UNC1878 is a financially motivated threat actor that monetizes network access via the deployment of RYUK ransomware. Earlier this year, Mandiant published a blog on a fast-moving adversary deploying RYUK ransomware, UNC1878. Shortly after its release, there was a significant decrease in observed UNC1878 intrusions, and RYUK activity overall almost completely vanished over the summer. Beginning in early fall, however, Mandiant has seen a resurgence of RYUK along with TTP overlaps indicating that UNC1878 has returned from the grave and resumed its operations.
There are currently no families associated with this actor.
|2020-10-29 ⋅ Twitter (@anthomsec) ⋅ Tweet on UNC1878 activity|
BazarBackdoor Ryuk TrickBot UNC1878
|2020-10-28 ⋅ Youtube (SANS Institute) ⋅ Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast|
|2020-10-28 ⋅ Github (aaronst) ⋅ |
|2020-10-28 ⋅ FireEye ⋅ Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser|
BazarBackdoor Cobalt Strike Ryuk UNC1878
|2020-03-31 ⋅ FireEye ⋅ It's Your Money and They Want It Now - The Cycle of Adversary Pursuit|
Ryuk TrickBot UNC1878