<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Data Encrypted for Impact, Technique T1486 - Enterprise | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item">Data Encrypted for Impact</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Data Encrypted for Impact </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US-CERT. (2016, March 31). Alert (TA16-091A): Ransomware and Recent Variants. Retrieved March 15, 2019."data-reference="US-CERT Ransomware 2016">^{<a href="https://www.us-cert.gov/ncas/alerts/TA16-091A" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019."data-reference="FireEye WannaCry 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019."data-reference="US-CERT NotPetya 2017">^{<a href="https://www.us-cert.gov/ncas/alerts/TA17-181A" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019."data-reference="US-CERT SamSam 2018">^{<a href="https://www.us-cert.gov/ncas/alerts/AA18-337A" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p><p>In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as <a href="/techniques/T1222">File and Directory Permissions Modification</a> or <a href="/techniques/T1529">System Shutdown/Reboot</a>, in order to unlock and/or gain access to manipulate these files.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021."data-reference="CarbonBlack Conti July 2020">^{<a href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span> In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019."data-reference="US-CERT NotPetya 2017">^{<a href="https://www.us-cert.gov/ncas/alerts/TA17-181A" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span> </p><p>To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like <a href="/techniques/T1078">Valid Accounts</a>, <a href="/techniques/T1003">OS Credential Dumping</a>, and <a href="/techniques/T1021/002">SMB/Windows Admin Shares</a>.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019."data-reference="FireEye WannaCry 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019."data-reference="US-CERT NotPetya 2017">^{<a href="https://www.us-cert.gov/ncas/alerts/TA17-181A" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span> Encryption malware may also leverage <a href="/techniques/T1491/001">Internal Defacement</a>, such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020."data-reference="NHS Digital Egregor Nov 2020">^{<a href="https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a>}</span></p><p>In cloud environments, storage objects within compromised accounts may also be encrypted.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Gietzen, S. (n.d.). S3 Ransomware Part 1: Attack Vector. Retrieved April 14, 2021."data-reference="Rhino S3 Ransomware Part 1">^{<a href="https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a>}</span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1486 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques:&nbsp;</span> No sub-techniques </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/tactics/TA0040">Impact</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>IaaS, Linux, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Denotes if the (sub-)technique can be used for integrity or availability attacks">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Impact Type:&nbsp;</span>Availability </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors:&nbsp;</span>ExtraHop; Harshal Tupsamudre, Qualys; Mayuresh Dani, Qualys; Oleg Kolesnikov, Securonix; Travis Smith, Qualys </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>1.4 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>15 March 2019 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>16 June 2022 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1486" href="/versions/v16/techniques/T1486/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1486" href="/versions/v16/techniques/T1486/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S1129"> S1129 </a> </td> <td> <a href="/software/S1129"> Akira </a> </td> <td> <p><a href="/software/S1129">Akira</a> encrypts victim filesystems for financial extortion purposes.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024."data-reference="Kersten Akira 2023">^{<a href="https://www.trellix.com/blogs/research/akira-ransomware/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1024"> G1024 </a> </td> <td> <a href="/groups/G1024"> Akira </a> </td> <td> <p><a href="/groups/G1024">Akira</a> encrypts files in victim environments as part of ransomware operations.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Will Thomas. (2023, September 15). Tracking Adversaries: Akira, another descendent of Conti. Retrieved February 21, 2024."data-reference="BushidoToken Akira 2023">^{<a href="https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1133"> S1133 </a> </td> <td> <a href="/software/S1133"> Apostle </a> </td> <td> <p><a href="/software/S1133">Apostle</a> creates new, encrypted versions of files then deletes the originals, with the new filenames consisting of a random GUID and ".lock" for an extension.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024."data-reference="SentinelOne Agrius 2021">^{<a href="https://assets.sentinelone.com/sentinellabs/evol-agrius" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0082"> G0082 </a> </td> <td> <a href="/groups/G0082"> APT38 </a> </td> <td> <p><a href="/groups/G0082">APT38</a> has used Hermes ransomware to encrypt files with AES256.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018."data-reference="FireEye APT38 Oct 2018">^{<a href="https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0096"> G0096 </a> </td> <td> <a href="/groups/G0096"> APT41 </a> </td> <td> <p><a href="/groups/G0096">APT41</a> used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."data-reference="FireEye APT41 Aug 2019">^{<a href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a>}</span> <a href="/groups/G0096">APT41</a> also used Microsoft Bitlocker to encrypt workstations and Jetico’s BestCrypt to encrypt servers.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024."data-reference="apt41_dcsocytec_dec2022">^{<a href="https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0640"> S0640 </a> </td> <td> <a href="/software/S0640"> Avaddon </a> </td> <td> <p><a href="/software/S0640">Avaddon</a> encrypts the victim system using a combination of AES256 and RSA encryption schemes.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021."data-reference="Arxiv Avaddon Feb 2021">^{<a href="https://arxiv.org/pdf/2102.04796.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1053"> S1053 </a> </td> <td> <a href="/software/S1053"> AvosLocker </a> </td> <td> <p><a href="/software/S1053">AvosLocker</a> has encrypted files and network resources using AES-256 and added an <code>.avos</code>, <code>.avos2</code>, or <code>.AvosLinux</code> extension to filenames.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023."data-reference="Malwarebytes AvosLocker Jul 2021">^{<a href="https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a>}</span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023."data-reference="Trend Micro AvosLocker Apr 2022">^{<a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a>}</span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023."data-reference="Cisco Talos Avos Jun 2022">^{<a href="https://blog.talosintelligence.com/avoslocker-new-arsenal/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a>}</span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="FBI, FinCEN, Treasury. (2022, March 17). Indicators of Compromise Associated with AvosLocker Ransomware. Retrieved January 11, 2023."data-reference="Joint CSA AvosLocker Mar 2022">^{<a href="https://www.ic3.gov/Media/News/2022/220318.