
TA2101

aka: DEV-0216, GOLD VILLAGE, Maze Team, Storm-0216, TWISTED SPIDER, Twisted Spider

Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt für Steuern (the German Federal Central Tax Office, an agency of the Federal Ministry of Finance), using lookalike domains, official-sounding verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed adversary-emulation tool that is generally used for penetration testing and provides a post-exploitation backdoor framework comparable to that of Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing social engineering techniques similar to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).
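The lookalike-domain lure described above is the part of this activity that a mail-security team can check for mechanically. The following is an added example, not code from Proofpoint, Malpedia or any TA2101 reporting: it scores the sender domain of each From: header against the legitimate domains of the three impersonated agencies (bzst.de, agenziaentrate.gov.it and usps.com) and flags typosquats, brand words embedded in an unrelated domain, and the brand used as a subdomain of an attacker-controlled domain. The sample headers are constructed for illustration and are not indicators attributed to TA2101; the homoglyph table and the small suffix list are simplifying assumptions (a production filter would load the Public Suffix List and a proper confusables table).

```python
"""Flag From: sender domains that impersonate the agencies TA2101 spoofed.

Added example, not Proofpoint or Malpedia code. PROTECTED holds the agencies'
real registered domains; SAMPLE_FROM_HEADERS are constructed samples, not
indicators attributed to TA2101.
"""
from __future__ import annotations

from email.utils import parseaddr

# Brand label -> legitimate registrable domain of the impersonated agency.
PROTECTED = {
    "bzst": "bzst.de",                          # Bundeszentralamt für Steuern
    "agenziaentrate": "agenziaentrate.gov.it",  # Agenzia delle Entrate
    "usps": "usps.com",                         # United States Postal Service
}
LEGITIMATE = {domain: brand for brand, domain in PROTECTED.items()}

# Multi-label public suffixes the protected domains need (assumption: a real
# filter would load the full Public Suffix List instead of this stub).
MULTI_LABEL_SUFFIXES = {"gov.it", "co.uk", "com.au"}

# Digit-for-letter substitutions typical of typosquats, folded before matching.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Return the registrable part (eTLD+1) of a host name."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def fold(label: str) -> str:
    """Normalise one label: lowercase, undo homoglyph digits, drop hyphens."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character typosquats of a brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> dict:
    """Classify one From: header against the protected brands.

    verdict: legitimate | brand_in_domain | typosquat | brand_in_subdomain |
             unrelated | unparseable
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"domain": "", "verdict": "unparseable", "brand": None}
    host = addr.rpartition("@")[2].lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in LEGITIMATE:
        return {"domain": reg, "verdict": "legitimate", "brand": LEGITIMATE[reg]}
    folded = fold(reg.split(".")[0])
    subdomain_labels = host.split(".")[: -len(reg.split("."))]
    for brand in PROTECTED:
        # bzst-steuer.com, usps-delivery.net: brand word padded with filler.
        if brand in folded and folded != brand:
            return {"domain": reg, "verdict": "brand_in_domain", "brand": brand}
        # u5ps.com, bzts.de: the brand after folding, or one edit away from it.
        if levenshtein(folded, brand) <= 1:
            return {"domain": reg, "verdict": "typosquat", "brand": brand}
        # bzst.de.attacker.example: brand as a label left of the real domain.
        if brand in subdomain_labels:
            return {"domain": reg, "verdict": "brand_in_subdomain", "brand": brand}
    return {"domain": reg, "verdict": "unrelated", "brand": None}


def triage(headers: list[str]) -> list[tuple[str, str, str]]:
    """Return (domain, verdict, brand) for every header worth an analyst's look."""
    hits = []
    for header in headers:
        result = classify_sender(header)
        if result["verdict"] not in ("legitimate", "unrelated"):
            hits.append((result["domain"], result["verdict"], result["brand"]))
    return hits


# Constructed samples for illustration only; none is a reported TA2101 indicator.
SAMPLE_FROM_HEADERS = [
    "BZSt <noreply@bzst.de>",
    "Bundeszentralamt <service@bzst-steuer.com>",
    "Agenzia Entrate <info@agenziaentrate-gov.it>",
    "USPS <tracking@usps-delivery.net>",
    "USPS <notice@u5ps.com>",
    "Steuern <post@bzst.de.attacker.example>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{header:46} -> {classify_sender(header)['verdict']}")
```

Running the block prints one verdict per sample header. The edit-distance threshold should scale with the brand label: a four-letter label such as "bzst" is one edit away from many ordinary words, so in practice the typosquat rule is combined with the display name or lure keywords rather than used on its own.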


Associated Families
win.maze

References
2024-02-15 | Bleeping Computer | Sergiu Gatlan
Zeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison
Egregor IcedID Maze Zeus
2024-02-15 | Department of Justice | Office of Public Affairs
Foreign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses
Egregor IcedID Maze Zeus
2023-01-30 | Checkpoint | Arie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-05 | Intel 471 | Intel 471
Cybercrime loves company: Conti cooperated with other ransomware gangs
LockBit Maze RagnarLocker Ryuk
2022-03-31 | Trellix | Jambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-23 | splunk | Shannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-17 | Sophos | Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-02-23 | splunk | Shannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-02-09 | Security Affairs | Pierluigi Paganini
Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online
Egregor m0yv Maze Sekhmet
2022-02-09 | Bleeping Computer | Lawrence Abrams
Ransomware dev releases Egregor, Maze master decryption keys
Egregor Maze Sekhmet
2021-11-03 | CERT-FR | ANSSI
Identification of a new cybercriminal group: Lockean
DoppelPaymer Egregor Maze PwndLocker REvil
2021-10-26 | ANSSI
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil
2021-09-06 | cocomelonc | cocomelonc
AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze
2021-08-15 | Symantec | Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-10 | Bleeping Computer | Sergiu Gatlan
Crytek confirms Egregor ransomware attack, customer data theft
Egregor Maze
2021-08-05 | KrebsOnSecurity | Brian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-07-09 | The Record | Catalin Cimpanu
Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil
2021-07-01 | DomainTools | Chad Anderson
The Most Prolific Ransomware Families: A Defenders Guide
REvil Conti Egregor Maze REvil
2021-06-16 | Proofpoint | Daniel Blackford, Garrett M. Graff, Selena Larson
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker TA570 TA575 TA577
2021-05-18 | The Record | Catalin Cimpanu
Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-18 | Bleeping Computer | Ionut Ilascu
DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07 | Bleeping Computer | Lawrence Abrams
Data leak marketplaces aim to take over the extortion economy
Babuk Maze
2021-05-06 | Cyborg Security | Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-27 | CrowdStrike | Eben Kaplan, Josh Dalman, Kamil Janton
Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER
2021-04-07 | ANALYST1 | Jon DiMaggio
Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-04-07 | ANALYST1 | Jon DiMaggio
Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-03-17 | Palo Alto Networks Unit 42 | Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-02 | CERT-FR | CERT-FR
The Egregor Ransomware
Egregor Maze Sekhmet
2021-03-01 | Group-IB | Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-25 | FireEye | Brendan McKeague, Bryce Abdo, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-11 | CTI LEAGUE | CTI LEAGUE
CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-02-04 | Chainalysis | Chainalysis Team
Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
DoppelPaymer Egregor Maze SunCrypt
2021-01-01 | Secureworks | SecureWorks
Threat Profile: GOLD VILLAGE
Maze TA2101
2021-01-01 | Talos | Talos Incident Response
Evicting Maze
Cobalt Strike Maze
2020-12-16 | Accenture | Paul Mansfield
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-12-14 | Medium Killbit | killbit
Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware
Maze
2020-12-10 | US-CERT | FBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-09 | Cisco | Caitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-12-08 | Sophos | Anand Aijan, Bill Kearney, Gabor Szappanos, Mark Loman, Peter Mackenzie, Sean Gallagher, Sergio Bestulic, Syed Shahram
Egregor ransomware: Maze’s heir apparent
Egregor Maze
2020-12-07 | Minerva Labs | Tom Roter
Egregor Ransomware - An In-Depth Analysis
Egregor Maze Sekhmet
2020-12-01 | Trend Micro | Ryan Flores
The Impact of Modern Ransomware on Manufacturing Networks
Maze Petya REvil
2020-11-18 | KELA | Victoria Kivilevich
Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake
2020-11-16 | Intel 471 | Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-11 | Kaspersky Labs | Dmitry Bestuzhev, Fedor Sinitsyn
Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker
2020-11-06 | Telsy | Telsy Research Team
Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze
Maze
2020-10-29 | Bleeping Computer | Lawrence Abrams
Maze ransomware is shutting down its cybercrime operation
Egregor Maze
2020-10-28 | Bitdefender | Ruben Andrei Condor
A Decade of WMI Abuse – an Overview of Techniques in Modern Malware
sLoad Emotet Maze
2020-10-26 | Checkpoint | Eyal Itkin, Itay Cohen
Exploit Developer Spotlight: The Story of PlayBit
Dyre Maze PyLocky Ramnit REvil
2020-10-23 | Hornetsecurity | Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-21 | Kaspersky Labs | Fedor Sinitsyn, Nikita Galimov, Vladimir Kuskov
Life of Maze ransomware
Maze
2020-10-06 | CrowdStrike | The Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 2
Maze MedusaLocker REvil VIKING SPIDER
2020-10-01 | KELA | Victoria Kivilevich
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29 | Microsoft | Microsoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-25 | StateScoop | Benjamin Freed
Baltimore ransomware attack was early attempt at data extortion, new report shows
Maze RobinHood OUTLAW SPIDER
2020-09-25 | CrowdStrike | The Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24 | CrowdStrike | CrowdStrike Intelligence Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-09-22 | Sophos SecOps | Greg Iddon
MTR Casebook: Blocking a $15 million Maze ransomware attack
Maze
2020-09-17 | SophosLabs Uncut | Andrew Brandt, Peter Mackenzie
Maze attackers adopt Ragnar Locker virtual machine technique
Maze
2020-09-17 | Bleeping Computer | Lawrence Abrams
Maze ransomware now encrypts via virtual machines to evade detection
Maze
2020-09-01 | Cisco Talos | Caitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-25 | KELA | Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-20 | sensecy | cyberthreatinsider
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk
2020-08-13 | SentinelOne | SentinelLabs
Case Study: Catching a Human-Operated Maze Ransomware Attack In Action
Maze
2020-08-04 | ZDNet | Catalin Cimpanu
Ransomware gang publishes tens of GBs of internal data from LG and Xerox
Maze
2020-08-01 | Temple University | CARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29 | ESET Research | welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-22 | SentinelOne | Jason Reaves, Joshua Platt
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader
2020-07-15 | Mandiant | Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake
2020-06-18 | Quick Heal | Preksha Saxena
Maze ransomware continues to be a threat to the consumers
Maze
2020-06-17 | Cognizant | Cognizant
Notice of Data Breach
Maze
2020-06-16 | Bleeping Computer | Sergiu Gatlan
Chipmaker MaxLinear reports data breach after Maze Ransomware attack
Maze
2020-06-04 | Sophos Naked Security | Lisa Vaas
Nuclear missile contractor hacked in Maze ransomware attack
Maze
2020-05-21 | BrightTALK (FireEye) | Jeremy Kennelly, Kimberly Goody
Navigating MAZE: Analysis of a Rising Ransomware Threat
Maze
2020-05-12 | SophosLabs Uncut | Sophos
Maze ransomware: extorting victims for 1 year and counting
Maze
2020-05-07 | FireEye Inc | Jeremy Kennelly, Joshua Shilko, Kimberly Goody
Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
Maze
2020-05-07 | REDTEAM.PL | Adam Ziaja
Sodinokibi / REvil ransomware
Maze MimiKatz REvil
2020-05-04 | Blueliv | Blueliv Team
Escape from the Maze
Maze
2020-05-01 | CrowdStrike | Shaun Hurley
The Many Paths Through Maze
Maze
2020-04-28 | Microsoft | Microsoft Threat Protection Intelligence Team
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-18 | Cognizant | Cognizant
Cognizant Security Incident Update
Maze
2020-04-18 | Bleeping Computer | Lawrence Abrams
IT services giant Cognizant suffers Maze Ransomware cyber attack
Maze
2020-04-08 | Secureworks | Counter Threat Unit Research Team
How Cyber Adversaries are Adapting to Exploit the Global Pandemic
GOLD SOUTHFIELD TA2101 TA505 WIZARD SPIDER
2020-03-26 | McAfee | Alexandre Mundo
Ransomware Maze
Maze
2020-03-26 | TechCrunch | Zack Whittaker
Cyber insurer Chubb had data stolen in Maze ransomware attack
Maze
2020-03-25 | Bitdefender | Bitdefender Team
A Technical Look into Maze Ransomware
Maze
2020-03-24 | Bleeping Computer | Lawrence Abrams
Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil
2020-03-12 | Cyberbit | Dor Neemani, Hod Gavriel, Omer Fishel
Lost in the Maze
Maze
2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03 | Bleeping Computer | Lawrence Abrams
Ransomware Attackers Use Your Cloud Backups Against You
DoppelPaymer Maze
2020-02-20 | McAfee | Christiaan Beek, Darren Fitzpatrick, Eamonn Ryan
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex
2020-01-30 | ZATAZ | Damien Bancal
Cyber attaque à l'encontre des serveurs de Bouygues Construction (Cyber attack against the servers of Bouygues Construction)
Maze
2020-01-29 | ANSSI | ANSSI
État de la menace rançongiciel (State of the ransomware threat)
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-22 | Deloitte | Deloitte
Project Lurus
Maze
2020-01-01 | Secureworks | SecureWorks
GOLD VILLAGE
Maze
2020-01-01 | Blackberry | Blackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-12-24 | Bleeping Computer | Lawrence Abrams
Maze Ransomware Releases Files Stolen from City of Pensacola
Maze
2019-12-18 | Github (albertzsigovits) | Albert Zsigovits
Maze ransomware
Maze
2019-12-17 | Cisco | Dave Liebenberg, JJ Cummings
Incident Response lessons from recent Maze ransomware attacks
Maze
2019-12-16 | KrebsOnSecurity | Brian Krebs
Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up
Maze
2019-12-11 | Bleeping Computer | Lawrence Abrams
Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand
Maze
2019-11-21 | Bleeping Computer | Lawrence Abrams
Allied Universal Breached by Maze Ransomware, Stolen Data Leaked
Maze
2019-11-14 | Proofpoint | Bryan Campbell, Proofpoint Threat Insight Team
TA2101 plays government imposter to distribute malware to German, Italian, and US organizations
Maze TA2101
2019-11-08 | Twitter (@certbund) | CERT-Bund
Tweet on Spam Mails containing MAZE
Maze
2019-10-18 | Bleeping Computer | Sergiu Gatlan
Maze Ransomware Now Delivered by Spelevo Exploit Kit
Maze
2019-05-13 | Amigo A
ChaCha Ransomware
Maze
2019-01-01 | CrowdStrike | CrowdStrike
Twisted Spider
Maze TA2101

Credits: MISP Project