Pinchy Spider  (Back to overview)

First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates. CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.” PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.

---

Associated Families

---

References

2021-01-04 ⋅ KELA ⋅ Almog Zoosman, Victoria Kivilevich @online{zoosman:20210104:darknet:f6708c0, author = {Almog Zoosman and Victoria Kivilevich}, title = {{Darknet Threat Actors Are Not Playing Games with the Gaming Industry}}, date = {2021-01-04}, organization = {KELA}, url = {https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/}, language = {English}, urldate = {2021-01-10} } Darknet Threat Actors Are Not Playing Games with the Gaming Industry REvil

2020-12-16 ⋅ Accenture ⋅ Paul Mansfield @online{mansfield:20201216:tracking:25540bd, author = {Paul Mansfield}, title = {{Tracking and combatting an evolving danger: Ransomware extortion}}, date = {2020-12-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion}, language = {English}, urldate = {2020-12-17} } Tracking and combatting an evolving danger: Ransomware extortion DarkSide Egregor Maze Nefilim Ransomware RagnarLocker REvil Ryuk SunCrypt

2020-12-16 ⋅ Dragos ⋅ Selena Larson, Camille Singleton, IBM SECURITY X-FORCE @techreport{larson:20201216:assessing:9a5adb8, author = {Selena Larson and Camille Singleton and IBM SECURITY X-FORCE}, title = {{Assessing Ransomware and Extortion Activities Impacting Industrial Organizations: Ransomware in ICS Environments}}, date = {2020-12-16}, institution = {Dragos}, url = {https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf}, language = {English}, urldate = {2020-12-17} } Assessing Ransomware and Extortion Activities Impacting Industrial Organizations: Ransomware in ICS Environments REvil

2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC @online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim Ransomware REvil Ryuk Zeus

2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES) Cobalt Strike DoppelPaymer QakBot REvil

2020-12-03 ⋅ KELA ⋅ Victoria Kivilevich @online{kivilevich:20201203:easy:bae365d, author = {Victoria Kivilevich}, title = {{Easy Way In? 5 Ransomware Victims Had Their Pulse Secure VPN Credentials Leaked}}, date = {2020-12-03}, organization = {KELA}, url = {https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/}, language = {English}, urldate = {2021-01-01} } Easy Way In? 5 Ransomware Victims Had Their Pulse Secure VPN Credentials Leaked REvil

2020-12-01 ⋅ Trend Micro ⋅ Ryan Flores @online{flores:20201201:impact:415bf2e, author = {Ryan Flores}, title = {{The Impact of Modern Ransomware on Manufacturing Networks}}, date = {2020-12-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html}, language = {English}, urldate = {2020-12-08} } The Impact of Modern Ransomware on Manufacturing Networks Maze Petya REvil

2020-11-30 ⋅ Malwarebytes ⋅ hasherezade, Jérôme Segura @online{hasherezade:20201130:german:72b40c6, author = {hasherezade and Jérôme Segura}, title = {{German users targeted with Gootkit banker or REvil ransomware}}, date = {2020-11-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/}, language = {English}, urldate = {2020-12-03} } German users targeted with Gootkit banker or REvil ransomware GootKit REvil

2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } It's not FINished The Evolving Maturity in Ransomware Operations Cobalt Strike DoppelPaymer MimiKatz QakBot REvil

2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich @online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations Conti Ransomware DoppelPaymer Egregor LockBit Maze REvil Snake Ransomware

2020-11-18 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201118:revil:fda480b, author = {Lawrence Abrams}, title = {{REvil ransomware hits Managed.com hosting provider, 500K ransom}}, date = {2020-11-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/}, language = {English}, urldate = {2020-11-19} } REvil ransomware hits Managed.com hosting provider, 500K ransom REvil

2020-11-16 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware

2020-11-10 ⋅ AP News ⋅ Ashish Gahlot @online{gahlot:20201110:threat:e9c7a9c, author = {Ashish Gahlot}, title = {{Threat Hunting for REvil Ransomware}}, date = {2020-11-10}, organization = {AP News}, url = {https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/}, language = {English}, urldate = {2020-11-12} } Threat Hunting for REvil Ransomware REvil

2020-11-04 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20201104:revil:02ca78c, author = {Catalin Cimpanu}, title = {{REvil ransomware gang 'acquires' KPOT malware}}, date = {2020-11-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/}, language = {English}, urldate = {2020-11-06} } REvil ransomware gang 'acquires' KPOT malware KPOT Stealer REvil

