RANSOMWARE

| DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
|---|---|---|---|---|
| 8.9.24 | Cicada3301 | RANSOMWARE | RANSOMWARE | Dissecting the Cicada |
| 5.9.24 | RansomHub Ransomware | RANSOMWARE | RANSOMWARE | #StopRansomware: RansomHub Ransomwa |
| 5.9.24 | Cicada3301 | RANSOMWARE | RANSOMWARE | Decoding the Puzzle: Cicada3301 Ransomware Threat Analysis |
| 24.8.24 | Qilin ransomware | RANSOMWARE | RANSOMWARE | Qilin ransomware caught stealing credentials stored in Google Chrome |
| 15.8.24 | RansomHub | RANSOMWARE | RANSOMWARE | Ransomware attackers introduce new EDR killer to their arsenal |
| 9.8.24 | StopRansomware: BlackSuit (Royal) Ransomware | RANSOMWARE | RANSOMWARE | The advisory was updated to notify network defenders of the rebrand of “Royal” ransomware actors to “BlackSuit.” The update includes new TTPs, IOCs, and detection methods related to BlackSuit ransomware. “Royal” was updated to “BlackSuit” throughout unless referring to legacy Royal activity. Updates and new content are noted. |
| 15.7.24 | HardBit Ransomware 4.0 | RANSOMWARE | RANSOMWARE | In this Threat Analysis report, Cybereason Security Services investigates HardBit Ransomware version 4.0, a new version observed in the wild. |
| 8.7.24 | Eldorado | RANSOM | RANSOM | Eldorado Ransomware: The New Golden Empire of Cybercrime? |
| 13.6.24 | Black Basta | RANSOMWARE | RANSOMWARE | Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day |
| 5.6.24 | RansomHub | RANSOMWARE | RANSOMWARE | RansomHub: New Ransomware has Origins in Older Knight |
| 24.5.24 | ESXi Ransomware | Ransomware | Hacking | ESXi Ransomware Attacks: Evolution, Impact, and Defense Strategy |
| 11.5.24 | StopRansomware: Black Basta | Ransomware | Ransomware | Black Basta affiliates use common initial access techniques, such as phishing and exploiting known vulnerabilities, and then employ a double-extortion model, both encrypting systems and exfiltrating data. |
| 19.4.24 | Akira | Ransomware | Ransomware | Akira is swiftly becoming one of the fastest-growing ransomware families thanks to its use of double extortion tactics, a ransomware-as-a-service (RaaS) distribution model, and unique payment options. |
| 17.4.24 | Cerber | Ransomware | Ransomware | Cerber Ransomware: Dissecting the three heads |
| 15.3.24 | Daixin Team | Ransomware | Ransomware | The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have |
| 15.3.24 | Cuba | Ransomware | Ransomware | Cuba ransomware, upon compromise, installs and executes a CobaltStrike beacon as a service on the victim’s network via PowerShell. Once installed, the ransomware downloads two executable files, which include “pones.exe” for password acquisition and “krots.exe,” also known as KPOT, enabling the Cuba ransomware actors to write to the compromised system’s temporary (TMP) file. Once the TMP file is uploaded, the “krots.exe” file is deleted and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at the Montenegro-based Uniform Resource Locator (URL) teoresp.com. |
| 15.3.24 | ESXiArgs | Ransomware | Ransomware | The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign known as “ESXiArgs.” Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable. |
| 15.3.24 | Royal | Ransomware | Ransomware | Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. BlackSuit ransomware shares a number of identified coding characteristics similar to Royal. A previous joint CSA for Royal ransomware was published on March 2, 2023. This joint CSA provides updated IOCs identified through FBI investigations. |
| 15.3.24 | LockBit 3.0 | Ransomware | Ransomware | LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with BlackMatter and BlackCat ransomware. LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise). |
| 15.3.24 | BianLian | Ransomware | Ransomware | BianLian is a ransomware developer, deployer, and data extortion cybercriminal group. FBI observed BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. In Australia, ACSC has observed BianLian group predominately targeting private enterprises, including one critical infrastructure organization. BianLian group originally employed a double-extortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. In 2023, FBI observed BianLian shift to primarily exfiltration-based extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion. BianLian actors warn of financial, business, and legal ramifications if payment is not made. |
| 15.3.24 | CL0P | Ransomware | Ransomware | Appearing in February 2019, and evolving from the CryptoMix ransomware variant, CL0P was leveraged as a Ransomware as a Service (RaaS) in large-scale spear-phishing campaigns that used a verified and digitally signed binary to bypass system defenses. CL0P was previously known for its use of the ‘double extortion’ tactic of stealing and encrypting victim data, refusing to restore victim access and publishing exfiltrated data on Tor via the CL0P^_-LEAKS website. In 2019, TA505 actors leveraged CL0P ransomware as the final payload of a phishing campaign involving a macro-enabled document that used a Get2 malware dropper for downloading SDBot and FlawedGrace. In recent campaigns beginning in 2021, CL0P preferred to rely mostly on data exfiltration over encryption. |
