Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt für Steuern (Germany's Federal Central Tax Office), using lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed tool generally used for penetration testing that provides the kind of backdoor framework also found in Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing social engineering techniques similar to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia delle Entrate, the Italian Revenue Agency. Proofpoint has also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).
2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein
@online{olshtein:20230130:following:e442fcc,
author = {Arie Olshtein},
title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}},
date = {2023-01-30},
organization = {Checkpoint},
url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/},
language = {English},
urldate = {2023-01-31}
}
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Tags: Agent Tesla, Azorult, Buer, Cerber, Cobalt Strike, Emotet, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Maze, NetWire RC, Remcos, REvil, TrickBot
2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}},
date = {2022-05-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself},
language = {English},
urldate = {2022-05-17}
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Tags: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT
2022-05-05 ⋅ Intel 471 ⋅ Intel 471
@online{471:20220505:cybercrime:f091e4f,
author = {Intel 471},
title = {{Cybercrime loves company: Conti cooperated with other ransomware gangs}},
date = {2022-05-05},
organization = {Intel 471},
url = {https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker},
language = {English},
urldate = {2022-05-05}
}
Cybercrime loves company: Conti cooperated with other ransomware gangs
Tags: LockBit, Maze, RagnarLocker, Ryuk
2022-03-31 ⋅ Trellix ⋅ John Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974,
author = {John Fokker and Jambul Tologonov},
title = {{Conti Leaks: Examining the Panama Papers of Ransomware}},
date = {2022-03-31},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html},
language = {English},
urldate = {2022-04-07}
}
Conti Leaks: Examining the Panama Papers of Ransomware
Tags: LockBit, Amadey, Buer, Conti, IcedID, LockBit, Mailto, Maze, PhotoLoader, Ryuk, TrickBot
2022-03-23 ⋅ Splunk ⋅ Shannon Davis
@online{davis:20220323:gone:56f570f,
author = {Shannon Davis},
title = {{Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed}},
date = {2022-03-23},
organization = {Splunk},
url = {https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html},
language = {English},
urldate = {2022-03-25}
}
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Tags: Avaddon, Babuk, BlackMatter, Conti, DarkSide, LockBit, Maze, Mespinoza, REvil, Ryuk
2022-03-17 ⋅ Sophos ⋅ Tilly Travers
@online{travers:20220317:ransomware:df38f2f,
author = {Tilly Travers},
title = {{The Ransomware Threat Intelligence Center}},
date = {2022-03-17},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/},
language = {English},
urldate = {2022-03-18}
}
The Ransomware Threat Intelligence Center
Tags: ATOMSILO, Avaddon, AvosLocker, BlackKingdom Ransomware, BlackMatter, Conti, Cring, DarkSide, dearcry, Dharma, Egregor, Entropy, Epsilon Red, Gandcrab, Karma, LockBit, LockFile, Mailto, Maze, Nefilim, RagnarLocker, Ragnarok, REvil, RobinHood, Ryuk, SamSam, Snatch, WannaCryptor, WastedLocker
2022-02-23 ⋅ Splunk ⋅ Shannon Davis, SURGe
@techreport{davis:20220223:empirically:fe03729,
author = {Shannon Davis and SURGe},
title = {{An Empirically Comparative Analysis of Ransomware Binaries}},
date = {2022-02-23},
institution = {Splunk},
url = {https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf},
language = {English},
urldate = {2022-03-25}
}
An Empirically Comparative Analysis of Ransomware Binaries
Tags: Avaddon, Babuk, BlackMatter, Conti, DarkSide, LockBit, Maze, Mespinoza, REvil, Ryuk
2022-02-09 ⋅ Security Affairs ⋅ Pierluigi Paganini
@online{paganini:20220209:master:b0b64b8,
author = {Pierluigi Paganini},
title = {{Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online}},
date = {2022-02-09},
organization = {Security Affairs},
url = {https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html},
language = {English},
urldate = {2022-02-10}
}
Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online
Tags: Egregor, m0yv, Maze, Sekhmet
2022-02-09 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20220209:ransomware:e36973b,
author = {Lawrence Abrams},
title = {{Ransomware dev releases Egregor, Maze master decryption keys}},
date = {2022-02-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/},
language = {English},
urldate = {2022-02-10}
}
Ransomware dev releases Egregor, Maze master decryption keys
Tags: Egregor, Maze, Sekhmet
2021-11-03 ⋅ CERT-FR ⋅ ANSSI
@online{anssi:20211103:identification:3143cbb,
author = {ANSSI},
title = {{Identification of a new cybercriminal group: Lockean}},
date = {2021-11-03},
organization = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/},
language = {English},
urldate = {2021-11-03}
}
Identification of a new cybercriminal group: Lockean
Tags: DoppelPaymer, Egregor, Maze, PwndLocker, REvil
2021-10-26 ⋅ ANSSI
@techreport{anssi:20211026:identification:9444ac3,
author = {ANSSI},
title = {{Identification of a new cyber criminal group: Lockean}},
date = {2021-10-26},
institution = {},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf},
language = {English},
urldate = {2022-01-25}
}
Identification of a new cyber criminal group: Lockean
