GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.
Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.
Grim Spider is reportedly associated with Lunar Spider and Wizard Spider.
2023-09-12 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20230912:fin12:b0a08e2,
author = {ANSSI},
title = {{FIN12: A Cybercriminal Group with Multiple Ransomware}},
date = {2023-09-12},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf},
language = {French},
urldate = {2023-09-20}
}
FIN12: A Cybercriminal Group with Multiple Ransomware BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC
2022-09-13 ⋅ AdvIntel ⋅ Advanced Intelligence @online{intelligence:20220913:advintels:ea02331,
author = {Advanced Intelligence},
title = {{AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022}},
date = {2022-09-13},
organization = {AdvIntel},
url = {https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022},
language = {English},
urldate = {2022-09-19}
}
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022 Conti Cobalt Strike Emotet Ryuk TrickBot
2022-08-31 ⋅ Fourcore ⋅ Hardik Manocha @online{manocha:20220831:ryuk:478c7d7,
author = {Hardik Manocha},
title = {{Ryuk Ransomware: History, Timeline, And Adversary Simulation}},
date = {2022-08-31},
organization = {Fourcore},
url = {https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp},
language = {English},
urldate = {2022-09-13}
}
Ryuk Ransomware: History, Timeline, And Adversary Simulation Ryuk
2022-08-22 ⋅ Microsoft ⋅ Microsoft @online{microsoft:20220822:extortion:67c26d4,
author = {Microsoft},
title = {{Extortion Economics - Ransomware’s new business model}},
date = {2022-08-22},
organization = {Microsoft},
url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v},
language = {English},
urldate = {2022-08-31}
}
Extortion Economics - Ransomware’s new business model BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin @online{goutin:20220524:malware:e85b49b,
author = {Florian Goutin},
title = {{Malware Analysis: Trickbot}},
date = {2022-05-24},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/05/malware-analysis-trickbot.html},
language = {English},
urldate = {2022-05-29}
}
Malware Analysis: Trickbot Cobalt Strike Conti Ryuk TrickBot
2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20220509:ransomwareasaservice:13ec472,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}},
date = {2022-05-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself},
language = {English},
urldate = {2022-05-17}
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-05 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220505:cybercrime:f091e4f,
author = {Intel 471},
title = {{Cybercrime loves company: Conti cooperated with other ransomware gangs}},
date = {2022-05-05},
organization = {Intel 471},
url = {https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker},
language = {English},
urldate = {2022-05-05}
}
Cybercrime loves company: Conti cooperated with other ransomware gangs LockBit Maze RagnarLocker Ryuk
2022-04-17 ⋅ BushidoToken Blog ⋅ BushidoToken @online{bushidotoken:20220417:lessons:d4d0595,
author = {BushidoToken},
title = {{Lessons from the Conti Leaks}},
date = {2022-04-17},
organization = {BushidoToken Blog},
url = {https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html},
language = {English},
urldate = {2022-04-25}
}
Lessons from the Conti Leaks BazarBackdoor Conti Emotet IcedID Ryuk TrickBot
2022-04-15 ⋅ Arctic Wolf ⋅ Arctic Wolf @online{wolf:20220415:karakurt:623f8e6,
author = {Arctic Wolf},
title = {{The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model}},
date = {2022-04-15},
organization = {Arctic Wolf},
url = {https://arcticwolf.com/resources/blog/karakurt-web},
language = {English},
urldate = {2022-05-04}
}
The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model Conti Diavol Ryuk TrickBot
2022-04-13 ⋅ Microsoft ⋅ Amy Hogan-Burney @online{hoganburney:20220413:notorious:30afb78,
author = {Amy Hogan-Burney},
title = {{Notorious cybercrime gang’s botnet disrupted}},
date = {2022-04-13},
organization = {Microsoft},
url = {https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/},
language = {English},
urldate = {2022-04-15}
}
Notorious cybercrime gang’s botnet disrupted Ryuk Zloader
2022-04-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20220413:dismantling:ace8546,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware}},
date = {2022-04-13},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/},
language = {English},
urldate = {2022-04-14}
}
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware BlackMatter Cobalt Strike DarkSide Ryuk Zloader
2022-04-06 ⋅ TRM Labs ⋅ TRM Labs @online{labs:20220406:trm:84a2174,
author = {TRM Labs},
title = {{TRM Analysis Corroborates Suspected Ties Between Conti and Ryuk Ransomware Groups and Wizard Spider}},
date = {2022-04-06},
organization = {TRM Labs},
url = {https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider},
language = {English},
urldate = {2022-05-05}
}
TRM Analysis Corroborates Suspected Ties Between Conti and Ryuk Ransomware Groups and Wizard Spider Conti Ryuk
2022-03-31 ⋅ Trellix ⋅ John Fokker, Jambul Tologonov @online{fokker:20220331:conti:3bc2974,
author = {John Fokker and Jambul Tologonov},
title = {{Conti Leaks: Examining the Panama Papers of Ransomware}},
date = {2022-03-31},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html},
language = {English},
urldate = {2022-04-07}
}
Conti Leaks: Examining the Panama Papers of Ransomware LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-23 ⋅ splunk ⋅ Shannon Davis @online{davis:20220323:gone:56f570f,
author = {Shannon Davis},
title = {{Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed}},
date = {2022-03-23},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html},
language = {English},
urldate = {2022-03-25}
}
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-17 ⋅ Sophos ⋅ Tilly Travers @online{travers:20220317:ransomware:df38f2f,
author = {Tilly Travers},
title = {{The Ransomware Threat Intelligence Center}},
date = {2022-03-17},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/},
language = {English},
urldate = {2022-03-18}
}
The Ransomware Threat Intelligence Center ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-02 ⋅ elDiario ⋅ Carlos del Castillo @online{castillo:20220302:cybercrime:c1663a8,
author = {Carlos del Castillo},
title = {{Cybercrime bosses warn that they will "fight back" if Russia is hacked}},
date = {2022-03-02},
organization = {elDiario},
url = {https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html},
language = {Spanish},
urldate = {2022-03-04}
}
Cybercrime bosses warn that they will "fight back" if Russia is hacked Conti Ryuk
2022-03-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20220302:conti:03b0358,
author = {Brian Krebs},
title = {{Conti Ransomware Group Diaries, Part II: The Office}},
date = {2022-03-02},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/},
language = {English},
urldate = {2022-03-07}
}
Conti Ransomware Group Diaries, Part II: The Office Conti Emotet Ryuk TrickBot
2022-02-23 ⋅ splunk ⋅ Shannon Davis, SURGe @techreport{davis:20220223:empirically:fe03729,
author = {Shannon Davis and SURGe},
title = {{An Empirically Comparative Analysis of Ransomware Binaries}},
date = {2022-02-23},
institution = {splunk},
url = {https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf},
language = {English},
urldate = {2022-03-25}
}
An Empirically Comparative Analysis of Ransomware Binaries Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220119:kraken:5b52d17,
author = {The BlackBerry Research & Intelligence Team},
title = {{Kraken the Code on Prometheus}},
date = {2022-01-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus},
language = {English},
urldate = {2022-05-25}
}
Kraken the Code on Prometheus Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2021-11-18 ⋅ Medium 0xchina ⋅ Hamad Alnakal @online{alnakal:20211118:malware:a0b177d,
author = {Hamad Alnakal},
title = {{Malware reverse engineering (Ryuk Ransomware)}},
