win.lockbit (Back to overview)

LockBit

aka: ABCD Ransomware

There is no description at this point.

References
2022-11-30SophosAndrew Brandt
@online{brandt:20221130:lockbit:7d7598f, title = {{LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling}}, author = {Brandt, Andrew}, organization = {Sophos}, date = {2022-11-30}, urldate = {2022-12-02}, url = {https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/}, language = {English} } LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling
LockBit
2022-11-08AhnLabASEC
@online{asec:20221108:lockbit:6acb17e, title = {{LockBit 3.0 Being Distributed via Amadey Bot}}, author = {{ASEC}}, organization = {AhnLab}, date = {2022-11-08}, urldate = {2022-11-09}, url = {https://asec.ahnlab.com/en/41450/}, language = {English} } LockBit 3.0 Being Distributed via Amadey Bot
Amadey Gandcrab LockBit
2022-10-18LogpointAnish Bogati, Nilaa Maharjan
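@online{bogati:20221018:hunting:c2cd9ba, title = {{Hunting Lockbit Variation}}, author = {Bogati, Anish and Maharjan, Nilaa}, organization = {Logpoint}, date = {2022-10-18}, urldate = {2022-11-28}, url = {https://www.logpoint.com/en/blog/hunting-lockbit-variations-using-logpoint/}, language = {English} } Hunting Lockbit Variation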
LockBit
2022-10-15vmwareDana Behling
@online{behling:20221015:lockbit:b6ba83c, title = {{LockBit 3.0 Ransomware Unlocked}}, author = {Behling, Dana}, organization = {vmware}, date = {2022-10-15}, urldate = {2022-10-24}, url = {https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html}, language = {English} } LockBit 3.0 Ransomware Unlocked
LockBit
2022-10-11AhnLabASEC Analysis Team
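@online{team:20221011:from:a35b468, title = {{From Exchange Server vulnerability to ransomware infection in just 7 days}}, author = {{ASEC Analysis Team}}, organization = {AhnLab}, date = {2022-10-11}, urldate = {2022-10-11}, url = {https://asec.ahnlab.com/ko/39682/}, language = {Korean} } From Exchange Server vulnerability to ransomware infection in just 7 days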
LockBit MimiKatz
2022-09-22Medium s2wlabYang HuiSeong, Jeong Hyunsik
@online{huiseong:20220922:quick:9184019, title = {{Quick Overview of Leaked LockBit 3.0 (Black) builder program}}, author = {Yang HuiSeong and Jeong Hyunsik}, organization = {Medium s2wlab}, date = {2022-09-22}, urldate = {2022-10-24}, url = {https://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085}, language = {English} } Quick Overview of Leaked LockBit 3.0 (Black) builder program
LockBit
2022-09-22Cyber GeeksVlad Pasca
@online{pasca:20220922:technical:96bb05e, title = {{A Technical Analysis Of The Leaked LOCKBIT 3.0 Builder}}, author = {Pasca, Vlad}, organization = {Cyber Geeks}, date = {2022-09-22}, urldate = {2022-09-26}, url = {https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/}, language = {English} } A Technical Analysis Of The Leaked LOCKBIT 3.0 Builder
LockBit
2022-08-28BleepingComputerIonut Ilascu
@online{ilascu:20220828:lockbit:cf396a1, title = {{LockBit ransomware gang gets aggressive with triple-extortion tactic}}, author = {Ilascu, Ionut}, organization = {BleepingComputer}, date = {2022-08-28}, urldate = {2022-08-30}, url = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/}, language = {English} } LockBit ransomware gang gets aggressive with triple-extortion tactic
LockBit
2022-08-19nccgroupRoss Inman
@online{inman:20220819:back:11abc41, title = {{Back in Black: Unlocking a LockBit 3.0 Ransomware Attack}}, author = {Inman, Ross}, organization = {nccgroup}, date = {2022-08-19}, urldate = {2022-08-22}, url = {https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack}, language = {English} } Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
FAKEUPDATES Cobalt Strike LockBit
2022-08-11SecurityScorecardRobert Ames
@online{ames:20220811:increase:5cbc907, title = {{The Increase in Ransomware Attacks on Local Governments}}, author = {Ames, Robert}, organization = {SecurityScorecard}, date = {2022-08-11}, urldate = {2022-08-28}, url = {https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments}, language = {English} } The Increase in Ransomware Attacks on Local Governments
BlackCat BlackCat Cobalt Strike LockBit
2022-08-10Quick HealSathwik Ram Prakki
@online{prakki:20220810:indian:96b0a9e, title = {{Indian Power Sector targeted with latest LockBit 3.0 variant}}, author = {Prakki, Sathwik Ram}, organization = {Quick Heal}, date = {2022-08-10}, urldate = {2022-11-11}, url = {https://www.seqrite.com/blog/indian-power-sector-targeted-with-latest-lockbit-3-0-variant/}, language = {English} } Indian Power Sector targeted with latest LockBit 3.0 variant
LockBit
2022-08-04YouTube (Arda Büyükkaya)Arda Büyükkaya
@online{bykkaya:20220804:lockbit:15879e8, title = {{LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool}}, author = {Büyükkaya, Arda}, organization = {YouTube (Arda Büyükkaya)}, date = {2022-08-04}, urldate = {2022-08-08}, url = {https://www.youtube.com/watch?v=C733AyPzkoc}, language = {English} } LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
Cobalt Strike LockBit
2022-07-28SentinelOneJúlio Dantas, James Haughom, Julien Reisdorffer
@online{dantas:20220728:living:3cc6f4f, title = {{Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool}}, author = {Dantas, Júlio and Haughom, James and Reisdorffer, Julien}, organization = {SentinelOne}, date = {2022-07-28}, urldate = {2022-08-01}, url = {https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/}, language = {English} } Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
Cobalt Strike LockBit
2022-07-25Trend MicroIvan Nicole Chavez, Byron Gelera, Katherine Casona, Nathaniel Morales, Ieriz Nicolle Gonzalez, Nathaniel Gregory Ragasa
@online{chavez:20220725:lockbit:a660282, title = {{LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities}}, author = {Chavez, Ivan Nicole and Gelera, Byron and Casona, Katherine and Morales, Nathaniel and Gonzalez, Ieriz Nicolle and Ragasa, Nathaniel Gregory}, organization = {Trend Micro}, date = {2022-07-25}, urldate = {2022-08-11}, url = {https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html}, language = {English} } LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities
BlackMatter LockBit
2022-07-21Sentinel LABSJim Walter, Aleksandar Milenkoski
@online{walter:20220721:lockbit:e7279b7, title = {{LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques}}, author = {Walter, Jim and Milenkoski, Aleksandar}, organization = {Sentinel LABS}, date = {2022-07-21}, urldate = {2022-07-25}, url = {https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/}, language = {English} } LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques
LockBit
2022-07-20SymantecVishal Kamble, Lahu Khatal
@online{kamble:20220720:lockbit:e4515c8, title = {{LockBit: Ransomware Puts Servers in the Crosshairs}}, author = {Kamble, Vishal and Khatal, Lahu}, organization = {Symantec}, date = {2022-07-20}, urldate = {2022-07-20}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers}, language = {English} } LockBit: Ransomware Puts Servers in the Crosshairs
LockBit
2022-07-18FortinetFortiGuard Labs
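@online{labs:20220718:ransomware:69b4e95, title = {{Ransomware Roundup: Protecting Against New Variants}}, author = {{FortiGuard Labs}}, organization = {Fortinet}, date = {2022-07-18}, urldate = {2022-07-25}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants}, language = {English} } Ransomware Roundup: Protecting Against New Variants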
LockBit LockBit
2022-07-13GLIMPSGLIMPS
@online{glimps:20220713:lockbit:c4e0803, title = {{Lockbit 3.0}}, author = {{GLIMPS}}, organization = {GLIMPS}, date = {2022-07-13}, urldate = {2022-07-18}, url = {https://www.glimps.fr/lockbit3-0/}, language = {French} } Lockbit 3.0
BlackMatter DarkSide LockBit
2022-07-10Minerva LabsNatalie Zargarov
@online{zargarov:20220710:lockbit:98f59a8, title = {{Lockbit 3.0 AKA Lockbit Black is here, with a new icon, new ransom note, new wallpaper, but less evasiveness?}}, author = {Zargarov, Natalie}, organization = {Minerva Labs}, date = {2022-07-10}, urldate = {2022-07-15}, url = {https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness}, language = {English} } Lockbit 3.0 AKA Lockbit Black is here, with a new icon, new ransom note, new wallpaper, but less evasiveness?
LockBit
2022-07-07CybereasonCybereason Global SOC Team
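@online{team:20220707:threat:9f9399b, title = {{THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom}}, author = {{Cybereason Global SOC Team}}, organization = {Cybereason}, date = {2022-07-07}, urldate = {2022-07-12}, url = {https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom}, language = {English} } THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom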
LockBit
2022-07-06Cluster25Cluster25
@online{cluster25:20220706:lockbit:5228074, title = {{LockBit 3.0: “Making The Ransomware Great Again”}}, author = {{Cluster25}}, organization = {Cluster25}, date = {2022-07-06}, urldate = {2022-07-13}, url = {https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/}, language = {English} } LockBit 3.0: “Making The Ransomware Great Again”
LockBit
2022-07-05cybleCyble Research Labs
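@online{labs:20220705:lockbit:3ff51ed, title = {{Lockbit 3.0 – Ransomware Group Launches New Version}}, author = {{Cyble Research Labs}}, organization = {cyble}, date = {2022-07-05}, urldate = {2022-07-13}, url = {https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/}, language = {English} } Lockbit 3.0 – Ransomware Group Launches New Version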
LockBit
2022-06-24AhnLabASEC
@online{asec:20220624:lockbit:a98a9bb, title = {{LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed}}, author = {{ASEC}}, organization = {AhnLab}, date = {2022-06-24}, urldate = {2022-06-27}, url = {https://asec.ahnlab.com/en/35822/}, language = {English} } LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed
LockBit
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, author = {Nazarov, Nikita and Davydov, Vasily and Shornikova, Natalya and Burtsev, Vladislav and Nasonov, Danila}, organization = {Kaspersky}, date = {2022-06-23}, urldate = {2022-06-27}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@techreport{nazarov:20220623:hateful:bae0681, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs}}, author = {Nazarov, Nikita and Davydov, Vasily and Shornikova, Natalya and Burtsev, Vladislav and Nasonov, Danila}, institution = {Kaspersky}, date = {2022-06-23}, urldate = {2022-06-27}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf}, language = {English} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-06-09Palo Alto Networks Unit 42Amer Elsad, JR Gumarin, Abigail Barr
@online{elsad:20220609:lockbit:3cfa609, title = {{LockBit 2.0: How This RaaS Operates and How to Protect Against It}}, author = {Elsad, Amer and Gumarin, JR and Barr, Abigail}, organization = {Palo Alto Networks Unit 42}, date = {2022-06-09}, urldate = {2022-06-11}, url = {https://unit42.paloaltonetworks.com/lockbit-2-ransomware/}, language = {English} } LockBit 2.0: How This RaaS Operates and How to Protect Against It
LockBit
2022-06-02Packtpacktsecurity
@online{packtsecurity:20220602:secpro:91d88bd, title = {{A SecPro Super Issue: Understanding LockBit}}, author = {{packtsecurity}}, organization = {Packt}, date = {2022-06-02}, urldate = {2022-10-06}, url = {https://security.packt.com/understanding-lockbit/}, language = {English} } A SecPro Super Issue: Understanding LockBit
LockBit LockBit BITWISE SPIDER
2022-06-02MandiantMandiant Intelligence
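@online{intelligence:20220602:to:e15831c, title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}}, author = {{Mandiant Intelligence}}, organization = {Mandiant}, date = {2022-06-02}, urldate = {2022-06-04}, url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions}, language = {English} } To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions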
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-05-23Trend MicroMatsugaya Shingo
@online{shingo:20220523:lockbit:8d0fff2, title = {{LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022}}, author = {Matsugaya Shingo}, organization = {Trend Micro}, date = {2022-05-23}, urldate = {2022-05-24}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022}, language = {English} } LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022
BlackCat Conti LockBit
2022-05-23Trend MicroTrend Micro Research
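@techreport{research:20220523:lockbit:6eb72ce, title = {{LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022 (PDF)}}, author = {{Trend Micro Research}}, institution = {Trend Micro}, date = {2022-05-23}, urldate = {2022-05-29}, url = {https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf}, language = {English} } LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022 (PDF)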
BlackCat Conti LockBit
2022-05-11KasperskyGReAT
@online{great:20220511:new:a56bc90, title = {{New ransomware trends in 2022}}, author = {{GReAT}}, organization = {Kaspersky}, date = {2022-05-11}, urldate = {2022-05-17}, url = {https://securelist.com/new-ransomware-trends-in-2022/106457/}, language = {English} } New ransomware trends in 2022
BlackCat Conti DEADBOLT DoubleZero LockBit PartyTicket StealBit
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
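@online{team:20220509:ransomwareasaservice:13ec472, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, author = {{Microsoft 365 Defender Threat Intelligence Team} and {Microsoft Threat Intelligence Center (MSTIC)}}, organization = {Microsoft}, date = {2022-05-09}, urldate = {2022-05-17}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself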
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09Microsoft SecurityMicrosoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
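@online{center:20220509:ransomwareasaservice:3dac44d, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, author = {{Microsoft Threat Intelligence Center} and {Microsoft 365 Defender Threat Intelligence Team}}, organization = {Microsoft Security}, date = {2022-05-09}, urldate = {2022-06-02}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself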
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-05-06Twitter (@MsftSecIntel)Microsoft Security Intelligence
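@online{intelligence:20220506:twitter:7a00df8, title = {{Twitter Thread on initial infection of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity}}, author = {{Microsoft Security Intelligence}}, organization = {Twitter (@MsftSecIntel)}, date = {2022-05-06}, urldate = {2022-05-09}, url = {https://twitter.com/MsftSecIntel/status/1522690116979855360}, language = {English} } Twitter Thread on initial infection of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity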
FAKEUPDATES Blister Cobalt Strike LockBit
2022-05-06LeMagITValéry Rieß-Marchive
@online{riemarchive:20220506:ransomware:0a466dc, title = {{Ransomware: LockBit 3.0 Starts Using in Cyberattacks}}, author = {Rieß-Marchive, Valéry}, organization = {LeMagIT}, date = {2022-05-06}, urldate = {2022-05-08}, url = {https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques}, language = {French} } Ransomware: LockBit 3.0 Starts Using in Cyberattacks
LockBit
2022-05-05Intel 471Intel 471
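@online{471:20220505:cybercrime:f091e4f, title = {{Cybercrime loves company: Conti cooperated with other ransomware gangs}}, author = {{Intel 471}}, organization = {Intel 471}, date = {2022-05-05}, urldate = {2022-05-05}, url = {https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker}, language = {English} } Cybercrime loves company: Conti cooperated with other ransomware gangs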
LockBit Maze RagnarLocker Ryuk
2022-04-27Sentinel LABSJames Haughom, Júlio Dantas, Jim Walter
@online{haughom:20220427:lockbit:da3d5d1, title = {{LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility}}, author = {Haughom, James and Dantas, Júlio and Walter, Jim}, organization = {Sentinel LABS}, date = {2022-04-27}, urldate = {2022-04-29}, url = {https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/}, language = {English} } LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit
2022-04-27Sentinel LABSJames Haughom, Júlio Dantas, Jim Walter
@online{haughom:20220427:lockbit:f0328ef, title = {{LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility}}, author = {Haughom, James and Dantas, Júlio and Walter, Jim}, organization = {Sentinel LABS}, date = {2022-04-27}, urldate = {2022-07-25}, url = {https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility}, language = {English} } LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit BRONZE STARLIGHT
2022-04-12SophosAndrew Brandt, Angela Gunn, Melissa Kelly, Peter Mackenzie, Ferenc László Nagy, Mauricio Valdivieso, Sergio Bestulic, Johnathan Fern, Linda Smith, Matthew Everts
@online{brandt:20220412:attackers:f9f5c52, title = {{Attackers linger on government agency computers before deploying Lockbit ransomware}}, author = {Brandt, Andrew and Gunn, Angela and Kelly, Melissa and Mackenzie, Peter and Nagy, Ferenc László and Valdivieso, Mauricio and Bestulic, Sergio and Fern, Johnathan and Smith, Linda and Everts, Matthew}, organization = {Sophos}, date = {2022-04-12}, urldate = {2022-04-15}, url = {https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/}, language = {English} } Attackers linger on government agency computers before deploying Lockbit ransomware
LockBit
2022-04-12ConnectWiseConnectWise CRU
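@online{cru:20220412:threat:6f5aace, title = {{Threat Profile: LockBit}}, author = {{ConnectWise CRU}}, organization = {ConnectWise}, date = {2022-04-12}, urldate = {2022-04-13}, url = {https://www.connectwise.com/resources/lockbit-profile}, language = {English} } Threat Profile: LockBit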
LockBit
2022-04-06SOCRadarSOCRadar
@online{socradar:20220406:lockbit:1908458, title = {{Lockbit 3.0: Another Upgrade to World’s Most Active Ransomware}}, author = {{SOCRadar}}, organization = {SOCRadar}, date = {2022-04-06}, urldate = {2022-10-06}, url = {https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/}, language = {English} } Lockbit 3.0: Another Upgrade to World’s Most Active Ransomware
LockBit LockBit BITWISE SPIDER
2022-04-05Trend MicroEarle Maui Earnshaw, Mohamed Fahmy, Ian Kenefick, Ryan Maglaque, Abdelrhman Sharshar, Lucas Silva
@online{earnshaw:20220405:thwarting:03a6217, title = {{Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload (IoCs)}}, author = {Earnshaw, Earle Maui and Fahmy, Mohamed and Kenefick, Ian and Maglaque, Ryan and Sharshar, Abdelrhman and Silva, Lucas}, organization = {Trend Micro}, date = {2022-04-05}, urldate = {2022-05-05}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt}, language = {English} } Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload (IoCs)
FAKEUPDATES Blister LockBit
2022-04-05Trend MicroEarle Maui Earnshaw, Mohamed Fahmy, Ian Kenefick, Ryan Maglaque, Abdelrhman Sharshar, Lucas Silva
@online{earnshaw:20220405:thwarting:af5a4fd, title = {{Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload}}, author = {Earnshaw, Earle Maui and Fahmy, Mohamed and Kenefick, Ian and Maglaque, Ryan and Sharshar, Abdelrhman and Silva, Lucas}, organization = {Trend Micro}, date = {2022-04-05}, urldate = {2022-05-05}, url = {https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html}, language = {English} } Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload
FAKEUPDATES Blister LockBit
2022-04-01Bleeping ComputerLawrence Abrams
@online{abrams:20220401:week:14d9669, title = {{The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'}}, author = {Abrams, Lawrence}, organization = {Bleeping Computer}, date = {2022-04-01}, urldate = {2022-04-05}, url = {https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/}, language = {English} } The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'
Hive Dharma LockBit STOP SunCrypt
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, author = {Fokker, John and Tologonov, Jambul}, organization = {Trellix}, date = {2022-03-31}, urldate = {2022-04-07}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-31Bleeping ComputerBill Toulas
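@online{toulas:20220331:lockbit:b93bcef, title = {{LockBit victim estimates cost of ransomware attack to be \$42 million}}, author = {Toulas, Bill}, organization = {Bleeping Computer}, date = {2022-03-31}, urldate = {2022-04-04}, url = {https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/}, language = {English} } LockBit victim estimates cost of ransomware attack to be $42 million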
LockBit LockBit
2022-03-23splunkShannon Davis
@online{davis:20220323:gone:56f570f, title = {{Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed}}, author = {Davis, Shannon}, organization = {splunk}, date = {2022-03-23}, urldate = {2022-03-25}, url = {https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html}, language = {English} } Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-19Chuongdong blogChuong Dong
@online{dong:20220319:lockbit:cafbe56, title = {{LockBit Ransomware v2.0}}, author = {Dong, Chuong}, organization = {Chuongdong blog}, date = {2022-03-19}, urldate = {2022-03-22}, url = {https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/}, language = {English} } LockBit Ransomware v2.0
LockBit
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, title = {{The Ransomware Threat Intelligence Center}}, author = {Travers, Tilly}, organization = {Sophos}, date = {2022-03-17}, urldate = {2022-03-18}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-11MicrosoftMicrosoft Detection and Response Team (DART)
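@online{dart:20220311:part:13e8665, title = {{Part 2: LockBit 2.0 ransomware bugs and database recovery attempts}}, author = {{Microsoft Detection and Response Team (DART)}}, organization = {Microsoft}, date = {2022-03-11}, urldate = {2022-03-14}, url = {https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421}, language = {English} } Part 2: LockBit 2.0 ransomware bugs and database recovery attempts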
LockBit
2022-03-11Bleeping ComputerIonut Ilascu
@online{ilascu:20220311:lockbit:07a9679, title = {{LockBit ransomware gang claims attack on Bridgestone Americas}}, author = {Ilascu, Ionut}, organization = {Bleeping Computer}, date = {2022-03-11}, urldate = {2022-03-14}, url = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/}, language = {English} } LockBit ransomware gang claims attack on Bridgestone Americas
LockBit
2022-03-11MicrosoftMicrosoft Detection and Response Team (DART)
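@online{dart:20220311:part:2a214e2, title = {{Part 1: LockBit 2.0 ransomware bugs and database recovery attempts}}, author = {{Microsoft Detection and Response Team (DART)}}, organization = {Microsoft}, date = {2022-03-11}, urldate = {2022-03-14}, url = {https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354}, language = {English} } Part 1: LockBit 2.0 ransomware bugs and database recovery attempts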
LockBit
2022-02-27The RecordCatalin Cimpanu
@online{cimpanu:20220227:conti:935e928, title = {{Conti ransomware gang chats leaked by pro-Ukraine member}}, author = {Cimpanu, Catalin}, organization = {The Record}, date = {2022-02-27}, urldate = {2022-03-01}, url = {https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/}, language = {English} } Conti ransomware gang chats leaked by pro-Ukraine member
Conti LockBit
2022-02-23splunkShannon Davis, SURGe
@techreport{davis:20220223:empirically:fe03729, title = {{An Empirically Comparative Analysis of Ransomware Binaries}}, author = {Davis, Shannon and {SURGe}}, institution = {splunk}, date = {2022-02-23}, urldate = {2022-03-25}, url = {https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf}, language = {English} } An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-02-14DR.DKAllan Nisgaard, Marcel Mirzaei-Fard, Kenrik Moltke, Ingeborg Munk Toft
@online{nisgaard:20220214:var:75495c9, title = {{Var tæt på at slukke tusindvis af vindmøller: Nu fortæller Vestas om cyberangreb}}, author = {Nisgaard, Allan and Mirzaei-Fard, Marcel and Moltke, Kenrik and Toft, Ingeborg Munk}, organization = {DR.DK}, date = {2022-02-14}, urldate = {2022-02-14}, url = {https://www.dr.dk/nyheder/viden/teknologi/frygtede-skulle-lukke-alle-vindmoeller-nu-aabner-vestas-op-om-hacking-angreb}, language = {Danish} } Var tæt på at slukke tusindvis af vindmøller: Nu fortæller Vestas om cyberangreb
LockBit
2022-02-14LIFARSVlad Pasca
@techreport{pasca:20220214:detailed:a0a0fde, title = {{A Detailed Analysis of The LockBit Ransomware}}, author = {Pasca, Vlad}, institution = {LIFARS}, date = {2022-02-14}, urldate = {2022-03-01}, url = {https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf}, language = {English} } A Detailed Analysis of The LockBit Ransomware
LockBit LockBit
2022-02-09DragosAnna Skelton
@online{skelton:20220209:dragos:89d2a68, title = {{Dragos ICS/OT Ransomware Analysis: Q4 2021}}, author = {Skelton, Anna}, organization = {Dragos}, date = {2022-02-09}, urldate = {2022-02-14}, url = {https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/}, language = {English} } Dragos ICS/OT Ransomware Analysis: Q4 2021
LockBit Conti LockBit
2022-02-08Trend MicroTrend Micro Research
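@online{research:20220208:ransomware:df64c5f, title = {{Ransomware Spotlight: LockBit}}, author = {{Trend Micro Research}}, organization = {Trend Micro}, date = {2022-02-08}, urldate = {2022-02-09}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit}, language = {English} } Ransomware Spotlight: LockBit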
LockBit BITWISE SPIDER
2022-02-08Intel 471Intel 471
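@online{471:20220208:privateloader:5e226cd, title = {{PrivateLoader: The first step in many malware schemes}}, author = {{Intel 471}}, organization = {Intel 471}, date = {2022-02-08}, urldate = {2022-05-09}, url = {https://intel471.com/blog/privateloader-malware}, language = {English} } PrivateLoader: The first step in many malware schemes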
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2022-02-07FBIFBI
@techreport{fbi:20220207:cu000162mw:4b54d23, title = {{CU-000162-MW: Indicators of Compromise Associated with LockBit 2.0 Ransomware}}, author = {{FBI}}, institution = {FBI}, date = {2022-02-07}, urldate = {2022-02-09}, url = {https://www.ic3.gov/Media/News/2022/220204.pdf}, language = {English} } CU-000162-MW: Indicators of Compromise Associated with LockBit 2.0 Ransomware
LockBit LockBit
2022-01-27CoveWare
@online{coveware:20220127:ransomware:165f513, title = {{Ransomware as a Service Innovation Curve}}, author = {{CoveWare}}, date = {2022-01-27}, urldate = {2022-02-14}, url = {https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve}, language = {English} } Ransomware as a Service Innovation Curve
Conti LockBit
2022-01-26IntrinsecIntrinsec
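@online{intrinsec:20220126:alphv:9f00db5,
  author       = {{Intrinsec}},
  title        = {{ALPHV} ransomware gang analysis},
  date         = {2022-01-26},
  organization = {Intrinsec},
  url          = {https://www.intrinsec.com/alphv-ransomware-gang-analysis},
  language     = {English},
  urldate      = {2022-02-01},
}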
BlackCat LockBit
2022-01-24Trend MicroJunestherry Dela Cruz
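@online{cruz:20220124:analysis:5807286,
  author       = {Dela Cruz, Junestherry},
  title        = {Analysis and Impact of {LockBit} Ransomware’s First {Linux} and {VMware ESXi} Variant},
  date         = {2022-01-24},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html},
  language     = {English},
  urldate      = {2022-01-25},
}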
LockBit LockBit
2022-01-21CrowdStrikeFalcon OverWatch Team
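@online{team:20220121:better:42d5b2b,
  author       = {{Falcon OverWatch Team}},
  title        = {Better Together: The Power of Managed Cybersecurity Services in the Face of Pressing Global Security Challenges},
  date         = {2022-01-21},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/},
  language     = {English},
  urldate      = {2022-10-06},
}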
LockBit LockBit BITWISE SPIDER
2021-12-16CybereasonAleksandar Milenkoski, Kotaro Ogino
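@online{milenkoski:20211216:inside:40c2e51,
  author       = {Milenkoski, Aleksandar and Ogino, Kotaro},
  title        = {Inside the {LockBit} Arsenal - The {StealBit} Exfiltration Tool},
  date         = {2021-12-16},
  organization = {Cybereason},
  url          = {https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool},
  language     = {English},
  urldate      = {2022-02-04},
}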
LockBit StealBit
2021-11-23MorphisecHido Cohen, Arnold Osipov
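@online{cohen:20211123:babadeda:ae0d0ac,
  author       = {Cohen, Hido and Osipov, Arnold},
  title        = {{Babadeda} Crypter targeting crypto, {NFT}, and {DeFi} communities},
  date         = {2021-11-23},
  organization = {Morphisec},
  url          = {https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities},
  language     = {English},
  urldate      = {2021-12-22},
}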
BitRAT LockBit Remcos
2021-11-18CiscoJosh Pyorre
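@online{pyorre:20211118:blackmatter:e9e9bbf,
  author       = {Pyorre, Josh},
  title        = {{BlackMatter}, {LockBit}, and {THOR}},
  date         = {2021-11-18},
  organization = {Cisco},
  url          = {https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor},
  language     = {English},
  urldate      = {2022-03-28},
}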
BlackMatter LockBit PlugX
2021-11-18Red CanaryThe Red Canary Team
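@online{team:20211118:intelligence:7b00cb9,
  author       = {{The Red Canary Team}},
  title        = {Intelligence Insights: {November} 2021},
  date         = {2021-11-18},
  organization = {Red Canary},
  url          = {https://redcanary.com/blog/intelligence-insights-november-2021/},
  language     = {English},
  urldate      = {2021-11-19},
}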
Andromeda Conti LockBit QakBot Squirrelwaffle
2021-11-17CrowdStrikeThomas Moses, Sarang Sonawane, Liviu Arsene
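@online{moses:20211117:ransomware:5d7431b,
  author       = {Moses, Thomas and Sonawane, Sarang and Arsene, Liviu},
  title        = {Ransomware {(R)evolution} Plagues Organizations, But {CrowdStrike} Protection Never Wavers},
  date         = {2021-11-17},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/},
  language     = {English},
  urldate      = {2021-11-19},
}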
LockBit
2021-11-03Bleeping ComputerLawrence Abrams
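@online{abrams:20211103:blackmatter:5681de9,
  author       = {Abrams, Lawrence},
  title        = {{BlackMatter} ransomware moves victims to {LockBit} after shutdown},
  date         = {2021-11-03},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/},
  language     = {English},
  urldate      = {2021-11-08},
}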
BlackMatter BlackMatter LockBit
2021-10-27MBSDMBSD
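@techreport{mbsd:20211027:lockbit20:f61ede8,
  author      = {{MBSD}},
  title       = {ランサムウェア「{LockBit2.0}」の内部構造を紐},
  date        = {2021-10-27},
  institution = {MBSD},
  url         = {https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf},
  language    = {Japanese},
  urldate     = {2021-11-03},
}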
LockBit
2021-10-15skyblue.team blogskyblue team
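@online{team:20211015:recovering:dabb007,
  author       = {{skyblue team}},
  title        = {Recovering registry hives encrypted by {LockBit} 2.0},
  date         = {2021-10-15},
  organization = {skyblue.team blog},
  url          = {https://skyblue.team/posts/hive-recovery-from-lockbit-2.0/},
  language     = {English},
  urldate      = {2021-11-19},
}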
LockBit
2021-10-12CrowdStrikeCrowdStrike Intelligence Team
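@online{team:20211012:ecx:5540ee9,
  author       = {{CrowdStrike Intelligence Team}},
  title        = {{ECX}: Big Game Hunting on the Rise Following a Notable Reduction in Activity},
  date         = {2021-10-12},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/},
  language     = {English},
  urldate      = {2021-11-02},
}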
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-10-05Seguranca InformaticaPedro Tavares
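@online{tavares:20211005:malware:b92d5a9,
  author       = {Tavares, Pedro},
  title        = {Malware analysis: Details on {LockBit} ransomware},
  date         = {2021-10-05},
  organization = {Seguranca Informatica},
  url          = {https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/},
  language     = {English},
  urldate      = {2021-10-11},
}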
LockBit
2021-09-24YoroiLuigi Martire, Luca Mella
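@online{martire:20210924:hunting:d29a5e6,
  author       = {Martire, Luigi and Mella, Luca},
  title        = {Hunting the {LockBit} Gang's Exfiltration Infrastructures},
  date         = {2021-09-24},
  organization = {Yoroi},
  url          = {https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/},
  language     = {English},
  urldate      = {2021-09-24},
}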
LockBit StealBit
2021-09-09IBMMegan Roddie
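@online{roddie:20210909:lockbit:8b80ed5,
  author       = {Roddie, Megan},
  title        = {{LockBit} 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment},
  date         = {2021-09-09},
  organization = {IBM},
  url          = {https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/},
  language     = {English},
  urldate      = {2021-09-10},
}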
LockBit
2021-08-26Advanced IntelligenceAnastasia Sentsova
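@online{sentsova:20210826:from:29830d8,
  author       = {Sentsova, Anastasia},
  title        = {From {Russia} With… {LockBit} Ransomware: Inside Look \& Preventive Solutions},
  date         = {2021-08-26},
  organization = {Advanced Intelligence},
  url          = {https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions},
  language     = {English},
  urldate      = {2021-08-31},
}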
LockBit
2021-08-24Palo Alto Networks Unit 42Ruchna Nigam, Doel Santos
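@online{nigam:20210824:ransomware:dfd3e4b,
  author       = {Nigam, Ruchna and Santos, Doel},
  title        = {Ransomware Groups to Watch: Emerging Threats},
  date         = {2021-08-24},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/emerging-ransomware-groups/},
  language     = {English},
  urldate      = {2021-08-24},
}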
HelloKitty AvosLocker HelloKitty Hive LockBit
2021-08-24KELAKELA Cyber Intelligence Center
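@online{center:20210824:lockbit:730526a,
  author       = {{KELA Cyber Intelligence Center}},
  title        = {{LockBit} 2.0 Interview with {Russian OSINT}},
  date         = {2021-08-24},
  organization = {KELA},
  url          = {https://ke-la.com/lockbit-2-0-interview-with-russian-osint/},
  language     = {English},
  urldate      = {2021-11-02},
}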
LockBit
2021-08-17Medium amgedwagehAmged Wageh
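@online{wageh:20210817:lockbit:07eda70,
  author       = {Wageh, Amged},
  title        = {{LockBit} Ransomware Analysis Notes},
  date         = {2021-08-17},
  organization = {Medium amgedwageh},
  url          = {https://amgedwageh.medium.com/lockbit-ransomware-analysis-notes-93a542fc8511},
  language     = {English},
  urldate      = {2022-07-05},
}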
LockBit
2021-08-17Amged Wagih
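@online{wagih:20210817:lockbit:6ee0432,
  author   = {Wagih, Amged},
  title    = {{LockBit} Ransomware - Technical Anlysis},
  date     = {2021-08-17},
  url      = {https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511},
  language = {English},
  urldate  = {2021-08-17},
}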
LockBit
2021-08-16Trend MicroJett Paulo Bernardo, Jayson Chong, Nikki Madayag, Mark Marti, Cris Tomboc, Sean Torre, Byron Gelera
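@online{bernardo:20210816:lockbit:d709d4c,
  author       = {Bernardo, Jett Paulo and Chong, Jayson and Madayag, Nikki and Marti, Mark and Tomboc, Cris and Torre, Sean and Gelera, Byron},
  title        = {{LockBit} Resurfaces With Version 2.0 Ransomware Detections in {Chile}, {Italy}, {Taiwan}, {UK}},
  date         = {2021-08-16},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html},
  language     = {English},
  urldate      = {2021-08-23},
}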
LockBit
2021-08-16cybleCyble
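@online{cyble:20210816:deepdive:b23c978,
  author       = {{Cyble}},
  title        = {A Deep-dive Analysis of {LOCKBIT} 2.0},
  date         = {2021-08-16},
  organization = {cyble},
  url          = {https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/},
  language     = {English},
  urldate      = {2021-09-19},
}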
LockBit
2021-08-15SymantecThreat Hunter Team
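@techreport{team:20210815:ransomware:f799696,
  author      = {{Threat Hunter Team}},
  title       = {The Ransomware Threat},
  date        = {2021-08-15},
  institution = {Symantec},
  url         = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
  language    = {English},
  urldate     = {2021-12-15},
}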
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-12NetskopeGustavo Palazolo
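@online{palazolo:20210812:netskope:b320543,
  author       = {Palazolo, Gustavo},
  title        = {{Netskope} Threat Coverage: {LockBit}},
  date         = {2021-08-12},
  organization = {Netskope},
  url          = {https://www.netskope.com/blog/netskope-threat-coverage-lockbit},
  language     = {English},
  urldate      = {2021-09-02},
}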
LockBit
2021-08-11CybereasonTony Bradley
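@online{bradley:20210811:rising:3bef356,
  author       = {Bradley, Tony},
  title        = {The Rising Threat from {LockBit} Ransomware},
  date         = {2021-08-11},
  organization = {Cybereason},
  url          = {https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware},
  language     = {English},
  urldate      = {2022-02-14},
}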
LockBit
2021-08-06The RecordCatalin Cimpanu
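@online{cimpanu:20210806:australian:8543b09,
  author       = {Cimpanu, Catalin},
  title        = {{Australian} cybersecurity agency warns of spike in {LockBit} ransomware attacks},
  date         = {2021-08-06},
  organization = {The Record},
  url          = {https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/},
  language     = {English},
  urldate      = {2021-08-09},
}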
LockBit
2021-08-04Bleeping ComputerSergiu Gatlan
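@online{gatlan:20210804:energy:687b773,
  author       = {Gatlan, Sergiu},
  title        = {Energy group {ERG} reports minor disruptions after ransomware attack},
  date         = {2021-08-04},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/},
  language     = {English},
  urldate      = {2021-08-06},
}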
LockBit
2021-08-04Bleeping ComputerLawrence Abrams
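@online{abrams:20210804:lockbit:c6ab8ec,
  author       = {Abrams, Lawrence},
  title        = {{LockBit} ransomware recruiting insiders to breach corporate networks},
  date         = {2021-08-04},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/},
  language     = {English},
  urldate      = {2021-08-06},
}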
LockBit
2021-08-03Bleeping ComputerLawrence Abrams
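@online{abrams:20210803:ransomware:d1b938f,
  author       = {Abrams, Lawrence},
  title        = {Ransomware attack hits {Italy}'s {Lazio} region, affects {COVID-19} site},
  date         = {2021-08-03},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/},
  language     = {English},
  urldate      = {2021-08-06},
}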
LockBit RansomEXX
2021-08-02The RecordDmitry Smilyanets
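@online{smilyanets:20210802:interview:b42389c,
  author       = {Smilyanets, Dmitry},
  title        = {An interview with {BlackMatter}: A new ransomware group that’s learning from the mistakes of {DarkSide} and {REvil}},
  date         = {2021-08-02},
  organization = {The Record},
  url          = {https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/},
  language     = {English},
  urldate      = {2021-08-03},
}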
DarkSide LockBit REvil
2021-07-27Recorded FutureInsikt Group®
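@online{group:20210727:blackmatter:db85bfb,
  author       = {{Insikt Group®}},
  title        = {{BlackMatter} Ransomware Emerges As Successor to {DarkSide}, {REvil}},
  date         = {2021-07-27},
  organization = {Recorded Future},
  url          = {https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/},
  language     = {English},
  urldate      = {2021-07-29},
}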
DarkSide LockBit REvil
2021-07-27Bleeping ComputerLawrence Abrams
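@online{abrams:20210727:lockbit:095b8d6,
  author       = {Abrams, Lawrence},
  title        = {{LockBit} ransomware now encrypts {Windows} domains using group policies},
  date         = {2021-07-27},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/},
  language     = {English},
  urldate      = {2021-07-29},
}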
Egregor LockBit
2021-07-22S2W LAB Inc.Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim
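@online{kim:20210722:w4:c901bea,
  author       = {Kim, Denise Dasom and Lim, Jungyeon and Jeong, Yeonghyeon and Lim, Sujin},
  title        = {{W4 July} | {EN} | Story of the week: Ransomware on the {Darkweb}},
  date         = {2021-07-22},
  organization = {S2W LAB Inc.},
  url          = {https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a},
  language     = {English},
  urldate      = {2021-07-26},
}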
LockBit SunCrypt
2021-06-18PRODAFT Threat IntelligencePRODAFT
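@techreport{prodaft:20210618:lockbit:783c679,
  author      = {{PRODAFT}},
  title       = {{LockBit} {RaaS} In-Depth Analysis},
  date        = {2021-06-18},
  institution = {PRODAFT Threat Intelligence},
  url         = {https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf},
  language    = {English},
  urldate     = {2021-06-22},
}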
LockBit
2021-05-13Bleeping ComputerLawrence Abrams
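@online{abrams:20210513:popular:62e98c8,
  author       = {Abrams, Lawrence},
  title        = {Popular {Russian} hacking forum {XSS} bans all ransomware topics},
  date         = {2021-05-13},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/},
  language     = {English},
  urldate      = {2021-05-17},
}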
DarkSide DarkSide LockBit REvil
2021-05-10DarkTracerDarkTracer
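@online{darktracer:20210510:intelligence:b9d1c3f,
  author       = {{DarkTracer}},
  title        = {Intelligence Report on Ransomware Gangs on the {DarkWeb}: List of victim organizations attacked by ransomware gangs released on the {DarkWeb}},
  date         = {2021-05-10},
  organization = {DarkTracer},
  url          = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3},
  language     = {English},
  urldate      = {2021-05-13},
}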
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
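@online{denker:20210506:ransomware:a1f31df,
  author       = {Denker, Brandon},
  title        = {Ransomware: Hunting for Inhibiting System Backup or Recovery},
  date         = {2021-05-06},
  organization = {Cyborg Security},
  url          = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/},
  language     = {English},
  urldate      = {2021-05-08},
}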
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-28Bleeping ComputerLawrence Abrams
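@online{abrams:20210428:uk:2cce8c7,
  author       = {Abrams, Lawrence},
  title        = {{UK} rail network {Merseyrail} likely hit by {Lockbit} ransomware},
  date         = {2021-04-28},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/},
  language     = {English},
  urldate      = {2021-05-04},
}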
LockBit
2021-04-26CoveWareCoveWare
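@online{coveware:20210426:ransomware:12586d5,
  author       = {{CoveWare}},
  title        = {Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound},
  date         = {2021-04-26},
  organization = {CoveWare},
  url          = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound},
  language     = {English},
  urldate      = {2021-05-13},
}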
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-07ANALYST1Jon DiMaggio
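@techreport{dimaggio:20210407:ransom:a543eac,
  author      = {DiMaggio, Jon},
  title       = {Ransom Mafia Analysis of the World's First Ransomware Cartel},
  date        = {2021-04-07},
  institution = {ANALYST1},
  url         = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf},
  language    = {English},
  urldate     = {2021-04-09},
}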
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-04-07ANALYST1Jon DiMaggio
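@online{dimaggio:20210407:ransom:a109d6f,
  author       = {DiMaggio, Jon},
  title        = {Ransom Mafia - Analysis of the World's First Ransomware Cartel},
  date         = {2021-04-07},
  organization = {ANALYST1},
  url          = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel},
  language     = {English},
  urldate      = {2021-06-01},
}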
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-04-05Trend MicroEarle Earnshaw, Mohamed Fahmy, Ian Kenefick, Ryan Maglaque, Abdelrhman Sharshar, Lucas Silva
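@online{earnshaw:20210405:thwarting:26d6d77,
  author       = {Earnshaw, Earle and Fahmy, Mohamed and Kenefick, Ian and Maglaque, Ryan and Sharshar, Abdelrhman and Silva, Lucas},
  title        = {Thwarting Loaders: From {SocGholish} to {BLISTER}’s {LockBit} Payload},
  date         = {2021-04-05},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html},
  language     = {English},
  urldate      = {2022-05-04},
}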
Blister LockBit
2021-03-17The RecordCatalin Cimpanu
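@online{cimpanu:20210317:missed:c4716fc,
  author       = {Cimpanu, Catalin},
  title        = {Missed opportunity: Bug in {LockBit} ransomware allowed free decryptions},
  date         = {2021-03-17},
  organization = {The Record},
  url          = {https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/},
  language     = {English},
  urldate      = {2021-03-19},
}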
LockBit
2021-02-23CrowdStrikeCrowdStrike
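@techreport{crowdstrike:20210223:2021:bf5bc4f,
  author      = {{CrowdStrike}},
  title       = {2021 Global Threat Report},
  date        = {2021-02-23},
  institution = {CrowdStrike},
  url         = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
  language    = {English},
  urldate     = {2021-02-25},
}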
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-26Medium s2wlabHyunmin Suh
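@online{suh:20210126:w4:138a143,
  author       = {Suh, Hyunmin},
  title        = {{W4 Jan} | {EN} | Story of the week: Ransomware on the {Darkweb}},
  date         = {2021-01-26},
  organization = {Medium s2wlab},
  url          = {https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1},
  language     = {English},
  urldate      = {2021-01-27},
}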
Avaddon Babuk LockBit
2021-01-04Cisco TalosAzim Khodjibaev, Dmytro Korzhevin, Kendall McKay
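@techreport{khodjibaev:20210104:interview:6735752,
  author      = {Khodjibaev, Azim and Korzhevin, Dmytro and McKay, Kendall},
  title       = {Interview with a {LockBit} ransomware operator},
  date        = {2021-01-04},
  institution = {Cisco Talos},
  url         = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf},
  language    = {English},
  urldate     = {2021-02-17},
}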
LockBit
2020-12-05ZDNetCatalin Cimpanu
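@online{cimpanu:20201205:ransomware:49c8fff,
  author       = {Cimpanu, Catalin},
  title        = {Ransomware hits helicopter maker {Kopter}},
  date         = {2020-12-05},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/},
  language     = {English},
  urldate      = {2020-12-08},
}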
LockBit
2020-11-18KELAVictoria Kivilevich
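@online{kivilevich:20201118:zooming:f28a9c1,
  author       = {Kivilevich, Victoria},
  title        = {Zooming into {Darknet} Threats Targeting {Japanese} Organizations},
  date         = {2020-11-18},
  organization = {KELA},
  url          = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/},
  language     = {English},
  urldate      = {2020-11-19},
}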
Conti DoppelPaymer Egregor LockBit Maze REvil Snake
2020-10-21SophosLabs UncutSean Gallagher
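@online{gallagher:20201021:lockbit:13c4faa,
  author       = {Gallagher, Sean},
  title        = {{LockBit} uses automated attack tools to identify tasty targets},
  date         = {2020-10-21},
  organization = {SophosLabs Uncut},
  url          = {https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets},
  language     = {English},
  urldate      = {2020-10-23},
}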
LockBit
2020-10-02LexfoLexfo
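@online{lexfo:20201002:lockbit:3dc988e,
  author       = {{Lexfo}},
  title        = {{Lockbit} analysis},
  date         = {2020-10-02},
  organization = {Lexfo},
  url          = {https://blog.lexfo.fr/lockbit-malware.html},
  language     = {English},
  urldate      = {2020-10-23},
}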
LockBit
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
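@online{team:20200925:double:fe3b093,
  author       = {{The Crowdstrike Intel Team}},
  title        = {Double Trouble: Ransomware with Data Leak Extortion, Part 1},
  date         = {2020-09-25},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/},
  language     = {English},
  urldate      = {2020-10-02},
}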
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
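@online{team:20200924:double:3b3ade6,
  author       = {{CrowdStrike Intelligence Team}},
  title        = {Double Trouble: Ransomware with Data Leak Extortion, Part 1},
  date         = {2020-09-24},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1},
  language     = {English},
  urldate      = {2021-05-31},
}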
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-09-17CRYPSISDrew Schmitt
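@online{schmitt:20200917:ransomwares:ca3dcee,
  author       = {Schmitt, Drew},
  title        = {Ransomware’s New Trend: Exfiltration and Extortion},
  date         = {2020-09-17},
  organization = {CRYPSIS},
  url          = {https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion},
  language     = {English},
  urldate      = {2020-11-09},
}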
LockBit
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
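@online{liebenberg:20200901:quarterly:c02962b,
  author       = {Liebenberg, David and Huey, Caitlin},
  title        = {Quarterly Report: Incident Response trends in Summer 2020},
  date         = {2020-09-01},
  organization = {Cisco Talos},
  url          = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html},
  language     = {English},
  urldate      = {2020-09-03},
}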
Cobalt Strike LockBit Mailto Maze Ryuk
2020-07-29ESET Researchwelivesecurity
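@techreport{welivesecurity:20200729:threat:496355c,
  author      = {{welivesecurity}},
  title       = {{THREAT REPORT} {Q2} 2020},
  date        = {2020-07-29},
  institution = {ESET Research},
  url         = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
  language    = {English},
  urldate     = {2020-07-30},
}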
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
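@online{team:20200428:ransomware:3205f3a,
  author       = {{Microsoft Threat Protection Intelligence Team}},
  title        = {Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk},
  date         = {2020-04-28},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/},
  language     = {English},
  urldate      = {2020-05-05},
}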
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-24Github (albertzsigovits)Albert Zsigovits
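@online{zsigovits:20200424:lockbit:b78dcba,
  author       = {Zsigovits, Albert},
  title        = {{LockBit} ransomware {IoCs}},
  date         = {2020-04-24},
  organization = {Github (albertzsigovits)},
  url          = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md},
  language     = {English},
  urldate      = {2020-04-26},
}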
LockBit
2020-04-24Sophos LabsAlbert Zsigovits
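@online{zsigovits:20200424:lockbit:8ebe6f8,
  author       = {Zsigovits, Albert},
  title        = {{LockBit} ransomware borrows tricks to keep up with {REvil} and {Maze}},
  date         = {2020-04-24},
  organization = {Sophos Labs},
  url          = {https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/},
  language     = {English},
  urldate      = {2020-05-14},
}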
LockBit
Yara Rules
[TLP:WHITE] win_lockbit_auto (20221125 | Detects win.lockbit.)
rule win_lockbit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.lockbit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d06 50 e8???????? 3d75809176 740e }
            // n = 5, score = 300
            //   8d06                 | lea                 eax, [esi]
            //   50                   | push                eax
            //   e8????????           |                     
            //   3d75809176           | cmp                 eax, 0x76918075
            //   740e                 | je                  0x10

        $sequence_1 = { 7407 3d9bb4840b 7518 8b4e0c 03cb ff759c }
            // n = 6, score = 300
            //   7407                 | je                  9
            //   3d9bb4840b           | cmp                 eax, 0xb84b49b
            //   7518                 | jne                 0x1a
            //   8b4e0c               | mov                 ecx, dword ptr [esi + 0xc]
            //   03cb                 | add                 ecx, ebx
            //   ff759c               | push                dword ptr [ebp - 0x64]

        $sequence_2 = { 50 8d45fc 50 ff75fc ff75f4 }
            // n = 5, score = 300
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff75f4               | push                dword ptr [ebp - 0xc]

        $sequence_3 = { 8d45a0 50 e8???????? 8d858cfeffff 50 8d45c0 }
            // n = 6, score = 300
            //   8d45a0               | lea                 eax, [ebp - 0x60]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d858cfeffff         | lea                 eax, [ebp - 0x174]
            //   50                   | push                eax
            //   8d45c0               | lea                 eax, [ebp - 0x40]

        $sequence_4 = { 3d75ba0e64 752e 83c702 66833f20 74f7 8d857cffffff }
            // n = 6, score = 300
            //   3d75ba0e64           | cmp                 eax, 0x640eba75
            //   752e                 | jne                 0x30
            //   83c702               | add                 edi, 2
            //   66833f20             | cmp                 word ptr [edi], 0x20
            //   74f7                 | je                  0xfffffff9
            //   8d857cffffff         | lea                 eax, [ebp - 0x84]

        $sequence_5 = { 57 c745fc00000000 8b7d08 57 }
            // n = 4, score = 300
            //   57                   | push                edi
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   57                   | push                edi

        $sequence_6 = { ff759c 8d858cfeffff 50 ff7610 51 }
            // n = 5, score = 300
            //   ff759c               | push                dword ptr [ebp - 0x64]
            //   8d858cfeffff         | lea                 eax, [ebp - 0x174]
            //   50                   | push                eax
            //   ff7610               | push                dword ptr [esi + 0x10]
            //   51                   | push                ecx

        $sequence_7 = { 7702 0c20 02f1 2af1 }
            // n = 4, score = 300
            //   7702                 | ja                  4
            //   0c20                 | or                  al, 0x20
            //   02f1                 | add                 dh, cl
            //   2af1                 | sub                 dh, cl

        $sequence_8 = { 50 e8???????? 89459c e8???????? 8bd8 8b5b08 8b733c }
            // n = 7, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   89459c               | mov                 dword ptr [ebp - 0x64], eax
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   8b5b08               | mov                 ebx, dword ptr [ebx + 8]
            //   8b733c               | mov                 esi, dword ptr [ebx + 0x3c]

        $sequence_9 = { 888424e1040000 33ff c68424e204000000 57 }
            // n = 4, score = 100
            //   888424e1040000       | mov                 byte ptr [esp + 0x4e1], al
            //   33ff                 | xor                 edi, edi
            //   c68424e204000000     | mov                 byte ptr [esp + 0x4e2], 0
            //   57                   | push                edi

        $sequence_10 = { 888424e1020000 e8???????? 6a6e 8d8c24d4020000 888424e2020000 }
            // n = 5, score = 100
            //   888424e1020000       | mov                 byte ptr [esp + 0x2e1], al
            //   e8????????           |                     
            //   6a6e                 | push                0x6e
            //   8d8c24d4020000       | lea                 ecx, [esp + 0x2d4]
            //   888424e2020000       | mov                 byte ptr [esp + 0x2e2], al

        $sequence_11 = { 888424e1030000 e8???????? 6a72 8d8c24cc030000 }
            // n = 4, score = 100
            //   888424e1030000       | mov                 byte ptr [esp + 0x3e1], al
            //   e8????????           |                     
            //   6a72                 | push                0x72
            //   8d8c24cc030000       | lea                 ecx, [esp + 0x3cc]

        $sequence_12 = { 888424e2000000 e8???????? 888424df000000 33ff c68424e000000000 57 8d8c24dd000000 }
            // n = 7, score = 100
            //   888424e2000000       | mov                 byte ptr [esp + 0xe2], al
            //   e8????????           |                     
            //   888424df000000       | mov                 byte ptr [esp + 0xdf], al
            //   33ff                 | xor                 edi, edi
            //   c68424e000000000     | mov                 byte ptr [esp + 0xe0], 0
            //   57                   | push                edi
            //   8d8c24dd000000       | lea                 ecx, [esp + 0xdd]

        $sequence_13 = { 888424e1040000 e8???????? 6a65 8d8c24c1040000 }
            // n = 4, score = 100
            //   888424e1040000       | mov                 byte ptr [esp + 0x4e1], al
            //   e8????????           |                     
            //   6a65                 | push                0x65
            //   8d8c24c1040000       | lea                 ecx, [esp + 0x4c1]

        $sequence_14 = { 888424e1060000 32e9 8a442412 32d1 }
            // n = 4, score = 100
            //   888424e1060000       | mov                 byte ptr [esp + 0x6e1], al
            //   32e9                 | xor                 ch, cl
            //   8a442412             | mov                 al, byte ptr [esp + 0x12]
            //   32d1                 | xor                 dl, cl

        $sequence_15 = { 888424e2010000 e8???????? 6a65 8d8c24da010000 }
            // n = 4, score = 100
            //   888424e2010000       | mov                 byte ptr [esp + 0x1e2], al
            //   e8????????           |                     
            //   6a65                 | push                0x65
            //   8d8c24da010000       | lea                 ecx, [esp + 0x1da]

    condition:
        7 of them and filesize < 360448
}