2020-10-29 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20201029:revil:e6b68d1, author = {Ionut Ilascu}, title = {{REvil ransomware gang claims over $100 million profit in a year}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/}, language = {English}, urldate = {2020-11-02} } REvil ransomware gang claims over $100 million profit in a year REvil

2020-10-28 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201028:alleged:46a2bb1, author = {Intel 471}, title = {{Alleged REvil member spills details on group’s ransomware operations}}, date = {2020-10-28}, organization = {Intel 471}, url = {https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/}, language = {English}, urldate = {2020-11-02} } Alleged REvil member spills details on group’s ransomware operations REvil

2020-10-26 ⋅ Checkpoint ⋅ Itay Cohen, Eyal Itkin @online{cohen:20201026:exploit:9ec173c, author = {Itay Cohen and Eyal Itkin}, title = {{Exploit Developer Spotlight: The Story of PlayBit}}, date = {2020-10-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/}, language = {English}, urldate = {2020-10-27} } Exploit Developer Spotlight: The Story of PlayBit Dyre Maze PyLocky Ramnit REvil

2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab @online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks Avaddon Ransomware Clop Conti Ransomware DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim Ransomware RagnarLocker REvil Sekhmet Ransomware SunCrypt

2020-10-20 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ BSI @online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} } Die Lage der IT-Sicherheit in Deutschland 2020 Clop Emotet REvil Ryuk TrickBot

2020-10-06 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team @online{team:20201006:double:bb0f240, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 2}}, date = {2020-10-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/}, language = {English}, urldate = {2020-10-12} } Double Trouble: Ransomware with Data Leak Extortion, Part 2 Maze MedusaLocker REvil

2020-09-29 ⋅ Microsoft ⋅ Microsoft @techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot

2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team @online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1 DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker

2020-09-24 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT @techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020 Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake Ransomware

2020-08-21 ⋅ RiskIQ ⋅ Steve Ginty @online{ginty:20200821:pinchy:24fe21a, author = {Steve Ginty}, title = {{Pinchy Spider: Ransomware Infrastructure Connected to Dark Web Marketplace}}, date = {2020-08-21}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/3315064b}, language = {English}, urldate = {2020-09-01} } Pinchy Spider: Ransomware Infrastructure Connected to Dark Web Marketplace REvil

2020-08-21 ⋅ Vimeo (RiskIQ) ⋅ Josh Burgess, Steve Ginty @online{burgess:20200821:evolution:6d5c407, author = {Josh Burgess and Steve Ginty}, title = {{The Evolution of Ransomware & Pinchy Spider's Shot at the Title}}, date = {2020-08-21}, organization = {Vimeo (RiskIQ)}, url = {https://vimeo.com/449849549}, language = {English}, urldate = {2020-08-25} } The Evolution of Ransomware & Pinchy Spider's Shot at the Title Gandcrab REvil

2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider @online{cyberthreatinsider:20200820:global:34ee2ea, author = {cyberthreatinsider}, title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}}, date = {2020-08-20}, organization = {sensecy}, url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/}, language = {English}, urldate = {2020-11-04} } Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities Clop Maze REvil Ryuk

2020-08-20 ⋅ DomainTools ⋅ Chad Anderson @online{anderson:20200820:revealing:7a1da00, author = {Chad Anderson}, title = {{Revealing REvil Ransomware With DomainTools and Maltego}}, date = {2020-08-20}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego}, language = {English}, urldate = {2020-08-24} } Revealing REvil Ransomware With DomainTools and Maltego REvil

2020-08-03 ⋅ Bitdefender ⋅ Filip Truta @online{truta:20200803:belarus:42f9175, author = {Filip Truta}, title = {{Belarus Authorities Arrest GandCrab Ransomware Operator}}, date = {2020-08-03}, organization = {Bitdefender}, url = {https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html}, language = {English}, urldate = {2020-08-10} } Belarus Authorities Arrest GandCrab Ransomware Operator Gandcrab

2020-08 ⋅ Temple University ⋅ CARE @online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor

2020-07-31 ⋅ PRODAFT Threat Intelligence ⋅ Yusuf Arslan Polat @online{polat:20200731:opblueraven:9e58e0c, author = {Yusuf Arslan Polat}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion}}, date = {2020-07-31}, organization = {PRODAFT Threat Intelligence}, url = {https://threatintel.blog/OPBlueRaven-Part1/}, language = {English}, urldate = {2020-08-05} } OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion Carbanak REvil Anunak