date = {2021-11-18},
organization = {Medium 0xchina},
url = {https://0xchina.medium.com/malware-reverse-engineering-31039450af27},
language = {English},
urldate = {2021-11-19}
}
Malware reverse engineering (Ryuk Ransomware) Ryuk
2021-10-22 ⋅ HUNT & HACKETT ⋅ Krijn de Mik @online{mik:20211022:advanced:e22d6f6,
author = {Krijn de Mik},
title = {{Advanced IP Scanner: the preferred scanner in the A(P)T toolbox}},
date = {2021-10-22},
organization = {HUNT & HACKETT},
url = {https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox},
language = {English},
urldate = {2021-11-02}
}
Advanced IP Scanner: the preferred scanner in the A(P)T toolbox Conti DarkSide Dharma Egregor Hades REvil Ryuk
2021-10-07 ⋅ Mandiant ⋅ Joshua Shilko, Zach Riddle, Jennifer Brooks, Genevieve Stark, Adam Brunner, Kimberly Goody, Jeremy Kennelly @online{shilko:20211007:fin12:43d89f5,
author = {Joshua Shilko and Zach Riddle and Jennifer Brooks and Genevieve Stark and Adam Brunner and Kimberly Goody and Jeremy Kennelly},
title = {{FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets}},
date = {2021-10-07},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets},
language = {English},
urldate = {2021-10-08}
}
FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets BazarBackdoor GRIMAGENT Ryuk
2021-10-05 ⋅ Trend Micro ⋅ Fyodor Yarochkin, Janus Agcaoili, Byron Gelera, Nikko Tamana @online{yarochkin:20211005:ransomware:e5f5375,
author = {Fyodor Yarochkin and Janus Agcaoili and Byron Gelera and Nikko Tamana},
title = {{Ransomware as a Service: Enabler of Widespread Attacks}},
date = {2021-10-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks},
language = {English},
urldate = {2021-10-20}
}
Ransomware as a Service: Enabler of Widespread Attacks Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk
2021-09-16 ⋅ RiskIQ ⋅ RiskIQ @online{riskiq:20210916:untangling:d1e0f1b,
author = {RiskIQ},
title = {{Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit}},
date = {2021-09-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/c88cf7e6},
language = {English},
urldate = {2021-09-19}
}
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit Cobalt Strike Ryuk
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team @techreport{team:20210815:ransomware:f799696,
author = {Threat Hunter Team},
title = {{The Ransomware Threat}},
date = {2021-08-15},
institution = {Symantec},
url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
language = {English},
urldate = {2021-12-15}
}
The Ransomware Threat Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20210805:ransomware:0962b82,
author = {Brian Krebs},
title = {{Ransomware Gangs and the Name Game Distraction}},
date = {2021-08-05},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/},
language = {English},
urldate = {2021-12-13}
}
Ransomware Gangs and the Name Game Distraction DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-07-07 ⋅ McAfee ⋅ McAfee Labs @techreport{labs:20210707:ryuk:ee88024,
author = {McAfee Labs},
title = {{Ryuk Ransomware Now Targeting Webservers}},
date = {2021-07-07},
institution = {McAfee},
url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf},
language = {English},
urldate = {2021-07-11}
}
Ryuk Ransomware Now Targeting Webservers Cobalt Strike Ryuk
2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff @online{larson:20210616:first:2e436a0,
author = {Selena Larson and Daniel Blackford and Garrett M. Graff},
title = {{The First Step: Initial Access Leads to Ransomware}},
date = {2021-06-16},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware},
language = {English},
urldate = {2021-06-21}
}
The First Step: Initial Access Leads to Ransomware BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-06-09 ⋅ Twitter (@SecurityJoes) ⋅ SecurityJoes @online{securityjoes:20210609:net:13f2b90,
author = {SecurityJoes},
title = {{Tweet on .NET builder of a Ryuk imposter malware}},
date = {2021-06-09},
organization = {Twitter (@SecurityJoes)},
url = {https://twitter.com/SecurityJoes/status/1402603695578157057},
language = {English},
urldate = {2021-06-16}
}
Tweet on .NET builder of a Ryuk imposter malware Ryuk
2021-06-07 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves @online{platt:20210607:inside:6c363a7,
author = {Joshua Platt and Jason Reaves},
title = {{Inside the SystemBC Malware-As-A-Service}},
date = {2021-06-07},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6},
language = {English},
urldate = {2021-06-08}
}
Inside the SystemBC Malware-As-A-Service Ryuk SystemBC TrickBot
2021-05-22 ⋅ Youtube (ACPEnw) ⋅ YouTube (ACPEnw) @online{acpenw:20210522:lessons:6747f56,
author = {YouTube (ACPEnw)},
title = {{Lessons Learned from a Cyber Attack System Admin Perspective}},
date = {2021-05-22},
organization = {Youtube (ACPEnw)},
url = {https://www.youtube.com/watch?v=HwfRxjV2wok},
language = {English},
urldate = {2021-06-21}
}
Lessons Learned from a Cyber Attack System Admin Perspective Ryuk
2021-05-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20210518:darkside:d8e345b,
author = {Ionut Ilascu},
title = {{DarkSide ransomware made $90 million in just nine months}},
date = {2021-05-18},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/},
language = {English},
urldate = {2021-06-07}
}
DarkSide ransomware made $90 million in just nine months DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-18 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210518:darkside:14b6690,
author = {Catalin Cimpanu},
title = {{Darkside gang estimated to have made over $90 million from ransomware attacks}},
date = {2021-05-18},
organization = {The Record},
url = {https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/},
language = {English},
urldate = {2021-05-19}
}
Darkside gang estimated to have made over $90 million from ransomware attacks DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-06 ⋅ Sophos Labs ⋅ Tilly Travers, Bill Kearney, Kyle Link, Peter Mackenzie, Matthew Sharf @online{travers:20210506:mtr:1f2feb4,
author = {Tilly Travers and Bill Kearney and Kyle Link and Peter Mackenzie and Matthew Sharf},
title = {{MTR in Real Time: Pirates pave way for Ryuk ransomware}},
date = {2021-05-06},
organization = {Sophos Labs},
url = {https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/},
language = {English},
urldate = {2021-05-13}
}
MTR in Real Time: Pirates pave way for Ryuk ransomware Ryuk
2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker @online{denker:20210506:ransomware:a1f31df,
author = {Brandon Denker},
title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}},
date = {2021-05-06},
organization = {Cyborg Security},
url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/},
language = {English},
urldate = {2021-05-08}
}
Ransomware: Hunting for Inhibiting System Backup or Recovery Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-26 ⋅ CoveWare ⋅ CoveWare @online{coveware:20210426:ransomware:12586d5,
author = {CoveWare},
title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}},
date = {2021-04-26},
organization = {CoveWare},
url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound},
language = {English},
urldate = {2021-05-13}
}
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Al Calleo, Yelisey Boguslavskiy @online{kremez:20210417:adversary:197fcfa,
author = {Vitali Kremez and Al Calleo and Yelisey Boguslavskiy},
title = {{Adversary Dossier: Ryuk Ransomware Anatomy of an Attack in 2021}},
date = {2021-04-17},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021},
language = {English},
urldate = {2021-04-19}
}
Adversary Dossier: Ryuk Ransomware Anatomy of an Attack in 2021 Ryuk
2021-04-07 ⋅ ANALYST1 ⋅ Jon DiMaggio @techreport{dimaggio:20210407:ransom:a543eac,
author = {Jon DiMaggio},
title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}},
date = {2021-04-07},
institution = {ANALYST1},
url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf},
language = {English},
urldate = {2021-04-09}
}
Ransom Mafia Analysis of the World's First Ransomware Cartel Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-03-21 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20210321:2021:a393473,
