SYMBOLCOMMON_NAMEaka. SYNONYMS
win.revil (Back to overview)

REvil

aka: Sodinokibi, Sodin

Actor(s): Pinchy Spider


REvil Beta
MD5: bed6fc04aeb785815744706239a1f243
SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf
SHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
* Privilege escalation via CVE-2018-8453 (64-bit only)
* Rerun with RunAs to elevate privileges
* Implements a requirement that if "exp" is set, privilege escalation must be successful for full execution to occur
* Implements target whitelisting using GetKetboardLayoutList
* Contains debug console logging functionality
* Defines the REvil registry root key as SOFTWARE\!test
* Includes two variable placeholders in the ransom note: UID & KEY
* Terminates processes specified in the "prc" configuration key prior to encryption
* Deletes shadow copies and disables recovery
* Wipes contents of folders specified in the "wfld" configuration key prior to encryption
* Encrypts all non-whitelisted files on fixed drives
* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe
* Partially implements a background image setting to display a basic "Image text" message
* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)
------------------------------------
REvil 1.00
MD5: 65aa793c000762174b2f86077bdafaea
SHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457
SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc
* Adds 32-bit implementation of CVE-2018-8453 exploit
* Removes console debug logging
* Changes the REvil registry root key to SOFTWARE\recfg
* Removes the System/Impersonation success requirement for encrypting network mapped drives
* Adds a "wipe" key to the configuration for optional folder wiping
* Fully implements the background image setting and leverages values defined in the "img" configuration key
* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT
* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL
* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data
------------------------------------
REvil 1.01
MD5: 2abff29b4d87f30f011874b6e98959e9
SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c
SHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb
* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level
* Makes encryption of network mapped drives optional by adding the "-nolan" argument
------------------------------------
REvil 1.02
MD5: 4af953b20f3a1f165e7cf31d6156c035
SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299
SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4
* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage
* Partially implements "lock file" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)
* Enhances folder whitelisting logic that take special considerations if the folder is associated with "program files" directories
* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories
* Hard-codes whitelisting of "sql" subfolders within program files
* Encrypts program files sub-folders that does not contain "sql" in the path
* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted
* Encodes stored strings used for URI building within the binary and decodes them in memory right before use
* Introduces a REvil registry root key "sub_key" registry value containing the attacker's public key
------------------------------------
REvil 1.03
MD5: 3cae02306a95564b1fff4ea45a7dfc00
SHA1: 0ce2cae5287a64138d273007b34933362901783d
SHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf
* Removes lock file logic that was partially implemented in 1.02
* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)
* Encodes stored shellcode
* Adds the -path argument:
* Does not wipe folders (even if wipe == true)
* Does not set desktop background
* Does not contact the C2 server (even if net == true)
* Encrypts files in the specified folder and drops the ransom note
* Changes the REvil registry root key to SOFTWARE\QtProject\OrganizationDefaults
* Changes registry key values from --> to:
* sub_key --> pvg
* pk_key --> sxsP
* sk_key --> BDDC8
* 0_key --> f7gVD7
* rnd_ext --> Xu7Nnkd
* stat --> sMMnxpgk
------------------------------------
REvil 1.04
MD5: 6e3efb83299d800edf1624ecbc0665e7
SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d
SHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6
* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)
* Removes the folder wipe capability
* Changes the REvil registry root key to SOFTWARE\GitForWindows
* Changes registry key values from --> to:
* pvg --> QPM
* sxsP --> cMtS
* BDDC8 --> WGg7j
* f7gVD7 --> zbhs8h
* Xu7Nnkd --> H85TP10
* sMMnxpgk --> GCZg2PXD
------------------------------------
REvil v1.05
MD5: cfefcc2edc5c54c74b76e7d1d29e69b2
SHA1: 7423c57db390def08154b77e2b5e043d92d320c7
SHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea
* Add new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence.
* Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The Reg Value used is the hardcoded value of 'lNOWZyAWVv' :
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lNOWZyAWVv
* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks persistence however as the target executable specified in the Run key will no longer exist once this is done.
* Changes registry key values from --> to:
* QPM --> tgE
* cMtS --> 8K09
* WGg7j --> xMtNc
* zbhs8h --> CTgE4a
* H85TP10 --> oE5bZg0
* GCZg2PXD --> DC408Qp4
------------------------------------
REvil v1.06
MD5: 65ff37973426c09b9ff95f354e62959e
SHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e
SHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e
* Updated string decoding function to break existing yara rules. Likely the result of the blog posted by us.
* Modified handling of network file encryption. Now explicitly passes every possible "Scope" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the 'Resource Type" from RESOURCETYPE_DISK to RESOURCETYPE_ANY which will now include things like mapped printers.
* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'
* Changes registry key values from --> to:
* tgE --> 73g
* 8K09 --> vTGj
* xMtNc --> Q7PZe
* CTgE4a --> BuCrIp
* oE5bZg0 --> lcZd7OY
* DC408Qp4 --> sLF86MWC
------------------------------------
REvil v1.07
MD5: ea4cae3d6d8150215a4d90593a4c30f2
SHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e
SHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3
TBD

References
2021-09-28FlashpointFlashpoint
@online{flashpoint:20210928:revils:ffcbfac, author = {Flashpoint}, title = {{REvil’s “Cryptobackdoor” Con: Ransomware Group’s Tactics Roil Affiliates, Sparking a Fallout}}, date = {2021-09-28}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/}, language = {English}, urldate = {2021-10-13} } REvil’s “Cryptobackdoor” Con: Ransomware Group’s Tactics Roil Affiliates, Sparking a Fallout
REvil
2021-09-23Bleeping ComputerIonut Ilascu
@online{ilascu:20210923:revil:a4c0eea, author = {Ionut Ilascu}, title = {{REVil ransomware devs added a backdoor to cheat affiliates}}, date = {2021-09-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/}, language = {English}, urldate = {2021-09-23} } REVil ransomware devs added a backdoor to cheat affiliates
REvil
2021-09-22SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20210922:revil:5b97baf, author = {Counter Threat Unit ResearchTeam}, title = {{REvil Ransomware Reemerges After Shutdown; Universal Decryptor Released}}, date = {2021-09-22}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released}, language = {English}, urldate = {2021-09-28} } REvil Ransomware Reemerges After Shutdown; Universal Decryptor Released
REvil REvil
2021-09-21Washington PostEllen Nakashima, Rachel Lerman
@online{nakashima:20210921:fbi:ce8f168, author = {Ellen Nakashima and Rachel Lerman}, title = {{FBI held back ransomware decryption key from businesses to run operation targeting hackers}}, date = {2021-09-21}, organization = {Washington Post}, url = {https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html}, language = {English}, urldate = {2021-10-05} } FBI held back ransomware decryption key from businesses to run operation targeting hackers
REvil
2021-09-14CrowdStrikeCrowdStrike Intelligence Team
@online{team:20210914:big:b345561, author = {CrowdStrike Intelligence Team}, title = {{Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack}}, date = {2021-09-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/}, language = {English}, urldate = {2021-09-19} } Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-09-07Bleeping ComputerLawrence Abrams
@online{abrams:20210907:revil:121f953, author = {Lawrence Abrams}, title = {{REvil ransomware's servers mysteriously come back online}}, date = {2021-09-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/}, language = {English}, urldate = {2021-09-10} } REvil ransomware's servers mysteriously come back online
REvil
2021-09-03IBMCamille Singleton, Andrew Gorecki, John Dwyer
@online{singleton:20210903:dissecting:4d56786, author = {Camille Singleton and Andrew Gorecki and John Dwyer}, title = {{Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight}}, date = {2021-09-03}, organization = {IBM}, url = {https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/}, language = {English}, urldate = {2021-09-09} } Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight
Valak QakBot REvil
2021-08-30CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20210830:carbon:66be3f3, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 1}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/}, language = {English}, urldate = {2021-08-31} } CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil
2021-08-25GoggleHeadedHacker BlogJacob Pimental
@online{pimental:20210825:reverse:1468827, author = {Jacob Pimental}, title = {{Reverse Engineering Crypto Functions: RC4 and Salsa20}}, date = {2021-08-25}, organization = {GoggleHeadedHacker Blog}, url = {https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions}, language = {English}, urldate = {2021-08-31} } Reverse Engineering Crypto Functions: RC4 and Salsa20
REvil
2021-08-20TEAMT5TeamT5
@online{teamt5:20210820:see:815321b, author = {TeamT5}, title = {{See REvil again?! See how hackers use the same encryption ransomware program REvil to annihilate the attack evidence}}, date = {2021-08-20}, organization = {TEAMT5}, url = {https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/}, language = {Chinese}, urldate = {2021-08-31} } See REvil again?! See how hackers use the same encryption ransomware program REvil to annihilate the attack evidence
REvil
2021-08-11BleepingComputerLawrence Abrams
@online{abrams:20210811:kaseyas:93f86e6, author = {Lawrence Abrams}, title = {{Kaseya's universal REvil decryption key leaked on a hacking forum}}, date = {2021-08-11}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/}, language = {English}, urldate = {2021-08-16} } Kaseya's universal REvil decryption key leaked on a hacking forum
REvil
2021-08-10FlashpointFlashpoint
@online{flashpoint:20210810:revil:8be7760, author = {Flashpoint}, title = {{REvil Master Key for Kaseya Attack Posted to XSS}}, date = {2021-08-10}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/}, language = {English}, urldate = {2021-08-11} } REvil Master Key for Kaseya Attack Posted to XSS
REvil
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-08-06} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Ransomware Maze RansomEXX REvil Ryuk Sekhmet
2021-08-04Trend MicroRyan Maglaque, Jessie Prevost, Joelson Soares, Janus Agcaoili
@online{maglaque:20210804:supply:1b4bee6, author = {Ryan Maglaque and Jessie Prevost and Joelson Soares and Janus Agcaoili}, title = {{Supply Chain Attacks from a Managed Detection and Response Perspective}}, date = {2021-08-04}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html}, language = {English}, urldate = {2021-08-31} } Supply Chain Attacks from a Managed Detection and Response Perspective