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0638"> S0638 </a> </td> <td> <a href="/software/S0638"> Babuk </a> </td> <td> <p><a href="/software/S0638">Babuk</a> can use ChaCha8 and ECDH to encrypt data.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021."data-reference="Sogeti CERT ESEC Babuk March 2021">^{<a href="https://www.sogeti.com/globalassets/reports/cybersecchronicles_-_babuk.pdf" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a>}</span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021."data-reference="McAfee Babuk February 2021">^{<a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a>}</span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021."data-reference="Medium Babuk February 2021">^{<a href="https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a>}</span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021."data-reference="Trend Micro Ransomware February 2021">^{<a href="https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0606"> S0606 </a> </td> <td> <a href="/software/S0606"> Bad Rabbit </a> </td> <td> <p><a href="/software/S0606">Bad Rabbit</a> has encrypted files and disks using AES-128-CBC and RSA-2048.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021."data-reference="Secure List Bad Rabbit">^{<a href="https://securelist.com/bad-rabbit-ransomware/82851/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0570"> S0570 </a> </td> <td> <a href="/software/S0570"> BitPaymer </a> </td> <td> <p><a href="/software/S0570">BitPaymer</a> can import a hard-coded RSA 1024-bit public key, generate a 128-bit RC4 key for each file, and encrypt the file in place, appending <code>.locked</code> to the filename.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021."data-reference="Crowdstrike Indrik November 2018">^{<a href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1070"> S1070 </a> </td> <td> <a href="/software/S1070"> Black Basta </a> </td> <td> <p><a href="/software/S1070">Black Basta</a> can encrypt files with the ChaCha20 cypher and using a multithreaded process to increase speed.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023."data-reference="Minerva Labs Black Basta May 2022">^{<a href="https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a>}</span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Ballmer, D. (2022, May 6). Black Basta: Rebrand of Conti or Something New?. Retrieved March 7, 2023."data-reference="BlackBerry Black Basta May 2022">^{<a href="https://blogs.blackberry.com/en/2022/05/black-basta-rebrand-of-conti-or-something-new" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a>}</span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023."data-reference="Cyble Black Basta May 2022">^{<a href="https://blog.cyble.com/2022/05/06/black-basta-ransomware/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a>}</span><span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023."data-reference="NCC Group Black Basta June 2022">^{<a href="https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a>}</span><span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Sharma, S. and Hegde, N. (2022, June 7). Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023."data-reference="Uptycs Black Basta ESXi June 2022">^{<a href="https://www.uptycs.com/blog/black-basta-ransomware-goes-cross-platform-now-targets-esxi-systems" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a>}</span><span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023."data-reference="Deep Instinct Black Basta August 2022">^{<a href="https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a>}</span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023."data-reference="Palo Alto Networks Black Basta August 2022">^{<a href="https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a>}</span><span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023."data-reference="Trend Micro Black Basta Spotlight September 2022">^{<a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a>}</span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023."data-reference="Check Point Black Basta October 2022">^{<a href="https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1068"> S1068 </a> </td> <td> <a href="/software/S1068"> BlackCat </a> </td> <td> <p><a href="/software/S1068">BlackCat</a> has the ability to encrypt Windows devices, Linux devices, and VMWare instances.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022."data-reference="Microsoft BlackCat Jun 2022">^{<a href="https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0015"> C0015 </a> </td> <td> <a href="/campaigns/C0015"> C0015 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0015">C0015</a>, the threat actors used <a href="/software/S0575">Conti</a> ransomware to encrypt a compromised network.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022."data-reference="DFIR Conti Bazar Nov 2021">^{<a href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0018"> C0018 </a> </td> <td> <a href="/campaigns/C0018"> C0018 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0018">C0018</a>, the threat actors used <a href="/software/S1053">AvosLocker</a> ransomware to encrypt files on the compromised network.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023."data-reference="Cisco Talos Avos Jun 2022">^{<a href="https://blog.talosintelligence.com/avoslocker-new-arsenal/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a>}</span><span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023."data-reference="Costa AvosLocker May 2022">^{<a href="https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1096"> S1096 </a> </td> <td> <a href="/software/S1096"> Cheerscrypt </a> </td> <td> <p><a href="/software/S1096">Cheerscrypt</a> can encrypt data on victim machines using a Sosemanuk stream cipher with an Elliptic-curve Diffie–Hellman (ECDH) generated key.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Dela Cruz, A. et al. (2022, May 25). New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Retrieved December 19, 2023."data-reference="Trend Micro Cheerscrypt May 2022">^{<a href="https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a>}</span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023."data-reference="Sygnia Emperor Dragonfly October 2022">^{<a href="https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0611"> S0611 </a> </td> <td> <a href="/software/S0611"> Clop </a> </td> <td> <p><a href="/software/S0611">Clop</a> can encrypt files using AES, RSA, and RC4 and will add the ".clop" extension to encrypted files.