author = {Blackberry Research},
title = {{2021 Threat Report}},
date = {2021-03-21},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
language = {English},
urldate = {2021-03-25}
}
2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42 @techreport{unit42:20210317:ransomware:504cc32,
author = {Unit42},
title = {{Ransomware Threat Report 2021}},
date = {2021-03-17},
institution = {Palo Alto Networks Unit 42},
url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf},
language = {English},
urldate = {2021-03-19}
}
Ransomware Threat Report 2021 RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-04 ⋅ NCC Group ⋅ Ollie Whitehouse @online{whitehouse:20210304:deception:7435450,
author = {Ollie Whitehouse},
title = {{Deception Engineering: exploring the use of Windows Service Canaries against ransomware}},
date = {2021-03-04},
organization = {NCC Group},
url = {https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/},
language = {English},
urldate = {2021-03-11}
}
Deception Engineering: exploring the use of Windows Service Canaries against ransomware Ryuk
2021-03 ⋅ CCN-CERT ⋅ CCN-CERT @online{ccncert:202103:informe:1628d52,
author = {CCN-CERT},
title = {{Informe Código DañinoCCN-CERT ID-03/21: RyukRansomware}},
date = {2021-03},
organization = {CCN-CERT},
url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html},
language = {Spanish},
urldate = {2021-03-19}
}
Informe Código DañinoCCN-CERT ID-03/21: RyukRansomware Ryuk
2021-03-01 ⋅ YouTube ( Malware_Analyzing_&_RE_Tips_Tricks) ⋅ Jiří Vinopal @online{vinopal:20210301:ryuk:333699d,
author = {Jiří Vinopal},
title = {{Ryuk Ransomware - Advanced using of Scylla for Imports reconstruction}},
date = {2021-03-01},
organization = {YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)},
url = {https://www.youtube.com/watch?v=Of_KjNG9DHc},
language = {English},
urldate = {2021-03-02}
}
Ryuk Ransomware - Advanced using of Scylla for Imports reconstruction Ryuk
2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev @techreport{skulkin:202103:ransomware:992ca10,
author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev},
title = {{Ransomware Uncovered 2020/2021}},
date = {2021-03},
institution = {Group-IB},
url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf},
language = {English},
urldate = {2021-06-16}
}
Ransomware Uncovered 2020/2021 RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-27 ⋅ 4rchibld ⋅ 4rchibld @online{4rchibld:20210227:nice:e7960f8,
author = {4rchibld},
title = {{Nice to meet you, too. My name is Ryuk.}},
date = {2021-02-27},
organization = {4rchibld},
url = {https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/},
language = {English},
urldate = {2021-05-11}
}
Nice to meet you, too. My name is Ryuk. Ryuk
2021-02-25 ⋅ ANSSI ⋅ CERT-FR @techreport{certfr:20210225:ryuk:7895e12,
author = {CERT-FR},
title = {{Ryuk Ransomware}},
date = {2021-02-25},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf},
language = {English},
urldate = {2021-03-02}
}
Ryuk Ransomware BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-22 ⋅ YouTube ( Malware_Analyzing_&_RE_Tips_Tricks) ⋅ Jiří Vinopal @online{vinopal:20210222:ryuk:e9c5fb4,
author = {Jiří Vinopal},
title = {{Ryuk Ransomware API Resolving in 10 minutes}},
date = {2021-02-22},
organization = {YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)},
url = {https://www.youtube.com/watch?v=7xxRunBP5XA},
language = {English},
urldate = {2021-02-25}
}
Ryuk Ransomware API Resolving in 10 minutes Ryuk
2021-02-16 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team @online{team:20210216:q4:4a82474,
author = {Proofpoint Threat Research Team},
title = {{Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes}},
date = {2021-02-16},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes},
language = {English},
urldate = {2021-05-31}
}
Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes Emotet Ryuk NARWHAL SPIDER TA800
2021-02-11 ⋅ CTI LEAGUE ⋅ CTI LEAGUE @techreport{league:20210211:ctil:69c2ab8,
author = {CTI LEAGUE},
title = {{CTIL Darknet Report – 2021}},
date = {2021-02-11},
institution = {CTI LEAGUE},
url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf},
language = {English},
urldate = {2021-02-20}
}
CTIL Darknet Report – 2021 Conti Mailto Maze REvil Ryuk
2021-02-04 ⋅ ClearSky ⋅ ClearSky Research Team @techreport{team:20210204:conti:27cb3a2,
author = {ClearSky Research Team},
title = {{CONTI Modus Operandi and Bitcoin Tracking}},
date = {2021-02-04},
institution = {ClearSky},
url = {https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf},
language = {English},
urldate = {2021-02-06}
}
CONTI Modus Operandi and Bitcoin Tracking Conti Ryuk
2021-02-02 ⋅ CRONUP ⋅ Germán Fernández @online{fernndez:20210202:de:6ff4f3a,
author = {Germán Fernández},
title = {{De ataque con Malware a incidente de Ransomware}},
date = {2021-02-02},
organization = {CRONUP},
url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware},
language = {Spanish},
urldate = {2021-03-02}
}
De ataque con Malware a incidente de Ransomware Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-01 ⋅ Twitter (@IntelAdvanced) ⋅ Advanced Intelligence @online{intelligence:20210201:active:0a4f59f,
author = {Advanced Intelligence},
title = {{Tweet on Active Directory Exploitation by RYUK "one" group}},
date = {2021-02-01},
organization = {Twitter (@IntelAdvanced)},
url = {https://twitter.com/IntelAdvanced/status/1356114606780002308},
language = {English},
urldate = {2021-02-04}
}
Tweet on Active Directory Exploitation by RYUK "one" group Ryuk
2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210131:bazar:c3b3859,
author = {The DFIR Report},
title = {{Bazar, No Ryuk?}},
date = {2021-01-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/},
language = {English},
urldate = {2021-02-02}
}
Bazar, No Ryuk? BazarBackdoor Cobalt Strike Ryuk
2021-01-28 ⋅ Huntress Labs ⋅ John Hammond @techreport{hammond:20210128:analyzing:2f8dae2,
author = {John Hammond},
title = {{Analyzing Ryuk Another Link in the Cyber Attack Chain}},
date = {2021-01-28},
institution = {Huntress Labs},
url = {https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf},
language = {English},
urldate = {2021-01-29}
}
Analyzing Ryuk Another Link in the Cyber Attack Chain BazarBackdoor Ryuk
2021-01-25 ⋅ Twitter (@IntelAdvanced) ⋅ Advanced Intelligence @online{intelligence:20210125:ryuk:25a96a7,
author = {Advanced Intelligence},
title = {{Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool}},
date = {2021-01-25},
organization = {Twitter (@IntelAdvanced)},
url = {https://twitter.com/IntelAdvanced/status/1353546534676258816},
language = {English},
urldate = {2021-01-25}
}
Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool Ryuk
2021-01-07 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Brian Carter, HYAS @online{kremez:20210107:crime:4c6f5c3,
author = {Vitali Kremez and Brian Carter and HYAS},
title = {{Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders}},
date = {2021-01-07},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders},
language = {English},
urldate = {2021-01-11}
}
Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders Ryuk |
2020-12-28 ⋅ 0xC0DECAFE ⋅ Thomas Barabosch @online{barabosch:20201228:never:f7e93aa,
author = {Thomas Barabosch},
title = {{Never upload ransomware samples to the Internet}},
date = {2020-12-28},
organization = {0xC0DECAFE},
url = {https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/},
language = {English},
urldate = {2021-01-01}
}
Never upload ransomware samples to the Internet Ryuk |
2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén @online{whln:20201222:collaboration:5d2ad28,
author = {Mattias Wåhlén},
title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}},
date = {2020-12-22},
organization = {TRUESEC},
url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/},
language = {English},
urldate = {2021-01-01}
}
Collaboration between FIN7 and the RYUK group, a Truesec Investigation Carbanak Cobalt Strike Ryuk |