REvil
2021-08-02The RecordDmitry Smilyanets
@online{smilyanets:20210802:interview:b42389c, author = {Dmitry Smilyanets}, title = {{An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil}}, date = {2021-08-02}, organization = {The Record}, url = {https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/}, language = {English}, urldate = {2021-08-03} } An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil
DarkSide LockBit REvil
2021-07-31Bleeping ComputerLawrence Abrams
@online{abrams:20210731:blackmatter:924d440, author = {Lawrence Abrams}, title = {{BlackMatter ransomware gang rises from the ashes of DarkSide, REvil}}, date = {2021-07-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/}, language = {English}, urldate = {2021-08-02} } BlackMatter ransomware gang rises from the ashes of DarkSide, REvil
DarkSide REvil
2021-07-28Digital ShadowsPhoton Research Team
@online{team:20210728:revil:ba7360a, author = {Photon Research Team}, title = {{REvil: Analysis of Competing Hypotheses}}, date = {2021-07-28}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/}, language = {English}, urldate = {2021-08-25} } REvil: Analysis of Competing Hypotheses
REvil REvil
2021-07-27Twitter (@fwosar)Fabian Wosar
@online{wosar:20210727:new:c39c961, author = {Fabian Wosar}, title = {{Tweet on new REvil variant}}, date = {2021-07-27}, organization = {Twitter (@fwosar)}, url = {https://twitter.com/fwosar/status/1420119812815138824}, language = {English}, urldate = {2021-08-02} } Tweet on new REvil variant
REvil
2021-07-27Recorded FutureInsikt Group®
@online{group:20210727:blackmatter:db85bfb, author = {Insikt Group®}, title = {{BlackMatter Ransomware Emerges As Successor to DarkSide, REvil}}, date = {2021-07-27}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/}, language = {English}, urldate = {2021-07-29} } BlackMatter Ransomware Emerges As Successor to DarkSide, REvil
DarkSide LockBit REvil
2021-07-27FlashpointFlashpoint
@online{flashpoint:20210727:chatter:08a4080, author = {Flashpoint}, title = {{Chatter Indicates BlackMatter as REvil Successor}}, date = {2021-07-27}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/}, language = {English}, urldate = {2021-08-02} } Chatter Indicates BlackMatter as REvil Successor
REvil
2021-07-27Youtube (SANS Institute)Katie Nickels, John Hammond
@online{nickels:20210727:sans:7432e9e, author = {Katie Nickels and John Hammond}, title = {{SANS Threat Analysis Rundown - Kaseya VSA attack}}, date = {2021-07-27}, organization = {Youtube (SANS Institute)}, url = {https://www.youtube.com/watch?v=tZVFMVm5GAk}, language = {English}, urldate = {2021-08-02} } SANS Threat Analysis Rundown - Kaseya VSA attack
REvil
2021-07-25Youtube (AhmedS Kasmani)AhmedS Kasmani
@online{kasmani:20210725:analysis:e1196c2, author = {AhmedS Kasmani}, title = {{Analysis of Malware from Kaseya/Revil Supply Chain attack.}}, date = {2021-07-25}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=P8o6GItci5w}, language = {English}, urldate = {2021-08-02} } Analysis of Malware from Kaseya/Revil Supply Chain attack.
REvil
2021-07-22Bleeping ComputerLawrence Abrams
@online{abrams:20210722:kaseya:7ec0805, author = {Lawrence Abrams}, title = {{Kaseya obtains universal decryptor for REvil ransomware victims}}, date = {2021-07-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/}, language = {English}, urldate = {2021-07-26} } Kaseya obtains universal decryptor for REvil ransomware victims
REvil
2021-07-20Huntress LabsJohn Hammond
@online{hammond:20210720:security:50ec27a, author = {John Hammond}, title = {{Security Researchers’ Hunt to Discover Origins of the Kaseya VSA Mass Ransomware Incident}}, date = {2021-07-20}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident}, language = {English}, urldate = {2021-07-26} } Security Researchers’ Hunt to Discover Origins of the Kaseya VSA Mass Ransomware Incident
REvil
2021-07-19EllipticElliptic
@online{elliptic:20210719:revil:12b16d1, author = {Elliptic}, title = {{REvil Revealed - Tracking a Ransomware Negotiation and Payment}}, date = {2021-07-19}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment}, language = {English}, urldate = {2021-07-20} } REvil Revealed - Tracking a Ransomware Negotiation and Payment
REvil REvil
2021-07-15YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
@online{vinopal:20210715:fast:b8dead4, author = {Jiří Vinopal}, title = {{Fast API resolving of REvil Ransomware related to Kaseya attack}}, date = {2021-07-15}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=QYQQUUpU04s}, language = {English}, urldate = {2021-07-20} } Fast API resolving of REvil Ransomware related to Kaseya attack
REvil
2021-07-14Advanced IntelligenceYelisey Boguslavskiy, AdvIntel Security & Development Team
@online{boguslavskiy:20210714:revil:7729e3d, author = {Yelisey Boguslavskiy and AdvIntel Security & Development Team}, title = {{REvil Vanishes From Underground - Infrastructure Down}}, date = {2021-07-14}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent}, language = {English}, urldate = {2021-07-20} } REvil Vanishes From Underground - Infrastructure Down
REvil
2021-07-13Bleeping ComputerLawrence Abrams
@online{abrams:20210713:revil:902b974, author = {Lawrence Abrams}, title = {{REvil ransomware gang's web sites mysteriously shut down}}, date = {2021-07-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/}, language = {English}, urldate = {2021-07-20} } REvil ransomware gang's web sites mysteriously shut down
REvil
2021-07-13Threat PostLisa Vaas
@online{vaas:20210713:ransomware:d88e024, author = {Lisa Vaas}, title = {{Ransomware Giant REvil’s Sites Disappear}}, date = {2021-07-13}, organization = {Threat Post}, url = {https://threatpost.com/ransomware-revil-sites-disappears/167745/}, language = {English}, urldate = {2021-07-20} } Ransomware Giant REvil’s Sites Disappear
REvil REvil
