@
 "meta": {
 "links": [
 "http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion"
+ ],
+ "refs": [
+ "https://medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81",
+ "https://www.ransomlook.io/group/exorcist"
 ]
 },
 "uuid": "b8b0933a-896a-45d1-8284-ebc55dff1f98",
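Review bot: `"https://t.me/snatch_news"` is placed under `refs` in the Snatch entry, but it is the group's own channel rather than third-party reporting, so it belongs in `links` next to the `snatchteam.cc` and `snatchnews.top` sites this hunk adds there. The distinction matters for consumers that read `refs` as analysis to cite and `links` as actor infrastructure to monitor or block; a threat actor's channel filed as a reference would be missed by the latter. Separately, the two new clearnet links are inconsistent about the trailing slash (`"https://snatchteam.cc"` vs `"https://snatchnews.top/"`), which will defeat exact-match deduplication on later imports.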
@@ -23835,7 +25001,199 @@
 "refs": [
 "https://www.cyber.gov.au/acsc/view-all-content/advisories/2021-010-acsc-ransomware-profile-conti",
 "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines",
+ "https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442",
+ "https://unit42.paloaltonetworks.com/conti-ransomware-gang",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/",
+ "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
+ "https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures",
+ "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html",
+ "https://www.youtube.com/watch?v=cYx7sQRbjGA",
+ "http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/",
+ "https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed",
+ "https://arcticwolf.com/resources/blog/karakurt-web",
+ "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf",
+ "https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked",
+ "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
+ "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware",
+ "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles",
+ "https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html",
+ "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html",
+ "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger",
+ "https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/",
+ "https://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html",
+ "https://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html",
+ "https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html",
+ "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
+ "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my",
+ "https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
+ "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
+ "https://github.com/TheParmak/conti-leaks-englished",
+ "https://github.com/cdong1012/ContiUnpacker",
+ "https://github.com/whichbuffer/Conti-Ransomware-IOC",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://intel471.com/blog/conti-leaks-cybercrime-fire-team",
+ "https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding",
+ "https://intel471.com/blog/shipping-companies-ransomware-credentials",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/",
+ "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
+ "https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf",
+ "https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/",
+ "https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b",
+ "https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8",
+ "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
+ "https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/",
+ "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/",
+ "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/",
+ "https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/",
+ "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
+ "https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/",
+ "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/",
+ "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
+ "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
+ "https://securelist.com/luna-black-basta-ransomware/106950",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html",
+ "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf",
+ "https://share.vx-underground.org/Conti/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://thedfirreport.com/2021/05/12/conti-ransomware/",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
+ "https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/",
+ "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/",
+ "https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/",
+ "https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/",
+ "https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/",
+ "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
+ "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
+ "https://twitter.com/AltShiftPrtScn/status/1417849181012647938",
+ "https://twitter.com/AltShiftPrtScn/status/1423188974298861571",
+ "https://twitter.com/TheDFIRReport/status/1498642512935800833",
+ "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
+ "https://unit42.paloaltonetworks.com/conti-ransomware-gang/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-265a",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
+ "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
+ "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir",
+ "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups",
+ "https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement",
+ "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573",
+ "https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/",
+ "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/",
+ "https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/",
+ "https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/",
+ "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/",
+ "https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/",
+ "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
+ "https://www.connectwise.com/resources/conti-profile",
+ "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
+ "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
+ "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
+ "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware",
+ "https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/",
+ "https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
+ "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/",
+ "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/",
+ "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html",
+ "https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
+ "https://www.ic3.gov/Media/News/2021/210521.pdf",
+ "https://www.ironnet.com/blog/ransomware-graphic-blog",
+ "https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf",
+ "https://www.mbsd.jp/research/20210413/conti-ransomware/",
+ "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf",
+ "https://www.prevailion.com/what-wicked-webs-we-unweave/",
+ "https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf",
+ "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
+ "https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia",
+ "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/",
+ "https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.threatstop.com/blog/conti-ransomware-source-code-leaked",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
+ 
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti", + "https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider", + "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", + "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", + "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2", + "https://www.youtube.com/watch?v=hmaWy9QIC7c", + "https://www.youtube.com/watch?v=uORuVVQzZ0A", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks", + "https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/", + "https://www.ransomlook.io/group/conti" ] }, "related": [ 
@@ -24025,6 +25383,19 @@
 "date": "November 2020",
 "links": [
 "http://pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion/"
+ ],
+ "refs": [
+ "https://research.checkpoint.com/2020/ransomware-alert-pay2key",
+ "https://www.twitter.com/p2ktwtacc",
+ "https://keybase.io/pay2key",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://research.checkpoint.com/2020/ransomware-alert-pay2key/",
+ "https://twitter.com/TrendMicroRSRCH/status/1389422784808378370",
+ "https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/",
+ "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.ransomlook.io/group/pay2key"
 ]
 },
 "uuid": "678bc24d-a5c3-4ddd-9292-40958afa3492",
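Review bot: The new refs array holds the same reference twice, `https://research.checkpoint.com/2020/ransomware-alert-pay2key` and the same URL with a trailing slash, which suggests the ransomlook merge compares strings verbatim. Normalising each URL before the merge (trim surrounding whitespace, drop a trailing slash, compare the host case-insensitively) would avoid this; the same near-duplicates appear in the ALPHV, Pandora and Rook hunks (the Microsoft 2022/05/09 blog post with and without a slash, `dissectingmalwa.re/blog/pandora` twice, the SentinelOne Rook analysis twice), and in the links arrays where a trimmed copy is appended beside the whitespace-padded original (Abraham's Ax, the hunk at old line 25263, Avaddon) or an `http://` copy beside an existing `https://` onion address (hunk at old line 24979). For the padded entries the padded original should be replaced by its trimmed form rather than kept alongside it, since consumers matching on the link value otherwise see two distinct strings for one site.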
@@ -24101,6 +25472,36 @@
 "links": [
 "http://3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion"
 ],
+ "refs": [
+ "https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
+ "https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
+ "https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/",
+ "https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html",
+ "https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html",
+ "https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/",
+ "https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7",
+ "https://twitter.com/fwosar/status/1359167108727332868",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/",
+ "https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
+ "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/",
+ "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/",
+ "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
+ "https://www.ic3.gov/Media/News/2021/211029.pdf",
+ "https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/",
+ "https://www.ransomlook.io/group/hellokitty"
+ ],
 "synonyms": [
 "FiveHands"
 ]
@@ -24570,7 +25971,19 @@
 ],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnaro",
- "https://borncity.com/win/2021/03/27/tu-darmstadt-opfer-der-ragnarok-ransomware/"
+ "https://borncity.com/win/2021/03/27/tu-darmstadt-opfer-der-ragnarok-ransomware/",
+ "https://techcrunch.com/2021/08/30/ragnarok-ransomware-gang-shuts-down-and-releases-its-decryption-key",
+ "https://www.cpomagazine.com/cyber-security/ragnarok-ransomware-gang-closes-up-shop-leaves-master-decryptor-key-behind",
+ "https://www.sababasecurity.com/cheese-shortage-in-dutch-supermarkets-after-a-ransomware-attack",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://news.sophos.com/en-us/2020/05/21/asnarok2/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/",
+ "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/",
+ "https://www.ransomlook.io/group/ragnarok"
 ]
 },
 "uuid": "fe7e4df0-97b9-4dd2-b3f8-79404fc8272d",
@@ -24598,7 +26011,8 @@
 "http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion",
 "http://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion",
 "http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/api/blog/all/0/6",
- "http://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion/"
+ "http://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion/",
+ "http://alphvuzxyxv6ylumd2ngp46xzq3pw6zflomrghvxeuks6kklberrbmyd.onion"
 ],
 "ransomnotes-refs": [
 "https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/word-image-78.png"
@@ -24613,7 +26027,50 @@
 "https://www.intrinsec.com/alphv-ransomware-gang-analysis",
 "https://unit42.paloaltonetworks.com/blackcat-ransomware/",
 "https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat",
- "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
+ "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/",
+ "https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/",
+ "https://blog.group-ib.com/blackcat",
+ "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://killingthebear.jorgetesta.tech/actors/alphv",
+ "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/",
+ "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://securelist.com/a-bad-luck-blackcat/106254/",
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/",
+ "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments",
+ "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
+ "https://twitter.com/sisoma2/status/1473243875158499330",
+ "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive",
+ "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
+ "https://www.forescout.com/resources/analysis-of-an-alphv-incident",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html",
+ "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
+ "https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf",
+ "https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware",
+ "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps",
+ "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/",
+ "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
+ "https://www.ic3.gov/Media/News/2022/220420.pdf",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/",
+ "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022",
+ "https://www.ransomlook.io/group/alphv"
 ],
 "synonyms": [
 "ALPHV",
@@ -24801,7 +26258,9 @@
 ],
 "refs": [
 "https://www.cyclonis.com/mount-locker-ransomware-more-dangerous",
- "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game"
+ "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game",
+ "https://www.securitymagazine.com/articles/94954-sophos-identifies-connection-between-mount-locker-and-astro-locker-team-ransomware",
+ "https://www.ransomlook.io/group/mount-locker"
 ],
 "synonyms": [
 "Mount-Locker"
@@ -24829,7 +26288,17 @@
 ],
 "refs": [
 "https://twitter.com/malwrhunterteam/status/1501857263493001217",
- "https://dissectingmalwa.re/blog/pandora"
+ "https://dissectingmalwa.re/blog/pandora",
+ "https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/",
+ "https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/",
+ "https://dissectingmalwa.re/blog/pandora/",
+ "https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/",
+ "https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques",
+ "https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://www.ransomlook.io/group/pandora"
 ]
 },
 "uuid": "4d37a857-fef2-496d-9992-49f6da11e3cb",
@@ -24843,7 +26312,16 @@
 ],
 "refs": [
 "https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk",
- "https://twitter.com/techyteachme/status/1464317136944435209"
+ "https://twitter.com/techyteachme/status/1464317136944435209",
+ "https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/",
+ "https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/",
+ "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md",
+ "https://seguranca-informatica.pt/rook-ransomware-analysis/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/",
+ "https://www.ransomlook.io/group/rook"
 ]
 },
 "uuid": "bb6d933f-7b6d-4694-853d-1ca400f6bd8f",
@@ -24916,7 +26394,46 @@
 "https://www.microsoft.com/en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/",
 "https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf",
 "https://www.varonis.com/blog/hive-ransomware-analysis",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/"
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://inf.news/en/tech/c28d9382ab78a5ac3d8fc802f3f0f1e0.html",
+ "https://www.healthcareitnews.com/news/fbi-issues-alert-about-hive-ransomware",
+ "https://arxiv.org/pdf/2202.08477.pdf",
+ "https://blog.group-ib.com/hive",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://github.com/rivitna/Malware/tree/main/Hive",
+ "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html",
+ "https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html",
+ "https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/",
+ "https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/",
+ "https://twitter.com/ESETresearch/status/1454100591261667329",
+ "https://twitter.com/malwrhunterteam/status/1455628865229950979",
+ "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
+ "https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/",
+ "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html",
+ "https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/",
+ "https://www.connectwise.com/resources/hive-profile",
+ "https://www.ic3.gov/Media/News/2021/210825.pdf",
+ "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf",
+ "https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/",
+ "https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals",
+ "https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware",
+ "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/",
+ "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.ransomlook.io/group/hive"
 ]
 },
 "uuid": "8ce915d3-8c6d-4841-b509-18379d7a8999",
@@ -24944,7 +26461,8 @@
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines",
 "https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/",
 "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware",
- "https://thedfirreport.com/2022/04/25/quantum-ransomware/"
+ "https://thedfirreport.com/2022/04/25/quantum-ransomware/",
+ "https://www.ransomlook.io/group/quantum"
 ],
 "synonyms": [
 "Quantum",
@@ -24979,7 +26497,8 @@
 ],
 "links": [
 "https://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/",
- "https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion"
+ "https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion",
+ "http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/"
 ],
 "ransomnotes": [
 "Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]"
@@ -25011,7 +26530,8 @@
 "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
 "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
 "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/",
- "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html"
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://www.ransomlook.io/group/blackbasta"
 ]
 },
 "related": [
@@ -25041,7 +26561,8 @@
 "http://f5uzduboq4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion",
 "http://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion",
 "http://fl3xpz5bmgzxy4fmebhgsbycgnz24uosp3u4g33oiln627qq3gyw37ad.onion",
- "http://jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion/"
+ "http://jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion/",
+ "http://53d5skw4ypzku4bfq2tk2mr3xh5yqrzss25sooiubmjz67lb3gdivcad.onion/"
 ],
 "ransomnotes": [
 "BLACKBYTE \n\nAll your files have been encrypted, your confidential data has been stolen, in order to decrypt files and avoid leakage, you must follow our steps.\n\n1) Download and install TOR browser from this site: https://torproject.org/ \n\n2) Paste the URL in TOR browser and you will be redirected to our chat with all information that you need. \n\n3) If you won't contact with us within 4 days, your access to our chat will be removed and you wont be able to restore your system. \n\nYour URL: [LINK]\n\nYour Key: [KEY]",
@@ -25066,7 +26587,14 @@
 "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
 "https://securelist.com/modern-ransomware-groups-ttps/106824/",
 "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
- "https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/"
+ "https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/",
+ "https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html",
+ "https://de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html",
+ "https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte",
+ "https://www.ransomlook.io/group/blackbyte"
 ]
 },
 "related": [
@@ -25086,6 +26614,9 @@
 "meta": {
 "links": [
 "http://blog2hkbm6gogpv2b3uytzi3bj5d5zmc4asbybumjkhuqhas355janyd.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/redalert"
 ]
 },
 "uuid": "549c9766-b45d-4d14-86e8-e6a74d69d067",
@@ -25111,7 +26642,8 @@
 "meta": {
 "links": [
 "http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion/",
- "http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion"
+ "http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion",
+ "http://avos2fuj6olp6x36.onion"
 ],
 "ransomnotes": [
 "AvosLocker\n\nAttention!\nYour systems have been encrypted, and your confidential documents were downloaded.\nIn order to restore your data, you must pay for the decryption key & application.\nYou may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion.\nThis is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/\nDetails such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website.\nContact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly.\nThe corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion"
@@ -25150,7 +26682,13 @@
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf",
 "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html",
- "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape"
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://blog.cyble.com/2021/07/23/deep-dive-analysis-avoslocker-ransomware",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners",
+ "https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/",
+ "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
+ "https://www.ransomlook.io/group/avoslocker",
+ "https://www.ransomlook.io/group/avos"
 ],
 "synonyms": [
 "Avos"
@@ -25188,6 +26726,9 @@
 "https://www.karanews.live",
 "https://karakurt.tech",
 "https://karaleaks.com"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/karakurt"
 ]
 },
 "uuid": "a7623a1b-4551-4e5a-a622-2b91dea16b42",
@@ -25208,7 +26749,8 @@
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/",
- "https://cyware.com/news/new-0mega-ransomware-joins-the-double-extortion-threat-landscape-158fb321"
+ "https://cyware.com/news/new-0mega-ransomware-joins-the-double-extortion-threat-landscape-158fb321",
+ "https://www.ransomlook.io/group/0mega"
 ]
 },
 "uuid": "91a085dc-9667-4dcd-9434-8cbb53e592fe",
@@ -25218,10 +26760,12 @@
 "description": "Abraham's Ax announced their existence and mission through social media channels such as Twitter posts on November 8, 2022.\nAbraham's Ax use a WordPress blog as the basis for their leak sites. Abraham's Ax site is available in Hebrew, Farsi, and English. The site also provides versions available via Tor websites, although it appeared to be under construction at the time of analysis. Used domain is registered with EgenSajt.se",
 "meta": {
 "links": [
- " http://abrahamm32umasogaqojib3ey2w2nwoafffrguq43tsyke4s3fz3w4yd.onion/ "
+ " http://abrahamm32umasogaqojib3ey2w2nwoafffrguq43tsyke4s3fz3w4yd.onion/ ",
+ "http://abrahamm32umasogaqojib3ey2w2nwoafffrguq43tsyke4s3fz3w4yd.onion/"
 ],
 "refs": [
- "https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff"
+ "https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff",
+ "https://www.ransomlook.io/group/abrahams_ax"
 ],
 "synonyms": [
 "Abrahams_Ax"
@@ -25235,11 +26779,13 @@
 "meta": {
 "links": [
 "http://hitlerransomware[.]000webhostapp[.]com/",
- "http://hitleransomware[.]cf/"
+ "http://hitleransomware[.]cf/",
+ "http://hitleransomware.cf"
 ],
 "refs": [
 "https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/malware/hitler_ransomware.txt",
- "https://twitter.com/fr0s7_/status/1460229982278541315"
+ "https://twitter.com/fr0s7_/status/1460229982278541315",
+ "https://www.ransomlook.io/group/agl0bgvycg"
 ],
 "related": [
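Review bot: In the hunk at old line 25235 the added link `http://hitleransomware.cf` is the live form of the entry's existing `http://hitleransomware[.]cf/`, so the import both duplicates that entry and undoes the defanging the author applied to this cluster's links. If the imported value is to be kept, store it in the same defanged form as its neighbours, `"http://hitleransomware[.]cf"`, or drop it as a duplicate. A de-duplication step that treats `[.]` and `.` as equal would catch this at merge time instead of relying on review.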
@@ -25263,7 +26809,8 @@
 ".jJNm9j"
 ],
 "links": [
- " http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion"
+ " http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion",
+ "http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion"
 ],
 "ransomnotes": [
 "Your network have been locked.\n\nAll your files, documents, photos, databases and other important data are encrypted and have the extension: *******\n\nBackups and shadow copies also encrypted or removed. Any third-party software may damage encrypted data but not recover.\nFrom this moment, it will be impossible to use files until they are decrypted.\n\nThe only method of recovering files is to purchase an unique private key.\nOnly we can give you this key and only we can recovery your files.\n\nTo get info (decrypt your files) follow this steps:\n1) Download and install Tor Browser: hxxps://www.torproject.org/download/\n2) Open our website in TOR: hxxp://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2th cw5gz75qncv7rbhyad.onion/I8VC6PIEQL8JFKHM\n3) Paste your ID in form (you can find your ID below)\n\n!! ATTENTION !!\n!! Any third - party software may damage encrypted data but not recover.\n!! DO NOT MODIFY ENCRYPTED FILES\n!! DO NOT CHANGE YOUR ID\n!! DO NOT REMOVE YOUR ID.KEY FILE\n\n --- BEGIN PERSONAL ID ---\n\n --- END PERSONAL ID ---",
@@ -25286,7 +26833,8 @@
 "https://www.pcrisk.com/images/stories/screenshots202004/ako-ransomware-update-2020-04-09-text-file.jpg",
 "https://www.pcrisk.com/images/stories/screenshots202004/ako-update-2020-04-21-text-file.jpg",
 "https://www.pcrisk.com/images/stories/screenshots202004/ako-update-2020-04-21-html-file.jpg",
- "https://www.pcrisk.com/images/stories/screenshots202010/ako-ransomware-update-2020-10-15-text-file.gif"
+ "https://www.pcrisk.com/images/stories/screenshots202010/ako-ransomware-update-2020-10-15-text-file.gif",
+ "https://www.ransomlook.io/group/ako"
 ],
 "synonyms": [
 "MedusaReborn"
@@ -25299,7 +26847,12 @@ "description": "Arvin Club is a popular Ransomware group with a widespread Telegram presence, which includes personal group chats, and official channels.\nThe group recently launched their official TOR/ Onion website to update their status and release details of their latest attacks and data breaches.\nTheir latest target is Kendriya Vidyala, a chain of Schools in India. The group has exposed the Personally Identifiable Information (PII) of some students.", "meta": { "links": [ - "http://3kp6j22pz3zkv76yutctosa6djpj4yib2icvdqxucdaxxedumhqicpad.onion/" + "http://3kp6j22pz3zkv76yutctosa6djpj4yib2icvdqxucdaxxedumhqicpad.onion/", + "http://arvinc7prj6ln5wpd6yydfqulsyepoc7aowngpznbn3lrap2aib6teid.onion/" + ], + "refs": [ + "http://t.me/arvin_club", + "https://www.ransomlook.io/group/arvinclub" ], "synonyms": [ "Arvin Club" @@ -25339,7 +26892,11 @@ "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", - "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo", + "https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/", + "https://twitter.com/siri_urz/status/1437664046556274694?s=20", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.ransomlook.io/group/atomsilo" ] }, "uuid": "a322f03f-4bc8-455f-b302-e8724c46f80c", 
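Review bot: In the Arvin Club hunk `"http://t.me/arvin_club"` is placed under `refs`, but it is the group's own Telegram channel — actor-controlled infrastructure like the `.onion` addresses — not an analysis source. The Lapsus$ entry further down lists `https://t.me/minsaudebr` under `links`; for consistency move this one to `links` as `"https://t.me/arvin_club"` (the plain `http://` scheme is also inconsistent with that entry). `refs` would then hold only the ransomlook page, which is the pattern used by the other imported entries.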
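Review bot: In the AtomSilo hunk the added `"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"` is the same article as the existing `https://www.microsoft.com/en-us/security/blog/2022/05/09/…yourself/` under a locale-less path, so the refs now carry the article twice; drop the new line. The `?s=20` suffix on `https://twitter.com/siri_urz/status/1437664046556274694?s=20` is a share-tracking parameter and can be stripped so the entry matches how other Twitter refs in this file are written. Both look like the import merges URLs without normalising them, which is worth fixing at the source of the merge rather than per entry.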
@@ -25349,11 +26906,52 @@ "description": "Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.", "meta": { "links": [ - " http://avaddongun7rngel.onion " + " http://avaddongun7rngel.onion ", + "http://avaddongun7rngel.onion" ], "refs": [ "https://heimdalsecurity.com/blog/avaddon-ransomware/", - "https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis" + "https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis", + "https://www.acronis.com/en-us/articles/avaddon-ransomware", + "https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf", + "https://arxiv.org/pdf/2102.04796.pdf", + "https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/", + "https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4", + "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/", + 
"https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/", + "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", + "https://twitter.com/Securityinbits/status/1271065316903120902", + "https://twitter.com/dk_samper/status/1348560784285167617", + "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", + "https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire", + "https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/", + "https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/", + "https://www.connectwise.com/resources/avaddon-profile", + "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://www.mandiant.com/resources/chasing-avaddon-ransomware", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", + 
"https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", + "https://www.swascan.com/it/avaddon-ransomware/", + "https://www.tgsoft.it/files/report/download.asp?id=568531345", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", + "https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.ransomlook.io/group/avaddon" ] }, "uuid": "fdfbe721-abd1-4760-8e52-f23306f6cb80", @@ -25381,6 +26979,9 @@ "meta": { "links": [ "http://anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmql55tvgqad.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/aztroteam" ] }, "uuid": "9850bffb-8cc6-45c7-9e6a-4c77fd5093c3", @@ -25390,6 +26991,12 @@ "meta": { "links": [ "http://nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion/#section-3" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks", + "https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum", + "https://blog.cyberint.com/babuk-locker", + "https://www.ransomlook.io/group/babuk-locker" ] }, "related": [ @@ -25402,7 +27009,7 @@ } ], "uuid": "05be1a86-92a9-48e1-8be1-9c1014dfd1cd", - "value": " Babuk-Locker" + "value": "Babuk-Locker" }, { "meta": { @@ -25422,7 +27029,8 @@ "https://digitalrecovery.com/wp-content/uploads/2022/12/Ransomware-Baby-Duck.webp" ], "refs": [ - "https://twitter.com/PolarToffee/status/1445873002801889280/photo/3" + "https://twitter.com/PolarToffee/status/1445873002801889280/photo/3", + "https://www.ransomlook.io/group/babyduck" ] }, "uuid": "18e67723-a0de-4adf-aa28-f3e0b0d6d8ab", 
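Review bot: Several refs appended to Avaddon do not, judging by their paths, concern Avaddon: `https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/` reads as DarkSide reporting and `https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure` as Sandworm reporting. If these came from a by-name aggregation they may mention Avaddon only in passing, so each should be confirmed or removed before the galaxy asserts them as sources. The padded/trimmed `" http://avaddongun7rngel.onion "` pair in `links` is the duplication raised on the Abraham's Ax hunk. The Avaddon hunk starts two lines above this one.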
@@ -25460,7 +27068,9 @@ "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html", "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Hunting-the-Android-BianLian-botnet.pdf", "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Hunting-the-Android-BianLian-botnet.pdf", - "https://www.youtube.com/watch?v=DPFcvSy4OZk" + "https://www.youtube.com/watch?v=DPFcvSy4OZk", + "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html", + "https://www.ransomlook.io/group/bianlian" ], "synonyms": [ "Hydra" @@ -25483,6 +27093,9 @@ "links": [ "http://544corkfh5hwhtn4.onion", "http://blackshadow.cc" + ], + "refs": [ + "https://www.ransomlook.io/group/blackshadow" ] }, "uuid": "d9561bfc-08a0-4e9f-9189-d079bae4f9b7", @@ -25492,15 +27105,25 @@ "meta": { "links": [ "http://bl%40ckt0r:bl%40ckt0r@bl4cktorpms2gybrcyt52aakcxt6yn37byb65uama5cimhifcscnqkid.onion/0x00/data-breach.html" + ], + "refs": [ + "https://www.ransomlook.io/group/blacktor" ] }, "uuid": "25bd46bf-b4f5-4c34-b451-90a7809fa03a", "value": "Blacktor" }, { + "description": "Ransomware.", "meta": { "links": [ "http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion" + ], + "refs": [ + "https://unit42.paloaltonetworks.com/bluesky-ransomware/", + "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/", + "https://yoroi.company/research/dissecting-bluesky-ransomware-payload/", + "https://www.ransomlook.io/group/bluesky" ] }, "uuid": "1f369229-a68d-4e08-aee4-f251111fa186", @@ -25510,6 +27133,9 @@ "meta": { "links": [ "http://bonacifryrxr4siz6ptvokuihdzmjzpveruklxumflz5thmkgauty2qd.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/bonacigroup" ] }, "uuid": "ef47092c-d86e-4db5-b0bf-e7676e85873f", 
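Review bot: `"description": "Ransomware."` on the BlueSky entry carries no information beyond what the galaxy name already states and reads as a placeholder that survived the import. Either omit the key or state what the cited refs support, e.g. `"description": "Ransomware family analysed by Unit 42, SentinelOne and Yoroi (see refs)."`. The Cuba hunk has the same `"Ransomware."` text, and the Crylock, Everest, Lilith, Netwalker, Nightsky, Nokoyawa and Payloadbin hunks add `"description": ""`; an empty string is worse than an absent key because consumers can no longer distinguish "no description recorded" from "description present", and rendered output shows a blank field.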
@@ -25519,26 +27145,50 @@ "meta": { "links": [ "http://rwiajgajdr4kzlnrj5zwebbukpcbrjhupjmk6gufxv6tg7myx34iocad.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/cheers" ] }, "uuid": "eac9a5d5-509b-421a-a2d2-d91f7b27383a", "value": "Cheers" }, { + "description": "previous clearnet domain coomingproject.com", "meta": { "links": [ "http://z6mikrtphid5fmn52nbcbg25tj57sowlm3oc25g563yvsfmygkcxqbyd.onion", "http://teo7aj5mfgzxyeme.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/cooming" ] }, "uuid": "4ecf9aa9-69c8-4347-a9c6-cb4a5481ac8c", "value": "Cooming" }, { + "description": "", "meta": { "links": [ "http://d57uremugxjrafyg.onion" ], + "refs": [ + "https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html", + "https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/", + "https://hackmag.com/security/ransomware-russian-style/", + "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/", + "https://securelist.com/cis-ransomware/104452/", + "https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/", + "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/", + "https://twitter.com/albertzsigovits/status/1217866089964679174", + "https://twitter.com/bartblaze/status/1305197264332369920", + "https://twitter.com/demonslay335/status/971164798376468481", + "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", + "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx", + "https://www.telekom.com/en/blog/group/article/lockdata-auction-631300", + "https://www.ransomlook.io/group/crylock" + ], "synonyms": [ "Cryakl" ] 
@@ -25547,11 +27197,34 @@ "value": "Crylock" }, { + "description": "Ransomware.", "meta": { "links": [ "http://cuba4mp6ximo2zlo.onion", "http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion/" ], + "refs": [ + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf", + "https://digital.nhs.uk/cyber-alerts/2021/cc-3855", + "https://blog.group-ib.com/hancitor-cuba-ransomware", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html", + "https://lab52.io/blog/cuba-ransomware-analysis/", + "https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf", + "https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/", + "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", + "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/", + "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", + "https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis", + "https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more", + "https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/", + "https://www.ic3.gov/Media/News/2021/211203-2.pdf", + "https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/", + "https://www.mandiant.com/resources/unc2596-cuba-ransomware", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware", + "https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html", + "https://www.ransomlook.io/group/cuba" + ], "synonyms": [ "COLDDRAW" ] 
@@ -25572,6 +27245,9 @@ "meta": { "links": [ "http://7ukmkdtyxdkdivtjad57klqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/daixin" ] }, "uuid": "a1a445c4-708e-42f2-afdf-6d904328dafb", @@ -25581,6 +27257,9 @@ "meta": { "links": [ "http://powerj7kmpzkdhjg4szvcxxgktgk36ezpjxvtosylrpey7svpmrjyuyd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/dark power" ] }, "uuid": "64d155a9-8e33-4c3f-8f58-0a483475c65d", @@ -25590,6 +27269,9 @@ "meta": { "links": [ "https://wemo2ysyeq6km2nqhcrz63dkdhez3j25yw2nvn7xba2z4h7v7gyrfgid.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/darkangel" ] }, "uuid": "5276ed20-c9fa-4028-9272-3f5c0e4bc9b6", @@ -25600,6 +27282,9 @@ "links": [ "http://iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion", "http://iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion/support/" + ], + "refs": [ + "https://www.ransomlook.io/group/darkbit01" ] }, "uuid": "69e2ce57-67bb-4d53-a8c4-00b3501f45a3", 
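Review bot: The added ref `"https://www.ransomlook.io/group/dark power"` contains an unencoded space, which is not a valid URL and will be rejected or cut at the space by strict URL parsers and link checkers. Either percent-encode it (`"https://www.ransomlook.io/group/dark%20power"`) or use the slug the site actually serves, if it differs. The Kelvin Security hunk further down has the same defect in `".../group/kelvin security"`.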
@@ -25610,15 +27295,36 @@ "links": [ "http://woqjumaahi662ka26jzxyx7fznbp4kg3bsjar4b52tqkxgm2pylcjlad.onion/", "http://woqjumaahi662ka26jzxyx7fznbp4kg3bsjar4b52tqkxgm2pylcjlad.onion/atom.xml" + ], + "refs": [ + "https://www.ransomlook.io/group/dataleak" ] }, "uuid": "80a634ae-519f-46e3-8e24-8eb733dfd22f", "value": "Dataleak" }, { + "description": "A ransomware with potential ties to Wizard Spider.", "meta": { "links": [ "https://7ypnbv3snejqmgce4kbewwvym4cm5j6lkzf2hra2hyhtsvwjaxwipkyd.onion" + ], + "refs": [ + "https://arcticwolf.com/resources/blog/karakurt-web", + "https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/", + "https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/", + "https://medium.com/walmartglobaltech/diavol-resurfaces-91dd93c7d922", + "https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648", + "https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/", + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/", + "https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/", + "https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/", + "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/", + "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider", + "https://www.ic3.gov/Media/News/2022/220120.pdf", + "https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday", + "https://www.ransomlook.io/group/diavol" ] }, "uuid": "6c4b88a4-64d6-4fa2-a552-99974794de16", 
@@ -25628,7 +27334,12 @@ "meta": { "links": [ "https://sbc2zv2qnz5vubwtx3aobfpkeao6l4igjegm3xx7tk5suqhjkp5jxtqd.onion/", - "https://doq32rjiuomfghm5a4lyf3lwwakt2774tkv4ppsos6ueo5mhx7662gid.onion" + "https://doq32rjiuomfghm5a4lyf3lwwakt2774tkv4ppsos6ueo5mhx7662gid.onion", + "http://sbc2zv2qnz5vubwtx3aobfpkeao6l4igjegm3xx7tk5suqhjkp5jxtqd.onion/", + "http://dk4mkfzqai6ure62oukzgtypedmwlfq57yj2fube7j5wsoi6tuia7nyd.onion/index.php?" + ], + "refs": [ + "https://www.ransomlook.io/group/donutleaks" ] }, "uuid": "50fdc311-e6c5-4843-9b91-24d66afbdb8d", @@ -25638,15 +27349,26 @@ "meta": { "links": [ "http://h44jyyfomcbnnw5dha7zgwgkvpzbzbdyx2onu4fxaa5smxrgbjgq7had.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/endurance" ] }, "uuid": "14658178-6fea-43bb-ae11-4ae5c2f14560", "value": "Endurance" }, { + "description": "Entropy is a ransomware first seen in 1st quarter of 2022, is being used in conjunction of Dridex infection. The ransomware uses a custom packer to pack itself which has been seen in some early dridex samples. ", "meta": { "links": [ "http://leaksv7sroztl377bbohzl42i3ddlfsxopcb6355zc7olzigedm5agad.onion/posts" + ], + "refs": [ + "https://killingthebear.jorgetesta.tech/actors/evil-corp", + "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/", + "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://www.ransomlook.io/group/entropy" ] }, "uuid": "11a458b9-df9c-486f-8556-2ae662df2802", 
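Review bot: In the Donutleaks hunk the new `"http://sbc2zv2qnz5vubwtx3aobfpkeao6l4igjegm3xx7tk5suqhjkp5jxtqd.onion/"` duplicates the existing `https://` entry for the same onion service, differing only in scheme, and the new `"http://dk4mkfzqai6ure62oukzgtypedmwlfq57yj2fube7j5wsoi6tuia7nyd.onion/index.php?"` ends in a dangling `?` with no query string. Keep one scheme per address (drop the added `http://sbc2…` line) and strip the trailing `?` so the entry is a stable indicator string rather than a scraped browser URL.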
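Review bot: The added Entropy description ends with a trailing space (`…early dridex samples. "`), the same whitespace defect that the `" Babuk-Locker"` hunk elsewhere in this diff corrects, and it spells the loader name inconsistently (`Dridex infection` vs `early dridex samples`). In refs, `…dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728` is the preceding Sophos URL with a campaign-tracking parameter appended; drop it so the article is not listed twice.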
@@ -25656,15 +27378,23 @@ "meta": { "links": [ "http://dg5fyig37abmivryrxlordrczn6d6r5wzcfe2msuo5mbbu2exnu46fid.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/ep918" ] }, "uuid": "3a074223-6c97-48ca-b019-50a16a37e956", "value": "Ep918" }, { + "description": "", "meta": { "links": [ "http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/" + ], + "refs": [ + "https://www.reuters.com/article/us-usa-products-colonial-pipeline-ransom/more-ransomware-websites-disappear-in-aftermath-of-colonial-pipeline-hack-idUSKCN2CX0KT", + "https://www.ransomlook.io/group/everest" ] }, "uuid": "3c2835b1-53de-4755-ac0f-48dff1e53745", @@ -25674,6 +27404,9 @@ "meta": { "links": [ "http://gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/freecivilian" ] }, "uuid": "34c540d5-70ad-44cc-b5a2-cd8ec7e2efd6", @@ -25683,15 +27416,23 @@ "meta": { "links": [ "http://hkk62og3s2tce2gipcdxg3m27z4b62mrmml6ugctzdxs25o26q3a4mid.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/fsteam" ] }, "uuid": "29408532-b5d3-47ab-9b31-1ea63a084e45", "value": "Fsteam" }, { + "description": "captcha prevents indexing", "meta": { "links": [ "http://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion/" + ], + "refs": [ + "https://heimdalsecurity.com/blog/doppelpaymer-gets-a-rebranding", + "https://www.ransomlook.io/group/grief" ] }, "uuid": "506716cf-7e60-46e5-a853-c8a67fe696f9", 
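Review bot: `"description": "captcha prevents indexing"` on the Grief entry is an operational note about the leak-site scraper, not a description of the threat actor, and it is now published as galaxy data. The same kind of imported note appears as `"login page, no posts"` on Haron (next line) and `"parser needs to be built"` on LV. Drop these three `description` keys, or replace them with text the refs support — for Grief the cited Heimdal piece `doppelpaymer-gets-a-rebranding` would back `"Grief leak site; reported as a rebrand of DoppelPaymer (see refs)."`.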
@@ -25701,16 +27442,27 @@ "meta": { "links": [ "http://ws3dh6av66sjbxxkjpw5ao3wqzmtejnkzheswm4dz5rrwvular7xvkqd.onion/" + ], + "refs": [ + "https://intel471.com/blog/groove-gang-ransomware-babuk-revil-blackmatter", + "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates", + "https://www.ransomlook.io/group/groove" ] }, "uuid": "267b7b61-ed82-4809-aafe-9d2487c56f19", "value": "Groove" }, { + "description": "login page, no posts", "meta": { "links": [ "http://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion/login.php", "http://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion/blog.php" + ], + "refs": [ + "https://therecord.media/new-haron-ransomware-gang-emerges-borrowing-from-avaddon-and-thanos", + "https://threatpost.com/ransomware-gangs-haron-blackmatter/168212", + "https://www.ransomlook.io/group/haron" ] }, "uuid": "949fe61d-6df6-4f36-996b-c58bbbc5140f", @@ -25720,6 +27472,9 @@ "meta": { "links": [ "http://r6d636w47ncnaukrpvlhmtdbvbeltc6enfcuuow3jclpmyga7cz374qd.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/hotarus" ] }, "uuid": "3c5832ae-3961-423e-8331-218a7aa6e5db", @@ -25730,6 +27485,9 @@ "links": [ "http://kf6x3mjeqljqxjznaw65jixin7dpcunfxbbakwuitizytcpzn4iy5bad.onion/board/leak_list/", "http://7kstc545azxeahkduxmefgwqkrrhq3mzohkzqvrv7aekob7z3iwkqvyd.onion/board/victim_list/" + ], + "refs": [ + "https://www.ransomlook.io/group/icefire" ] }, "uuid": "deea56de-1237-46bf-9ea7-4e1a3b3acd10", @@ -25739,6 +27497,9 @@ "meta": { "links": [ "https://justice-blade.io" + ], + "refs": [ + "https://www.ransomlook.io/group/justice_blade" ] }, "uuid": "71a6edfe-9764-4c9b-b528-e0ee7b73c110", @@ -25748,6 +27509,9 @@ "meta": { "links": [ "https://kelvinsecteamcyber.wixsite.com/my-site/items" + ], + "refs": [ + "https://www.ransomlook.io/group/kelvin security" ] }, "uuid": "3c61d677-a2a6-40fb-aadd-72974f68e62c", 
@@ -25757,15 +27521,31 @@ "meta": { "links": [ "https://t.me/minsaudebr" + ], + "refs": [ + "https://www.ransomlook.io/group/lapsus$" ] }, "uuid": "e2e035aa-eb95-48af-98a7-f18ddfcc347b", "value": "Lapsus$" }, { + "description": "", "meta": { "links": [ "http://yeuajcizwytgmrntijhxphs6wn5txp2prs6rpndafbsapek3zd4ubcid.onion/" + ], + "refs": [ + "https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/", + "https://github.com/werkamsus/Lilith", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479", + "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html", + "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/", + "https://www.ransomlook.io/group/lilith" ] }, "uuid": "7dea3669-5ec4-4bdf-898f-c3a9f796365e", 
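Review bot: Most refs appended to the Lilith entry appear, from their paths, to concern unrelated subjects that share the name: `https://github.com/werkamsus/Lilith` is a public remote-administration-tool repository, the Talos `SideCopy` PDFs and IOC lists and the Trend Micro `tropic-trooper` / `operation-endtrade` posts cover espionage campaigns, and the Yoroi `eternity-group` write-up is about a different toolkit. If these came from a by-name match in the source feed they should be checked individually and the unrelated ones removed, leaving the Cyble `new-ransomware-groups-on-the-rise` post and the ransomlook page. Keeping them conflates a ransomware leak site with unrelated malware families in any downstream correlation on this galaxy.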
@@ -25791,7 +27571,20 @@ "http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion", "http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion", "http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion", - "http://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion" + "http://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion", + "http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion", + "http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/", + "http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/", + "http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion", + "http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion", + "http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion", + "http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion", + "http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion" + ], + "refs": [ + "https://threatpost.com/lockbit-ransomware-proliferates-globally/168746", + "https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html", + "https://www.ransomlook.io/group/lockbit3" ] }, "related": [ 
@@ -25811,17 +27604,27 @@ "links": [ "http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion", "http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion", - "http://nclen75pwlgebpxpsqhlcnxsmdvpyrr7ogz36ehhatfmkvakeyden6ad.onion" + "http://nclen75pwlgebpxpsqhlcnxsmdvpyrr7ogz36ehhatfmkvakeyden6ad.onion", + "http://mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/lolnek" ] }, "uuid": "9886732d-76a2-4fbb-86b7-9e6a80669fb5", "value": "Lolnek" }, { + "description": "parser needs to be built", "meta": { "links": [ "http://rbvuetuneohce3ouxjlbxtimyyxokb4btncxjbo44fbgxqy7tskinwad.onion/", "http://4qbxi3i2oqmyzxsjg4fwe4aly3xkped52gq5orp6efpkeskvchqe27id.onion/" + ], + "refs": [ + "https://www.secureworks.com/research/lv-ransomware", + "https://securityaffairs.co/wordpress/119306/malware/lv-ransomware-repurposed-revil-binary.html", + "https://www.ransomlook.io/group/lv" ] }, "uuid": "46d56775-5f8c-411e-adbe-2acd07bf99ac", @@ -25831,6 +27634,9 @@ "meta": { "links": [ "http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/mallox" ] }, "uuid": "95891bae-09a4-4d02-990e-2477cb09b9c2", 
@@ -25840,15 +27646,25 @@ "meta": { "links": [ "http://xembshruusobgbvxg4tcjs3jpdnks6xrr6nbokfxadcnlc53yxir22ad.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/mbc" ] }, "uuid": "7ecd6452-d521-4095-8fd7-eecdeb6c8d96", "value": "Mbc" }, { + "description": "This malware written in C# is a variant of the Thanos ransomware family and emerged in October 2021 and is obfuscated using SmartAssembly. In 2022, ThreatLabz analysed a report of Midas ransomware was slowly deployed over a two month period (ZScaler). This ransomware features also its own data leak site as part of its double extortion strategy.", "meta": { "links": [ "http://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion/blog.php" + ], + "refs": [ + "https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/", + "https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/", + "https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants", + "https://www.ransomlook.io/group/midas" ] }, "uuid": "c0ce34c6-13b9-41ef-847c-840b090f2bfc", @@ -25858,6 +27674,9 @@ "meta": { "links": [ "http://moishddxqnpdxpababec6exozpl2yr7idfhdldiz5525ao25bmasxhid.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/moisha" ] }, "uuid": "b2e44cc2-2df9-4210-a0ee-9ae913278c00", @@ -25868,6 +27687,9 @@ "links": [ "http://monteoamwxlutyovf7oxeviwjlbu3vbgdmkncecl2ydteqncrmcv67yd.onion/", "http://monteoamwxlutyovf7oxeviwjlbu3vbgdmkncecl2ydteqncrmcv67yd.onion/catalog/" + ], + "refs": [ + "https://www.ransomlook.io/group/monte" ] }, "uuid": "814f656d-7107-41d3-a934-1667e427ad8a", @@ -25878,6 +27700,9 @@ "links": [ "http://4s4lnfeujzo67fy2jebz2dxskez2gsqj2jeb35m75ktufxensdicqxad.onion/", "http://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/monti" ] }, "uuid": "0ea4daa9-0b83-4acb-bc54-420635b7bfea", 
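Review bot: The Midas description's second sentence is ungrammatical: `In 2022, ThreatLabz analysed a report of Midas ransomware was slowly deployed over a two month period (ZScaler).` A wording that keeps the stated facts: `In 2022, ThreatLabz (Zscaler) analysed an incident in which Midas ransomware was slowly deployed over a two-month period.` The closing sentence `This ransomware features also its own data leak site as part of its double extortion strategy.` reads better as `This ransomware also operates its own data leak site as part of its double-extortion strategy.`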
@@ -25887,6 +27712,9 @@ "meta": { "links": [ "http://58b87e60649ccc808ac8mstiejnj.5s4ixqul2enwxrqv.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/mydecryptor" ] }, "uuid": "8b726e6a-ed85-4a5b-a501-6bc06dab288d", 
@@ -25896,15 +27724,86 @@ "meta": { "links": [ "http://n3twormruynhn3oetmxvasum2miix2jgg56xskdoyihra4wthvlgyeyd.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/n3tworm" ] }, "uuid": "815b13b2-2b94-4ea9-adc2-8193936a1c61", "value": "N3Tworm" }, { + "description": "", "meta": { "links": [ "http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion" + ], + "refs": [ + "https://threatpost.com/netwalker-ransomware-suspect-charged/163405", + "https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware", + "https://www.ncsc.org/trends/monthly-trends-articles/2020/netwalker-ransomware", + "https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/", + "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/", + "https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware", + "https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/", + "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", + "https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf", + "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", + 
"https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware", + "https://lopqto.me/posts/automated-dynamic-import-resolving", + "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf", + "https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/", + "https://sites.temple.edu/care/ci-rw-attacks/", + "https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html", + "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", + "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", + "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", + "https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", + "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million", + "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/", + "https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/", + "https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/", + "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/", + "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/", + 
"https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://www.ic3.gov/media/news/2020/200929-2.pdf", + "https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas", + "https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware", + "https://www.justice.gov/usao-mdfl/press-release/file/1360846/download", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/", + 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/", + "https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.youtube.com/watch?v=q8of74upT_g", + "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers", + "https://zengo.com/bitcoin-ransomware-detective-ucsf/", + "https://zero2auto.com/2020/05/19/netwalker-re/", + "https://www.ransomlook.io/group/netwalker" ] }, "uuid": "a449e5a4-a835-419e-af3e-d223c74d0536", 
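Review bot: The Netwalker refs now list the same BleepingComputer article twice, `…enel-group-hit-by-ransomware-again-netwalker-demands-14-million` and the same path with a trailing `/`; drop one. Several other appended entries look, from their paths, to be about DarkSide rather than Netwalker (`https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/`, `https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/`) and should be confirmed before they are kept. The `"description": ""` placeholder at the top of this hunk is the empty-string issue raised on the BlueSky hunk. The Netwalker hunk starts three lines above this one.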
@@ -25916,26 +27815,46 @@
 "http://nevcorps5cvivjf6i2gm4uia7cxng5ploqny2rgrinctazjlnqr2yiyd.onion/",
 "http://nevbackvzwfu5yu3gszap77bg66koadds6eln37gxdhdk4jdsbkayrid.onion/",
 "http://nevaffcwswjosddmw55qhn4u4secw42wlppzvf26k5onrlxjevm6avad.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/nevada"
 ]
 },
 "uuid": "9c517547-8002-4a9a-a360-8d836d2fe3e3",
 "value": "Nevada"
 },
 {
+ "description": "",
 "meta": {
 "links": [
 "http://gg5ryfgogainisskdvh4y373ap3b2mxafcibeh2lvq5x7fx76ygcosad.onion"
+ ],
+ "refs": [
+ "https://twitter.com/cglyer/status/1480734487000453121",
+ "https://twitter.com/cglyer/status/1480742363991580674",
+ "https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/",
+ "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/",
+ "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://www.youtube.com/watch?v=Yzt_zOO8pDM",
+ "https://www.ransomlook.io/group/nightsky"
 ]
 },
 "uuid": "886a2d59-2e8d-4357-b70f-a6dd3d034dfd",
 "value": "Nightsky"
 },
 {
+ "description": "",
 "meta": {
 "links": [
 "http://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion",
 "http://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion/",
- "http://6yofnrq7evqrtz3tzi3dkbrdovtywd35lx3iqbc5dyh367nrdh4jgfyd.onion/"
+ "http://6yofnrq7evqrtz3tzi3dkbrdovtywd35lx3iqbc5dyh367nrdh4jgfyd.onion/",
+ "http://nokoleakb76znymx443veg4n6fytx6spck6pc7nkr4dvfuygpub6jsid.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/nokoyawa"
 ]
 },
 "uuid": "2b2f2e07-f764-4cc2-86ac-cc087a953cbb",
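Review bot: The `"description": ""` added to the Nightsky and Nokoyawa entries is an empty-string sentinel: the neighbouring Nevada entry, like most existing clusters, simply omits the key when nothing is known, and an empty string renders as a blank description while defeating any consumer that tests for key presence. The same empty value is added to Payloadbin, Stormous and to a large share of the new entries in the final hunk (Eraleign, metaencryptor, noescape, black suit, werewolves, medusa, ransomhub, inc ransom, arcus media, knight, embargo, darkvault, meow). Either drop the key where no description exists or fill it with one sentence supported by the refs, e.g. for Nightsky the BleepingComputer and Secureworks refs already give the material.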
@@ -25945,24 +27864,49 @@
 "meta": {
 "links": [
 "http://5mvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/onepercent"
 ]
 },
 "uuid": "e9e810e3-a919-4417-85d0-fcab700e45de",
 "value": "Onepercent"
 },
 {
+ "description": "",
 "meta": {
 "links": [
 "http://vbmisqjshn4yblehk2vbnil53tlqklxsdaztgphcilto3vdj4geao5qd.onion/"
+ ],
+ "refs": [
+ "https://cyberintelmag.com/malware-viruses/payloadbin-ransomware-attributed-to-evil-corp",
+ "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
+ "https://www.ransomlook.io/group/payloadbin"
 ]
 },
 "uuid": "fd2161a9-cd88-4d12-94d9-52b93b28eb5b",
 "value": "Payloadbin"
 },
 {
+ "description": "Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.",
 "meta": {
 "links": [
 "http://promethw27cbrcot.onion/blog/"
+ ],
+ "refs": [
+ "https://therecord.media/decryptor-released-for-prometheus-ransomware-victims",
+ "https://unit42.paloaltonetworks.com/prometheus-ransomwar",
+ "https://id-ransomware.blogspot.com/2021/05/prometheus-ransomware.html",
+ "https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea",
+ "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
+ "https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd",
+ "https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/",
+ "https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/",
+ "https://twitter.com/inversecos/status/1441252744258461699?s=20",
+ "https://unit42.paloaltonetworks.com/prometheus-ransomware/",
+ "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware",
+ "https://www.sentinelone.com/labs/spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont/",
+ "https://www.ransomlook.io/group/prometheus"
 ]
 },
 "uuid": "bcf0a9da-dca3-42c0-b875-59d434564fbb",
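Review bot: The Prometheus refs contain a truncated URL, `"https://unit42.paloaltonetworks.com/prometheus-ransomwar"`, which is a broken copy of the `.../prometheus-ransomware/` entry further down the same list, and `therecord.media/decryptor-released-for-prometheus-ransomware-victims` appears twice (with and without the trailing slash); drop the truncated entry and one of the duplicates so the list stays a clean set of working references. The description names `win.hakbit`, which is a Malpedia family identifier rather than a name a reader can resolve from this file; adding the corresponding Malpedia page to refs, or spelling it as "Hakbit/Thanos", would make the lineage claim checkable.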
@@ -25975,16 +27919,23 @@
 "http://24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion",
 "http://wlh3dpptx2gt7nsxcor37a3kiyaiy6qwhdv7o6nl6iuniu5ycze5ydid.onion/blog",
 "http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/qilin"
 ]
 },
 "uuid": "d5b3ce3d-59e2-4e56-a29a-42fb8b733a51",
 "value": "Qilin"
 },
 {
+ "description": "login page, no posts",
 "meta": {
 "links": [
 "http://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion",
 "http://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/qlocker"
 ]
 },
 "uuid": "065110c5-574a-4466-a336-e6c5f3ef86c4",
@@ -25996,6 +27947,9 @@
 "http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion",
 "http://rampjcdlqvgkoz5oywutpo6ggl7g6tvddysustfl6qzhr5osr24xxqqd.onion",
 "http://ramp4u5iz4xx75vmt6nk5xfrs5mrmtokzszqxhhkjqlk7pbwykaz7zid.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/ramp"
 ]
 },
 "uuid": "824f225c-7cd9-47e3-9f5b-c3194e4a26ea",
@@ -26005,6 +27959,9 @@
 "meta": {
 "links": [
 "http://u67aylig7i6l657wxmp274eoilaowhp3boljowa6bli63rxyzfzsbtyd.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/ransomcartel"
 ]
 },
 "uuid": "62e56597-01c8-4721-abd2-c7efa37fb566",
@@ -26015,6 +27972,9 @@
 "links": [
 "http://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion",
 "http://zohlm7ahjwegcedoz7lrdrti7bvpofymcayotp744qhx6gjmxbuo2yid.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/ransomhouse"
 ]
 },
 "uuid": "00a6fc79-8a29-417b-a298-adc8e17d8aba",
@@ -26024,6 +27984,9 @@
 "meta": {
 "links": [
 "http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/ranzy"
 ]
 },
 "uuid": "840d5e7b-e96f-426d-8cf0-a5a10f5e4a46",
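Review bot: The Qlocker description `"login page, no posts"` records the state of the leak site at crawl time rather than describing the family, so it will be wrong as soon as the site changes and meanwhile is what MISP shows as the cluster's description. Site status belongs with the ransomlook source that produced it; here either drop the key or replace it with a short description of the threat itself drawn from a reference, and add that reference to `refs`, since at present the only ref is the aggregator page. The remaining hunks on this line (Ramp, Ransomcartel, Ransomhouse, Ranzy) only add the same aggregator ref and raise no separate point.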
@@ -26033,6 +27996,9 @@
 "meta": {
 "links": [
 "http://relic5zqwemjnu4veilml6prgyedj6phs7de3udhicuq53z37klxm6qd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/relic"
 ]
 },
 "uuid": "f4340cdb-ed0c-411e-ae11-b14ee151886a",
@@ -26043,6 +28009,9 @@
 "links": [
 "http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion",
 "http://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/royal"
 ]
 },
 "uuid": "9a970739-24e3-4eb5-9154-d0ac6b2c378d",
@@ -26052,6 +28021,9 @@
 "meta": {
 "links": [
 "http://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/rransom"
 ]
 },
 "uuid": "470306b5-5a3b-4b63-9c02-0dc917584e72",
@@ -26062,15 +28034,24 @@
 "links": [
 "http://54bb47h5qu4k7l4d7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion/blog",
 "http://54bb47h.blog"
+ ],
+ "refs": [
+ "https://www.mandiant.com/resources/sabbath-ransomware-affiliate",
+ "https://www.ransomlook.io/group/sabbath"
 ]
 },
 "uuid": "efdf315c-e85c-4d87-b816-ec29dbea67b5",
 "value": "Sabbath"
 },
 {
+ "description": "Ransomware, written in .NET.",
 "meta": {
 "links": [
 "http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion/login"
+ ],
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html",
+ "https://www.ransomlook.io/group/solidbit"
 ]
 },
 "uuid": "70719914-dc82-4ab0-b925-da837b337c89",
@@ -26080,6 +28061,9 @@
 "meta": {
 "links": [
 "http://zj2ex44e2b2xi43m2txk4uwi3l55aglsarre7repw7rkfwpj54j46iqd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/sparta"
 ]
 },
 "uuid": "ce4eb745-e341-4f5d-be93-2af23b9ad756",
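Review bot: The `refs` arrays added for Relic, Royal, Rransom and Sparta each hold only the ransomlook.io aggregator page, which mirrors the leak site rather than documenting the family, so the cluster gains no analytical reference from the change. Royal in particular is well covered by primary sources (vendor write-ups and, as far as I recall, a CISA #StopRansomware advisory); at least one such reference alongside the aggregator link would make the entry useful to analysts, as the Sabbath hunk on this line already does with its Mandiant ref. The Solidbit description `"Ransomware, written in .NET."` is fine but could cite the Trend Micro ref it sits next to for the RaaS context.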
@@ -26089,15 +28073,25 @@
 "meta": {
 "links": [
 "http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/blog/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/spook"
 ]
 },
 "uuid": "0d4a8359-d607-4e5a-b85c-c8248cfa520a",
 "value": "Spook"
 },
 {
+ "description": "",
 "meta": {
 "links": [
- "http://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion"
+ "http://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion",
+ "http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion",
+ "http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion/stm.html",
+ "http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/stormous"
 ]
 },
 "uuid": "6e20bdd2-31ac-4429-8aa7-4ce8cb7dc7b5",
@@ -26107,6 +28101,9 @@
 "meta": {
 "links": [
 "http://tdoe2fiiamwkiadhx2a4dfq56ztlqhzl2vckgwmjtoanfaya4kqvvvyd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/unknown"
 ]
 },
 "uuid": "0e2d3ead-3de9-4089-b7a3-10790b6f70f2",
@@ -26116,6 +28113,9 @@
 "meta": {
 "links": [
 "http://unsafeipw6wbkzzmj7yqp7bz6j7ivzynggmwxsm6u2wwfmfqrxqrrhyd.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/unsafe"
 ]
 },
 "uuid": "df2b1358-b3f1-4af4-8153-02f4fc018b03",
@@ -26125,6 +28125,9 @@
 "meta": {
 "links": [
 "http://test.cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/v is vendetta"
 ]
 },
 "related": [
@@ -26151,6 +28154,9 @@
 "links": [
 "http://vfokxcdzjbpehgit223vzdzwte47l3zcqtafj34qrr26htjo4uf3obid.onion",
 "http://746pbrxl7acvrlhzshosye3b3udk4plurpxt2pp27pojfhkkaooqiiqd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/vfokx"
 ]
 },
 "related": [
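Review bot: `"https://www.ransomlook.io/group/v is vendetta"` in the V is Vendetta hunk contains literal spaces, so it is not a valid URL and will be mangled or rejected by link handling in MISP and in any tool that validates refs; percent-encode the slug, `"https://www.ransomlook.io/group/v%20is%20vendetta"`, or copy the exact path ransomlook serves for that group. The same unencoded slugs recur throughout the final hunk of new entries (`eraleign (apt73)`, `zero tolerance gang (ztg)`, `clop torrents`, `red ransomware`, `lulzsec muslims`, `black suit`, `rabbit hole`, `space bears`, `malek team`, `ra group`, `team underground`, `la piovra`, `wiper leak`, `ransomware blog`, `inc ransom`, `arcus media`, `jo of satan`, `insane ransomware`, `ransom corp`, `money message`), and that hunk also carries trailing spaces inside `"https://weerwolven.biz/en/ "` and the second MedusaLocker onion link. A generator-side `urllib.parse.quote` on the group name, or a validation pass that rejects whitespace in `links`/`refs`, would catch all of these at once.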
@@ -26164,24 +28170,38 @@
 "http://ml3mjpuhnmse4kjij7ggupenw34755y4uj7t742qf7jg5impt5ulhkid.onion/",
 "http://ssq4zimieeanazkzc5ld4v5hdibi2nzwzdibfh5n5w4pw5mcik76lzyd.onion/",
 "http://wmp2rvrkecyx72i3x7ejhyd3yr6fn5uqo7wfus7cz7qnwr6uzhcbrwad.onion"
+ ],
+ "refs": [
+ "https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html",
+ "https://www.ransomlook.io/group/vicesociety"
 ]
 },
 "uuid": "41979767-bfb8-4633-af1f-3946a599f922",
 "value": "Vicesociety"
 },
 {
+ "description": "aka Onix/Onyx",
 "meta": {
 "links": [
 "http://mrdxtxy6vqeqbmb4rvbvueh2kukb3e3mhu3wdothqn7242gztxyzycid.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/vsop"
 ]
 },
 "uuid": "8b2e6391-05b4-439e-b318-1c3ace388c2d",
 "value": "Vsop"
 },
 {
+ "description": "xing use a custom mountlocker exe",
 "meta": {
 "links": [
 "http://xingnewj6m4qytljhfwemngm7r7rogrindbq7wrfeepejgxc3bwci7qd.onion/"
+ ],
+ "refs": [
+ "https://www.izoologic.com/2021/06/19/xing-locker-team-ransomgroup-is-on-a-roll-they-recently-hit-sharafi-group-investments",
+ "https://itsecuritywire.com/quick-bytes/xinglocker-spreading-worm-using-mountlocker",
+ "https://www.ransomlook.io/group/xinglocker"
 ]
 },
 "uuid": "e92d5c00-81ae-4909-9994-74bf48180f22",
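Review bot: `"description": "aka Onix/Onyx"` for Vsop stores alias data in a free-text field when this galaxy already carries aliases in a `synonyms` array (this same patch writes `"synonyms": ["Apt73"]` for Eraleign), so MISP will not match events tagged Onix or Onyx to this cluster; move it to `"synonyms": ["Onix", "Onyx"]` and drop the description or replace it with a real one. The XingLocker description `"xing use a custom mountlocker exe"` reads as a scratch note copied from the source; keeping the same claim as a sentence, `"XingLocker uses a customised MountLocker executable."`, matches the register of the other descriptions, and the itsecuritywire ref in the list already supports the MountLocker link.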
@@ -26191,15 +28211,28 @@
 "meta": {
 "links": [
 "http://wj3b2wtj7u2bzup75tzhnso56bin6bnvsxcbwbfcuvzpc4vcixbywlid.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/xinof"
 ]
 },
 "uuid": "64b7dc11-a627-43b2-91cd-38608784c53f",
 "value": "Xinof"
 },
 {
+ "description": "Ransomware.",
 "meta": {
 "links": [
 "http://jukswsxbh3jsxuddvidrjdvwuohtsy4kxg2axbppiyclomt2qciyfoad.onion/"
+ ],
+ "refs": [
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html",
+ "https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang",
+ "https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware",
+ "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.ransomlook.io/group/yanluowang"
 ]
 },
 "uuid": "476de1fe-d9b7-441a-8cb9-e6648189be3b",
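Review bot: `"description": "Ransomware."` for Yanluowang says nothing the cluster's membership in the ransomware galaxy does not already say, while the refs added directly beneath it support a concrete sentence; something like `"Targeted ransomware for Windows; a free decryptor was later released for victims (see refs)."` is grounded in the Symantec, malware-notes and BleepingComputer titles in that list. The same placeholder wording is used for karma (`"Ransomware."`) and play (`"Ransomware"`) in the final hunk, where the adjacent refs likewise give enough for a real one-liner. Note that the `securelist.com/...yanlouwang...` spelling is how that page is actually addressed, so it should not be "corrected" when the list is tidied.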
@@ -26211,11 +28244,968 @@ "https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/", "https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/n", "https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/akira" ] }, "uuid": "74f4aa81-d494-41b0-90dd-b5958fa4a822", "value": "Akira" + }, + { + "description": "", + "meta": { + "links": [ + "http://eraleignews.com/", + "http://wn6vonooq6fggjdgyocp7bioykmfjket7sbp47cwhgubvowwd7ws5pyd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/eraleign (apt73)" + ], + "synonyms": [ + "Apt73" + ] + }, + "uuid": "8855d8b5-7082-5504-aca4-24a83eca1197", + "value": "Eraleign" + }, + { + "meta": { + "links": [ + "http://zhuobnfsddn2myfxxdqtpxk367dqnntjf3kq7mrzdgienfxjyllq4rqd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/zero tolerance gang (ztg)" + ], + "synonyms": [ + "Ztg" + ] + }, + "uuid": "82bd1c85-fa32-53ca-984b-9f4e5830beb9", + "value": "Zero Tolerance Gang" + }, + { + "meta": { + "links": [ + "http://gookie256cvccntvenyxrvn7ht73bs6ss3oj2ocfkjt5y6vq6gfi2tad.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/hellogookie" + ] + }, + "uuid": "95cd32e5-4679-5871-a0ce-a0ecb361443d", + "value": "hellogookie" + }, + { + "meta": { + "links": [ + "http://nn5ua7gc7jkllpoztymtfcu64yjm7znlsriq3a6v5kw7l6jvirnczyyd.onion", + "http://krjv3wondknwdrlvzp6ktqcqkrlvpme2xjt3fu7ojqpaqgl3sm33bdqd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/lambda" + ] + }, + "uuid": "8d65309c-a3f8-514a-bc24-de3056dc3e16", + "value": "lambda" + }, + { + "meta": { + "links": [ + "http://wkrlpub5k52rjigwxfm6m7ogid55kamgc5azxlq7zjgaopv33tgx2sqd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/darkrace" + ] + }, + "uuid": "b6aa46b3-46f5-522f-931f-b1ac57e8aadc", + "value": "darkrace" + }, + { + "description": "", + "meta": { + "links": [ + "http://metacrptmytukkj7ajwjovdpjqzd7esg5v3sg344uzhigagpezcqlpyd.onion/" + ], 
+ "refs": [ + "https://www.ransomlook.io/group/metaencryptor" + ] + }, + "uuid": "be0414f6-efd9-5fb7-9383-8f9caf75d965", + "value": "metaencryptor" + }, + { + "meta": { + "links": [ + "http://toznnag5o3ambca56s2yacteu7q7x2avrfherzmz4nmujrjuib4iusad.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/clop torrents" + ] + }, + "uuid": "a25db83a-0467-52f8-8eee-2f871607d982", + "value": "clop torrents" + }, + { + "meta": { + "links": [ + "https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion", + "https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login" + ], + "refs": [ + "https://www.ransomlook.io/group/hunters" + ] + }, + "uuid": "97979d5f-2ab0-530a-b578-cb6b4ad381eb", + "value": "hunters" + }, + { + "meta": { + "links": [ + "http://33zo6hifw4usofzdnz74fm2zmhd3zsknog5jboqdgblcbwrmpcqzzbid.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/red ransomware" + ] + }, + "uuid": "9fa719ee-cc7b-5565-b510-8ea31f3e113d", + "value": "red ransomware" + }, + { + "meta": { + "links": [ + "http://mydatae2d63il5oaxxangwnid5loq2qmtsol2ozr6vtb7yfm5ypzo6id.onion/blog" + ], + "refs": [ + "https://www.ransomlook.io/group/mydata" + ] + }, + "uuid": "b3162bc6-9f24-5da8-9473-e9a63448d342", + "value": "mydata" + }, + { + "meta": { + "links": [ + "http://nv5p2mmpctvyqdyyi5zwh4gnifq2uxdx4etvnmaheqlrw6ordrjwxryd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/siegedsec" + ] + }, + "uuid": "89e5aab9-7d2d-5291-9f44-15001f97b981", + "value": "siegedsec" + }, + { + "description": "Ransomware.", + "meta": { + "links": [ + "http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/karma", + "https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/", + "https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware", + 
"https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/", + "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/", + "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", + "https://www.youtube.com/watch?v=hgz5gZB3DxE" + ] + }, + "uuid": "b2fb8726-0274-5d51-b0eb-58a9351dc10b", + "value": "karma" + }, + { + "meta": { + "links": [ + "http://2c7nd54guzi6xhjyqrj5kdkrq2ngm2u3e6oy4nfhn3wm3r54ul2utiqd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/dan0n" + ] + }, + "uuid": "3e099540-9fe5-5e2e-9a48-ed0ec8b35828", + "value": "dan0n" + }, + { + "meta": { + "links": [ + "http://dfi7ynmrugokn4fgvpbz5unt4d6k2i5abyez7wnoxxa2ifaw6s5puzqd.onion/", + "http://dfi7ynmrugokn4fgvpbz5unt4d6k2i5abyez7wnoxxa2ifaw6s5puzqd.onion/TOPDz/data/" + ], + "refs": [ + "https://www.ransomlook.io/group/lulzsec muslims" + ] + }, + "uuid": "2492a6db-3f8c-5429-a5c0-c0dcc08aa000", + "value": "lulzsec muslims" + }, + { + "meta": { + "links": [ + "http://cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/cloak" + ] + }, + "uuid": "c4a19468-e34d-527f-a88c-32f75419bf8f", + "value": "cloak" + }, + { + "meta": { + "links": [ + "http://basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion/", + "http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/8base" + ] + }, + "uuid": "1cc6ada3-a632-54a4-9df1-f41287e3f566", + "value": "8base" + }, + { + "meta": { + "links": [ + "http://noescaperjh3gg6oy7rck57fiefyuzmj7kmvojxgvlmwd5pdzizrb7ad.onion/login", + 
"http://noescapemsqxvizdxyl7f7rmg5cdjwp33pg2wpmiaaibilb4btwzttad.onion/", + "http://noescapemsqxvizdxyl7f7rmg5cdjwp33pg2wpmiaaibilb4btwzttad.onion/archive" + ], + "refs": [ + "https://www.ransomlook.io/group/noescape" + ] + }, + "uuid": "1f016089-b996-5695-81b0-4a93eacb5b6d", + "value": "noescape" + }, + { + "description": "", + "meta": { + "links": [ + "http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/black suit" + ] + }, + "uuid": "300f682f-707f-590f-9202-87f0ce6c1a04", + "value": "black suit" + }, + { + "description": "", + "meta": { + "links": [ + "https://werewolves.pro", + "https://weerwolven.biz/en/ " + ], + "refs": [ + "https://www.ransomlook.io/group/werewolves" + ] + }, + "uuid": "3b35ff68-a503-54a1-9bc0-d7664340a5da", + "value": "werewolves" + }, + { + "meta": { + "links": [ + "http://kill432ltnkqvaqntbalnsgojqqs2wz4lhnamrqjg66tq6fuvcztilyd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/killsec" + ] + }, + "uuid": "f2eeb8ab-160c-5e4a-bf04-bc93cff90622", + "value": "killsec" + }, + { + "meta": { + "links": [ + "http://z5jixbfejdu5wtxd2baliu6hwzgcitlspnttr7c2eopl5ccfcjrhkqid.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/rabbit hole" + ] + }, + "uuid": "10f83e56-37f2-56ec-84c7-b9c80a3dcfee", + "value": "rabbit hole" + }, + { + "meta": { + "links": [ + "http://f6amq3izzsgtna4vw24rpyhy3ofwazlgex2zqdssavevvkklmtudxjad.onion/", + "http://f6amq3izzsgtna4vw24rpyhy3ofwazlgex2zqdssavevvkklmtudxjad.onion/market.html", + "https://ransomed.vc/market.html", + "https://ransomed.vc/" + ], + "refs": [ + "https://www.ransomlook.io/group/raznatovic" + ] + }, + "uuid": "9f8fb586-8511-5baf-a74f-f8d224beac4c", + "value": "raznatovic" + }, + { + "meta": { + "links": [ + "http://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/abyss-data" + ] + }, + "uuid": "77e2a547-8288-58f0-ba41-b3c2eb57f24a", + "value": 
"abyss-data" + }, + { + "meta": { + "links": [ + "http://cryptr3fmuv4di5uiczofjuypopr63x2gltlsvhur2ump4ebru2xd3yd.onion", + "http://blog6zw62uijolee7e6aqqnqaszs3ckr5iphzdzsazgrpvtqtjwqryid.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/cryptnet" + ] + }, + "uuid": "e5cc7cd8-3b03-592e-aaed-7a9807647857", + "value": "cryptnet" + }, + { + "meta": { + "links": [ + "http://hscr6cjzhgoybibuzn2xud7u4crehuoo4ykw3swut7m7irde74hdfzyd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/losttrust" + ] + }, + "uuid": "a494c749-5902-5aa7-b0da-16de28230b1c", + "value": "losttrust" + }, + { + "meta": { + "links": [ + "http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/", + "http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/archive.php", + "http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/archive.php?auction", + "http://rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/rhysida" + ] + }, + "uuid": "00cfde20-21c2-547c-ae07-ff42da937b38", + "value": "rhysida" + }, + { + "meta": { + "links": [ + "http://j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/c3rb3r" + ] + }, + "uuid": "80e280df-1cbd-5188-a938-0777db06741d", + "value": "c3rb3r" + }, + { + "meta": { + "links": [ + "http://6n5tfadusp4sarzuxntz34q4ohspiaya2mc6aw6uhlusfqfsdomavyyd.onion", + "http://trigonax2zb3fw34rbaap4cqep76zofxs53zakrdgcxzq6xzt24l5lqd.onion", + "http://trigonax2zb3fw34rbaap4cqep76zofxs53zakrdgcxzq6xzt24l5lqd.onion/api", + "http://krsbhaxbki6jr4zvwblvkaqzjkircj7cxf46qt3na5o5sj2hpikbupqd.onion", + "http://krsbhaxbki6jr4zvwblvkaqzjkircj7cxf46qt3na5o5sj2hpikbupqd.onion/api", + "http://zp6la4xdki3irsenq3t7z7pu2nnaktqgob6aizlzjkdiyw6azjeuhzqd.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/trigona" + ] + }, + "uuid": "6f03f532-e311-5ef8-bb1c-fe157419ec97", + "value": "trigona" + }, + { + 
"meta": { + "links": [ + "http://malas2urovbyyavjzaezkt5ohljvyd5lt7vv7mnsgbf2y4bwlh72doqd.onion/posts/", + "http://malas2urovbyyavjzaezkt5ohljvyd5lt7vv7mnsgbf2y4bwlh72doqd.onion/atom.xml" + ], + "refs": [ + "https://www.ransomlook.io/group/malas" + ] + }, + "uuid": "b57a280c-73c5-5e74-b760-32a7caa3bdda", + "value": "malas" + }, + { + "meta": { + "links": [ + "http://5butbkrljkaorg5maepuca25oma7eiwo6a2rlhvkblb4v6mf3ki2ovid.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/space bears" + ] + }, + "uuid": "65e46714-046c-51d9-bae8-c5aa6e967017", + "value": "space bears" + }, + { + "meta": { + "links": [ + "http://lc65fb3wrvox6xlyn4hklwjcojau55diqxxylqs4qsfng23ftzijnxad.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/shadow" + ] + }, + "uuid": "346b5835-aae4-5093-bc4f-bdf5c63d3de7", + "value": "shadow" + }, + { + "description": "", + "meta": { + "links": [ + "http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion", + "http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion", + "http://dlmfciajg5s4vliyo5dhs5jyzhi2xr2fnkebul46lpf4xudtqiue4nid.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/medusa", + "https://twitter.com/ThreatFabric/status/1285144962695340032", + "https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html", + "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html", + "https://news.drweb.com/show/?i=10302&lng=en", + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", + "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/", + "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/" + ] + }, + "uuid": "620c3817-320a-5772-acf1-008cc8852b0f", + "value": "medusa" + }, + { + "meta": { + "links": [ + "http://dkgn45pinr7nwvdaehemcrpgcjqf4fooit3c4gjw6dhzrp443ctvnoad.onion", + 
"http://dkgn45pinr7nwvdaehemcrpgcjqf4fooit3c4gjw6dhzrp443ctvnoad.onion/leaks.html" + ], + "refs": [ + "https://www.ransomlook.io/group/mogilevich" + ] + }, + "uuid": "323fb0b1-b27d-5bd7-aaa0-ab31df49f3b7", + "value": "mogilevich" + }, + { + "meta": { + "links": [ + "https://malekteam.ac", + "http://195.14.123.2/" + ], + "refs": [ + "https://www.ransomlook.io/group/malek team" + ] + }, + "uuid": "5feb8180-266f-5971-ab50-58f3eb7c321c", + "value": "malek team" + }, + { + "meta": { + "links": [ + "http://pa32ymaeu62yo5th5mraikgw5fcvznnsiiwti42carjliarodltmqcqd.onion", + "http://hkpomcx622gnqp2qhenv4ceyrhwvld3zwogr4mnkdeudq2txf55keoad.onion", + "http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/ra group" + ] + }, + "uuid": "f75e53c0-e8c9-55d0-a419-c69272a645e8", + "value": "ra group" + }, + { + "meta": { + "links": [ + "http://3ytm3d25hfzvbylkxiwyqmpvzys5of7l4pbosm7ol7czlkplgukjq6yd.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/slug" + ] + }, + "uuid": "5045afba-9ed7-590f-8db9-c9aedb5b7a76", + "value": "slug" + }, + { + "description": "Tesorion describes Lorenz as a ransomware with design and implementation flaws, leading to impossible decryption with tools provided by the attackers. A free decryptor for 2021 versions was made available via the NoMoreRansom initiative. 
A new version of the malware was discovered in March 2022, for which again was provided a free decryptor, while the ransomware operators are not able to provide tools to decrypt affected files.", + "meta": { + "links": [ + "http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/lorenz", + "https://www.zdnet.com/article/lorenz-ransomware-attack-victims-can-now-retrieve-their-files-for-free-with-this-decryption-tool", + "https://www.cybertalk.org/the-worst-outcomes-lorenz-ransomware-a-new-double-extortion-strategy", + "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", + "https://therecord.media/free-decrypter-available-for-lorenz-ransomware/", + "https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20", + "https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/", + "https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware", + "https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/", + "https://www.tesorion.nl/en/posts/lorenz-ransomware-rebound-corruption-and-irrecoverable-files/" + ] + }, + "uuid": "b87375f3-fa83-5a36-af3a-801ca589cd49", + "value": "lorenz" + }, + { + "meta": { + "links": [ + "http://undgrddapc4reaunnrdrmnagvdelqfvmgycuvilgwb5uxm25sxawaoqd.onion", + "http://ehehqyhw3iev2vfso4vqs7kcrzltfebe5vbimq62p2ja7pslczs3q6qd.onion/auth/login", + "http://47glxkuxyayqrvugfumgsblrdagvrah7gttfscgzn56eyss5wg3uvmqd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/team underground" + ] + }, + "uuid": "517cc412-6624-5daa-8539-1271c51d78b0", + "value": "team underground" + }, + { + "meta": { + "links": [ + "http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/3am" + ] + }, + "uuid": "1c8af0c6-7b20-5878-909d-6ac14429a9ed", + "value": "3am" + }, + { + "meta": { + "links": [ + 
"http://crosslock5cwfljbw4v37zuzq4talxxhyavjm2lufmjwgbpfjdsh56yd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/crosslock" + ] + }, + "uuid": "e203cc8c-6df9-5561-b7f3-ab65ee4a8e6b", + "value": "crosslock" + }, + { + "meta": { + "links": [ + "http://nt3rrzq5hcyznvdkpslvqbbc2jqecqrinhi5jtwoae2x7psqtcb6dcad.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/cyclops" + ] + }, + "uuid": "e4b7ba12-79b7-5728-a4db-1f718959c81c", + "value": "cyclops" + }, + { + "meta": { + "links": [ + "http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog" + ], + "refs": [ + "https://www.ransomlook.io/group/dragonforce" + ] + }, + "uuid": "9cd58774-1f45-52dd-9c00-0050151cb093", + "value": "dragonforce" + }, + { + "description": "", + "meta": { + "links": [ + "http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/", + "http://mjmru3yz65o5szsp4rmkmh4adlezcpy5tqjjc4y5z6lozk3nnz2da2ad.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/ransomhub" + ] + }, + "uuid": "9a1bfbf8-e07c-55d0-9ca5-3bcfa67f2468", + "value": "ransomhub" + }, + { + "meta": { + "links": [ + "http://et22fibzuzfyzgurm35sttm52qbzvdgzy5qhzy46a3gmkrrht3lec5ad.onion/", + "http://h3txev6jev7rcm6p2qkxn2vctybi4dvochr3inymzgif53n2j2oqviqd.onion/", + "http://wx3djgl4cacl6y4x7r4e4mbqrrub24ectue7ixyix2du25nfowtvfiyd.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/la piovra" + ] + }, + "uuid": "590734bf-3e26-5c67-8a9d-ddb1a62a0bed", + "value": "la piovra" + }, + { + "meta": { + "links": [ + "https://discord.com/invite/jjZQdDNnG" + ], + "refs": [ + "https://www.ransomlook.io/group/wiper leak" + ] + }, + "uuid": "d4362ac0-1dcc-5df4-a890-1d1d3505425e", + "value": "wiper leak" + }, + { + "description": "Ransomware", + "meta": { + "links": [ + "http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion", + "http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/play", + 
"https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/", + "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", + "https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/", + "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/", + "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html" + ] + }, + "uuid": "353be17b-d108-55e9-a0f1-2f4829183df0", + "value": "play" + }, + { + "description": "Also known as MedusaLocker", + "meta": { + "links": [ + "http://z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion", + "http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion/ " + ], + "refs": [ + "https://www.ransomlook.io/group/ransomware blog" + ] + }, + "uuid": "7b4a7253-b508-56c8-aec8-981e087d1b34", + "value": "ransomware blog" + }, + { + "meta": { + "links": [ + "http://orfc3joknhrzscdbuxajypgrvlcawtuagbj7f44ugbosuvavg3dc3zid.onion/victim.html#", + "http://orfc3joknhrzscdbuxajypgrvlcawtuagbj7f44ugbosuvavg3dc3zid.onion/", + "http://pkk4gbz7lsbgeja6s6iwsan2ce364sqioici65swwt65uhicke65uyid.onion/", + "http://5qmw6mv5ucbeskd3rv6vgn5dqgsuectmtqvz4paukmvhtlazzkuxuwqd.onion/", + "http://5qmw6mv5ucbeskd3rv6vgn5dqgsuectmtqvz4paukmvhtlazzkuxuwqd.onion/victim.html", + "http://pkk4gbz7lsbgeja6s6iwsan2ce364sqioici65swwt65uhicke65uyid.onion/victim.html" + ], + "refs": [ + "https://www.ransomlook.io/group/trisec" + ] + }, + "uuid": "654d3f47-e30f-593c-9581-885c8d0ef7d5", + "value": "trisec" + }, + { + "meta": { + "links": [ + "http://62brsjf2w77ihz5paods33cdgqnon54gjns5nmag3hmqv6fcwamtkmad.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/qiulong" + ] + }, + "uuid": "2b57c176-af54-5165-afb6-845d88049b18", + "value": "qiulong" + }, + { + "meta": { + "links": [ + 
"https://cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion",
+ "https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/cactus"
+ ]
+ },
+ "uuid": "e888321e-c84a-5fa7-8761-dd2aaef691b8",
+ "value": "cactus"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://ciphbitqyg26jor7eeo6xieyq7reouctefrompp6ogvhqjba7uo4xdid.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/ciphbit"
+ ]
+ },
+ "uuid": "4ca1395f-a6c2-5351-8c93-f746f7562e56",
+ "value": "ciphbit"
+ },
+ {
+ "description": "",
+ "meta": {
+ "links": [
+ "http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion",
+ "http://incapt.blog/",
+ "http://incapt.su/blog/leaks",
+ "http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/blog/disclosures"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/inc ransom"
+ ]
+ },
+ "uuid": "382c9986-8a55-5917-b04e-b0bf2e495320",
+ "value": "inc ransom"
+ },
+ {
+ "description": "",
+ "meta": {
+ "links": [
+ "http://arcuufpr5xxbbkin4mlidt7itmr6znlppk63jbtkeguuhszmc5g7qdyd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/arcus media"
+ ]
+ },
+ "uuid": "30179cca-34c6-5cec-bc66-cc4e404c7d82",
+ "value": "arcus media"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://jos666vxenlqp4xpnsxehovnaumi4c3q4bmvhpgdyz7bsk3ho3caokad.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/jo of satan"
+ ]
+ },
+ "uuid": "8f0a410b-a73f-552b-8a05-6c5725eda76d",
+ "value": "jo of satan"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://ze677xuzard4lx4iul2yzf5ks4gqqzoulgj5u4n5n4bbbsxjbfr7eayd.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/rancoz"
+ ]
+ },
+ "uuid": "68b2f074-abf9-5a9b-b2a2-b804129acb31",
+ "value": "rancoz"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd.onion/index.html"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/dunghill"
+ ]
+ },
+ "uuid": "5eadcdf1-b21b-5e62-867d-332cd9bfac68",
+ "value": "dunghill"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://contiuevxdgdhn3zl2kubpajtfgqq4ssj2ipv6ujw7fwhggev3rk6hqd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/u-bomb"
+ ]
+ },
+ "uuid": "48fa0281-81fd-5f46-a6ea-55ae3f92f243",
+ "value": "u-bomb"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://crypuglupv3bsqnbt5ruu5lgwrwoaojscwhuoccbmbzmcidft5kiccqd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/cryptbb"
+ ]
+ },
+ "uuid": "caf4f04c-bbc1-56a6-993e-e1a297985cb9",
+ "value": "cryptbb"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://noname2j6zkgnt7ftxsjju5tfd3s45s4i3egq5bqtl72kgum4ldc6qyd.onion",
+ "https://www.lockbitblog.info/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/noname"
+ ]
+ },
+ "uuid": "23052672-401c-5e1e-89da-2697144ce984",
+ "value": "noname"
+ },
+ {
+ "description": "",
+ "meta": {
+ "links": [
+ "http://knight3xppu263m7g4ag3xlit2qxpryjwueobh7vjdc3zrscqlfu3pqd.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/knight"
+ ]
+ },
+ "uuid": "9de51a68-32b5-562d-9ebb-4727d910550e",
+ "value": "knight"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/zeon"
+ ]
+ },
+ "uuid": "70badbdc-33fd-5849-a04d-382229713027",
+ "value": "zeon"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://nv5lbsrr4rxmewzmpe25nnalowe4ga7ki6yfvit3wlpu7dfc36pyh4ad.onion/",
+ "http://gfksiwpsqudibondm6o2ipxymaonehq3l26qpgqr3nh4jvcyayvogcid.onion/",
+ "http://gfksiwpsqudibondm6o2ipxymaonehq3l26qpgqr3nh4jvcyayvogcid.onion/Insane.html",
+ "http://nv5lbsrr4rxmewzmpe25nnalowe4ga7ki6yfvit3wlpu7dfc36pyh4ad.onion/Insane.html",
+ "http://r2ad4ayrgpf7og673lhrw5oqyvqg4em2fpialk7l7gxkasvqkqow4qad.onion/",
+ "http://r2ad4ayrgpf7og673lhrw5oqyvqg4em2fpialk7l7gxkasvqkqow4qad.onion/Insane.html"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/insane ransomware"
+ ]
+ },
+ "uuid": "b90acd97-b7f3-5523-9344-5fe5ebc2f05f",
+ "value": "insane ransomware"
+ },
+ {
+ "meta": {
+ "links": [
+ "https://ransomed.vc/",
+ "http://k63fo4qmdnl4cbt54sso3g6s5ycw7gf7i6nvxl3wcf3u6la2mlawt5qd.onion",
+ "http://f6amq3izzsgtna4vw24rpyhy3ofwazlgex2zqdssavevvkklmtudxjad.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/ransomed"
+ ]
+ },
+ "uuid": "627ac5f6-55fe-5fe4-887c-d994ec9fc1c7",
+ "value": "ransomed"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://sewo2yliwvgca3abz565nsnnx3khi6x7t5ccpbvvg6wgce4bk2jagiad.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/ransom corp"
+ ]
+ },
+ "uuid": "4e96c839-70cf-5d5b-940f-168ff6285721",
+ "value": "ransom corp"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://g3h3klsev3eiofxhykmtenmdpi67wzmaixredk5pjuttbx7okcfkftqd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/donex"
+ ]
+ },
+ "uuid": "bc89266b-31d5-5627-9d1d-822ff84792be",
+ "value": "donex"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://blogvl7tjyjvsfthobttze52w36wwiz34hrfcmorgvdzb6hikucb7aqd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/money message"
+ ]
+ },
+ "uuid": "cd2de3e2-9e43-5f8d-89ec-6cd2c8bad1b8",
+ "value": "money message"
+ },
+ {
+ "meta": {
+ "links": [
+ "https://handala.to/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/handala"
+ ]
+ },
+ "uuid": "f7e8b3a4-755e-5328-8cb3-3786d330d95a",
+ "value": "handala"
+ },
+ {
+ "description": "",
+ "meta": {
+ "links": [
+ "http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/embargo"
+ ]
+ },
+ "uuid": "1d275681-09a8-5c54-8736-5c0a1b8ae7eb",
+ "value": "embargo"
+ },
+ {
+ "description": "",
+ "meta": {
+ "links": [
+ "http://mdhby62yvvg6sd5jmx5gsyucs7ynb5j45lvvdh4dsymg43puitu7tfid.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/darkvault"
+ ]
+ },
+ "uuid": "4f61f5f9-a00a-5390-8514-3510d84f0947",
+ "value": "darkvault"
+ },
+ {
+ "description": "",
+ "meta": {
+ "links": [
+ "http://meow6xanhzfci2gbkn3lmbqq7xjjufskkdfocqdngt3ltvzgqpsg5mid.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/meow"
+ ]
+ },
+ "uuid": "406205b7-bb95-5687-aea0-4e915e743f40",
+ "value": "meow"
+ },
+ {
+ "meta": {
+ "links": [
+ "https://apos.blog"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/apos"
+ ]
+ },
+ "uuid": "ee97d01c-b8b9-5c36-9c27-134f8d2ee603",
+ "value": "apos"
 }
 ],
- "version": 120
+ "version": 121
 }