2020-12-21 ⋅ IronNet ⋅ Adam Hlavek, Kimberly Ortiz @online{hlavek:20201221:russian:804662f,
author = {Adam Hlavek and Kimberly Ortiz},
title = {{Russian cyber attack campaigns and actors}},
date = {2020-12-21},
organization = {IronNet},
url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors},
language = {English},
urldate = {2021-01-05}
}
Russian cyber attack campaigns and actors WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess |
2020-12-16 ⋅ Accenture ⋅ Paul Mansfield @online{mansfield:20201216:tracking:25540bd,
author = {Paul Mansfield},
title = {{Tracking and combatting an evolving danger: Ransomware extortion}},
date = {2020-12-16},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion},
language = {English},
urldate = {2020-12-17}
}
Tracking and combatting an evolving danger: Ransomware extortion DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt |
2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC @online{uscert:20201210:alert:a5ec77e,
author = {US-CERT and FBI and MS-ISAC},
title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}},
date = {2020-12-10},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a},
language = {English},
urldate = {2020-12-11}
}
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus |
2020-12-10 ⋅ Cybereason ⋅ Joakim Kandefelt @online{kandefelt:20201210:cybereason:0267d5e,
author = {Joakim Kandefelt},
title = {{Cybereason vs. Ryuk Ransomware}},
date = {2020-12-10},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware},
language = {English},
urldate = {2020-12-14}
}
Cybereason vs. Ryuk Ransomware BazarBackdoor Ryuk TrickBot |
2020-12-10 ⋅ CyberInt ⋅ CyberInt @online{cyberint:20201210:ryuk:e74b8f6,
author = {CyberInt},
title = {{Ryuk Crypto-Ransomware}},
date = {2020-12-10},
organization = {CyberInt},
url = {https://blog.cyberint.com/ryuk-crypto-ransomware},
language = {English},
urldate = {2020-12-14}
}
Ryuk Crypto-Ransomware Ryuk TrickBot |
2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20201209:quarterly:9ed3062,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends from Fall 2020}},
date = {2020-12-09},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html},
language = {English},
urldate = {2020-12-10}
}
Quarterly Report: Incident Response trends from Fall 2020 Cobalt Strike IcedID Maze RansomEXX Ryuk |
2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20201120:malware:0b8ff59,
author = {Catalin Cimpanu},
title = {{The malware that usually installs ransomware and you need to remove right away}},
date = {2020-11-20},
organization = {ZDNet},
url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/},
language = {English},
urldate = {2020-11-23}
}
The malware that usually installs ransomware and you need to remove right away Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
2020-11-19 ⋅ Threatpost ⋅ Elizabeth Montalbano @online{montalbano:20201119:exploits:f40feb2,
author = {Elizabeth Montalbano},
title = {{APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies}},
date = {2020-11-19},
organization = {Threatpost},
url = {https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/},
language = {English},
urldate = {2020-11-23}
}
APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies Quasar RAT Ryuk |
2020-11-18 ⋅ DomainTools ⋅ Joe Slowik @online{slowik:20201118:analyzing:abccd43,
author = {Joe Slowik},
title = {{Analyzing Network Infrastructure as Composite Objects}},
date = {2020-11-18},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects},
language = {English},
urldate = {2020-11-19}
}
Analyzing Network Infrastructure as Composite Objects Ryuk |
2020-11-16 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201116:ransomwareasaservice:11a5a8b,
author = {Intel 471},
title = {{Ransomware-as-a-service: The pandemic within a pandemic}},
date = {2020-11-16},
organization = {Intel 471},
url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/},
language = {English},
urldate = {2020-11-17}
}
Ransomware-as-a-service: The pandemic within a pandemic Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX |
2020-11-14 ⋅ Medium 0xastrovax ⋅ astrovax @online{astrovax:20201114:deep:b50ae08,
author = {astrovax},
title = {{Deep Dive Into Ryuk Ransomware}},
date = {2020-11-14},
organization = {Medium 0xastrovax},
url = {https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12},
language = {English},
urldate = {2021-01-25}
}
Deep Dive Into Ryuk Ransomware Hermes Ryuk |
2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez @online{kremez:20201106:anatomy:b2ce3ae,
author = {Vitali Kremez},
title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}},
date = {2020-11-06},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike},
language = {English},
urldate = {2020-11-09}
}
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike BazarBackdoor Cobalt Strike Ryuk |
2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst @online{theanalyst:20201105:zloader:c4bab85,
author = {TheAnalyst},
title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}},
date = {2020-11-05},
organization = {Twitter (@ffforward)},
url = {https://twitter.com/ffforward/status/1324281530026524672},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK Cobalt Strike Ryuk Zloader |
2020-11-05 ⋅ Github (scythe-io) ⋅ SCYTHE @online{scythe:20201105:ryuk:8d7c4de,
author = {SCYTHE},
title = {{Ryuk Adversary Emulation Plan}},
date = {2020-11-05},
organization = {Github (scythe-io)},
url = {https://github.com/scythe-io/community-threats/tree/master/Ryuk},
language = {English},
urldate = {2020-11-11}
}
Ryuk Adversary Emulation Plan Ryuk |
2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201105:ryuk:ceaa823,
author = {The DFIR Report},
title = {{Ryuk Speed Run, 2 Hours to Ransom}},
date = {2020-11-05},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/},
language = {English},
urldate = {2020-11-06}
}
Ryuk Speed Run, 2 Hours to Ransom BazarBackdoor Cobalt Strike Ryuk |
2020-11-05 ⋅ SCYTHE ⋅ Jorge Orchilles, Sean Lyngaas @online{orchilles:20201105:threatthursday:a3297b9,
author = {Jorge Orchilles and Sean Lyngaas},
title = {{#ThreatThursday - Ryuk}},
date = {2020-11-05},
organization = {SCYTHE},
url = {https://www.scythe.io/library/threatthursday-ryuk},
language = {English},
urldate = {2020-11-06}
}
#ThreatThursday - Ryuk BazarBackdoor Ryuk |
2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna @online{vigna:20201104:trick:a59a333,
author = {Giovanni Vigna},
title = {{Trick or Threat: Ryuk ransomware targets the health care industry}},
date = {2020-11-04},
organization = {VMRay},
url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/},
language = {English},
urldate = {2020-11-06}
}
Trick or Threat: Ryuk ransomware targets the health care industry BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-10-31 ⋅ splunk ⋅ Ryan Kovar @online{kovar:20201031:ryuk:735f563,
author = {Ryan Kovar},
title = {{Ryuk and Splunk Detections}},
date = {2020-10-31},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html},
language = {English},
urldate = {2020-11-02}
}
Ryuk and Splunk Detections Ryuk |
2020-10-30 ⋅ Cofense ⋅ The Cofense Intelligence Team @online{team:20201030:ryuk:9166a9a,
author = {The Cofense Intelligence Team},
title = {{The Ryuk Threat: Why BazarBackdoor Matters Most}},
date = {2020-10-30},
organization = {Cofense},
url = {https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/},
language = {English},
urldate = {2020-11-02}
}
The Ryuk Threat: Why BazarBackdoor Matters Most BazarBackdoor Ryuk |
2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect @online{threatconnect:20201030:unc:b3ae3d0,
author = {ThreatConnect},
title = {{UNC 1878 Indicators from Threatconnect}},
date = {2020-10-30},
organization = {Github (ThreatConnect-Inc)},
url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv},
language = {English},
urldate = {2020-11-06}
}
UNC 1878 Indicators from Threatconnect BazarBackdoor Cobalt Strike Ryuk |
2020-10-29 ⋅ McAfee ⋅ McAfee Labs @techreport{labs:20201029:mcafee:84eed4e,
author = {McAfee Labs},