2021-07-09The RecordCatalin Cimpanu
@online{cimpanu:20210709:ransomwhere:bd77fbe, author = {Catalin Cimpanu}, title = {{Ransomwhere project wants to create a database of past ransomware payments}}, date = {2021-07-09}, organization = {The Record}, url = {https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/}, language = {English}, urldate = {2021-07-20} } Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil
2021-07-09Twitter (@SophosLabs)SophosLabs
@online{sophoslabs:20210709:speed:6f279b2, author = {SophosLabs}, title = {{Tweet on speed at which Kaseya REvil attack was conducted}}, date = {2021-07-09}, organization = {Twitter (@SophosLabs)}, url = {https://twitter.com/SophosLabs/status/1413616952313004040?s=20}, language = {English}, urldate = {2021-07-24} } Tweet on speed at which Kaseya REvil attack was conducted
REvil
2021-07-08Sekoiasekoia
@techreport{sekoia:20210708:kaseya:029b682, author = {sekoia}, title = {{Kaseya: Another Massive Heist by REvil}}, date = {2021-07-08}, institution = {Sekoia}, url = {https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf}, language = {English}, urldate = {2021-09-20} } Kaseya: Another Massive Heist by REvil
REvil
2021-07-08KELAVictoria Kivilevich
@online{kivilevich:20210708:ransomware:2078c8b, author = {Victoria Kivilevich}, title = {{Ransomware Gangs are Starting to Look Like Ocean’s 11}}, date = {2021-07-08}, organization = {KELA}, url = {https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/}, language = {English}, urldate = {2021-07-12} } Ransomware Gangs are Starting to Look Like Ocean’s 11
REvil
2021-07-08GigamonJoe Slowik
@online{slowik:20210708:observations:21f913b, author = {Joe Slowik}, title = {{Observations and Recommendations from the Ongoing REvil-Kaseya Incident}}, date = {2021-07-08}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/}, language = {English}, urldate = {2021-07-12} } Observations and Recommendations from the Ongoing REvil-Kaseya Incident
REvil
2021-07-07CrowdStrikeKaran Sood, Liviu Arsene
@online{sood:20210707:how:84886a9, author = {Karan Sood and Liviu Arsene}, title = {{How CrowdStrike Falcon Stops REvil Ransomware Used in the Kaseya Attack}}, date = {2021-07-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/}, language = {English}, urldate = {2021-07-19} } How CrowdStrike Falcon Stops REvil Ransomware Used in the Kaseya Attack
REvil
2021-07-07NetskopeGustavo Palazolo
@online{palazolo:20210707:netskope:5b5bd6c, author = {Gustavo Palazolo}, title = {{Netskope Threat Coverage: REvil}}, date = {2021-07-07}, organization = {Netskope}, url = {https://www.netskope.com/blog/netskope-threat-coverage-revil}, language = {English}, urldate = {2021-07-19} } Netskope Threat Coverage: REvil
REvil
2021-07-07Twitter (@resecurity_com)Resecurity
@online{resecurity:20210707:revil:fb53320, author = {Resecurity}, title = {{Tweet REvil attack chain used against Kaseya}}, date = {2021-07-07}, organization = {Twitter (@resecurity_com)}, url = {https://twitter.com/resecurity_com/status/1412662343796813827}, language = {English}, urldate = {2021-07-24} } Tweet REvil attack chain used against Kaseya
REvil
2021-07-07ElasticJamie Butler
@online{butler:20210707:elastic:8a709bf, author = {Jamie Butler}, title = {{Elastic Security prevents 100% of REvil ransomware samples}}, date = {2021-07-07}, organization = {Elastic}, url = {https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter}, language = {English}, urldate = {2021-07-12} } Elastic Security prevents 100% of REvil ransomware samples
REvil
2021-07-07TrustwaveRodel Mendrez, Nikita Kazymirskyi
@online{mendrez:20210707:diving:1c04c81, author = {Rodel Mendrez and Nikita Kazymirskyi}, title = {{Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails}}, date = {2021-07-07}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/}, language = {English}, urldate = {2021-07-09} } Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails
Cobalt Strike REvil
2021-07-06CrowdStrikeAdam Meyers
@online{meyers:20210706:evolution:7d985ff, author = {Adam Meyers}, title = {{The Evolution of PINCHY SPIDER from GandCrab to REvil}}, date = {2021-07-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/}, language = {English}, urldate = {2021-07-19} } The Evolution of PINCHY SPIDER from GandCrab to REvil
Gandcrab REvil
2021-07-06splunkSplunk Threat Research Team
@online{team:20210706:revil:2420164, author = {Splunk Threat Research Team}, title = {{REvil Ransomware Threat Research Update and Detections}}, date = {2021-07-06}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html}, language = {English}, urldate = {2021-07-26} } REvil Ransomware Threat Research Update and Detections
REvil
2021-07-06ZscalerZscaler
@online{zscaler:20210706:kaseya:17a776b, author = {Zscaler}, title = {{Kaseya Supply Chain Ransomware Attack - Technical Analysis of the REvil Payload}}, date = {2021-07-06}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload}, language = {English}, urldate = {2021-08-02} } Kaseya Supply Chain Ransomware Attack - Technical Analysis of the REvil Payload
REvil
2021-07-06Twitter (@_alex_il_)Alex Ilgayev
@online{ilgayev:20210706:revil:500a59e, author = {Alex Ilgayev}, title = {{Tweet on REvil ransomware actor using vulnerable defender executable in its infection flow in early may before Kaseya attack}}, date = {2021-07-06}, organization = {Twitter (@_alex_il_)}, url = {https://twitter.com/_alex_il_/status/1412403420217159694}, language = {English}, urldate = {2021-07-26} } Tweet on REvil ransomware actor using vulnerable defender executable in its infection flow in early may before Kaseya attack
REvil
2021-07-06CybereasonTom Fakterman
@online{fakterman:20210706:cybereason:1e0b80a, author = {Tom Fakterman}, title = {{Cybereason vs. REvil Ransomware: The Kaseya Chronicles}}, date = {2021-07-06}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles}, language = {English}, urldate = {2021-07-12} } Cybereason vs. REvil Ransomware: The Kaseya Chronicles