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021."data-reference="Mcafee Clop Aug 2019">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a>}</span><span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021."data-reference="Unit42 Clop April 2021">^{<a href="https://unit42.paloaltonetworks.com/clop-ransomware/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a>}</span><span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021."data-reference="Cybereason Clop Dec 2020">^{<a href="https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0575"> S0575 </a> </td> <td> <a href="/software/S0575"> Conti </a> </td> <td> <p><a href="/software/S0575">Conti</a> can use <code>CreateIoCompletionPort()</code>, <code>PostQueuedCompletionStatus()</code>, and <code>GetQueuedCompletionPort()</code> to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RAS-4096 public encryption key that is unique for each victim. <a href="/software/S0575">Conti</a> can use "Windows Restart Manager" to ensure files are unlocked and open for encryption.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021."data-reference="Cybereason Conti Jan 2021">^{<a href="https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a>}</span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021."data-reference="CarbonBlack Conti July 2020">^{<a href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span><span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Cybleinc. (2021, January 21). Conti Ransomware Resurfaces, Targeting Government & Large Organizations. Retrieved April 13, 2021."data-reference="Cybleinc Conti January 2020">^{<a href="https://cybleinc.com/2021/01/21/conti-ransomware-resurfaces-targeting-government-large-organizations/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a>}</span><span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021."data-reference="CrowdStrike Wizard Spider October 2020">^{<a href="https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a>}</span><span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022."data-reference="DFIR Conti Bazar Nov 2021">^{<a href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0625"> S0625 </a> </td> <td> <a href="/software/S0625"> Cuba </a> </td> <td> <p><a href="/software/S0625">Cuba</a> has the ability to encrypt system data and add the ".cuba" extension to encrypted files.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021."data-reference="McAfee Cuba April 2021">^{<a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S1111"> S1111 </a> </td> <td> <a href="/software/S1111"> DarkGate </a> </td> <td> <p><a href="/software/S1111">DarkGate</a> can deploy follow-on ransomware payloads.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024."data-reference="Ensilo Darkgate 2018">^{<a href="https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1033"> S1033 </a> </td> <td> <a href="/software/S1033"> DCSrv </a> </td> <td> <p><a href="/software/S1033">DCSrv</a> has encrypted drives using the core encryption mechanism from DiskCryptor.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022."data-reference="Checkpoint MosesStaff Nov 2021">^{<a href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0616"> S0616 </a> </td> <td> <a href="/software/S0616"> DEATHRANSOM </a> </td> <td> <p><a href="/software/S0616">DEATHRANSOM</a> can use public and private key pair encryption to encrypt files for ransom payment.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021."data-reference="FireEye FiveHands April 2021">^{<a href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0659"> S0659 </a> </td> <td> <a href="/software/S0659"> Diavol </a> </td> <td> <p><a href="/software/S0659">Diavol</a> has encrypted files using an RSA key though the <code>CryptEncrypt</code> API and has appended filenames with ".lock64". <span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021."data-reference="Fortinet Diavol July 2021">^{<a href="https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0554"> S0554 </a> </td> <td> <a href="/software/S0554"> Egregor </a> </td> <td> <p><a href="/software/S0554">Egregor</a> can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020."data-reference="NHS Digital Egregor Nov 2020">^{<a href="https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a>}</span><span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020."data-reference="Cybereason Egregor Nov 2020">^{<a href="https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0605"> S0605 </a> </td> <td> <a href="/software/S0605"> EKANS </a> </td> <td> <p><a href="/software/S0605">EKANS</a> uses standard encryption library functions to encrypt files.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021."data-reference="Dragos EKANS">^{<a href="https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a>}</span><span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021."data-reference="Palo Alto Unit 42 EKANS">^{<a href="https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0046"> G0046 </a> </td> <td> <a href="/groups/G0046"> FIN7 </a> </td> <td> <p><a href="/groups/G0046">FIN7</a> has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021."data-reference="CrowdStrike Carbon Spider August 2021">^{<a href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a>}</span><span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022."data-reference="Mandiant FIN7 Apr 2022">^{<a href="https://www.mandiant.com/resources/evolution-of-fin7" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0061"> G0061 </a> </td> <td> <a href="/groups/G0061"> FIN8 </a> </td> <td> <p><a href="/groups/G0061">FIN8</a> has deployed ransomware such as <a href="/software/S0481">Ragnar Locker</a>, White Rabbit, and attempted to execute Noberus on compromised networks.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023."data-reference="Symantec FIN8 Jul 2023">^{<a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0618"> S0618 </a> </td> <td> <a href="/software/S0618"> FIVEHANDS </a> </td> <td> <p><a href="/software/S0618">FIVEHANDS</a> can use an embedded NTRU public key to encrypt data for ransom.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021."data-reference="FireEye FiveHands April 2021">^{<a href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a>}</span><span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021."data-reference="CISA AR21-126A FIVEHANDS May 2021">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a>}</span><span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021."data-reference="NCC Group Fivehands June 2021">^{<a href="https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0617"> S0617 </a> </td> <td> <a href="/software/S0617"> HELLOKITTY </a> </td> <td> <p><a href="/software/S0617">HELLOKITTY</a> can use an embedded RSA-2048 public key to encrypt victim data for ransom.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021."data-reference="FireEye FiveHands April 2021">^{<a href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0038"> C0038 </a> </td> <td> <a href="/campaigns/C0038"> HomeLand Justice </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0038">HomeLand Justice</a>, threat actors used <a href="/software/S1150">ROADSWEEP</a> ransomware to encrypt files on targeted systems.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024."data-reference="Mandiant ROADSWEEP August 2022">^{<a href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a>}</span><span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024."data-reference="CISA Iran Albanian Attacks September 2022">^{<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a>}</span><span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024."data-reference="Microsoft Albanian Government Attacks September 2022">^{<a href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1032"> G1032 </a> </td> <td> <a href="/groups/G1032"> INC Ransom </a> </td> <td> <p><a href="/groups/G1032">INC Ransom</a> has used <a href="/software/S1139">INC Ransomware</a> to encrypt victim's data.