Tags: Cobalt Strike, DoppelPaymer, Egregor, Maze, PwndLocker, QakBot, REvil
2021-09-06 ⋅ cocomelonc ⋅ cocomelonc
@online{cocomelonc:20210906:av:215e5aa,
author = {cocomelonc},
title = {{AV engines evasion for C++ simple malware: part 2}},
date = {2021-09-06},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html},
language = {English},
urldate = {2023-07-24}
}
AV engines evasion for C++ simple malware: part 2
Tags: Agent Tesla, Amadey, Anchor, AnchorMTea, Carbanak, Carberp, Cardinal RAT, Felixroot, Konni, Loki Password Stealer (PWS), Maze
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
@techreport{team:20210815:ransomware:f799696,
author = {Threat Hunter Team},
title = {{The Ransomware Threat}},
date = {2021-08-15},
institution = {Symantec},
url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
language = {English},
urldate = {2021-12-15}
}
The Ransomware Threat
Tags: Babuk, BlackMatter, DarkSide, Avaddon, Babuk, BADHATCH, BazarBackdoor, BlackMatter, Clop, Cobalt Strike, Conti, DarkSide, DoppelPaymer, Egregor, Emotet, FiveHands, FriedEx, Hades, IcedID, LockBit, Maze, MegaCortex, MimiKatz, QakBot, RagnarLocker, REvil, Ryuk, TrickBot, WastedLocker
2021-08-10 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
@online{gatlan:20210810:crytek:59f98bc,
author = {Sergiu Gatlan},
title = {{Crytek confirms Egregor ransomware attack, customer data theft}},
date = {2021-08-10},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/},
language = {English},
urldate = {2021-08-11}
}
Crytek confirms Egregor ransomware attack, customer data theft
Tags: Egregor, Maze
2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs
@online{krebs:20210805:ransomware:0962b82,
author = {Brian Krebs},
title = {{Ransomware Gangs and the Name Game Distraction}},
date = {2021-08-05},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/},
language = {English},
urldate = {2021-12-13}
}
Ransomware Gangs and the Name Game Distraction
Tags: DarkSide, RansomEXX, Babuk, Cerber, Conti, DarkSide, DoppelPaymer, Egregor, FriedEx, Gandcrab, Hermes, Maze, RansomEXX, REvil, Ryuk, Sekhmet
2021-07-09 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210709:ransomwhere:bd77fbe,
author = {Catalin Cimpanu},
title = {{Ransomwhere project wants to create a database of past ransomware payments}},
date = {2021-07-09},
organization = {The Record},
url = {https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/},
language = {English},
urldate = {2021-07-20}
}
Ransomwhere project wants to create a database of past ransomware payments
Tags: Egregor, Mailto, Maze, REvil
2021-07-01 ⋅ DomainTools ⋅ Chad Anderson
@online{anderson:20210701:most:39f64b8,
author = {Chad Anderson},
title = {{The Most Prolific Ransomware Families: A Defenders Guide}},
date = {2021-07-01},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide},
language = {English},
urldate = {2021-07-11}
}
The Most Prolific Ransomware Families: A Defenders Guide
Tags: REvil, Conti, Egregor, Maze, REvil
2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0,
author = {Selena Larson and Daniel Blackford and Garrett M. Graff},
title = {{The First Step: Initial Access Leads to Ransomware}},
date = {2021-06-16},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware},
language = {English},
urldate = {2021-06-21}
}
The First Step: Initial Access Leads to Ransomware
Tags: BazarBackdoor, Egregor, IcedID, Maze, QakBot, REvil, Ryuk, TrickBot, WastedLocker
2021-05-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu
@online{ilascu:20210518:darkside:d8e345b,
author = {Ionut Ilascu},
title = {{DarkSide ransomware made $90 million in just nine months}},
date = {2021-05-18},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/},
language = {English},
urldate = {2021-06-07}
}
DarkSide ransomware made $90 million in just nine months
Tags: DarkSide, DarkSide, Egregor, Gandcrab, Mailto, Maze, REvil, Ryuk
2021-05-18 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210518:darkside:14b6690,
author = {Catalin Cimpanu},
title = {{Darkside gang estimated to have made over $90 million from ransomware attacks}},
date = {2021-05-18},
organization = {The Record},
url = {https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/},
language = {English},
urldate = {2021-05-19}
}
Darkside gang estimated to have made over $90 million from ransomware attacks
Tags: DarkSide, DarkSide, Mailto, Maze, REvil, Ryuk
2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f,
author = {DarkTracer},
title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}},
date = {2021-05-10},
organization = {DarkTracer},
url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3},
language = {English},
urldate = {2021-05-13}
}
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
Tags: RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, RansomEXX, REvil, Sekhmet, SunCrypt, ThunderX
2021-05-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20210507:data:c674b2b,
author = {Lawrence Abrams},
title = {{Data leak marketplaces aim to take over the extortion economy}},
date = {2021-05-07},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/},
language = {English},
urldate = {2021-05-08}
}
Data leak marketplaces aim to take over the extortion economy
Tags: Babuk, Maze
2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker
@online{denker:20210506:ransomware:a1f31df,
author = {Brandon Denker},
title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}},
date = {2021-05-06},
organization = {Cyborg Security},
url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/},
language = {English},