REvil
2021-07-06paloalto Networks Unit 42John Martineau
@online{martineau:20210706:understanding:b8b39b6, author = {John Martineau}, title = {{Understanding REvil: The Ransomware Gang Behind the Kaseya Attack}}, date = {2021-07-06}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/revil-threat-actors/}, language = {English}, urldate = {2021-07-08} } Understanding REvil: The Ransomware Gang Behind the Kaseya Attack
Gandcrab REvil
2021-07-06TRUESECAlexander Andersson
@online{andersson:20210706:how:5087e07, author = {Alexander Andersson}, title = {{How the Kaseya VSA Zero Day Exploit Worked}}, date = {2021-07-06}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit}, language = {English}, urldate = {2021-07-20} } How the Kaseya VSA Zero Day Exploit Worked
REvil
2021-07-05splunkRyan Kovar
@online{kovar:20210705:kaseya:e1684ef, author = {Ryan Kovar}, title = {{Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt}}, date = {2021-07-05}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html}, language = {English}, urldate = {2021-07-26} } Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt
REvil
2021-07-05S2W LAB Inc.S2W LAB INTELLIGENCE TEAM
@online{team:20210705:kaseya:a209d79, author = {S2W LAB INTELLIGENCE TEAM}, title = {{Kaseya supply chain attack delivers mass ransomware}}, date = {2021-07-05}, organization = {S2W LAB Inc.}, url = {https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view}, language = {Korean}, urldate = {2021-07-09} } Kaseya supply chain attack delivers mass ransomware
REvil
2021-07-05Twitter (@R3MRUM)R3MRUM
@online{r3mrum:20210705:twitter:ee6ea0f, author = {R3MRUM}, title = {{Twitter thread with additional context on C2 domains found in REvil configuration}}, date = {2021-07-05}, organization = {Twitter (@R3MRUM)}, url = {https://twitter.com/R3MRUM/status/1412064882623713283}, language = {English}, urldate = {2021-07-26} } Twitter thread with additional context on C2 domains found in REvil configuration
REvil
2021-07-05MorphisecMorphisec
@online{morphisec:20210705:realtime:9a19062, author = {Morphisec}, title = {{Real-Time Prevention of the Kaseya VSA Supply Chain REvil Ransomware Attack}}, date = {2021-07-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack}, language = {English}, urldate = {2021-07-21} } Real-Time Prevention of the Kaseya VSA Supply Chain REvil Ransomware Attack
REvil
2021-07-05KasperskyKaspersky
@online{kaspersky:20210705:revil:a8a2af3, author = {Kaspersky}, title = {{REvil ransomware attack against MSPs and its clients around the world}}, date = {2021-07-05}, organization = {Kaspersky}, url = {https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/}, language = {English}, urldate = {2021-07-09} } REvil ransomware attack against MSPs and its clients around the world
REvil
2021-07-05Twitter (@SophosLabs)SophosLabs
@online{sophoslabs:20210705:with:d8dc444, author = {SophosLabs}, title = {{Tweet with a REvil ransomware execution demo}}, date = {2021-07-05}, organization = {Twitter (@SophosLabs)}, url = {https://twitter.com/SophosLabs/status/1412056467201462276}, language = {English}, urldate = {2021-07-26} } Tweet with a REvil ransomware execution demo
REvil
2021-07-04Twitter (@svch0st)Zach
@online{zach:20210704:kaseya:b5f39a7, author = {Zach}, title = {{Tweet on #Kaseya detection tool for detecting REvil}}, date = {2021-07-04}, organization = {Twitter (@svch0st)}, url = {https://twitter.com/svch0st/status/1411537562380816384}, language = {English}, urldate = {2021-07-24} } Tweet on #Kaseya detection tool for detecting REvil
REvil
2021-07-04SophosMark Loman, Sean Gallagher, Anand Ajjan
@online{loman:20210704:independence:56ff257, author = {Mark Loman and Sean Gallagher and Anand Ajjan}, title = {{Independence Day: REvil uses supply chain exploit to attack hundreds of businesses}}, date = {2021-07-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses}, language = {English}, urldate = {2021-07-26} } Independence Day: REvil uses supply chain exploit to attack hundreds of businesses
REvil
2021-07-04CISAUS-CERT
@online{uscert:20210704:cisafbi:1e199f1, author = {US-CERT}, title = {{CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack}}, date = {2021-07-04}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa}, language = {English}, urldate = {2021-07-09} } CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack
REvil REvil
2021-07-04TRUESECFabio Viggiani
@online{viggiani:20210704:kaseya:7a8f0a5, author = {Fabio Viggiani}, title = {{Kaseya supply chain attack targeting MSPs to deliver REvil ransomware}}, date = {2021-07-04}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/}, language = {English}, urldate = {2021-07-20} } Kaseya supply chain attack targeting MSPs to deliver REvil ransomware
REvil
2021-07-03KaseyaKaseya
@online{kaseya:20210703:kaseya:c03dd88, author = {Kaseya}, title = {{Kaseya VSA Detection Tool}}, date = {2021-07-03}, organization = {Kaseya}, url = {https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40}, language = {English}, urldate = {2021-07-11} } Kaseya VSA Detection Tool
REvil
2021-07-03Twitter (@fwosar)Fabian Wosar
@online{wosar:20210703:twitter:319623e, author = {Fabian Wosar}, title = {{Twitter thread on REvil's cryptographic scheme}}, date = {2021-07-03}, organization = {Twitter (@fwosar)}, url = {https://twitter.com/fwosar/status/1411281334870368260}, language = {English}, urldate = {2021-07-26} } Twitter thread on REvil's cryptographic scheme
REvil
2021-07-03Medium DoublepulsarKevin Beaumont
@online{beaumont:20210703:kaseya:8013669, author = {Kevin Beaumont}, title = {{Kaseya supply chain attack delivers mass ransomware event to US companies}}, date = {2021-07-03}, organization = {Medium Doublepulsar}, url = {https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b}, language = {English}, urldate = {2021-07-24} } Kaseya supply chain attack delivers mass ransomware event to US companies