| 15.3.24 | LockBit | Ransomware | Ransomware | In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat. |
| 15.3.24 | Truebot | Ransomware | Ransomware | Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199 (a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at scale within the compromised environment. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants. |
| 15.3.24 | QakBot | Ransomware | Ransomware | QakBot, also known as Qbot, Quackbot, Pinkslipbot, and TA570, is responsible for thousands of malware infections globally. QakBot has been the precursor to a significant amount of computer intrusions, including ransomware and the compromise of user accounts within the Financial Sector. |
| 15.3.24 | Snatch | Ransomware | Ransomware | First appearing in 2018, Snatch operates a ransomware-as-a-service (RaaS) model and claimed its first U.S.-based victim in 2019. Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode [T1562.009], enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running. |
| 15.3.24 | AvosLocker | Ransomware | Ransomware | The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known IOCs, TTPs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023. |
| 15.3.24 | Royal | Ransomware | Ransomware | Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.[1] In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom. |
| 15.3.24 | Rhysida | Ransomware | Ransomware | Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. |
| 15.3.24 | Scattered Spider | Ransomware | Ransomware | Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities.[1] Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). |
| 15.3.24 | BlackCat/ALPHV | Ransomware | Ransomware | This FLASH is part of a series of FBI reports to disseminate known indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) associated with ransomware variants identified through FBI investigations. As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered to be a more secure programming language that offers improved performance and reliable concurrent processing. |
| 15.3.24 | Phobos | Ransomware | Ransomware | According to open source reporting, Phobos ransomware is likely connected to numerous variants (including Elking, Eight, Devos, Backmydata, and Faust ransomware) due to similar TTPs observed in Phobos intrusions. Phobos ransomware operates in conjunction with various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound. These tools are all widely accessible and easy to use in various operating environments, making Phobos (and associated variants) a popular choice for many threat actors. |
| 8.3.24 | Jasmin | Ransomware | Ransomware | GoodWill Ransomware? Or Just Another Jasmin Variant? |
| 7.3.24 | Abyss Locker | Ransomware | Ransomware | On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. |
| 7.3.24 | BlackCat (ALPHV) Attack | Ransomware | Ransomware | Explore the thwarted cyber extortion attempt by the BlackCat ransomware group, unraveled by Sygnia’s Incident Response team in mid-2023. |
| 4.3.24 | CACTUS | Ransomware | Ransomware | CACTUS: Analyzing a Coordinated Ransomware Attack on Corporate Networks |
| 25.2.24 | LockBit Attempts to Stay Afloat With a New Version | Ransomware | Ransomware | This research is the result of our collaboration with the National Crime Agency in the United Kingdom, which took action against LockBit as part of Operation Cronos, an international effort resulting in the undermining of its operations. |
| 17.2.24 | Akira ransomware | Ransomware | Anti-Tool | Akira Ransomware and Exploitation of Cisco AnyConnect Vulnerability CVE-2020-3259 |
| 12.2.24 | Rhysida Decryption Tool | Ransomware | Ransomware | The Korea Internet & Security Agency (KISA) distributes a recovery tool for Rhysida ransomware. |
| 30.1.24 | NONAME | Ransomware | Ransomware | Older Leaks Re-Surfaces: LOCKBIT Imitator on Surface Web |
| 30.1.24 | Mimus | Ransomware | Ransomware | Mimo CoinMiner and Mimus Ransomware Installed via Vulnerability Attacks |
| 30.1.24 | Kuiper | Ransomware | Ransomware | Kuiper ransomware analysis: Stairwell’s technical report |
| 30.1.24 | Kasseika | Ransomware | Ransomware | The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups such as Akira, AvosLocker, BlackByte, and RobbinHood. |
| 30.1.24 | Albabat | Ransomware | Ransomware | On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. |
| 30.1.24 | Phobos | Ransomware | Ransomware | Another Phobos Ransomware Variant Launches Attack – FAUST |
| 29.1.24 | Kasseika | Ransomware | Ransomware | Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver |
| 12.1.24 | Medusa | Ransomware | Ransomware | Medusa Ransomware Turning Your Files into Stone |
| 10.1.24 | Babuk | Ransomware | Anti-Tool | Babuk is a Russian ransomware. In September 2021, its source code leaked along with some of the decryption keys. Victims can decrypt their files for free. |
| 24.12.23 | Dark Power | Ransomware | Ransomware | Dark Power Ransomware: In-Depth Analysis, Detection, and Mitigation |
| 24.12.23 | Kanti | Ransomware | Ransomware | Kanti: A NIM-Based Ransomware Unleashed in the Wild |