urldate = {2021-05-08}
}
Ransomware: Hunting for Inhibiting System Backup or Recovery
Tags: Avaddon, Conti, DarkSide, LockBit, Mailto, Maze, Mespinoza, Nemty, PwndLocker, RagnarLocker, RansomEXX, REvil, Ryuk, Snatch, ThunderX
2021-04-27 ⋅ CrowdStrike ⋅ Josh Dalman, Kamil Janton, Eben Kaplan
@online{dalman:20210427:ransomware:8242ac5,
author = {Josh Dalman and Kamil Janton and Eben Kaplan},
title = {{Ransomware Preparedness: A Call to Action}},
date = {2021-04-27},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/},
language = {English},
urldate = {2021-05-31}
}
Ransomware Preparedness: A Call to Action
Tags: Dharma, GlobeImposter, Maze, Phobos, CIRCUS SPIDER, TRAVELING SPIDER
2021-04-07 ⋅ ANALYST1 ⋅ Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac,
author = {Jon DiMaggio},
title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}},
date = {2021-04-07},
institution = {ANALYST1},
url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf},
language = {English},
urldate = {2021-04-09}
}
Ransom Mafia Analysis of the World's First Ransomware Cartel
Tags: Conti, Egregor, LockBit, Maze, RagnarLocker, Ryuk, SunCrypt, TA2101, VIKING SPIDER
2021-04-07 ⋅ ANALYST1 ⋅ Jon DiMaggio
@online{dimaggio:20210407:ransom:a109d6f,
author = {Jon DiMaggio},
title = {{Ransom Mafia - Analysis of the World's First Ransomware Cartel}},
date = {2021-04-07},
organization = {ANALYST1},
url = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel},
language = {English},
urldate = {2021-06-01}
}
Ransom Mafia - Analysis of the World's First Ransomware Cartel
Tags: Conti, Egregor, LockBit, Maze, RagnarLocker, SunCrypt, VIKING SPIDER
2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
@techreport{unit42:20210317:ransomware:504cc32,
author = {Unit42},
title = {{Ransomware Threat Report 2021}},
date = {2021-03-17},
institution = {Palo Alto Networks Unit 42},
url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf},
language = {English},
urldate = {2021-03-19}
}
Ransomware Threat Report 2021
Tags: RansomEXX, Dharma, DoppelPaymer, Gandcrab, Mailto, Maze, Phobos, RansomEXX, REvil, Ryuk, WastedLocker
2021-03-02 ⋅ CERT-FR ⋅ CERT-FR
@online{certfr:20210302:egregor:f0da4ec,
author = {CERT-FR},
title = {{The Egregor Ransomware}},
date = {2021-03-02},
organization = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/},
language = {English},
urldate = {2021-06-29}
}
The Egregor Ransomware
Tags: Egregor, Maze, Sekhmet
2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10,
author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev},
title = {{Ransomware Uncovered 2020/2021}},
date = {2021-03},
institution = {Group-IB},
url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf},
language = {English},
urldate = {2021-06-16}
}
Ransomware Uncovered 2020/2021
Tags: RansomEXX, BazarBackdoor, Buer, Clop, Conti, DoppelPaymer, Dridex, Egregor, IcedID, Maze, PwndLocker, QakBot, RansomEXX, REvil, Ryuk, SDBbot, TrickBot, Zloader
2021-02-28 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect
Tags: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team
2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400,
author = {Bryce Abdo and Brendan McKeague and Van Ta},
title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}},
date = {2021-02-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html},
language = {English},
urldate = {2021-03-02}
}
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
Tags: MOUSEISLAND, Cobalt Strike, Egregor, IcedID, Maze, SystemBC
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report
Tags: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, KNOCKOUT SPIDER, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER
2021-02-11 ⋅ CTI LEAGUE ⋅ CTI LEAGUE
@techreport{league:20210211:ctil:69c2ab8,
author = {CTI LEAGUE},
title = {{CTIL Darknet Report – 2021}},
date = {2021-02-11},
institution = {CTI LEAGUE},
url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf},
language = {English},
urldate = {2021-02-20}
}
CTIL Darknet Report – 2021
Tags: Conti, Mailto, Maze, REvil, Ryuk
2021-02-04 ⋅ Chainalysis ⋅ Chainalysis Team
@online{team:20210204:blockchain:4e63b2f,
author = {Chainalysis Team},
title = {{Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains}},
date = {2021-02-04},
organization = {Chainalysis},
url = {https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer},
language = {English},
urldate = {2021-02-06}
}
Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
Tags: DoppelPaymer, Egregor, Maze, SunCrypt
2021 ⋅ Talos ⋅ Talos Incident Response
@techreport{response:2021:evicting:c795470,
author = {Talos Incident Response},
title = {{Evicting Maze}},
date = {2021},
institution = {Talos},
url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf},
language = {English},
urldate = {2021-05-26}
}
Evicting Maze
Tags: Cobalt Strike, Maze
2021 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2021:threat:7e8aa73,
author = {SecureWorks},
title = {{Threat Profile: GOLD VILLAGE}},
date = {2021},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-village},
language = {English},
urldate = {2021-05-31}
}
Threat Profile: GOLD VILLAGE
Tags: Maze, TA2101
2020-12-16 ⋅ Accenture ⋅ Paul Mansfield
@online{mansfield:20201216:tracking:25540bd,
author = {Paul Mansfield},
title = {{Tracking and combatting an evolving danger: Ransomware extortion}},
date = {2020-12-16},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion},
language = {English},
urldate = {2020-12-17}
}
Tracking and combatting an evolving danger: Ransomware extortion
Tags: DarkSide, Egregor, Maze, Nefilim, RagnarLocker, REvil, Ryuk, SunCrypt