REvil
2021-07-03Cybleinccybleinc
@online{cybleinc:20210703:uncensored:f43cf7f, author = {cybleinc}, title = {{Uncensored Interview with REvil / Sodinokibi Ransomware Operators}}, date = {2021-07-03}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/}, language = {English}, urldate = {2021-07-11} } Uncensored Interview with REvil / Sodinokibi Ransomware Operators
REvil REvil
2021-07-03KaseyaKaseya
@online{kaseya:20210703:updates:cfff645, author = {Kaseya}, title = {{Updates Regarding VSA Security Incident}}, date = {2021-07-03}, organization = {Kaseya}, url = {https://www.kaseya.com/potential-attack-on-kaseya-vsa/}, language = {English}, urldate = {2021-07-12} } Updates Regarding VSA Security Incident
REvil
2021-07-03Twitter (@LloydLabs)Lloyd
@online{lloyd:20210703:twitter:b42ed13, author = {Lloyd}, title = {{Twitter Thread on Revil sideloading DLL used in Kaseya attack}}, date = {2021-07-03}, organization = {Twitter (@LloydLabs)}, url = {https://twitter.com/LloydLabs/status/1411098844209819648}, language = {English}, urldate = {2021-07-24} } Twitter Thread on Revil sideloading DLL used in Kaseya attack
REvil
2021-07-03SymantecThreat Hunter Team
@online{team:20210703:kaseya:859fdc2, author = {Threat Hunter Team}, title = {{Kaseya Ransomware Supply Chain Attack: What You Need To Know}}, date = {2021-07-03}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain}, language = {English}, urldate = {2021-07-12} } Kaseya Ransomware Supply Chain Attack: What You Need To Know
REvil
2021-07-03Palo Alto Networks Unit 42Unit 42
@online{42:20210703:threat:b329d9c, author = {Unit 42}, title = {{Threat Brief: Kaseya VSA Ransomware Attack}}, date = {2021-07-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/}, language = {English}, urldate = {2021-07-12} } Threat Brief: Kaseya VSA Ransomware Attack
REvil
2021-07-02Twitter (@SyscallE)SeAccessCheck
@online{seaccesscheck:20210702:revil:47a116e, author = {SeAccessCheck}, title = {{Tweet on Revil dropper used in Kaseya attack}}, date = {2021-07-02}, organization = {Twitter (@SyscallE)}, url = {https://twitter.com/SyscallE/status/1411074271875670022}, language = {English}, urldate = {2021-07-24} } Tweet on Revil dropper used in Kaseya attack
REvil
2021-07-02The RecordCatalin Cimpanu
@online{cimpanu:20210702:revil:7283386, author = {Catalin Cimpanu}, title = {{REvil ransomware gang executes supply chain attack via malicious Kaseya update}}, date = {2021-07-02}, organization = {The Record}, url = {https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/}, language = {English}, urldate = {2021-07-05} } REvil ransomware gang executes supply chain attack via malicious Kaseya update
REvil
2021-07-02Twitter (@VK_intel)Vitali Kremez
@online{kremez:20210702:revil:2a1c66a, author = {Vitali Kremez}, title = {{Tweet on Revil ransomware analysis used in Kaseya attack}}, date = {2021-07-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1411066870350942213}, language = {English}, urldate = {2021-07-24} } Tweet on Revil ransomware analysis used in Kaseya attack
REvil
2021-07-02Huntress LabsHuntress Labs
@online{labs:20210702:crticial:5dd39d2, author = {Huntress Labs}, title = {{Crticial Ransomware Incident in Progress}}, date = {2021-07-02}, organization = {Huntress Labs}, url = {https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/}, language = {English}, urldate = {2021-07-24} } Crticial Ransomware Incident in Progress
REvil
2021-07-02Bleeping ComputerLawrence Abrams
@online{abrams:20210702:revil:576023e, author = {Lawrence Abrams}, title = {{REvil ransomware hits 1,000+ companies in MSP supply-chain attack}}, date = {2021-07-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/}, language = {English}, urldate = {2021-07-26} } REvil ransomware hits 1,000+ companies in MSP supply-chain attack
REvil
2021-07-02VelzartNiels den Hild
@online{hild:20210702:ransomware:5ab9422, author = {Niels den Hild}, title = {{Ransomware attack}}, date = {2021-07-02}, organization = {Velzart}, url = {https://velzart.nl/blog/ransomeware/}, language = {Dutch}, urldate = {2021-07-26} } Ransomware attack
REvil
2021-07-02Github (fwosar)Fabian Wosar
@online{wosar:20210702:revil:17a628b, author = {Fabian Wosar}, title = {{REvil configuration dump used in Kaseya attack}}, date = {2021-07-02}, organization = {Github (fwosar)}, url = {https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json}, language = {English}, urldate = {2021-07-24} } REvil configuration dump used in Kaseya attack
REvil
2021-07-01DomainToolsChad Anderson
@online{anderson:20210701:most:39f64b8, author = {Chad Anderson}, title = {{The Most Prolific Ransomware Families: A Defenders Guide}}, date = {2021-07-01}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide}, language = {English}, urldate = {2021-07-11} } The Most Prolific Ransomware Families: A Defenders Guide
REvil Conti Egregor Maze REvil
2021-07-01AT&T CybersecurityOfer Caspi, Fernando Martinez
@online{caspi:20210701:revils:20b42ae, author = {Ofer Caspi and Fernando Martinez}, title = {{REvil’s new Linux version}}, date = {2021-07-01}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version}, language = {English}, urldate = {2021-07-02} } REvil’s new Linux version
REvil REvil
2021-06-30Group-IBOleg Skulkin
@online{skulkin:20210630:revil:63bb524, author = {Oleg Skulkin}, title = {{REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs}}, date = {2021-06-30}, organization = {Group-IB}, url = {https://blog.group-ib.com/REvil_RaaS}, language = {English}, urldate = {2021-07-02} } REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs
Cobalt Strike REvil
2021-06-30SophosTilly Travers
@online{travers:20210630:mtr:d2dae6b, author = {Tilly Travers}, title = {{MTR in Real Time: Hand-to-hand combat with REvil ransomware chasing a $2.5 million pay day}}, date = {2021-06-30}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/}, language = {English}, urldate = {2021-07-02} } MTR in Real Time: Hand-to-hand combat with REvil ransomware chasing a $2.5 million pay day