title = {{McAfee Labs Threat Advisory Ransom-Ryuk}},
date = {2020-10-29},
institution = {McAfee},
url = {https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf},
language = {English},
urldate = {2020-11-02}
}
McAfee Labs Threat Advisory Ransom-Ryuk Ryuk |
2020-10-29 ⋅ Reuters ⋅ Christopher Bing, Joseph Menn @online{bing:20201029:building:ceeb50f,
author = {Christopher Bing and Joseph Menn},
title = {{Building wave of ransomware attacks strike U.S. hospitals}},
date = {2020-10-29},
organization = {Reuters},
url = {https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP},
language = {English},
urldate = {2020-11-02}
}
Building wave of ransomware attacks strike U.S. hospitals Ryuk |
2020-10-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201029:hacking:c8d5379,
author = {Lawrence Abrams},
title = {{Hacking group is targeting US hospitals with Ryuk ransomware}},
date = {2020-10-29},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/},
language = {English},
urldate = {2020-11-02}
}
Hacking group is targeting US hospitals with Ryuk ransomware Ryuk |
2020-10-29 ⋅ Palo Alto Networks Unit 42 ⋅ Brittany Barbehenn, Doel Santos, Brad Duncan @online{barbehenn:20201029:threat:de33a6d,
author = {Brittany Barbehenn and Doel Santos and Brad Duncan},
title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}},
date = {2020-10-29},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/},
language = {English},
urldate = {2020-11-02}
}
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector Anchor BazarBackdoor Ryuk TrickBot |
2020-10-29 ⋅ Twitter (@anthomsec) ⋅ Andrew Thompson @online{thompson:20201029:unc1878:26c88d4,
author = {Andrew Thompson},
title = {{Tweet on UNC1878 activity}},
date = {2020-10-29},
organization = {Twitter (@anthomsec)},
url = {https://twitter.com/anthomsec/status/1321865315513520128},
language = {English},
urldate = {2020-11-04}
}
Tweet on UNC1878 activity BazarBackdoor Ryuk TrickBot UNC1878 |
2020-10-29 ⋅ Twitter (@SophosLabs) ⋅ SophosLabs @online{sophoslabs:20201029:similarities:408a640,
author = {SophosLabs},
title = {{Tweet on similarities between BUER in-memory loader & RYUK in-memory loader}},
date = {2020-10-29},
organization = {Twitter (@SophosLabs)},
url = {https://twitter.com/SophosLabs/status/1321844306970251265},
language = {English},
urldate = {2020-11-02}
}
Tweet on similarities between BUER in-memory loader & RYUK in-memory loader Buer Ryuk |
2020-10-29 ⋅ CNN ⋅ Vivian Salama, Alex Marquardt, Lauren Mascarenhas @online{salama:20201029:several:88d8127,
author = {Vivian Salama and Alex Marquardt and Lauren Mascarenhas},
title = {{Several hospitals targeted in new wave of ransomware attacks}},
date = {2020-10-29},
organization = {CNN},
url = {https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html},
language = {English},
urldate = {2020-11-02}
}
Several hospitals targeted in new wave of ransomware attacks Ryuk |
2020-10-29 ⋅ RiskIQ ⋅ RiskIQ @online{riskiq:20201029:ryuk:0643968,
author = {RiskIQ},
title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}},
date = {2020-10-29},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/0bcefe76},
language = {English},
urldate = {2020-11-02}
}
Ryuk Ransomware: Extensive Attack Infrastructure Revealed Cobalt Strike Ryuk |
2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team @online{team:20201029:bazar:1846b93,
author = {The Red Canary Team},
title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}},
date = {2020-10-29},
organization = {Red Canary},
url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/},
language = {English},
urldate = {2020-11-02}
}
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak Cobalt Strike Ryuk TrickBot |
2020-10-28 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Van Ta, Aaron Stephens, Katie Nickels @online{ta:20201028:star:16965fb,
author = {Van Ta and Aaron Stephens and Katie Nickels},
title = {{STAR Webcast: Spooky RYUKy: The Return of UNC1878}},
date = {2020-10-28},
organization = {Youtube (SANS Digital Forensics and Incident Response)},
url = {https://www.youtube.com/watch?v=BhjQ6zsCVSc},
language = {English},
urldate = {2020-11-02}
}
STAR Webcast: Spooky RYUKy: The Return of UNC1878 Ryuk |
2020-10-28 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock @online{goody:20201028:unhappy:c0d2e4b,
author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock},
title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}},
date = {2020-10-28},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html},
language = {English},
urldate = {2020-11-02}
}
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser BazarBackdoor Cobalt Strike Ryuk UNC1878 |
2020-10-28 ⋅ Github (aaronst) ⋅ Aaron Stephens @online{stephens:20201028:unc1878:5f717f6,
author = {Aaron Stephens},
title = {{UNC1878 indicators}},
date = {2020-10-28},
organization = {Github (aaronst)},
url = {https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456},
language = {English},
urldate = {2020-11-04}
}
UNC1878 indicators Ryuk UNC1878 |
2020-10-28 ⋅ Youtube (SANS Institute) ⋅ Katie Nickels, Van Ta, Aaron Stephens @online{nickels:20201028:spooky:3bf0a0a,
author = {Katie Nickels and Van Ta and Aaron Stephens},
title = {{Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast}},
date = {2020-10-28},
organization = {Youtube (SANS Institute)},
url = {https://www.youtube.com/watch?v=CgDtm05qApE},
language = {English},
urldate = {2020-11-04}
}
Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast Ryuk UNC1878 |
2020-10-28 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearny, Anand Ajjan, Brett Cove, Gabor Szappanos @online{gallagher:20201028:hacks:8e1d051,
author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearny and Anand Ajjan and Brett Cove and Gabor Szappanos},
title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}},
date = {2020-10-28},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/},
language = {English},
urldate = {2020-11-02}
}
Hacks for sale: inside the Buer Loader malware-as-a-service Buer Ryuk Zloader |
2020-10-28 ⋅ CISA ⋅ CISA, FBI, HHS @techreport{cisa:20201028:aa20302a:80b6a06,
author = {CISA and FBI and HHS},
title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}},
date = {2020-10-28},
institution = {CISA},
url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf},
language = {English},
urldate = {2020-11-02}
}
AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector AnchorDNS Anchor BazarBackdoor Ryuk |
2020-10-28 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20201028:fbi:26b9480,
author = {Brian Krebs},
title = {{FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals}},
date = {2020-10-28},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/},
language = {English},
urldate = {2020-11-02}
}
FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals Ryuk |
2020-10-27 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201027:steelcase:25f66a9,
author = {Lawrence Abrams},
title = {{Steelcase furniture giant hit by Ryuk ransomware attack}},
date = {2020-10-27},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/},
language = {English},
urldate = {2020-10-28}
}
Steelcase furniture giant hit by Ryuk ransomware attack Ryuk |
2020-10-26 ⋅ ThreatConnect ⋅ ThreatConnect Research Team @online{team:20201026:threatconnect:0e90cc3,
author = {ThreatConnect Research Team},
title = {{ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft}},
date = {2020-10-26},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/},
language = {English},
urldate = {2020-10-29}
}
ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft Ryuk |
2020-10-22 ⋅ Sentinel LABS ⋅ Marco Figueroa @online{figueroa:20201022:inside:228798e,
author = {Marco Figueroa},
title = {{An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques}},
date = {2020-10-22},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/},
language = {English},
urldate = {2020-10-26}
}
An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques Ryuk |
2020-10-22 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201022:french:6d52e19,