2020-12-14 ⋅ Medium Killbit ⋅ killbit
@online{killbit:20201214:applying:75d0dde,
author = {killbit},
title = {{Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware}},
date = {2020-12-14},
organization = {Medium Killbit},
url = {https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f},
language = {English},
urldate = {2020-12-17}
}
Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware
Tags: Maze
2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e,
author = {US-CERT and FBI and MS-ISAC},
title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}},
date = {2020-12-10},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a},
language = {English},
urldate = {2020-12-11}
}
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
Tags: PerlBot, Shlayer, Agent Tesla, Cerber, Dridex, Ghost RAT, Kovter, Maze, MedusaLocker, Nanocore RAT, Nefilim, REvil, Ryuk, Zeus
2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends from Fall 2020}},
date = {2020-12-09},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html},
language = {English},
urldate = {2020-12-10}
}
Quarterly Report: Incident Response trends from Fall 2020
Tags: Cobalt Strike, IcedID, Maze, RansomEXX, Ryuk
2020-12-08 ⋅ Sophos ⋅ Sean Gallagher, Anand Aijan, Gabor Szappanos, Syed Shahram, Bill Kearney, Mark Loman, Peter Mackenzie, Sergio Bestulic
@online{gallagher:20201208:egregor:fe48cfd,
author = {Sean Gallagher and Anand Aijan and Gabor Szappanos and Syed Shahram and Bill Kearney and Mark Loman and Peter Mackenzie and Sergio Bestulic},
title = {{Egregor ransomware: Maze’s heir apparent}},
date = {2020-12-08},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/},
language = {English},
urldate = {2020-12-08}
}
Egregor ransomware: Maze’s heir apparent
Tags: Egregor, Maze
2020-12-07 ⋅ Minerva Labs ⋅ Tom Roter
@online{roter:20201207:egregor:2d3dced,
author = {Tom Roter},
title = {{Egregor Ransomware - An In-Depth Analysis}},
date = {2020-12-07},
organization = {Minerva Labs},
url = {https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis},
language = {English},
urldate = {2020-12-09}
}
Egregor Ransomware - An In-Depth Analysis
Tags: Egregor, Maze, Sekhmet
2020-12-01 ⋅ Trend Micro ⋅ Ryan Flores
@online{flores:20201201:impact:415bf2e,
author = {Ryan Flores},
title = {{The Impact of Modern Ransomware on Manufacturing Networks}},
date = {2020-12-01},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html},
language = {English},
urldate = {2020-12-08}
}
The Impact of Modern Ransomware on Manufacturing Networks
Tags: Maze, Petya, REvil
2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1,
author = {Victoria Kivilevich},
title = {{Zooming into Darknet Threats Targeting Japanese Organizations}},
date = {2020-11-18},
organization = {KELA},
url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/},
language = {English},
urldate = {2020-11-19}
}
Zooming into Darknet Threats Targeting Japanese Organizations
Tags: Conti, DoppelPaymer, Egregor, LockBit, Maze, REvil, Snake
2020-11-16 ⋅ Intel 471 ⋅ Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b,
author = {Intel 471},
title = {{Ransomware-as-a-service: The pandemic within a pandemic}},
date = {2020-11-16},
organization = {Intel 471},
url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/},
language = {English},
urldate = {2020-11-17}
}
Ransomware-as-a-service: The pandemic within a pandemic
Tags: Avaddon, Clop, Conti, DoppelPaymer, Egregor, Hakbit, Mailto, Maze, Mespinoza, RagnarLocker, REvil, Ryuk, SunCrypt, ThunderX
2020-11-11 ⋅ Kaspersky Labs ⋅ Dmitry Bestuzhev, Fedor Sinitsyn
@online{bestuzhev:20201111:targeted:e2e0c3a,
author = {Dmitry Bestuzhev and Fedor Sinitsyn},
title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}},
date = {2020-11-11},
organization = {Kaspersky Labs},
url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/},
language = {English},
urldate = {2020-11-11}
}
Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Tags: Egregor, Maze, RagnarLocker
2020-11-06 ⋅ Telsy ⋅ Telsy Research Team
@techreport{team:20201106:malware:7b6dd9d,
author = {Telsy Research Team},
title = {{Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze}},
date = {2020-11-06},
institution = {Telsy},
url = {https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf},
language = {English},
urldate = {2020-11-09}
}
Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze
Tags: Maze
2020-10-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20201029:maze:f90b399,
author = {Lawrence Abrams},
title = {{Maze ransomware is shutting down its cybercrime operation}},
date = {2020-10-29},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/},
language = {English},
urldate = {2020-11-02}
}
Maze ransomware is shutting down its cybercrime operation
Tags: Egregor, Maze
2020-10-28 ⋅ Bitdefender ⋅ Ruben Andrei Condor
@techreport{condor:20201028:decade:b8d7422,
author = {Ruben Andrei Condor},
title = {{A Decade of WMI Abuse – an Overview of Techniques in Modern Malware}},
date = {2020-10-28},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf},
language = {English},
urldate = {2020-11-02}
}
A Decade of WMI Abuse – an Overview of Techniques in Modern Malware
Tags: sLoad, Emotet, Maze
2020-10-26 ⋅ Checkpoint ⋅ Itay Cohen, Eyal Itkin
@online{cohen:20201026:exploit:9ec173c,
author = {Itay Cohen and Eyal Itkin},
title = {{Exploit Developer Spotlight: The Story of PlayBit}},
date = {2020-10-26},
organization = {Checkpoint},
url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/},
language = {English},
urldate = {2020-10-27}