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024."data-reference="SentinelOne INC Ransomware">^{<a href="https://www.sentinelone.com/anthology/inc-ransom/" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span><span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024."data-reference="Huntress INC Ransom Group August 2023">^{<a href="https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a>}</span><span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="Toulas, B. (2024, March 27). INC Ransom threatens to leak 3TB of NHS Scotland stolen data. Retrieved June 5, 2024."data-reference="Bleeping Computer INC Ransomware March 2024">^{<a href="https://www.bleepingcomputer.com/news/security/inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a>}</span><span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024."data-reference="Secureworks GOLD IONIC April 2024">^{<a href="https://www.secureworks.com/blog/gold-ionic-deploys-inc-ransomware" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a>}</span><span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024."data-reference="Cybereason INC Ransomware November 2023">^{<a href="https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-inc-ransomware.pdf" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a>}</span><span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024."data-reference="SOCRadar INC Ransom January 2024">^{<a href="https://socradar.io/dark-web-profile-inc-ransom/" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1139"> S1139 </a> </td> <td> <a href="/software/S1139"> INC Ransomware </a> </td> <td> <p><a href="/software/S1139">INC Ransomware</a> can encrypt data on victim systems, including through the use of partial encryption and multi-threading to speed encryption.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024."data-reference="SentinelOne INC Ransomware">^{<a href="https://www.sentinelone.com/anthology/inc-ransom/" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span><span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024."data-reference="Huntress INC Ransom Group August 2023">^{<a href="https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a>}</span><span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024."data-reference="Cybereason INC Ransomware November 2023">^{<a href="https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-inc-ransomware.pdf" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a>}</span><span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024."data-reference="SOCRadar INC Ransom January 2024">^{<a href="https://socradar.io/dark-web-profile-inc-ransom/" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a>}</span><span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024."data-reference="SentinelOne INC Ransomware">^{<a href="https://www.sentinelone.com/anthology/inc-ransom/" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0119"> G0119 </a> </td> <td> <a href="/groups/G0119"> Indrik Spider </a> </td> <td> <p><a href="/groups/G0119">Indrik Spider</a> has encrypted domain-controlled systems using <a href="/software/S0570">BitPaymer</a>.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021."data-reference="Crowdstrike Indrik November 2018">^{<a href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a>}</span> Additionally, <a href="/groups/G0119">Indrik Spider</a> used <a href="/software/S0029">PsExec</a> to execute a ransomware script.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024."data-reference="Mandiant_UNC2165">^{<a href="https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions/" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0389"> S0389 </a> </td> <td> <a href="/software/S0389"> JCry </a> </td> <td> <p><a href="/software/S0389">JCry</a> has encrypted files and demanded Bitcoin to decrypt those files. <span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019."data-reference="Carbon Black JCry May 2019">^{<a href="https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0607"> S0607 </a> </td> <td> <a href="/software/S0607"> KillDisk </a> </td> <td> <p><a href="/software/S0607">KillDisk</a> has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021."data-reference="KillDisk Ransomware">^{<a href="https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0372"> S0372 </a> </td> <td> <a href="/software/S0372"> LockerGoga </a> </td> <td> <p><a href="/software/S0372">LockerGoga</a> has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019."data-reference="CarbonBlack LockerGoga 2019">^{<a href="https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a>}</span><span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019."data-reference="Unit42 LockerGoga 2019">^{<a href="https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a>}</span><span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019."data-reference="Wired Lockergoga 2019">^{<a href="https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0059"> G0059 </a> </td> <td> <a href="/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used BitLocker and DiskCryptor to encrypt targeted workstations. <span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021">^{<a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a>}</span><span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021">^{<a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0449"> S0449 </a> </td> <td> <a href="/software/S0449"> Maze </a> </td> <td> <p><a href="/software/S0449">Maze</a> has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. <a href="/software/S0449">Maze</a> has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020."data-reference="FireEye Maze May 2020">^{<a href="https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0576"> S0576 </a> </td> <td> <a href="/software/S0576"> MegaCortex </a> </td> <td> <p><a href="/software/S0576">MegaCortex</a> has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021."data-reference="IBM MegaCortex">^{<a href="https://securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a>}</span><span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="ARMmbed. (2018, June 21). Mbed Crypto. Retrieved February 15, 2021."data-reference="mbed-crypto">^{<a href="https://github.com/ARMmbed/mbed-crypto" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1137"> S1137 </a> </td> <td> <a href="/software/S1137"> Moneybird </a> </td> <td> <p><a href="/software/S1137">Moneybird</a> targets a common set of file types such as documents, certificates, and database files for encryption while avoiding executable, dynamic linked libraries, and similar items.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Marc Salinas Fernandez & Jiri Vinopal. (2023, May 23). AGRIUS DEPLOYS MONEYBIRD IN TARGETED ATTACKS AGAINST ISRAELI ORGANIZATIONS. Retrieved May 21, 2024."data-reference="CheckPoint Agrius 2023">^{<a href="https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1036"> G1036 </a> </td> <td> <a href="/groups/G1036"> Moonstone Sleet </a> </td> <td> <p><a href="/groups/G1036">Moonstone Sleet</a> has deployed ransomware in victim environments.