REvil
2021-06-30Advanced IntelligenceYelisey Boguslavskiy, Brandon Rudisel, AdvIntel Security & Development Team
@online{boguslavskiy:20210630:ransomwarecve:deae6a7, author = {Yelisey Boguslavskiy and Brandon Rudisel and AdvIntel Security & Development Team}, title = {{Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets}}, date = {2021-06-30}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities}, language = {English}, urldate = {2021-07-01} } Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets
BlackKingdom Ransomware Clop dearcry Hades REvil
2021-06-28Twitter (@AdamTheAnalyst)AdamTheAnalyst
@online{adamtheanalyst:20210628:suspected:a9109b3, author = {AdamTheAnalyst}, title = {{Tweet on suspected REvil exfiltration (over RClone FTP) server}}, date = {2021-06-28}, organization = {Twitter (@AdamTheAnalyst)}, url = {https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20}, language = {English}, urldate = {2021-06-29} } Tweet on suspected REvil exfiltration (over RClone FTP) server
REvil REvil
2021-06-23Medium s2wlabSojun Ryu
@online{ryu:20210623:deep:b255667, author = {Sojun Ryu}, title = {{Deep analysis of REvil Ransomware}}, date = {2021-06-23}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317}, language = {Korean}, urldate = {2021-07-29} } Deep analysis of REvil Ransomware
REvil
2021-06-22SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20210622:lv:a58b99f, author = {Counter Threat Unit ResearchTeam}, title = {{LV Ransomware}}, date = {2021-06-22}, organization = {Secureworks}, url = {https://www.secureworks.com/research/lv-ransomware}, language = {English}, urldate = {2021-06-23} } LV Ransomware
REvil
2021-06-16ProofpointSelena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-06-15Trend MicroJanus Agcaoili, Miguel Ang, Earle Earnshaw, Byron Gelera, Nikko Tamana
@online{agcaoili:20210615:ransomware:41013af, author = {Janus Agcaoili and Miguel Ang and Earle Earnshaw and Byron Gelera and Nikko Tamana}, title = {{Ransomware Double Extortion and Beyond: REvil, Clop, and Conti}}, date = {2021-06-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti}, language = {English}, urldate = {2021-06-21} } Ransomware Double Extortion and Beyond: REvil, Clop, and Conti
Clop Conti REvil
2021-06-11SophosLabs UncutAndrew Brandt, Anand Ajjan, Hajnalka Kope, Mark Loman, Peter Mackenzie
@online{brandt:20210611:relentless:56d5133, author = {Andrew Brandt and Anand Ajjan and Hajnalka Kope and Mark Loman and Peter Mackenzie}, title = {{Relentless REvil, revealed: RaaS as variable as the criminals who use it}}, date = {2021-06-11}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/}, language = {English}, urldate = {2021-06-16} } Relentless REvil, revealed: RaaS as variable as the criminals who use it
REvil
2021-06-10HUNT & HACKETTKrijn de Mik
@online{mik:20210610:revil:ea22471, author = {Krijn de Mik}, title = {{REvil: the usage of legitimate remote admin tooling}}, date = {2021-06-10}, organization = {HUNT & HACKETT}, url = {https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling}, language = {English}, urldate = {2021-06-16} } REvil: the usage of legitimate remote admin tooling
REvil
2021-06-09Palo Alto Networks Unit 42Doel Santos
@online{santos:20210609:prometheus:e4fdf9e, author = {Doel Santos}, title = {{Prometheus Ransomware Gang: A Group of REvil?}}, date = {2021-06-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/prometheus-ransomware/}, language = {English}, urldate = {2021-06-09} } Prometheus Ransomware Gang: A Group of REvil?
Hakbit Prometheus REvil
2021-06-08Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210608:from:62f4d20, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{From QBot...with REvil Ransomware: Initial Attack Exposure of JBS}}, date = {2021-06-08}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs}, language = {English}, urldate = {2021-06-09} } From QBot...with REvil Ransomware: Initial Attack Exposure of JBS
QakBot REvil
2021-06-02TEAMT5TeamT5
@online{teamt5:20210602:introducing:e0f8171, author = {TeamT5}, title = {{Introducing The Most Profitable Ransomware REvil}}, date = {2021-06-02}, organization = {TEAMT5}, url = {https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/}, language = {English}, urldate = {2021-06-09} } Introducing The Most Profitable Ransomware REvil
Gandcrab REvil
2021-06-02CrowdStrikeJosh Dalman, Heather Smith
@online{dalman:20210602:under:2e7083b, author = {Josh Dalman and Heather Smith}, title = {{Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware}}, date = {2021-06-02}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/}, language = {English}, urldate = {2021-06-09} } Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware
DarkSide Conti DarkSide REvil
2021-06-02Bleeping ComputerLawrence Abrams
@online{abrams:20210602:fbi:a9cb4ad, author = {Lawrence Abrams}, title = {{FBI: REvil cybergang behind the JBS ransomware attack}}, date = {2021-06-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/}, language = {English}, urldate = {2021-06-09} } FBI: REvil cybergang behind the JBS ransomware attack
REvil
2021-05-28Twitter (@Jacob_Pimental)Jacob Pimental
@online{pimental:20210528:revil:62832fa, author = {Jacob Pimental}, title = {{Tweet on REvil ver 2.07}}, date = {2021-05-28}, organization = {Twitter (@Jacob_Pimental)}, url = {https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20}, language = {English}, urldate = {2021-06-21} } Tweet on REvil ver 2.07
REvil
2021-05-25Medium s2wlabHyunmin Suh, Denise Dasom Kim, Jungyeon Lim
@online{suh:20210525:w4:b927684, author = {Hyunmin Suh and Denise Dasom Kim and Jungyeon Lim}, title = {{W4 May | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-05-25}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f}, language = {English}, urldate = {2021-06-16} } W4 May | EN | Story of the week: Ransomware on the Darkweb