2020-07-31 ⋅ BleepingComputer ⋅ Ionut Ilascu @online{ilascu:20200731:gandcrab:f2cd6ef, author = {Ionut Ilascu}, title = {{GandCrab ransomware operator arrested in Belarus}}, date = {2020-07-31}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/}, language = {English}, urldate = {2020-08-05} } GandCrab ransomware operator arrested in Belarus Gandcrab

2020-07-29 ⋅ AmosSys ⋅ Nicolas Guillois @online{guillois:20200729:sodinokibi:6d76347, author = {Nicolas Guillois}, title = {{Sodinokibi / REvil Malware Analysis}}, date = {2020-07-29}, organization = {AmosSys}, url = {https://blog.amossys.fr/sodinokibi-malware-analysis.html}, language = {English}, urldate = {2020-08-31} } Sodinokibi / REvil Malware Analysis REvil

2020-07-29 ⋅ ESET Research ⋅ welivesecurity @techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor

2020-07-22 ⋅ TEHTRIS ⋅ TEHTRIS @online{tehtris:20200722:peuton:472b0cd, author = {TEHTRIS}, title = {{Peut-on neutraliser un ransomware lancé en tant que SYSTEM sur des milliers de machines en même temps?}}, date = {2020-07-22}, organization = {TEHTRIS}, url = {https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/}, language = {French}, urldate = {2020-07-23} } Peut-on neutraliser un ransomware lancé en tant que SYSTEM sur des milliers de machines en même temps? REvil

2020-07-17 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus

2020-07-15 ⋅ Advanced Intelligence ⋅ Yelisey Boguslavskiy, Samantha van de Ven @online{boguslavskiy:20200715:inside:f9b95b1, author = {Yelisey Boguslavskiy and Samantha van de Ven}, title = {{Inside REvil Extortionist “Machine”: Predictive Insights}}, date = {2020-07-15}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights}, language = {English}, urldate = {2020-07-16} } Inside REvil Extortionist “Machine”: Predictive Insights Gandcrab REvil

2020-07-10 ⋅ Advanced Intelligence ⋅ Advanced Intelligence @online{intelligence:20200710:dark:a29ccb4, author = {Advanced Intelligence}, title = {{The Dark Web of Intrigue: How REvil Used the Underground Ecosystem to Form an Extortion Cartel}}, date = {2020-07-10}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel}, language = {English}, urldate = {2020-07-13} } The Dark Web of Intrigue: How REvil Used the Underground Ecosystem to Form an Extortion Cartel Gandcrab REvil

2020-06-30 ⋅ AppGate ⋅ The Immunity Team @online{team:20200630:electric:823676a, author = {The Immunity Team}, title = {{Electric Company Ransomware Attack Calls for $14 Million in Ransom}}, date = {2020-06-30}, organization = {AppGate}, url = {https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom}, language = {English}, urldate = {2020-07-21} } Electric Company Ransomware Attack Calls for $14 Million in Ransom REvil

2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20200623:sodinokibi:7eff193, author = {Critical Attack Discovery and Intelligence Team}, title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}}, date = {2020-06-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos}, language = {English}, urldate = {2020-06-23} } Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike Cobalt Strike REvil

2020-06-22 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505 Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot

2020-06-02 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200602:revil:883c59f, author = {Catalin Cimpanu}, title = {{REvil ransomware gang launches auction site to sell stolen data}}, date = {2020-06-02}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/}, language = {English}, urldate = {2020-06-03} } REvil ransomware gang launches auction site to sell stolen data REvil

2020-06 ⋅ Arete ⋅ Arete Incident Response @techreport{response:202006:sodinokibi:06e3a79, author = {Arete Incident Response}, title = {{Sodinokibi / REvil Ransomware attacks against the Education Sector}}, date = {2020-06}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf}, language = {English}, urldate = {2020-07-30} } Sodinokibi / REvil Ransomware attacks against the Education Sector REvil

2020-05-21 ⋅ Intel 471 ⋅ Intel 471 @online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505 AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot

2020-05-07 ⋅ REDTEAM.PL ⋅ Adam Ziaja @online{ziaja:20200507:sodinokibi:f5c5cd1, author = {Adam Ziaja}, title = {{Sodinokibi / REvil ransomware}}, date = {2020-05-07}, organization = {REDTEAM.PL}, url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html}, language = {English}, urldate = {2020-05-13} } Sodinokibi / REvil ransomware Maze MimiKatz REvil

2020-04-28 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team @online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood

2020-04-11 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200411:sodinokibi:82f9f79, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware to stop taking Bitcoin to hide money trail}}, date = {2020-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/}, language = {English}, urldate = {2020-04-26} } Sodinokibi Ransomware to stop taking Bitcoin to hide money trail REvil

2020-04-09 ⋅ Graham Cluley Blog ⋅ Graham Cluley @online{cluley:20200409:travelex:bb5a2d7, author = {Graham Cluley}, title = {{Travelex paid hackers $2.3 million worth of Bitcoin after ransomware attack}}, date = {2020-04-09}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/travelex-paid-ransom/}, language = {English}, urldate = {2020-04-26} } Travelex paid hackers $2.3 million worth of Bitcoin after ransomware attack REvil

2020-03-31 ⋅ Intel 471 ⋅ Intel 471 @online{471:20200331:revil:0e5226a, author = {Intel 471}, title = {{REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation}}, date = {2020-03-31}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/}, language = {English}, urldate = {2020-04-01} } REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation Gandcrab REvil

2020-03-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil

2020-03-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200307:ransomware:f839049, author = {Lawrence Abrams}, title = {{Ransomware Threatens to Reveal Company's 'Dirty' Secrets}}, date = {2020-03-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/}, language = {English}, urldate = {2020-03-11} } Ransomware Threatens to Reveal Company's 'Dirty' Secrets REvil

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team @online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER

2020-03-03 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2020-02-29 ⋅ Security Affairs ⋅ Pierluigi Paganini @online{paganini:20200229:sodinokibi:799a623, author = {Pierluigi Paganini}, title = {{Sodinokibi Ransomware gang threatens to disclose data from Kenneth Cole fashion firm}}, date = {2020-02-29}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html}, language = {English}, urldate = {2020-03-11} } Sodinokibi Ransomware gang threatens to disclose data from Kenneth Cole fashion firm REvil

2020-02-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200226:sodinokibi:7d730ac, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices}}, date = {2020-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/}, language = {English}, urldate = {2020-03-02} } Sodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices REvil

2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua @online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus

2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz @techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor

2020-02-02 ⋅ Nullteilerfrei Blog ⋅ Lars Wallenborn @online{wallenborn:20200202:defeating:95aa07e, author = {Lars Wallenborn}, title = {{Defeating Sodinokibi/REvil String-Obfuscation in Ghidra}}, date = {2020-02-02}, organization = {Nullteilerfrei Blog}, url = {https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/}, language = {English}, urldate = {2020-02-09} } Defeating Sodinokibi/REvil String-Obfuscation in Ghidra REvil

2020-01-30 ⋅ Under The Breach ⋅ Under The Breach @online{breach:20200130:tracking:bfa4550, author = {Under The Breach}, title = {{Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods}}, date = {2020-01-30}, organization = {Under The Breach}, url = {https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80}, language = {English}, urldate = {2020-01-31} } Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods REvil

2020-01-30 ⋅ Digital Shadows ⋅ Photon Research Team @online{team:20200130:competitions:90773f4, author = {Photon Research Team}, title = {{Competitions on Russian-language cybercriminal forums: Sharing expertise or threat actor showboating?}}, date = {2020-01-30}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/}, language = {English}, urldate = {2020-02-03} } Competitions on Russian-language cybercriminal forums: Sharing expertise or threat actor showboating? REvil

2020-01-29 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam

2020-01-28 ⋅ KPN ⋅ KPN @online{kpn:20200128:tracking:6c628f3, author = {KPN}, title = {{Tracking REvil}}, date = {2020-01-28}, organization = {KPN}, url = {https://www.kpn.com/security-blogs/Tracking-REvil.htm}, language = {English}, urldate = {2020-01-28} } Tracking REvil REvil

2020-01-26 ⋅ Youtube (OALabs) ⋅ Sergei Frankoff, Sean Wilson @online{frankoff:20200126:ida:a8194b4, author = {Sergei Frankoff and Sean Wilson}, title = {{IDA Pro Automated String Decryption For REvil Ransomware}}, date = {2020-01-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=l2P5CMH9TE0}, language = {English}, urldate = {2020-01-27} } IDA Pro Automated String Decryption For REvil Ransomware REvil

2020-01-23 ⋅ Bleeping Computer ⋅ Sergiu Gatlan @online{gatlan:20200123:sodinokibi:86b1d46, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Threatens to Publish Data of Automotive Group}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/}, language = {English}, urldate = {2020-01-23} } Sodinokibi Ransomware Threatens to Publish Data of Automotive Group REvil