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024."data-reference="Microsoft Moonstone Sleet 2024">^{<a href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0457"> S0457 </a> </td> <td> <a href="/software/S0457"> Netwalker </a> </td> <td> <p><a href="/software/S0457">Netwalker</a> can encrypt files on infected machines to extort victims.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."data-reference="TrendMicro Netwalker May 2020">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0368"> S0368 </a> </td> <td> <a href="/software/S0368"> NotPetya </a> </td> <td> <p><a href="/software/S0368">NotPetya</a> encrypts user files and disk structures like the MBR with 2048-bit RSA.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019."data-reference="Talos Nyetya June 2017">^{<a href="https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a>}</span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019."data-reference="US-CERT NotPetya 2017">^{<a href="https://www.us-cert.gov/ncas/alerts/TA17-181A" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span><span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020">^{<a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0556"> S0556 </a> </td> <td> <a href="/software/S0556"> Pay2Key </a> </td> <td> <p><a href="/software/S0556">Pay2Key</a> can encrypt data on victim's machines using RSA and AES algorithms in order to extort a ransom payment for decryption.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020."data-reference="ClearkSky Fox Kitten February 2020">^{<a href="https://www.clearskysec.com/fox-kitten/" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a>}</span><span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021."data-reference="Check Point Pay2Key November 2020">^{<a href="https://research.checkpoint.com/2020/ransomware-alert-pay2key/" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1162"> S1162 </a> </td> <td> <a href="/software/S1162"> Playcrypt </a> </td> <td> <p><a href="/software/S1162">Playcrypt</a> encrypts files on targeted hosts with an AES-RSA hybrid encryption, encrypting every other file portion of 0x100000 bytes.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024."data-reference="CISA Play Ransomware Advisory December 2023">^{<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a>}</span><span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024."data-reference="Trend Micro Ransomware Spotlight Play July 2023">^{<a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1058"> S1058 </a> </td> <td> <a href="/software/S1058"> Prestige </a> </td> <td> <p><a href="/software/S1058">Prestige</a> has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appended filenames with <code>.enc</code>.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022">^{<a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0654"> S0654 </a> </td> <td> <a href="/software/S0654"> ProLock </a> </td> <td> <p><a href="/software/S0654">ProLock</a> can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021."data-reference="Group IB Ransomware September 2020">^{<a href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0583"> S0583 </a> </td> <td> <a href="/software/S0583"> Pysa </a> </td> <td> <p><a href="/software/S0583">Pysa</a> has used RSA and AES-CBC encryption algorithm to encrypt a list of targeted file extensions.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021."data-reference="CERT-FR PYSA April 2020">^{<a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0481"> S0481 </a> </td> <td> <a href="/software/S0481"> Ragnar Locker </a> </td> <td> <p><a href="/software/S0481">Ragnar Locker</a> encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."data-reference="Sophos Ragnar May 2020">^{<a href="https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a>}</span><span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020."data-reference="Cynet Ragnar Apr 2020">^{<a href="https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0496"> S0496 </a> </td> <td> <a href="/software/S0496"> REvil </a> </td> <td> <p><a href="/software/S0496">REvil</a> can encrypt files on victim systems and demands a ransom to decrypt the files.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020."data-reference="Kaspersky Sodin July 2019">^{<a href="https://securelist.com/sodin-ransomware/91473/" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a>}</span><span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020."data-reference="Cylance Sodinokibi July 2019">^{<a href="https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a>}</span><span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020."data-reference="Talos Sodinokibi April 2019">^{<a href="https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a>}</span><span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020."data-reference="McAfee REvil October 2019">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a>}</span><span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020."data-reference="Intel 471 REvil March 2020">^{<a href="https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a>}</span><span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020."data-reference="Picus Sodinokibi January 2020">^{<a href="https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a>}</span><span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020."data-reference="Secureworks REvil September 2019">^{<a href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a>}</span><span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020."data-reference="Tetra Defense Sodinokibi March 2020">^{<a href="https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1150"> S1150 </a> </td> <td> <a href="/software/S1150"> ROADSWEEP </a> </td> <td> <p><a href="/software/S1150">ROADSWEEP</a> can RC4 encrypt content in blocks on targeted systems.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024."data-reference="Mandiant ROADSWEEP August 2022">^{<a href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a>}</span><span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024."data-reference="CISA Iran Albanian Attacks September 2022">^{<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a>}</span><span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024."data-reference="Microsoft Albanian Government Attacks September 2022">^{<a href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0400"> S0400 </a> </td> <td> <a href="/software/S0400"> RobbinHood </a> </td> <td> <p><a href="/software/S0400">RobbinHood</a> will search for an RSA encryption key and then perform its encryption process on the system files.<span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019."data-reference="CarbonBlack RobbinHood May 2019">^{<a href="https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S1073"> S1073 </a> </td> <td> <a href="/software/S1073"> Royal </a> </td> <td> <p><a href="/software/S1073">Royal</a> uses a multi-threaded encryption process that can partially encrypt targeted files with the OpenSSL library and the AES256 algorithm.