author = {Lawrence Abrams},
title = {{French IT giant Sopra Steria hit by Ryuk ransomware}},
date = {2020-10-22},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/},
language = {English},
urldate = {2020-10-26}
}
French IT giant Sopra Steria hit by Ryuk ransomware Ryuk |
2020-10-20 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ BSI @online{bsi:20201020:die:0683ad4,
author = {BSI},
title = {{Die Lage der IT-Sicherheit in Deutschland 2020}},
date = {2020-10-20},
organization = {Bundesamt für Sicherheit in der Informationstechnik},
url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2},
language = {German},
urldate = {2020-10-21}
}
Die Lage der IT-Sicherheit in Deutschland 2020 Clop Emotet REvil Ryuk TrickBot |
2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201018:ryuk:fbaadb8,
author = {The DFIR Report},
title = {{Ryuk in 5 Hours}},
date = {2020-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/},
language = {English},
urldate = {2020-10-19}
}
Ryuk in 5 Hours BazarBackdoor Cobalt Strike Ryuk |
2020-10-16 ⋅ ThreatConnect ⋅ ThreatConnect Research Team @online{team:20201016:threatconnect:2010d70,
author = {ThreatConnect Research Team},
title = {{ThreatConnect Research Roundup: Possible Ryuk Infrastructure}},
date = {2020-10-16},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/},
language = {English},
urldate = {2020-10-23}
}
ThreatConnect Research Roundup: Possible Ryuk Infrastructure Ryuk |
2020-10-16 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team @online{team:20201016:wizard:12b648a,
author = {The Crowdstrike Intel Team},
title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}},
date = {2020-10-16},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/},
language = {English},
urldate = {2020-10-21}
}
WIZARD SPIDER Update: Resilient, Reactive and Resolute BazarBackdoor Conti Ryuk TrickBot |
2020-10-14 ⋅ Sophos ⋅ Sean Gallagher @online{gallagher:20201014:theyre:99f5d1e,
author = {Sean Gallagher},
title = {{They’re back: inside a new Ryuk ransomware attack}},
date = {2020-10-14},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/},
language = {English},
urldate = {2020-10-16}
}
They’re back: inside a new Ryuk ransomware attack Cobalt Strike Ryuk SystemBC |
2020-10-13 ⋅ VirusTotal ⋅ Gerardo Fernández, Vicente Diaz @online{fernndez:20201013:tracing:14bb6fa,
author = {Gerardo Fernández and Vicente Diaz},
title = {{Tracing fresh Ryuk campaigns itw}},
date = {2020-10-13},
organization = {VirusTotal},
url = {https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html},
language = {English},
urldate = {2020-10-23}
}
Tracing fresh Ryuk campaigns itw Ryuk |
2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez @online{marshanski:20201012:front:686add1,
author = {Roman Marshanski and Vitali Kremez},
title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}},
date = {2020-10-12},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon},
language = {English},
urldate = {2020-10-13}
}
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon BazarBackdoor Cobalt Strike Ryuk |
2020-10-12 ⋅ Microsoft ⋅ Tom Burt @online{burt:20201012:new:045c1c3,
author = {Tom Burt},
title = {{New action to combat ransomware ahead of U.S. elections}},
date = {2020-10-12},
organization = {Microsoft},
url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/},
language = {English},
urldate = {2020-10-12}
}
New action to combat ransomware ahead of U.S. elections Ryuk TrickBot |
2020-10-12 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20201012:trickbot:5c1e5bf,
author = {Threat Hunter Team},
title = {{Trickbot: U.S. Court Order Hits Botnet’s Infrastructure}},
date = {2020-10-12},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption},
language = {English},
urldate = {2020-10-12}
}
Trickbot: U.S. Court Order Hits Botnet’s Infrastructure Ryuk TrickBot |
2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201008:ryuks:e47d8fa,
author = {The DFIR Report},
title = {{Ryuk’s Return}},
date = {2020-10-08},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/08/ryuks-return/},
language = {English},
urldate = {2020-10-09}
}
Ryuk’s Return BazarBackdoor Cobalt Strike Ryuk |
2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3) @techreport{hc3:20201002:report:0ca373f,
author = {Health Sector Cybersecurity Coordination Center (HC3)},
title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}},
date = {2020-10-02},
institution = {Health Sector Cybersecurity Coordination Center (HC3)},
url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf},
language = {English},
urldate = {2020-11-02}
}
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-10-01 ⋅ KELA ⋅ Victoria Kivilevich @online{kivilevich:20201001:to:fd3aa09,
author = {Victoria Kivilevich},
title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}},
date = {2020-10-01},
organization = {KELA},
url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/},
language = {English},
urldate = {2021-05-07}
}
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt |
2020-09-29 ⋅ PWC UK ⋅ Andy Auld @online{auld:20200929:whats:2782a62,
author = {Andy Auld},
title = {{What's behind the increase in ransomware attacks this year?}},
date = {2020-09-29},
organization = {PWC UK},
url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html},
language = {English},
urldate = {2021-05-25}
}
What's behind the increase in ransomware attacks this year? DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker |
2020-09-24 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT @techreport{cert:20200924:threat:2d7986d,
author = {Kaspersky Lab ICS CERT},
title = {{Threat landscape for industrial automation systems - H1 2020}},
date = {2020-09-24},
institution = {Kaspersky Labs},
url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf},
language = {English},
urldate = {2020-10-04}
}
Threat landscape for industrial automation systems - H1 2020 Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake |
2020-09-01 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20200901:quarterly:c02962b,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends in Summer 2020}},
date = {2020-09-01},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html},
language = {English},
urldate = {2020-09-03}
}
Quarterly Report: Incident Response trends in Summer 2020 Cobalt Strike LockBit Mailto Maze Ryuk |
2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider @online{cyberthreatinsider:20200820:global:34ee2ea,
author = {cyberthreatinsider},
title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}},
date = {2020-08-20},
organization = {sensecy},
url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/},
language = {English},
urldate = {2020-11-04}
}
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities Clop Maze REvil Ryuk |
2020-08-18 ⋅ Arete ⋅ Arete Incident Response @techreport{response:20200818:is:72e08da,
author = {Arete Incident Response},
title = {{Is Conti the New Ryuk?}},
date = {2020-08-18},
institution = {Arete},
url = {https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf},
language = {English},
urldate = {2020-08-25}
}
Is Conti the New Ryuk? Conti Ryuk |
2020-08 ⋅ Temple University ⋅ CARE @online{care:202008:critical:415c34d,
author = {CARE},
title = {{Critical Infrastructure Ransomware Attacks}},
date = {2020-08},
organization = {Temple University},
url = {https://sites.temple.edu/care/ci-rw-attacks/},
language = {English},
urldate = {2020-09-15}
}
Critical Infrastructure Ransomware Attacks CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor |
2020-06-23 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20200623:ryuk:c63b0c6,
author = {Ionut Ilascu},
title = {{Ryuk ransomware deployed two weeks after Trickbot infection}},
date = {2020-06-23},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/},
language = {English},
urldate = {2020-06-30}
}
Ryuk ransomware deployed two weeks after Trickbot infection Ryuk |
2020-06-15 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20200615:quarterly:c2dcd77,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly report: Incident Response trends in Summer 2020}},