2020-01-20 ⋅ Virus Bulletin ⋅ AhnLab Security Analysis Team @online{team:20200120:behind:edefc01, author = {AhnLab Security Analysis Team}, title = {{Behind the scenes of GandCrab’s operation}}, date = {2020-01-20}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/}, language = {English}, urldate = {2020-01-20} } Behind the scenes of GandCrab’s operation Gandcrab

2020-01-18 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200118:new:4ad3c25, author = {Lawrence Abrams}, title = {{New Jersey Synagogue Suffers Sodinokibi Ransomware Attack}}, date = {2020-01-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/}, language = {English}, urldate = {2020-01-22} } New Jersey Synagogue Suffers Sodinokibi Ransomware Attack REvil

2020-01-17 ⋅ Secureworks ⋅ Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru @techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack? Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware

2020-01-11 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200111:sodinokibi:8fe0ebe, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Publishes Stolen Data for the First Time}}, date = {2020-01-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/}, language = {English}, urldate = {2020-01-20} } Sodinokibi Ransomware Publishes Stolen Data for the First Time REvil

2020-01-10 ⋅ BleepingComputer ⋅ Sergiu Gatlan @online{gatlan:20200110:sodinokibi:73cbf66, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Hits New York Airport Systems}}, date = {2020-01-10}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/}, language = {English}, urldate = {2020-01-20} } Sodinokibi Ransomware Hits New York Airport Systems REvil

2020-01-10 ⋅ CSIS ⋅ CSIS @techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019 Gustuff magecart Emotet Gandcrab Ramnit TrickBot

2020-01-09 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200109:sodinokibi:c0204cc, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another}}, date = {2020-01-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/}, language = {English}, urldate = {2020-01-13} } Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another REvil

2020-01-06 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20200106:sodinokibi:1feb8a3, author = {Ionut Ilascu}, title = {{Sodinokibi Ransomware Hits Travelex, Demands $3 Million}}, date = {2020-01-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/}, language = {English}, urldate = {2020-01-13} } Sodinokibi Ransomware Hits Travelex, Demands $3 Million REvil

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:bc28839, author = {SecureWorks}, title = {{GOLD SOUTHFIELD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-southfield}, language = {English}, urldate = {2020-05-23} } GOLD SOUTHFIELD REvil

2020 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:2020:state:e5941af, author = {Blackberry Research}, title = {{State of Ransomware}}, date = {2020}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf}, language = {English}, urldate = {2021-01-01} } State of Ransomware Maze MedusaLocker Nefilim Ransomware Phobos Ransomware REvil Ryuk STOP Ransomware Zeppelin Ransomware

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:c7d5baf, author = {SecureWorks}, title = {{GOLD GARDEN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-garden}, language = {English}, urldate = {2020-05-23} } GOLD GARDEN Gandcrab

2019-12-18 ⋅ Hatching.io ⋅ Pete Cowman @online{cowman:20191218:understanding:d629d14, author = {Pete Cowman}, title = {{Understanding Ransomware Series: Detecting Sodin}}, date = {2019-12-18}, organization = {Hatching.io}, url = {https://hatching.io/blog/ransomware-part2}, language = {English}, urldate = {2020-01-08} } Understanding Ransomware Series: Detecting Sodin REvil

2019-12-12 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191212:another:77246f4, author = {Lawrence Abrams}, title = {{Another Ransomware Will Now Publish Victims' Data If Not Paid}}, date = {2019-12-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/}, language = {English}, urldate = {2020-01-05} } Another Ransomware Will Now Publish Victims' Data If Not Paid REvil

2019-12-04 ⋅ Elastic ⋅ David French @online{french:20191204:ransomware:92a6fae, author = {David French}, title = {{Ransomware, interrupted: Sodinokibi and the supply chain}}, date = {2019-12-04}, organization = {Elastic}, url = {https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain}, language = {English}, urldate = {2020-06-30} } Ransomware, interrupted: Sodinokibi and the supply chain REvil

2019-11-09 ⋅ Lars Wallenborn @online{wallenborn:20191109:apihashing:ec59534, author = {Lars Wallenborn}, title = {{API-Hashing in the Sodinokibi/Revil Ransomware - Why and How?}}, date = {2019-11-09}, url = {https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/}, language = {English}, urldate = {2019-12-18} } API-Hashing in the Sodinokibi/Revil Ransomware - Why and How? REvil