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023."data-reference="Cybereason Royal December 2022">^{<a href="https://www.cybereason.com/blog/royal-ransomware-analysis" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a>}</span><span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023."data-reference="Kroll Royal Deep Dive February 2023">^{<a href="https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a>}</span><span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023."data-reference="Trend Micro Royal Linux ESXi February 2023">^{<a href="https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0446"> S0446 </a> </td> <td> <a href="/software/S0446"> Ryuk </a> </td> <td> <p><a href="/software/S0446">Ryuk</a> has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."data-reference="CrowdStrike Ryuk January 2019">^{<a href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a>}</span><span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021."data-reference="CrowdStrike Wizard Spider October 2020">^{<a href="https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0370"> S0370 </a> </td> <td> <a href="/software/S0370"> SamSam </a> </td> <td> <p><a href="/software/S0370">SamSam</a> encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.<span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title=" Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019."data-reference="Sophos SamSam Apr 2018">^{<a href="https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0034"> G0034 </a> </td> <td> <a href="/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/groups/G0034">Sandworm Team</a> has used <a href="/software/S1058">Prestige</a> ransomware to encrypt data at targeted organizations in transportation and related logistics industries in Ukraine and Poland.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022">^{<a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1015"> G1015 </a> </td> <td> <a href="/groups/G1015"> Scattered Spider </a> </td> <td> <p><a href="/groups/G1015">Scattered Spider</a> has used BlackCat ransomware to encrypt files on VMWare ESXi servers.<span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024."data-reference="CISA Scattered Spider Advisory November 2023">^{<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a>}</span><span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" title="Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024."data-reference="MSTIC Octo Tempest Operations October 2023">^{<a href="https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0639"> S0639 </a> </td> <td> <a href="/software/S0639"> Seth-Locker </a> </td> <td> <p><a href="/software/S0639">Seth-Locker</a> can encrypt files on a targeted system, appending them with the suffix .seth.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021."data-reference="Trend Micro Ransomware February 2021">^{<a href="https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0140"> S0140 </a> </td> <td> <a href="/software/S0140"> Shamoon </a> </td> <td> <p><a href="/software/S0140">Shamoon</a> has an operational mode for encrypting data instead of overwriting it.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" title="Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017."data-reference="Palo Alto Shamoon Nov 2016">^{<a href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a>}</span><span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" title="Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019."data-reference="Unit 42 Shamoon3 2018">^{<a href="https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0242"> S0242 </a> </td> <td> <a href="/software/S0242"> SynAck </a> </td> <td> <p><a href="/software/S0242">SynAck</a> encrypts the victims machine followed by asking the victim to pay a ransom. <span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" title="Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018."data-reference="SecureList SynAck Doppelgänging May 2018">^{<a href="https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0092"> G0092 </a> </td> <td> <a href="/groups/G0092"> TA505 </a> </td> <td> <p><a href="/groups/G0092">TA505</a> has used a wide variety of ransomware, such as <a href="/software/S0611">Clop</a>, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.<span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" title="Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019."data-reference="Proofpoint TA505 Sep 2017">^{<a href="https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0595"> S0595 </a> </td> <td> <a href="/software/S0595"> ThiefQuest </a> </td> <td> <p><a href="/software/S0595">ThiefQuest</a> encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" title="Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021."data-reference="wardle evilquest partii">^{<a href="https://objective-see.com/blog/blog_0x60.html" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0366"> S0366 </a> </td> <td> <a href="/software/S0366"> WannaCry </a> </td> <td> <p><a href="/software/S0366">WannaCry</a> encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" title="Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019."data-reference="LogRhythm WannaCry">^{<a href="https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a>}</span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019."data-reference="FireEye WannaCry 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span><span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019."data-reference="SecureWorks WannaCry Analysis">^{<a href="https://www.secureworks.com/research/wcry-ransomware-analysis" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0612"> S0612 </a> </td> <td> <a href="/software/S0612"> WastedLocker </a> </td> <td> <p><a href="/software/S0612">WastedLocker</a> can encrypt data and leave a ransom note.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021."data-reference="Symantec WastedLocker June 2020">^{<a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a>}</span><span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021."data-reference="NCC Group WastedLocker June 2020">^{<a href="https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a>}</span><span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="Walter, J.. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021."data-reference="Sentinel Labs WastedLocker July 2020">^{<a href="https://www.sentinelone.com/labs/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0341"> S0341 </a> </td> <td> <a href="/software/S0341"> Xbash </a> </td> <td> <p><a href="/software/S0341">Xbash</a> has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid.<span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" title="Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018."data-reference="Unit42 Xbash Sept 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0658"> S0658 </a> </td> <td> <a href="/software/S0658"> XCSSET </a> </td> <td> <p><a href="/software/S0658">XCSSET</a> performs AES-CBC encryption on files under <code>~/Documents</code>, <code>~/Downloads</code>, and<code>~/Desktop</code> with a fixed key and renames files to give them a <code>.enc</code> extension. Only files with sizes less than 500MB are encrypted.