Ransomware
| DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
|---|---|---|---|---|
| 30.10.24 | Jumpy Pisces Engages in Play Ransomware | RANSOMWARE | RANSOMWARE | Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident. |
28.10.24 | Qilin | RANSOMWARE | RANSOMWARE | New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion |
27.10.24 | Cicada3301 | RANSOMWARE | RANSOMWARE | Encrypted Symphony: Infiltrating the Cicada3301 Ransomware-as-a-Service Group |
8.9.24 | Cicada3301 | RANSOMWARE | RANSOMWARE | Dissecting the Cicada |
5.9.24 | RansomHub Ransomware | RANSOMWARE | RANSOMWARE | #StopRansomware: RansomHub Ransomwa |
5.9.24 | Cicada3301 | RANSOMWARE | RANSOMWARE | Decoding the Puzzle: Cicada3301 Ransomware Threat Analysis |
24.8.24 | Qilin ransomware | RANSOMWARE | RANSOMWARE | Qilin ransomware caught stealing credentials stored in Google Chrome |
15.8.24 | RansomHub | RANSOMWARE | RANSOMWARE | Ransomware attackers introduce new EDR killer to their arsenal |
9.8.24 | StopRansomware BlackSuit (Royal) Ransomware | RANSOMWARE | RANSOMWARE | The advisory was updated to notify network defenders of the rebrand of “Royal” ransomware actors to “BlackSuit.” The update includes new TTPs, IOCs, and detection methods related to BlackSuit ransomware. “Royal” was updated to “BlackSuit” throughout unless referring to legacy Royal activity. Updates and new content are noted. |
15.7.24 | HardBit Ransomware 4.0 | RANSOMWARE | RANSOMWARE | In this Threat Analysis report, Cybereason Security Services investigates HardBit Ransomware version 4.0, a new version observed in the wild. |
8.7.24 | Eldorado | RANSOM | RANSOM | Eldorado Ransomware: The New Golden Empire of Cybercrime? |
13.6.24 | Black Basta | RANSOMWARE | RANSOMWARE | Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day |
5.6.24 | RansomHub | RANSOMWARE | | RansomHub: New Ransomware has Origins in Older Knight |
24.5.24 | | Hacking | | ESXi Ransomware Attacks: Evolution, Impact, and Defense Strategy |
11.5.24 | StopRansomware: Black Basta | Ransomware | Ransomware | Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. |
19.4.24 | Akira | Ransomware | Ransomware | Akira is swiftly becoming one of the fastest-growing ransomware families thanks to its use of double extortion tactics, a ransomware-as-a-service (RaaS) distribution model, and unique payment options. |
17.4.24 | Cerber | Ransomware | Ransomware | Cerber Ransomware: Dissecting the three heads |
15.3.24 | Daixin Team | Ransomware | Ransomware | The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have |
15.3.24 | Cuba | Ransomware | Ransomware | Cuba ransomware, upon compromise, installs and executes a CobaltStrike beacon as a service on the victim’s network via PowerShell. Once installed, the ransomware downloads two executable files, which include “pones.exe” for password acquisition and “krots.exe,” also known as KPOT, enabling the Cuba ransomware actors to write to the compromised system’s temporary (TMP) file. Once the TMP file is uploaded, the “krots.exe” file is deleted and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com. |
15.3.24 | ESXiArgs | Ransomware | Ransomware | The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable. |
15.3.24 | Royal | Ransomware | Ransomware | Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. Blacksuit ransomware shares a number of identified coding characteristics similar to Royal. A previous joint CSA for Royal ransomware was published on March 2, 2023. This joint CSA provides updated IOCs identified through FBI investigations. |
15.3.24 | LockBit 3.0 | Ransomware | | LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware. LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise). |
15.3.24 | BianLian | Ransomware | | BianLian is a ransomware developer, deployer, and data extortion cybercriminal group. FBI observed BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. In Australia, ACSC has observed BianLian group predominately targeting private enterprises, including one critical infrastructure organization. BianLian group originally employed a double-extortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. In 2023, FBI observed BianLian shift to primarily exfiltration-based extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion. BianLian actors warn of financial, business, and legal ramifications if payment is not made. |
15.3.24 | CL0P | Ransomware | Ransomware | Appearing in February 2019, and evolving from the CryptoMix ransomware variant, CL0P was leveraged as a Ransomware as a Service (RaaS) in large-scale spear-phishing campaigns that used a verified and digitally signed binary to bypass system defenses. CL0P was previously known for its use of the ‘double extortion’ tactic of stealing and encrypting victim data, refusing to restore victim access and publishing exfiltrated data on Tor via the CL0P^_-LEAKS website. In 2019, TA505 actors leveraged CL0P ransomware as the final payload of a phishing campaign involving a macro-enabled document that used a Get2 malware dropper for downloading SDBot and FlawedGrace. In recent campaigns beginning 2021, CL0P preferred to rely mostly on data exfiltration over encryption. |