2019-11 ⋅ Virus Bulletin ⋅ Alexandre Mundo Alguacil, John Fokker @online{alguacil:201911:vb2019:a565e76, author = {Alexandre Mundo Alguacil and John Fokker}, title = {{VB2019 paper: Different ways to cook a crab: GandCrab ransomware-as-a-service (RaaS) analysed in depth}}, date = {2019-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/}, language = {English}, urldate = {2020-01-08} } VB2019 paper: Different ways to cook a crab: GandCrab ransomware-as-a-service (RaaS) analysed in depth Gandcrab

2019-10-20 ⋅ McAfee ⋅ Jessica Saavedra-Morales, Ryan Sherstobitoff, Christiaan Beek @online{saavedramorales:20191020:mcafee:237cd1b, author = {Jessica Saavedra-Morales and Ryan Sherstobitoff and Christiaan Beek}, title = {{McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo}}, date = {2019-10-20}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/}, language = {English}, urldate = {2020-01-09} } McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo REvil

2019-10-02 ⋅ McAfee ⋅ McAfee Labs @online{labs:20191002:mcafee:1a04182, author = {McAfee Labs}, title = {{McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us}}, date = {2019-10-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/}, language = {English}, urldate = {2019-12-22} } McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us Gandcrab REvil

2019-09-24 ⋅ Secureworks ⋅ CTU Research Team @online{team:20190924:revil:3f165f3, author = {CTU Research Team}, title = {{REvil: The GandCrab Connection}}, date = {2019-09-24}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/revil-the-gandcrab-connection}, language = {English}, urldate = {2020-01-08} } REvil: The GandCrab Connection REvil

2019-09-24 ⋅ Secureworks ⋅ CTU Research Team @online{team:20190924:revilsodinokibi:646c88c, author = {CTU Research Team}, title = {{REvil/Sodinokibi Ransomware}}, date = {2019-09-24}, organization = {Secureworks}, url = {https://www.secureworks.com/research/revil-sodinokibi-ransomware}, language = {English}, urldate = {2020-01-08} } REvil/Sodinokibi Ransomware REvil

2019-08-30 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20190830:look:9a976c7, author = {Ionut Ilascu}, title = {{A Look Inside the Highly Profitable Sodinokibi Ransomware Business}}, date = {2019-08-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/}, language = {English}, urldate = {2019-12-20} } A Look Inside the Highly Profitable Sodinokibi Ransomware Business REvil

2019-08-23 ⋅ The New York Times ⋅ Manny Fernandez, David E. Sanger, Marina Trahan Martinez @online{fernandez:20190823:ransomware:dffa5db, author = {Manny Fernandez and David E. Sanger and Marina Trahan Martinez}, title = {{Ransomware Attacks Are Testing Resolve of Cities Across America}}, date = {2019-08-23}, organization = {The New York Times}, url = {https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html}, language = {English}, urldate = {2020-01-13} } Ransomware Attacks Are Testing Resolve of Cities Across America REvil

2019-08-10 ⋅ Dissecting Malware ⋅ Marius Genheimer @online{genheimer:20190810:germanwipers:96d9745, author = {Marius Genheimer}, title = {{GermanWiper's big Brother? GandGrab's kid ? Sodinokibi!}}, date = {2019-08-10}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html}, language = {English}, urldate = {2020-03-27} } GermanWiper's big Brother? GandGrab's kid ? Sodinokibi! REvil

2019-07-15 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20190715:is:4e715d7, author = {Brian Krebs}, title = {{Is ‘REvil’ the New GandCrab Ransomware?}}, date = {2019-07-15}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/}, language = {English}, urldate = {2020-01-06} } Is ‘REvil’ the New GandCrab Ransomware? REvil

2019-07-08 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20190708:whos:54977ab, author = {Brian Krebs}, title = {{Who’s Behind the GandCrab Ransomware?}}, date = {2019-07-08}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/}, language = {English}, urldate = {2020-01-07} } Who’s Behind the GandCrab Ransomware? Gandcrab

2019-07-03 ⋅ Kaspersky Labs ⋅ Orkhan Mamedov, Artur Pakulov, Fedor Sinitsyn @online{mamedov:20190703:sodin:74c101f, author = {Orkhan Mamedov and Artur Pakulov and Fedor Sinitsyn}, title = {{Sodin ransomware exploits Windows vulnerability and processor architecture}}, date = {2019-07-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/sodin-ransomware/91473/}, language = {English}, urldate = {2019-12-20} } Sodin ransomware exploits Windows vulnerability and processor architecture REvil