<span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" title="Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021."data-reference="trendmicro xcsset xcode project 2020">^{<a href="https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a>}</span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1040"> M1040 </a> </td> <td> <a href="/mitigations/M1040"> Behavior Prevention on Endpoint </a> </td> <td> <p>On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware. <span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" title="Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021."data-reference="win10_asr">^{<a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a>}</span></p> </td> </tr> <tr> <td> <a href="/mitigations/M1053"> M1053 </a> </td> <td> <a href="/mitigations/M1053"> Data Backup </a> </td> <td> <p>Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" title="Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019."data-reference="Ready.gov IT DRP">^{<a href="https://www.ready.gov/business/implementation/IT" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a>}</span> Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. Consider enabling versioning in cloud environments to maintain backup copies of storage objects.<span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="Gietzen, S. (n.d.). S3 Ransomware Part 2: Prevention and Defense. Retrieved April 14, 2021."data-reference="Rhino S3 Ransomware Part 2">^{<a href="https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a>}</span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0010"> <td> <a href="/datasources/DS0010">DS0010</a> </td> <td class="nowrap"> <a href="/datasources/DS0010">Cloud Storage</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0010/#Cloud%20Storage%20Modification">Cloud Storage Modification</a> </td> <td> <p>Monitor for changes made in cloud environments for events that indicate storage objects have been anomalously modified.</p> </td> </tr> <tr class="datasource" id="uses-DS0017"> <td> <a href="/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments for actions involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit</p> </td> </tr> <tr class="datasource" id="uses-DS0022"> <td> <a href="/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/datasources/DS0022">File</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0022/#File%20Creation">File Creation</a> </td> <td> <p>Monitor for newly constructed files in user directories.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0022-File Modification"> <td></td> <td></td> <td> <a href="/datasources/DS0022/#File%20Modification">File Modification</a> </td> <td> <p>Monitor for changes made to files in user directories.</p> </td> </tr> <tr class="datasource" id="uses-DS0033"> <td> <a href="/datasources/DS0033">DS0033</a> </td> <td class="nowrap"> <a href="/datasources/DS0033">Network Share</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0033/#Network%20Share%20Access">Network Share Access</a> </td> <td> <p>Monitor for unexpected network shares being accessed on target systems or on large numbers of systems.</p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.us-cert.gov/ncas/alerts/TA16-091A" target="_blank"> US-CERT. (2016, March 31). Alert (TA16-091A): Ransomware and Recent Variants. Retrieved March 15, 2019. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html" target="_blank"> Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.us-cert.gov/ncas/alerts/TA17-181A" target="_blank"> US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.us-cert.gov/ncas/alerts/AA18-337A" target="_blank"> US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank"> Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary" target="_blank"> NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/" target="_blank"> Gietzen, S. (n.d.). S3 Ransomware Part 1: Attack Vector. Retrieved April 14, 2021. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.trellix.com/blogs/research/akira-ransomware/" target="_blank"> Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html" target="_blank"> Will Thomas. (2023, September 15). Tracking Adversaries: Akira, another descendent of Conti. Retrieved February 21, 2024. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://assets.sentinelone.com/sentinellabs/evol-agrius" target="_blank"> Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" target="_blank"> FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank"> Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1" target="_blank"> DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://arxiv.org/pdf/2102.04796.pdf" target="_blank"> Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners" target="_blank"> Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker" target="_blank"> Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://blog.talosintelligence.com/avoslocker-new-arsenal/" target="_blank"> Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.ic3.gov/Media/News/2022/220318.pdf" target="_blank"> FBI, FinCEN, Treasury. (2022, March 17). Indicators of Compromise Associated with AvosLocker Ransomware. Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.sogeti.com/globalassets/reports/cybersecchronicles_-_babuk.pdf" target="_blank"> Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf" target="_blank"> Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62" target="_blank"> Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html" target="_blank"> Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://securelist.com/bad-rabbit-ransomware/82851/" target="_blank"> Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank"> Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/" target="_blank"> Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://blogs.blackberry.com/en/2022/05/black-basta-rebrand-of-conti-or-something-new" target="_blank"> Ballmer, D. (2022, May 6). Black Basta: Rebrand of Conti or Something New?. Retrieved March 7, 2023. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://blog.cyble.com/2022/05/06/black-basta-ransomware/" target="_blank"> Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/" target="_blank"> Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.uptycs.com/blog/black-basta-ransomware-goes-cross-platform-now-targets-esxi-systems" target="_blank"> Sharma, S. and Hegde, N. (2022, June 7). Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence" target="_blank"> Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware" target="_blank"> Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta" target="_blank"> Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/" target="_blank"> Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" target="_blank"> Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" target="_blank"> DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory" target="_blank"> Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html" target="_blank"> Dela Cruz, A. et al. (2022, May 25). New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Retrieved December 19, 2023. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group" target="_blank"> Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/" target="_blank"> Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://unit42.paloaltonetworks.com/clop-ransomware/" target="_blank"> Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware" target="_blank"> Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware" target="_blank"> Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://cybleinc.com/2021/01/21/conti-ransomware-resurfaces-targeting-government-large-organizations/" target="_blank"> Cybleinc. (2021, January 21). Conti Ransomware Resurfaces, Targeting Government & Large Organizations. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" target="_blank"> Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank"> Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" target="_blank"> Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank"> Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank"> McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" target="_blank"> Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware" target="_blank"> Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" target="_blank"> Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/" target="_blank"> Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank"> Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.mandiant.com/resources/evolution-of-fin7" target="_blank"> Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor" target="_blank"> Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a" target="_blank"> CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/" target="_blank"> Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank"> Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a" target="_blank"> CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank"> MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://www.sentinelone.com/anthology/inc-ransom/" target="_blank"> SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="62.0"> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" target="_blank"> Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://www.bleepingcomputer.com/news/security/inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data/" target="_blank"> Toulas, B. (2024, March 27). INC Ransom threatens to leak 3TB of NHS Scotland stolen data. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://www.secureworks.com/blog/gold-ionic-deploys-inc-ransomware" target="_blank"> Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-inc-ransomware.pdf" target="_blank"> Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://socradar.io/dark-web-profile-inc-ransom/" target="_blank"> SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions/" target="_blank"> Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/" target="_blank"> Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/" target="_blank"> Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/" target="_blank"> CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/" target="_blank"> Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/" target="_blank"> Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank"> DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank"> MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html" target="_blank"> Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/" target="_blank"> Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://github.com/ARMmbed/mbed-crypto" target="_blank"> ARMmbed. (2018, June 21). Mbed Crypto. Retrieved February 15, 2021. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/" target="_blank"> Marc Salinas Fernandez & Jiri Vinopal. (2023, May 23). AGRIUS DEPLOYS MONEYBIRD IN TARGETED ATTACKS AGAINST ISRAELI ORGANIZATIONS. Retrieved May 21, 2024. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" target="_blank"> Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/" target="_blank"> Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" target="_blank"> Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank"> Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://www.clearskysec.com/fox-kitten/" target="_blank"> ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://research.checkpoint.com/2020/ransomware-alert-pay2key/" target="_blank"> Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a" target="_blank"> CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" target="_blank"> Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank"> MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank"> Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf" target="_blank"> CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/" target="_blank"> SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/" target="_blank"> Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://securelist.com/sodin-ransomware/91473/" target="_blank"> Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html" target="_blank"> Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" target="_blank"> Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/" target="_blank"> Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/" target="_blank"> Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware" target="_blank"> Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank"> Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis" target="_blank"> Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/" target="_blank"> Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://www.cybereason.com/blog/royal-ransomware-analysis" target="_blank"> Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive" target="_blank"> Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html" target="_blank"> Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank"> Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf" target="_blank"> Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a" target="_blank"> CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/" target="_blank"> Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank"> Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/" target="_blank"> Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" target="_blank"> Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter" target="_blank"> Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://objective-see.com/blog/blog_0x60.html" target="_blank"> Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021. </a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/" target="_blank"> Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://www.secureworks.com/research/wcry-ransomware-analysis" target="_blank"> Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us" target="_blank"> Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/" target="_blank"> Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://www.sentinelone.com/labs/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/" target="_blank"> Walter, J.. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021. </a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" target="_blank"> Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" target="_blank"> Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction" target="_blank"> Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. </a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://www.ready.gov/business/implementation/IT" target="_blank"> Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019. </a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/" target="_blank"> Gietzen, S. (n.d.). S3 Ransomware Part 2: Prevention and Defense. Retrieved April 14, 2021. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-techniques.js"></script> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>