date = {2020-06-15},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more},
language = {English},
urldate = {2020-06-19}
}
Quarterly report: Incident Response trends in Summer 2020 Ryuk |
2020-05-05 ⋅ N1ght-W0lf Blog ⋅ Abdallah Elshinbary @online{elshinbary:20200505:deep:f5661cb,
author = {Abdallah Elshinbary},
title = {{Deep Analysis of Ryuk Ransomware}},
date = {2020-05-05},
organization = {N1ght-W0lf Blog},
url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/},
language = {English},
urldate = {2020-05-10}
}
Deep Analysis of Ryuk Ransomware Ryuk |
2020-04-19 ⋅ SecurityLiterate ⋅ Kyle Cucci @online{cucci:20200419:reversing:4523233,
author = {Kyle Cucci},
title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}},
date = {2020-04-19},
organization = {SecurityLiterate},
url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/},
language = {English},
urldate = {2020-08-13}
}
Reversing Ryuk: A Technical Analysis of Ryuk Ransomware Ryuk |
2020-04-14 ⋅ Intel 471 ⋅ Intel 471 @online{471:20200414:understanding:ca95961,
author = {Intel 471},
title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}},
date = {2020-04-14},
organization = {Intel 471},
url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/},
language = {English},
urldate = {2020-04-26}
}
Understanding the relationship between Emotet, Ryuk and TrickBot Emotet Ryuk TrickBot |
2020-03-31 ⋅ FireEye ⋅ Van Ta, Aaron Stephens @online{ta:20200331:its:632dfca,
author = {Van Ta and Aaron Stephens},
title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}},
date = {2020-03-31},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html},
language = {English},
urldate = {2020-04-06}
}
It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit Ryuk TrickBot UNC1878 |
2020-03-25 ⋅ Wilbur Security ⋅ JW @online{jw:20200325:trickbot:17b0dc3,
author = {JW},
title = {{Trickbot to Ryuk in Two Hours}},
date = {2020-03-25},
organization = {Wilbur Security},
url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/},
language = {English},
urldate = {2020-03-26}
}
Trickbot to Ryuk in Two Hours Cobalt Strike Ryuk TrickBot |
2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team @online{team:20200305:humanoperated:d90a28e,
author = {Microsoft Threat Protection Intelligence Team},
title = {{Human-operated ransomware attacks: A preventable disaster}},
date = {2020-03-05},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/},
language = {English},
urldate = {2020-03-06}
}
Human-operated ransomware attacks: A preventable disaster Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA |
2020-03-04 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200304:ryuk:31f2ce0,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}},
date = {2020-03-04},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/},
language = {English},
urldate = {2020-03-09}
}
Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection Ryuk TrickBot |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
2020-03-03 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20200303:cyber:1f1eef0,
author = {PWC UK},
title = {{Cyber Threats 2019: A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019: A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle |
2020-03-02 ⋅ c't ⋅ Christian Wölbert @online{wlbert:20200302:was:1b9cc93,
author = {Christian Wölbert},
title = {{Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen}},
date = {2020-03-02},
organization = {c't},
url = {https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html},
language = {German},
urldate = {2020-03-02}
}
Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen Emotet Ryuk |
2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua @online{decapua:20200225:feds:423f929,
author = {Joel DeCapua},
title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}},
date = {2020-02-25},
organization = {RSA Conference},
url = {https://www.youtube.com/watch?v=LUxOcpIRxmg},
language = {English},
urldate = {2020-03-04}
}
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus |
2020-02-13 ⋅ Quick Heal ⋅ Goutam Tripathy @online{tripathy:20200213:deep:34e3281,
author = {Goutam Tripathy},
title = {{A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk}},
date = {2020-02-13},
organization = {Quick Heal},
url = {https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/},
language = {English},
urldate = {2021-01-25}
}
A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk Ryuk |
2020-02-12 ⋅ VMWare Carbon Black ⋅ Rachel E. King, AC @online{king:20200212:ryuk:720c14e,
author = {Rachel E. King and AC},
title = {{Ryuk Ransomware Technical Analysis}},
date = {2020-02-12},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/},
language = {English},
urldate = {2020-11-19}
}
Ryuk Ransomware Technical Analysis Ryuk |
2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz @techreport{kujawa:20200210:2020:3fdaf12,
author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz},
title = {{2020 State of Malware Report}},
date = {2020-02-10},
institution = {Malwarebytes},
url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf},
language = {English},
urldate = {2020-02-13}
}
2020 State of Malware Report magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor |
2020-01-29 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20200129:tat:3d59e6e,
author = {ANSSI},
title = {{État de la menace rançongiciel}},
date = {2020-01-29},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf},
language = {English},
urldate = {2020-02-03}
}
État de la menace rançongiciel Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam |
2020-01-29 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200129:dod:57de65d,
author = {Catalin Cimpanu},
title = {{DOD contractor suffers ransomware infection}},
date = {2020-01-29},
organization = {ZDNet},
url = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/},
language = {English},
urldate = {2020-02-03}
}
DOD contractor suffers ransomware infection Ryuk |
2020-01-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200124:new:05d5a6a,
author = {Lawrence Abrams},
title = {{New Ryuk Info Stealer Targets Government and Military Secrets}},
date = {2020-01-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/},
language = {English},
urldate = {2020-02-03}
}
New Ryuk Info Stealer Targets Government and Military Secrets Ryuk |
2020-01-24 ⋅ ReversingLabs ⋅ Robert Simmons @online{simmons:20200124:hunting:f99f1f9,
author = {Robert Simmons},
title = {{Hunting for Ransomware}},
date = {2020-01-24},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/hunting-for-ransomware},
language = {English},
urldate = {2020-01-29}
}
Hunting for Ransomware Ryuk |
2020-01-17 ⋅ Secureworks ⋅ Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru @techreport{kiyotaka:20200117:is:969ff38,
author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru},
title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}},
date = {2020-01-17},
institution = {Secureworks},
url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf},
language = {English},
urldate = {2020-04-06}
}
Is It Wrong to Try to Find APT Techniques in Ransomware Attack? Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware |
2020-01-14 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200114:ryuk:b2e47fa,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}},
date = {2020-01-14},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/},
language = {English},
urldate = {2020-01-15}
}
Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices Ryuk |
2020 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:2020:state:e5941af,
author = {Blackberry Research},
title = {{State of Ransomware}},
date = {2020},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf},
language = {English},
urldate = {2021-01-01}
}
State of Ransomware Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:d8faa3e,
author = {SecureWorks},
title = {{GOLD ULRICK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-ulrick},
language = {English},