}
Exploit Developer Spotlight: The Story of PlayBit
Tags: Dyre, Maze, PyLocky, Ramnit, REvil
2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e,
author = {Hornetsecurity Security Lab},
title = {{Leakware-Ransomware-Hybrid Attacks}},
date = {2020-10-23},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/},
language = {English},
urldate = {2020-12-08}
}
Leakware-Ransomware-Hybrid Attacks
Tags: Avaddon, Clop, Conti, DarkSide, DoppelPaymer, Mailto, Maze, Mespinoza, Nefilim, RagnarLocker, REvil, Sekhmet, SunCrypt
2020-10-21 ⋅ Kaspersky Labs ⋅ Fedor Sinitsyn, Nikita Galimov, Vladimir Kuskov
@online{sinitsyn:20201021:life:5906110,
author = {Fedor Sinitsyn and Nikita Galimov and Vladimir Kuskov},
title = {{Life of Maze ransomware}},
date = {2020-10-21},
organization = {Kaspersky Labs},
url = {https://securelist.com/maze-ransomware/99137/},
language = {English},
urldate = {2020-10-23}
}
Life of Maze ransomware
Tags: Maze
2020-10-06 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
@online{team:20201006:double:bb0f240,
author = {The Crowdstrike Intel Team},
title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 2}},
date = {2020-10-06},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/},
language = {English},
urldate = {2020-10-12}
}
Double Trouble: Ransomware with Data Leak Extortion, Part 2
Tags: Maze, MedusaLocker, REvil, VIKING SPIDER
2020-10-01 ⋅ KELA ⋅ Victoria Kivilevich
@online{kivilevich:20201001:to:fd3aa09,
author = {Victoria Kivilevich},
title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}},
date = {2020-10-01},
organization = {KELA},
url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/},
language = {English},
urldate = {2021-05-07}
}
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Tags: Conti, DoppelPaymer, Mailto, Maze, REvil, Ryuk, SunCrypt
2020-09-29 ⋅ Microsoft ⋅ Microsoft
@techreport{microsoft:20200929:microsoft:6e5d7b0,
author = {Microsoft},
title = {{Microsoft Digital Defense Report}},
date = {2020-09-29},
institution = {Microsoft},
url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf},
language = {English},
urldate = {2020-10-05}
}
Microsoft Digital Defense Report
Tags: Emotet, IcedID, Mailto, Maze, QakBot, REvil, RobinHood, TrickBot
2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
@online{team:20200925:double:fe3b093,
author = {The Crowdstrike Intel Team},
title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}},
date = {2020-09-25},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/},
language = {English},
urldate = {2020-10-02}
}
Double Trouble: Ransomware with Data Leak Extortion, Part 1
Tags: DoppelPaymer, FriedEx, LockBit, Maze, MedusaLocker, RagnarLocker, REvil, RobinHood, SamSam, WastedLocker, MIMIC SPIDER, PIZZO SPIDER, TA2101, VIKING SPIDER
2020-09-25 ⋅ StateScoop ⋅ Benjamin Freed
@online{freed:20200925:baltimore:296e7d1,
author = {Benjamin Freed},
title = {{Baltimore ransomware attack was early attempt at data extortion, new report shows}},
date = {2020-09-25},
organization = {StateScoop},
url = {https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/},
language = {English},
urldate = {2021-05-28}
}
Baltimore ransomware attack was early attempt at data extortion, new report shows
Tags: Maze, RobinHood, OUTLAW SPIDER
2020-09-24 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team @online{team:20200924:double:3b3ade6,
author = {CrowdStrike Intelligence Team},
title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}},
date = {2020-09-24},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1},
language = {English},
urldate = {2021-05-31}
}
Double Trouble: Ransomware with Data Leak Extortion, Part 1 DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER |
2020-09-22 ⋅ Sophos SecOps ⋅ Greg Iddon @online{iddon:20200922:mtr:77e8701,
author = {Greg Iddon},
title = {{MTR Casebook: Blocking a $15 million Maze ransomware attack}},
date = {2020-09-22},
organization = {Sophos SecOps},
url = {https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/},
language = {English},
urldate = {2022-03-18}
}
MTR Casebook: Blocking a $15 million Maze ransomware attack Maze |
2020-09-17 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200917:maze:81b8c38,
author = {Lawrence Abrams},
title = {{Maze ransomware now encrypts via virtual machines to evade detection}},
date = {2020-09-17},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/},
language = {English},
urldate = {2020-09-21}
}
Maze ransomware now encrypts via virtual machines to evade detection Maze |
2020-09-17 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Peter Mackenzie @online{brandt:20200917:maze:714f603,
author = {Andrew Brandt and Peter Mackenzie},
title = {{Maze attackers adopt Ragnar Locker virtual machine technique}},
date = {2020-09-17},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/},
language = {English},
urldate = {2020-09-21}
}
Maze attackers adopt Ragnar Locker virtual machine technique Maze |
2020-09-01 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20200901:quarterly:c02962b,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends in Summer 2020}},
date = {2020-09-01},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html},
language = {English},
urldate = {2020-09-03}
}
Quarterly Report: Incident Response trends in Summer 2020 Cobalt Strike LockBit Mailto Maze Ryuk |
2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich @online{kivilevich:20200825:how:5db6a82,
author = {Victoria Kivilevich},
title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}},
date = {2020-08-25},
organization = {KELA},
