ExtraThreatIntel.md

File metadata and controls

79 lines (76 loc) · 9.27 KB

Extra Threat Intel

Important

The threat groups mentioned in the other files in this repository are covered in the following list of additional reports from a variety of sources. Publicly available reports were deliberately chosen as the main source so that the research can be independently peer reviewed.

| Date Published | Ransomware/Extortionist | Report |
|---|---|---|
| 26 September 2024 | Storm-0501* (Sabbath/54bb47h, Hive, BlackCat, Hunters International, LockBit, Embargo) | https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/ |
| 10 September 2024 | CosmicBeetle* (Scarab, ScRansom, NONAME, RansomHub) | https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/ |
| 10 September 2024 | Cicada3301 | https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomware/ |
| 3 September 2024 | Cicada3301 | https://blog.morphisec.com/cicada3301-ransomware-threat-analysis |
| 28 August 2024 | *Br0k3r (NoEscape, RansomHouse, BlackCat, Pay2Key) | https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a |
| 28 August 2024 | BlackByte | https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/ |
| 26 August 2024 | BlackSuit | https://thedfirreport.com/2024/08/26/blacksuit-ransomware/ |
| 20 August 2024 | Everest | https://www.aha.org/system/files/media/file/2024/08/hc3-tlp-clear-threat-actor-profile-everest-ransomware-group-august-20-2024.pdf |
| 14 August 2024 | RansomHub | https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/ |
| 14 August 2024 | INC Ransom | https://www.guidepointsecurity.com/blog/update-from-the-ransomware-trenches/ |
| 5 August 2024 | Zola | https://www.acronis.com/en-us/cyber-protection-center/posts/zola-ransomware-the-many-faces-of-the-proton-family/ |
| 29 July 2024 | Black Basta | https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight |
| 19 June 2024 | Qilin | https://www.secureworks.com/research/threat-profiles/gold-feather |
| 5 June 2024 | RansomHub | https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware |
| 4 June 2024 | Fog | https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/ |
| 9 May 2024 | RansomHub | https://www.forescout.com/blog/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack/ |
| 1 May 2024 | INC Ransom | https://www.huntress.com/blog/lolbin-to-inc-ransomware |
| 15 April 2024 | INC Ransom | https://www.secureworks.com/blog/gold-ionic-deploys-inc-ransomware |
| 26 March 2024 | Qilin | https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates-to-vcenters-and-esxi-via-custom-pow.html |
| 8 March 2024 | Scattered Spider | https://unit42.paloaltonetworks.com/muddled-libra/ |
| 29 February 2024 | BlackCat | https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/ |
| 28 February 2024 | Cactus | https://www.bitdefender.com/blog/businessinsights/cactus-analyzing-a-coordinated-ransomware-attack-on-corporate-networks/ |
| 22 February 2024 | Scattered Spider | https://blog.sekoia.io/scattered-spider-laying-new-eggs/ |
| 11 January 2024 | Medusa | https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/ |
| 11 November 2023 | Hunters International | https://www.bitdefender.com/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage/ |
| 31 October 2023 | Rhysida | https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/rhysida-ransomware-intrusion.pdf |
| 20 September 2023 | *Prophet Spider (MAZE, Egregor, MountLocker) | https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker |
| 15 September 2023 | Akira | https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html |
| 14 September 2023 | Scattered Spider* (BlackCat, Qilin, RansomHub) | https://cloud.google.com/blog/topics/threat-intelligence/unc3944-sms-phishing-sim-swapping-ransomware/ |
| 11 September 2023 | Cuba | https://securelist.com/cuba-ransomware/110533/ |
| 11 August 2023 | INC Ransom | https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity |
| 8 August 2023 | Rhysida | https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/ |
| 1 June 2023 | Various Groups | https://github.com/Casualtek/Ransomchats |
| 10 May 2023 | Cactus | https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection |
| 25 April 2023 | Bassterlord* (REvil, RansomEXX, Avaddon, LockBit) | https://analyst1.com/ransomware-diaries-volume-2/ |
| 10 April 2023 | RagnarLocker | https://www.sygnia.co/blog/threat-actor-spotlight-ragnarlocker-ransomware/ |
| 7 April 2023 | DarkBit+ | https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment |
| 23 March 2023 | *Prophet Spider (MAZE, Egregor, MountLocker) | https://cloud.google.com/blog/topics/threat-intelligence/unc961-multiverse-financially-motivated/ |
| 2 December 2022 | Scattered Spider* | https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/ |
| 17 November 2022 | Royal | https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/ |
| 25 October 2022 | Vice Society | https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector |
| 12 October 2022 | Black Basta | https://www.trendmicro.com/en_ca/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html |
| 7 September 2022 | MONTI | https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger |
| 2 September 2022 | Vice Society | https://www.sygnia.co/blog/the-vice-society-ransomware-investigation |
| 25 August 2022 | Qilin | https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html |
| 10 August 2022 | Yanluowang | https://blog.talosintelligence.com/recent-cyber-attack/ |
| 10 August 2022 | ALPHV/BlackCat | https://news.sophos.com/en-us/2022/08/10/lockbit-hive-and-blackcat-attack-automotive-supplier-in-triple-ransomware-attack |
| 21 June 2022 | AvosLocker | https://blog.talosintelligence.com/avoslocker-new-arsenal/ |
| 13 June 2022 | BlackCat | https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware |
| 2 June 2022 | EvilCorp* (BitPaymer, DoppelPaymer, WastedLocker, Hades, Phoenix, Macaw, PayloadBIN, LockBit, RansomHub) | https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions |
| 2 May 2022 | AvosLocker | https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html |
| 4 April 2022 | AvosLocker | https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker |
| 22 March 2022 | Lapsus$ | https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ |
| 17 March 2022 | AvosLocker | https://www.ic3.gov/Media/News/2022/220318.pdf |
| 7 March 2022 | *Prophet Spider (MAZE, Egregor, MountLocker) | https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/ |
| 23 February 2022 | BlackCat | https://www.emsisoft.com/en/blog/40931/ransomware-profile-alphv/ |
| 19 January 2022 | Avaddon | https://cloud.google.com/blog/topics/threat-intelligence/chasing-avaddon-ransomware/ |
| 30 November 2021 | Yanluowang | https://symantec-enterprise-blogs.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue |
| 28 October 2021 | FiveHands | https://www.ic3.gov/Media/News/2021/211029.pdf |
| 21 October 2021 | Lockean* (Maze, Egregor, REvil, DoppelPaymer, ProLock) | https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf |
| 30 August 2021 | DarkSide | https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1 |
| 23 August 2021 | OnePercent* (REvil) | https://www.ic3.gov/Media/News/2021/210823.pdf |
| 4 August 2021 | *Prophet Spider (MAZE, Egregor, MountLocker) | https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ |
| 15 July 2021 | PYSA | https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/ |
| 21 June 2021 | PYSA | https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat |
| 11 May 2021 | DarkSide | https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/ |
| 6 May 2021 | FiveHands | https://www.cisa.gov/news-events/analysis-reports/ar21-126a |
| 29 April 2021 | FiveHands | https://cloud.google.com/blog/topics/threat-intelligence/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat |
| 5 July 2020 | MAZE | https://cloud.google.com/blog/topics/threat-intelligence/tactics-techniques-procedures-associated-with-maze-ransomware-incidents |

Note

This list is also where others can contribute additional threat intelligence about the tools used by ransomware gangs to the repo.