2019-06-24 ⋅ Fortinet ⋅ Joie Salvio @online{salvio:20190624:gandcrab:6120cb2, author = {Joie Salvio}, title = {{GandCrab Threat Actors Retire...Maybe}}, date = {2019-06-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html}, language = {English}, urldate = {2020-01-08} } GandCrab Threat Actors Retire...Maybe Gandcrab

2019-06-24 ⋅ VirIT ⋅ Gianfranco Tonello, Michele Zuin, Federico Girotto @online{tonello:20190624:ransomware:d1922b8, author = {Gianfranco Tonello and Michele Zuin and Federico Girotto}, title = {{Ransomware REvil - Sodinokibi: Technical analysis and Threat Intelligence Report}}, date = {2019-06-24}, organization = {VirIT}, url = {https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004}, language = {English}, urldate = {2020-01-08} } Ransomware REvil - Sodinokibi: Technical analysis and Threat Intelligence Report REvil

2019-06-17 ⋅ Bitdefender ⋅ Bogdan Botezatu @online{botezatu:20190617:good:c24ed06, author = {Bogdan Botezatu}, title = {{Good riddance, GandCrab! We’re still fixing the mess you left behind}}, date = {2019-06-17}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind}, language = {English}, urldate = {2020-01-10} } Good riddance, GandCrab! We’re still fixing the mess you left behind Gandcrab

2019-06-14 ⋅ Certego ⋅ Matteo Lodi @online{lodi:20190614:malware:c93f3de, author = {Matteo Lodi}, title = {{Malware Tales: Sodinokibi}}, date = {2019-06-14}, organization = {Certego}, url = {https://www.certego.net/en/news/malware-tales-sodinokibi/}, language = {English}, urldate = {2019-12-17} } Malware Tales: Sodinokibi REvil

2019-06-03 ⋅ SC Magazine ⋅ Doug Olenick @online{olenick:20190603:gandcrab:9ed3174, author = {Doug Olenick}, title = {{GandCrab ransomware operators put in retirement papers}}, date = {2019-06-03}, organization = {SC Magazine}, url = {https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/}, language = {English}, urldate = {2020-01-08} } GandCrab ransomware operators put in retirement papers Gandcrab

2019-06-01 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20190601:gandcrab:cb581e3, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Shutting Down After Claiming to Earn $2 Billion}}, date = {2019-06-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/}, language = {English}, urldate = {2019-12-20} } GandCrab Ransomware Shutting Down After Claiming to Earn $2 Billion Gandcrab

2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc. @techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam

2019-04-30 ⋅ Cisco Talos ⋅ Pierre Cadieux, Colin Grady, Jaeson Schultz, Matt Valites @online{cadieux:20190430:sodinokibi:d04e315, author = {Pierre Cadieux and Colin Grady and Jaeson Schultz and Matt Valites}, title = {{Sodinokibi ransomware exploits WebLogic Server vulnerability}}, date = {2019-04-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html}, language = {English}, urldate = {2019-12-17} } Sodinokibi ransomware exploits WebLogic Server vulnerability REvil

2019-03-13 ⋅ MyOnlineSecurity ⋅ MyOnlineSecurity @online{myonlinesecurity:20190313:fake:b89ed04, author = {MyOnlineSecurity}, title = {{Fake CDC Flu Pandemic Warning delivers Gandcrab 5.2 ransomware}}, date = {2019-03-13}, organization = {MyOnlineSecurity}, url = {https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/}, language = {English}, urldate = {2020-11-26} } Fake CDC Flu Pandemic Warning delivers Gandcrab 5.2 ransomware Cold$eal Gandcrab

2019-03-06 ⋅ CrowdStrike ⋅ Brendon Feeley, Bex Hartley, Sergei Frankoff @online{feeley:20190306:pinchy:f5060bd, author = {Brendon Feeley and Bex Hartley and Sergei Frankoff}, title = {{PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware}}, date = {2019-03-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/}, language = {English}, urldate = {2019-12-20} } PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware Gandcrab Phorpiex Pinchy Spider Zombie Spider

2019-02-19 ⋅ Bitdefender ⋅ Bogdan Botezatu @online{botezatu:20190219:new:21079a9, author = {Bogdan Botezatu}, title = {{New GandCrab v5.1 Decryptor Available Now}}, date = {2019-02-19}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/}, language = {English}, urldate = {2019-10-15} } New GandCrab v5.1 Decryptor Available Now Gandcrab

2019-01-07 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20190107:gandcrab:8167b7f, author = {Ionut Ilascu}, title = {{GandCrab Operators Use Vidar Infostealer as a Forerunner}}, date = {2019-01-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/}, language = {English}, urldate = {2019-12-20} } GandCrab Operators Use Vidar Infostealer as a Forerunner Gandcrab vidar