urldate = {2020-05-23}
}
GOLD ULRICK Empire Downloader Ryuk TrickBot WIZARD SPIDER |
2019-12-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191226:ryuk:acc2284,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Stops Encrypting Linux Folders}},
date = {2019-12-26},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/},
language = {English},
urldate = {2020-01-08}
}
Ryuk Ransomware Stops Encrypting Linux Folders Ryuk |
2019-12-21 ⋅ Decrypt ⋅ Adriana Hamacher @online{hamacher:20191221:how:9d026a8,
author = {Adriana Hamacher},
title = {{How ransomware exploded in the age of Bitcoin}},
date = {2019-12-21},
organization = {Decrypt},
url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc},
language = {English},
urldate = {2020-01-13}
}
How ransomware exploded in the age of Bitcoin Ryuk |
2019-12-19 ⋅ Malwarebytes ⋅ Jovi Umawing @online{umawing:20191219:threat:552a941,
author = {Jovi Umawing},
title = {{Threat spotlight: the curious case of Ryuk ransomware}},
date = {2019-12-19},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/},
language = {English},
urldate = {2020-01-08}
}
Threat spotlight: the curious case of Ryuk ransomware Ryuk |
2019-12-15 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191215:ryuk:74f6eab,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}},
date = {2019-12-15},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/},
language = {English},
urldate = {2020-01-13}
}
Ryuk Ransomware Likely Behind New Orleans Cyberattack Ryuk |
2019-12-09 ⋅ Emsisoft ⋅ EmsiSoft Malware Lab @online{lab:20191209:caution:05ff83a,
author = {EmsiSoft Malware Lab},
title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}},
date = {2019-12-09},
organization = {Emsisoft},
url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/},
language = {English},
urldate = {2020-01-07}
}
Caution! Ryuk Ransomware decryptor damages larger files, even if you pay Ryuk |
2019-11-27 ⋅ Twitter (@Prosegur) ⋅ Prosegur @online{prosegur:20191127:incident:bd76c3f,
author = {Prosegur},
title = {{Tweet on Incident of Information Security}},
date = {2019-11-27},
organization = {Twitter (@Prosegur)},
url = {https://twitter.com/Prosegur/status/1199732264386596864},
language = {English},
urldate = {2020-01-09}
}
Tweet on Incident of Information Security Ryuk |
2019-11-06 ⋅ Heise Security ⋅ Thomas Hungenberg @online{hungenberg:20191106:emotet:1605954,
author = {Thomas Hungenberg},
title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}},
date = {2019-11-06},
organization = {Heise Security},
url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html},
language = {German},
urldate = {2020-01-06}
}
Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail Emotet Ryuk TrickBot |
2019-11-05 ⋅ Information Age ⋅ David Braue @online{braue:20191105:hospital:0e1375e,
author = {David Braue},
title = {{Hospital cyberattack could have been avoided}},
date = {2019-11-05},
organization = {Information Age},
url = {https://ia.acs.org.au/article/2019/hospital-cyberattack-could-have-been-avoided.html},
language = {English},
urldate = {2022-11-09}
}
Hospital cyberattack could have been avoided Ryuk |
2019-11-01 ⋅ CrowdStrike ⋅ Alexander Hanel, Brett Stone-Gross @online{hanel:20191101:wizard:a34a09e,
author = {Alexander Hanel and Brett Stone-Gross},
title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}},
date = {2019-11-01},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/},
language = {English},
urldate = {2019-12-20}
}
WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN Ryuk WIZARD SPIDER |
2019-11 ⋅ CCN-CERT ⋅ CCN-CERT @online{ccncert:201911:informe:69b39b5,
author = {CCN-CERT},
title = {{Informe Código Dañino CCN-CERT ID-26/19}},
date = {2019-11},
organization = {CCN-CERT},
url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html},
language = {Espanyol},
urldate = {2020-01-10}
}
Informe Código Dañino CCN-CERT ID-26/19 Ryuk |
2019-05-09 ⋅ GovCERT.ch ⋅ GovCERT.ch @online{govcertch:20190509:severe:2767782,
author = {GovCERT.ch},
title = {{Severe Ransomware Attacks Against Swiss SMEs}},
date = {2019-05-09},
organization = {GovCERT.ch},
url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes},
language = {English},
urldate = {2019-07-11}
}
Severe Ransomware Attacks Against Swiss SMEs Emotet LockerGoga Ryuk TrickBot |
2019-04-05 ⋅ FireEye ⋅ Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock @online{mckeague:20190405:picksix:d101a59,
author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock},
title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}},
date = {2019-04-05},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html},
language = {English},
urldate = {2019-12-20}
}
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware LockerGoga Ryuk FIN6 |
2019-04-02 ⋅ Cybereason ⋅ Noa Pinkas, Lior Rochberger, Matan Zatz @online{pinkas:20190402:triple:10a3e37,
author = {Noa Pinkas and Lior Rochberger and Matan Zatz},
title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}},
date = {2019-04-02},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware},
language = {English},
urldate = {2020-01-09}
}
Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk Ryuk TrickBot |
2019-03-26 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20190326:informations:7965c3d,
author = {ANSSI},
title = {{INFORMATIONS CONCERNANT LES RANÇONGICIELS LOCKERGOGA ET RYUK}},
date = {2019-03-26},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf},
language = {French},
urldate = {2020-01-10}
}
INFORMATIONS CONCERNANT LES RANÇONGICIELS LOCKERGOGA ET RYUK Ryuk |
2019-01-11 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer @online{goody:20190111:nasty:3c872d4,
author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer},
title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}},
date = {2019-01-11},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html},
language = {English},
urldate = {2019-12-20}
}
A Nasty Trick: From Credential Theft Malware to Business Disruption Ryuk TrickBot GRIM SPIDER WIZARD SPIDER |
2019-01-10 ⋅ CrowdStrike ⋅ Alexander Hanel @online{hanel:20190110:big:7e10bdf,
author = {Alexander Hanel},
title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}},
date = {2019-01-10},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/},
language = {English},
urldate = {2019-12-20}
}
Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER |
2019-01-09 ⋅ McAfee ⋅ John Fokker, Christiaan Beek @online{fokker:20190109:ryuk:350f477,
author = {John Fokker and Christiaan Beek},
title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}},
date = {2019-01-09},
organization = {McAfee},
url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/},
language = {English},
urldate = {2020-01-09}
}
Ryuk Ransomware Attack: Rush to Attribution Misses the Point Ryuk |
2019 ⋅ Virus Bulletin ⋅ Gabriela Nicolao, Luciano Martins @techreport{nicolao:2019:shinigamis:8397861,
author = {Gabriela Nicolao and Luciano Martins},
title = {{Shinigami's Revenge: The Long Tail of Ryuk Malware}},
date = {2019},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf},
language = {English},
urldate = {2020-01-05}
}
Shinigami's Revenge: The Long Tail of Ryuk Malware Ryuk |
2018-12-29 ⋅ Los Angeles Times ⋅ Tony Barboza, Meg James, Emily Alpert Reyes @online{barboza:20181229:malware:d5d8d0d,
author = {Tony Barboza and Meg James and Emily Alpert Reyes},
title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}},
date = {2018-12-29},
organization = {Los Angeles Times},
url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html},
language = {English},
urldate = {2020-01-10}
}
Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S. Ryuk |
2018-08-20 ⋅ Check Point ⋅ Itay Cohen, Ben Herzog @online{cohen:20180820:ryuk:5756495,
author = {Itay Cohen and Ben Herzog},
title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}},
date = {2018-08-20},
organization = {Check Point},
url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/},
language = {English},
urldate = {2019-12-10}
}
Ryuk Ransomware: A Targeted Campaign Break-Down Ryuk |