url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/},
language = {English},
urldate = {2021-05-07}
}
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet |
2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider @online{cyberthreatinsider:20200820:global:34ee2ea,
author = {cyberthreatinsider},
title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}},
date = {2020-08-20},
organization = {sensecy},
url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/},
language = {English},
urldate = {2020-11-04}
}
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities Clop Maze REvil Ryuk |
2020-08-13 ⋅ SentinelOne ⋅ SentinelLabs @online{sentinellabs:20200813:case:4560aed,
author = {SentinelLabs},
title = {{Case Study: Catching a Human-Operated Maze Ransomware Attack In Action}},
date = {2020-08-13},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/},
language = {English},
urldate = {2020-08-14}
}
Case Study: Catching a Human-Operated Maze Ransomware Attack In Action Maze |
2020-08-04 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200804:ransomware:e0320ee,
author = {Catalin Cimpanu},
title = {{Ransomware gang publishes tens of GBs of internal data from LG and Xerox}},
date = {2020-08-04},
organization = {ZDNet},
url = {https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/},
language = {English},
urldate = {2020-08-18}
}
Ransomware gang publishes tens of GBs of internal data from LG and Xerox Maze |
2020-08 ⋅ Temple University ⋅ CARE @online{care:202008:critical:415c34d,
author = {CARE},
title = {{Critical Infrastructure Ransomware Attacks}},
date = {2020-08},
organization = {Temple University},
url = {https://sites.temple.edu/care/ci-rw-attacks/},
language = {English},
urldate = {2020-09-15}
}
Critical Infrastructure Ransomware Attacks CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity @techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor |
2020-07-22 ⋅ SentinelOne ⋅ Jason Reaves, Joshua Platt @online{reaves:20200722:enter:71d9038,
author = {Jason Reaves and Joshua Platt},
title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}},
date = {2020-07-22},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/},
language = {English},
urldate = {2020-07-23}
}
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW) ISFB Maze TrickBot Zloader |
2020-07-15 ⋅ Mandiant ⋅ Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt @online{brubaker:20200715:financially:f217555,
author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt},
title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}},
date = {2020-07-15},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot},
language = {English},
urldate = {2022-07-28}
}
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake |
2020-06-18 ⋅ Quick Heal ⋅ Preksha Saxena @online{saxena:20200618:maze:76ca64b,
author = {Preksha Saxena},
title = {{Maze ransomware continues to be a threat to the consumers}},
date = {2020-06-18},
organization = {Quick Heal},
url = {https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/},
language = {English},
urldate = {2020-07-02}
}
Maze ransomware continues to be a threat to the consumers Maze |
2020-06-17 ⋅ Cognizant ⋅ Cognizant @techreport{cognizant:20200617:notice:37fe994,
author = {Cognizant},
title = {{Notice of Data Breach}},
date = {2020-06-17},
institution = {Cognizant},
url = {https://oag.ca.gov/system/files/Letter%204.pdf},
language = {English},
urldate = {2020-06-18}
}
Notice of Data Breach Maze |
2020-06-16 ⋅ BleepingComputer ⋅ Sergiu Gatlan @online{gatlan:20200616:chipmaker:0e801b8,
author = {Sergiu Gatlan},
title = {{Chipmaker MaxLinear reports data breach after Maze Ransomware attack}},
date = {2020-06-16},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/},
language = {English},
urldate = {2020-06-17}
}
Chipmaker MaxLinear reports data breach after Maze Ransomware attack Maze |
2020-06-04 ⋅ Sophos Naked Security ⋅ Lisa Vaas @online{vaas:20200604:nuclear:9d471e1,
author = {Lisa Vaas},
title = {{Nuclear missile contractor hacked in Maze ransomware attack}},
date = {2020-06-04},
organization = {Sophos Naked Security},
url = {https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/},
language = {English},
urldate = {2020-06-04}
}
Nuclear missile contractor hacked in Maze ransomware attack Maze |
2020-05-21 ⋅ BrightTALK (FireEye) ⋅ Kimberly Goody, Jeremy Kennelly @online{goody:20200521:navigating:a2eae5f,
author = {Kimberly Goody and Jeremy Kennelly},
title = {{Navigating MAZE: Analysis of a Rising Ransomware Threat}},
date = {2020-05-21},
organization = {BrightTALK (FireEye)},
url = {https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat},
language = {English},
urldate = {2020-06-05}
}
Navigating MAZE: Analysis of a Rising Ransomware Threat Maze |
2020-05-12 ⋅ SophosLabs Uncut ⋅ Sophos @online{sophos:20200512:maze:5552394,
author = {Sophos},
title = {{Maze ransomware: extorting victims for 1 year and counting}},
date = {2020-05-12},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/},
language = {English},
urldate = {2022-03-18}
}
Maze ransomware: extorting victims for 1 year and counting Maze |
2020-05-07 ⋅ FireEye Inc ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko @online{goody:20200507:navigating:7147cb7,
author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko},
title = {{Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents}},
date = {2020-05-07},
organization = {FireEye Inc},
url = {https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html},
language = {English},
urldate = {2020-05-11}
}
Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents Maze |
2020-05-07 ⋅ REDTEAM.PL ⋅ Adam Ziaja @online{ziaja:20200507:sodinokibi:f5c5cd1,
author = {Adam Ziaja},
title = {{Sodinokibi / REvil ransomware}},
date = {2020-05-07},
organization = {REDTEAM.PL},
url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html},
language = {English},
urldate = {2020-05-13}
}
Sodinokibi / REvil ransomware Maze MimiKatz REvil |
2020-05-04 ⋅ Blueliv ⋅ Blueliv Team @online{team:20200504:escape:63ebdfa,
author = {Blueliv Team},
title = {{Escape from the Maze}},
date = {2020-05-04},
organization = {Blueliv},
url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/},
language = {English},
urldate = {2020-05-11}
}
Escape from the Maze Maze |
2020-05-01 ⋅ CrowdStrike ⋅ Shaun Hurley @online{hurley:20200501:many:22ed72c,
author = {Shaun Hurley},
title = {{The Many Paths Through Maze}},
date = {2020-05-01},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/},
language = {English},
urldate = {2020-05-05}
}
The Many Paths Through Maze Maze |
2020-04-28 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team @online{team:20200428:ransomware:3205f3a,
author = {Microsoft Threat Protection Intelligence Team},
title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}},
date = {2020-04-28},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/},
language = {English},
urldate = {2020-05-05}
}
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood |
2020-04-18 ⋅ Cognizant ⋅ Cognizant @online{cognizant:20200418:cognizant:0e20ac0,
author = {Cognizant},
title = {{Cognizant Security Incident Update}},
date = {2020-04-18},
organization = {Cognizant},
url = {https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update},
language = {English},
urldate = {2020-04-20}
}
Cognizant Security Incident Update Maze |
2020-04-18 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200418:it:bb2d626,
author = {Lawrence Abrams},
title = {{IT services giant Cognizant suffers Maze Ransomware cyber attack}},
date = {2020-04-18},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/},
language = {English},
urldate = {2020-04-20}
}
IT services giant Cognizant suffers Maze Ransomware cyber attack Maze |
2020-04-08 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20200408:how:192d583,
author = {Counter Threat Unit Research Team},
title = {{How Cyber Adversaries are Adapting to Exploit the Global Pandemic}},
date = {2020-04-08},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic},
language = {English},
urldate = {2021-05-28}
}
How Cyber Adversaries are Adapting to Exploit the Global Pandemic GOLD SOUTHFIELD TA2101 TA505 WIZARD SPIDER |
2020-03-26 ⋅ McAfee ⋅ Alexandre Mundo @online{mundo:20200326:ransomware:05f2b18,
author = {Alexandre Mundo},
title = {{Ransomware Maze}},
date = {2020-03-26},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/},
language = {English},
urldate = {2020-03-26}
}
Ransomware Maze Maze |
2020-03-26 ⋅ TechCrunch ⋅ Zack Whittaker @online{whittaker:20200326:cyber:4b23d0a,
author = {Zack Whittaker},
title = {{Cyber insurer Chubb had data stolen in Maze ransomware attack}},
date = {2020-03-26},
organization = {TechCrunch},
url = {https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/},
language = {English},
urldate = {2020-03-27}
}
Cyber insurer Chubb had data stolen in Maze ransomware attack Maze |
2020-03-25 ⋅ Bitdefender ⋅ Bitdefender Team @techreport{team:20200325:technical:b3e1af1,
author = {Bitdefender Team},
title = {{A Technical Look into Maze Ransomware}},
date = {2020-03-25},
institution = {Bitdefender},
url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf},
language = {English},
urldate = {2020-04-20}
}
A Technical Look into Maze Ransomware Maze |
2020-03-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200324:three:fb92d03,
author = {Lawrence Abrams},
title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}},
date = {2020-03-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/},
language = {English},
urldate = {2020-03-26}
}
Three More Ransomware Families Create Sites to Leak Stolen Data Clop DoppelPaymer Maze Nefilim Nemty REvil |
2020-03-12 ⋅ Cyberbit ⋅ Dor Neemani, Omer Fishel, Hod Gavriel @techreport{neemani:20200312:lost:80ccbd2,
author = {Dor Neemani and Omer Fishel and Hod Gavriel},
title = {{Lost in the Maze}},
date = {2020-03-12},
institution = {Cyberbit},
url = {https://www.docdroid.net/dUpPY5s/maze.pdf},
language = {English},
urldate = {2020-03-22}
}
Lost in the Maze Maze |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
2020-03-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200303:ransomware:8be6fa7,
author = {Lawrence Abrams},
title = {{Ransomware Attackers Use Your Cloud Backups Against You}},
date = {2020-03-03},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/},
language = {English},
urldate = {2020-03-04}
}
Ransomware Attackers Use Your Cloud Backups Against You DoppelPaymer Maze |
2020-02-20 ⋅ McAfee ⋅ Christiaan Beek, Eamonn Ryan, Darren Fitzpatrick @online{beek:20200220:csi:8525a7b,
author = {Christiaan Beek and Eamonn Ryan and Darren Fitzpatrick},
title = {{CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II}},
date = {2020-02-20},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/},
language = {English},
urldate = {2021-05-13}
}
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II Cobalt Strike LockerGoga Maze MegaCortex |
2020-01-30 ⋅ ZATAZ ⋅ Damien Bancal @online{bancal:20200130:cyber:0a267d4,
author = {Damien Bancal},
title = {{Cyber attaque à l’encontre des serveurs de Bouygues Construction}},
date = {2020-01-30},