2019 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:2019:2019:4e50c97, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-15} } 2019 CrowdStrike Global Threat Report Boss Spider Flash Kitten Guru Spider Leviathan Lunar Spider Nomad Panda Pinchy Spider Ratpak Spider Salty Spider Skeleton Spider Tiny Spider

2019 ⋅ CrowdStrike ⋅ CrowdStrike @online{crowdstrike:2019:2019:2c268c8, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/}, language = {English}, urldate = {2020-07-16} } 2019 CrowdStrike Global Threat Report Boss Spider Flash Kitten Guru Spider Leviathan Lunar Spider Nomad Panda Pinchy Spider Ratpak Spider Salty Spider Skeleton Spider Tiny Spider

2018-11-08 ⋅ TC Contre ⋅ tcontre @online{tcontre:20181108:re:c143721, author = {tcontre}, title = {{R.E.: Gandcrab Downloader.. 'There's More To This Than Meets The Eye'}}, date = {2018-11-08}, organization = {TC Contre}, url = {https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html}, language = {English}, urldate = {2020-01-09} } R.E.: Gandcrab Downloader.. 'There's More To This Than Meets The Eye' Gandcrab

2018-10-25 ⋅ Bitdefender ⋅ Bogdan Botezatu @online{botezatu:20181025:gandcrab:4e85fe9, author = {Bogdan Botezatu}, title = {{GandCrab Ransomware decryption tool}}, date = {2018-10-25}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/}, language = {English}, urldate = {2020-01-10} } GandCrab Ransomware decryption tool Gandcrab

2018-10-25 ⋅ Europol ⋅ Europol @online{europol:20181025:pay:d82bbfc, author = {Europol}, title = {{Pay No More: universal GandCrab decryption tool released for free on No More Ransom}}, date = {2018-10-25}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom}, language = {English}, urldate = {2019-11-26} } Pay No More: universal GandCrab decryption tool released for free on No More Ransom Gandcrab

2018-07-19 ⋅ Sensors Tech Forum ⋅ Ventsislav Krastev @online{krastev:20180719:killswitch:487a882, author = {Ventsislav Krastev}, title = {{Killswitch File Now Available for GandCrab v4.1.2 Ransomware}}, date = {2018-07-19}, organization = {Sensors Tech Forum}, url = {https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/}, language = {English}, urldate = {2020-01-07} } Killswitch File Now Available for GandCrab v4.1.2 Ransomware Gandcrab

2018-07-18 ⋅ ASEC ⋅ AhnLab ASEC Analysis Team @online{team:20180718:gandcrab:dc09385, author = {AhnLab ASEC Analysis Team}, title = {{GandCrab v4.1.2 Encryption Blocking Method (Kill Switch)}}, date = {2018-07-18}, organization = {ASEC}, url = {http://asec.ahnlab.com/1145}, language = {Korean}, urldate = {2020-01-08} } GandCrab v4.1.2 Encryption Blocking Method (Kill Switch) Gandcrab

2018-05-09 ⋅ Cisco Talos ⋅ Nick Biasini, Nick Lister, Christopher Marczewski @online{biasini:20180509:gandcrab:50296a6, author = {Nick Biasini and Nick Lister and Christopher Marczewski}, title = {{Gandcrab Ransomware Walks its Way onto Compromised Sites}}, date = {2018-05-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html}, language = {English}, urldate = {2019-10-21} } Gandcrab Ransomware Walks its Way onto Compromised Sites Gandcrab

2018-03-07 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20180307:ransomware:504a693, author = {Brad Duncan}, title = {{Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there}}, date = {2018-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/23417}, language = {English}, urldate = {2020-01-06} } Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there Gandcrab GlobeImposter

2018-02-08 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20180208:gandcrab:40fb494, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts}}, date = {2018-02-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/}, language = {English}, urldate = {2019-12-20} } GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts Gandcrab

2018-01-30 ⋅ Malwarebytes ⋅ Malwarebytes Labs @online{labs:20180130:gandcrab:86c30cb, author = {Malwarebytes Labs}, title = {{GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)}}, date = {2018-01-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/}, language = {English}, urldate = {2019-12-20} } GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Gandcrab

2018-01-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20180129:gandcrab:9e003f9, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension}}, date = {2018-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/}, language = {English}, urldate = {2019-12-20} } GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension Gandcrab

---

Credits: MISP Project