UNC1878 is a financially motivated threat actor that monetizes network access via the deployment of RYUK ransomware. Earlier this year, Mandiant published a blog on UNC1878, a fast-moving adversary deploying RYUK ransomware. Shortly after its release, there was a significant decrease in observed UNC1878 intrusions, and RYUK activity overall almost completely vanished over the summer. But beginning in early fall, Mandiant has seen a resurgence of RYUK along with TTP overlaps indicating that UNC1878 has returned from the grave and resumed its operations.
There are currently no families associated with this actor.
2020-10-29 ⋅ Twitter (@anthomsec) ⋅ Tweet on UNC1878 activity ⋅ Tags: BazarBackdoor, Ryuk, TrickBot, UNC1878
2020-10-28 ⋅ YouTube (SANS Institute) ⋅ Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast ⋅ Tags: Ryuk, UNC1878
2020-10-28 ⋅ GitHub (aaronst) ⋅ UNC1878 indicators ⋅ Tags: Ryuk, UNC1878
2020-10-28 ⋅ FireEye ⋅ Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser ⋅ Tags: BazarBackdoor, Cobalt Strike, Ryuk, UNC1878
2020-03-31 ⋅ FireEye ⋅ It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit ⋅ Tags: Ryuk, TrickBot, UNC1878