organization = {ZATAZ},
url = {https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/},
language = {French},
urldate = {2020-02-03}
}
Cyber attaque à l’encontre des serveurs de Bouygues Construction Maze |
2020-01-29 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20200129:tat:3d59e6e,
author = {ANSSI},
title = {{État de la menace rançongiciel}},
date = {2020-01-29},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf},
language = {French},
urldate = {2020-02-03}
}
État de la menace rançongiciel Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam |
2020-01-22 ⋅ Deloitte ⋅ Deloitte @online{deloitte:20200122:project:0a44796,
author = {Deloitte},
title = {{Project Lurus}},
date = {2020-01-22},
organization = {Deloitte},
url = {https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF},
language = {English},
urldate = {2020-02-13}
}
Project Lurus Maze |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:95fe871,
author = {SecureWorks},
title = {{GOLD VILLAGE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-village},
language = {English},
urldate = {2020-05-23}
}
GOLD VILLAGE Maze |
2020 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:2020:state:e5941af,
author = {Blackberry Research},
title = {{State of Ransomware}},
date = {2020},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf},
language = {English},
urldate = {2021-01-01}
}
State of Ransomware Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP |
2019-12-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191224:maze:33a4e28,
author = {Lawrence Abrams},
title = {{Maze Ransomware Releases Files Stolen from City of Pensacola}},
date = {2019-12-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/},
language = {English},
urldate = {2020-02-13}
}
Maze Ransomware Releases Files Stolen from City of Pensacola Maze |
2019-12-18 ⋅ Github (albertzsigovits) ⋅ Albert Zsigovits @online{zsigovits:20191218:maze:22cb5d6,
author = {Albert Zsigovits},
title = {{Maze ransomware}},
date = {2019-12-18},
organization = {Github (albertzsigovits)},
url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md},
language = {English},
urldate = {2020-04-20}
}
Maze ransomware Maze |
2019-12-17 ⋅ Cisco ⋅ JJ Cummings, Dave Liebenberg @online{cummings:20191217:incident:44acf5c,
author = {JJ Cummings and Dave Liebenberg},
title = {{Incident Response lessons from recent Maze ransomware attacks}},
date = {2019-12-17},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html},
language = {English},
urldate = {2020-01-09}
}
Incident Response lessons from recent Maze ransomware attacks Maze |
2019-12-16 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20191216:ransomware:f4d7d8c,
author = {Brian Krebs},
title = {{Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up}},
date = {2019-12-16},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/},
language = {English},
urldate = {2020-01-08}
}
Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up Maze |
2019-12-11 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191211:maze:acb23da,
author = {Lawrence Abrams},
title = {{Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand}},
date = {2019-12-11},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/},
language = {English},
urldate = {2020-01-09}
}
Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand Maze |
2019-11-21 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191121:allied:a3d69d7,
author = {Lawrence Abrams},
title = {{Allied Universal Breached by Maze Ransomware, Stolen Data Leaked}},
date = {2019-11-21},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/},
language = {English},
urldate = {2020-01-08}
}
Allied Universal Breached by Maze Ransomware, Stolen Data Leaked Maze |
2019-11-14 ⋅ Proofpoint ⋅ Bryan Campbell, Proofpoint Threat Insight Team @online{campbell:20191114:ta2101:e79f6fb,
author = {Bryan Campbell and Proofpoint Threat Insight Team},
title = {{TA2101 plays government imposter to distribute malware to German, Italian, and US organizations}},
date = {2019-11-14},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us},
language = {English},
urldate = {2019-11-27}
}
TA2101 plays government imposter to distribute malware to German, Italian, and US organizations Maze TA2101 |
2019-11-08 ⋅ Twitter (@certbund) ⋅ CERT-Bund @online{certbund:20191108:spam:0630ad5,
author = {CERT-Bund},
title = {{Tweet on Spam Mails containing MAZE}},
date = {2019-11-08},
organization = {Twitter (@certbund)},
url = {https://twitter.com/certbund/status/1192756294307995655},
language = {English},
urldate = {2020-01-08}
}
Tweet on Spam Mails containing MAZE Maze |
2019-10-18 ⋅ Bleeping Computer ⋅ Sergiu Gatlan @online{gatlan:20191018:maze:fb2c4b6,
author = {Sergiu Gatlan},
title = {{Maze Ransomware Now Delivered by Spelevo Exploit Kit}},
date = {2019-10-18},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/},
language = {English},
urldate = {2019-12-17}
}
Maze Ransomware Now Delivered by Spelevo Exploit Kit Maze |
2019-05-13 ⋅ Amigo A @online{a:20190513:chacha:840508a,
author = {Amigo A},
title = {{ChaCha Ransomware}},
date = {2019-05-13},
url = {https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html},
language = {Russian},
urldate = {2019-12-02}
}
ChaCha Ransomware Maze |
2019 ⋅ CrowdStrike ⋅ CrowdStrike @online{crowdstrike:2019:twisted:8dacf6c,
author = {CrowdStrike},
title = {{Twisted Spider}},
date = {2019},
organization = {CrowdStrike},
url = {https://adversary.crowdstrike.com/adversary/twisted-spider/},
language = {English},
urldate = {2021-05-19}
}
Twisted Spider Maze TA2101 |