15.3.24 | LockBit | Ransomware | Ransomware | In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat. |
15.3.24 | Truebot | Ransomware | Ransomware | Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access by exploiting CVE-2022-31199 (a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at scale within the compromised environment. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess that cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants. |
15.3.24 | QakBot | Ransomware | Ransomware | QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally. QakBot has been the precursor to a significant amount of computer intrusions, to include ransomware and the compromise of user accounts within the Financial Sector. |
15.3.24 | Snatch | Ransomware | Ransomware | First appearing in 2018, Snatch operates a ransomware-as-a-service (RaaS) model and claimed their first U.S.-based victim in 2019. Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode [T1562.009], enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running. |
15.3.24 | AvosLocker | Ransomware | Ransomware | The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known IOCs, TTPs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023. |
15.3.24 | Royal | Ransomware | Ransomware | Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.[1] In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom. |
15.3.24 | Rhysida | Ransomware | Ransomware | Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. |
15.3.24 | Scattered Spider | Ransomware | Ransomware | Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities.[1] Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). |
15.3.24 | BlackCat/ALPHV | Ransomware | Ransomware | This FLASH is part of a series of FBI reports to disseminate known indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) associated with ransomware variants identified through FBI investigations. As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing. |
15.3.24 | Phobos | Ransomware | Ransomware | According to open source reporting, Phobos ransomware is likely connected to numerous variants (including Elking, Eight, Devos, Backmydata, and Faust ransomware) due to similar TTPs observed in Phobos intrusions. Phobos ransomware operates in conjunction with various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound. These tools are all widely accessible and easy to use in various operating environments, making it (and associated variants) a popular choice for many threat actors. |
8.3.24 | Jasmin | Ransomware | Ransomware | GoodWill Ransomware? Or Just Another Jasmin Variant? |
7.3.24 | Abyss Locker | Ransomware | Ransomware | On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. |
7.3.24 | BlackCat (ALPHV) Attack | Ransomware | Ransomware | Explore the thwarted cyber extortion attempt by the BlackCat ransomware group, unraveled by Sygnia’s Incident Response team in mid-2023. |
4.3.24 | CACTUS | Ransomware | Ransomware | CACTUS: Analyzing a Coordinated Ransomware Attack on Corporate Networks |
25.2.24 | LockBit Attempts to Stay Afloat With a New Version | Ransomware | Ransomware | This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who took action against LockBit as part of Operation Cronos, an international effort resulting in the undermining of its operations. |
17.2.24 | Akira | Ransomware | Anti-Tool | Akira Ransomware and Exploitation of Cisco AnyConnect Vulnerability CVE-2020-3259 |
12.2.24 | Rhysida | Ransomware | Ransomware | The Korea Internet & Security Agency (KISA) distributes a recovery tool for Rhysida ransomware. |
30.1.24 | NONAME | Ransomware | Ransomware | Older Leaks Re-Surfaces: LOCKBIT Imitator on Surface Web |
30.1.24 | Mimus | Ransomware | Ransomware | Mimo CoinMiner and Mimus Ransomware Installed via Vulnerability Attacks |
30.1.24 | Kuiper | Ransomware | Ransomware | Kuiper ransomware analysis: Stairwell’s technical report |
30.1.24 | Kasseika | Ransomware | Ransomware | The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups like Akira, AvosLocker, BlackByte, and RobbinHood. |
30.1.24 | Albabat | Ransomware | Ransomware | On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. |
30.1.24 | Phobos | Ransomware | Ransomware | Another Phobos Ransomware Variant Launches Attack – FAUST |
29.1.24 | Kasseika | Ransomware | Ransomware | Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver |
12.1.24 | Medusa | Ransomware | Ransomware | Medusa Ransomware Turning Your Files into Stone |
10.1.24 | Babuk | Ransomware | Anti-Tool | Babuk is a Russian ransomware. In September 2021, the source code leaked with some of the decryption keys. Victims can decrypt their files for free. |
24.12.23 | Dark Power | Ransomware | Ransomware | Dark Power Ransomware: In-Depth Analysis, Detection, and Mitigation |
24.12.23 | Kanti | Ransomware | Ransomware | Kanti: A NIM-Based Ransomware Unleashed in the Wild |