Babuk REvil
2021-05-20Digital ShadowsStefano De Blasi
@online{blasi:20210520:ransomwareasaservice:c7173c4, author = {Stefano De Blasi}, title = {{Ransomware-as-a-Service, Rogue Affiliates, and What’s Next}}, date = {2021-05-20}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/}, language = {English}, urldate = {2021-05-26} } Ransomware-as-a-Service, Rogue Affiliates, and What’s Next
DarkSide DarkSide REvil
2021-05-20CrowdStrikejoshua fraser
@online{fraser:20210520:response:649c607, author = {joshua fraser}, title = {{Response When Minutes Matter: When Good Tools Are Used for (R)Evil}}, date = {2021-05-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/}, language = {English}, urldate = {2021-06-09} } Response When Minutes Matter: When Good Tools Are Used for (R)Evil
REvil
2021-05-18The RecordCatalin Cimpanu
@online{cimpanu:20210518:darkside:14b6690, author = {Catalin Cimpanu}, title = {{Darkside gang estimated to have made over $90 million from ransomware attacks}}, date = {2021-05-18}, organization = {The Record}, url = {https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/}, language = {English}, urldate = {2021-05-19} } Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-18Bleeping ComputerIonut Ilascu
@online{ilascu:20210518:darkside:d8e345b, author = {Ionut Ilascu}, title = {{DarkSide ransomware made $90 million in just nine months}}, date = {2021-05-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/}, language = {English}, urldate = {2021-06-07} } DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-14The RecordCatalin Cimpanu
@online{cimpanu:20210514:darkside:2760169, author = {Catalin Cimpanu}, title = {{Darkside ransomware gang says it lost control of its servers & money a day after Biden threat}}, date = {2021-05-14}, organization = {The Record}, url = {https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/}, language = {English}, urldate = {2021-05-17} } Darkside ransomware gang says it lost control of its servers & money a day after Biden threat
DarkSide Avaddon REvil
2021-05-13Bleeping ComputerLawrence Abrams
@online{abrams:20210513:popular:62e98c8, author = {Lawrence Abrams}, title = {{Popular Russian hacking forum XSS bans all ransomware topics}}, date = {2021-05-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/}, language = {English}, urldate = {2021-05-17} } Popular Russian hacking forum XSS bans all ransomware topics
DarkSide DarkSide LockBit REvil
2021-05-12KasperskyDmitry Galov, Leonid Bezvershenko, Ivan Kwiatkowski
@online{galov:20210512:ransomware:439cee0, author = {Dmitry Galov and Leonid Bezvershenko and Ivan Kwiatkowski}, title = {{Ransomware world in 2021: who, how and why}}, date = {2021-05-12}, organization = {Kaspersky}, url = {https://securelist.com/ransomware-world-in-2021/102169/}, language = {English}, urldate = {2021-05-13} } Ransomware world in 2021: who, how and why
Babuk REvil
2021-05-11FlashpointFlashpoint
@online{flashpoint:20210511:darkside:32c4e89, author = {Flashpoint}, title = {{DarkSide Ransomware Links to REvil Group Difficult to Dismiss}}, date = {2021-05-11}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/}, language = {English}, urldate = {2021-05-13} } DarkSide Ransomware Links to REvil Group Difficult to Dismiss
DarkSide REvil
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-08Twitter (@Jacob_Pimental)Jacob Pimental
@online{pimental:20210508:cyberchef:150e910, author = {Jacob Pimental}, title = {{Tweet on CyberChef recipe to extract Revil Ransomware configuration}}, date = {2021-05-08}, organization = {Twitter (@Jacob_Pimental)}, url = {https://twitter.com/Jacob_Pimental/status/1391055792774729728}, language = {English}, urldate = {2021-05-13} } Tweet on CyberChef recipe to extract Revil Ransomware configuration
REvil
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-05-06BlackberryBlackBerry Research and Intelligence team
@online{team:20210506:threat:8bdd47b, author = {BlackBerry Research and Intelligence team}, title = {{Threat Thursday: Dr. REvil Ransomware Strikes Again, Employs Double Extortion Tactics}}, date = {2021-05-06}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics}, language = {English}, urldate = {2021-05-08} } Threat Thursday: Dr. REvil Ransomware Strikes Again, Employs Double Extortion Tactics
REvil
2021-05-02GoggleHeadedHacker BlogJacob Pimental
@online{pimental:20210502:sodinokibi:8c1c93c, author = {Jacob Pimental}, title = {{Sodinokibi Ransomware Analysis}}, date = {2021-05-02}, organization = {GoggleHeadedHacker Blog}, url = {https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis}, language = {English}, urldate = {2021-05-08} } Sodinokibi Ransomware Analysis
REvil
2021-04-28IBMLimor Kessem
@online{kessem:20210428:sodinokibi:38fd348, author = {Limor Kessem}, title = {{The Sodinokibi Chronicles: A (R)Evil Cybercrime Gang Disrupts Organizations for Trade Secrets and Cash}}, date = {2021-04-28}, organization = {IBM}, url = {https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/}, language = {English}, urldate = {2021-05-03} } The Sodinokibi Chronicles: A (R)Evil Cybercrime Gang Disrupts Organizations for Trade Secrets and Cash
REvil
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-25Vulnerability.ch BlogCorsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-04-23CNBCEamon Javers
@online{javers:20210423:axis:c729317, author = {Eamon Javers}, title = {{Axis of REvil: What we know about the hacker collective taunting Apple}}, date = {2021-04-23}, organization = {CNBC}, url = {https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html}, language = {English}, urldate = {2021-04-29} } Axis of REvil: What we know about the hacker collective taunting Apple
REvil
2021-04-20Bleeping ComputerSergiu Gatlan
@online{gatlan:20210420:revil:4193bfe, author = {Sergiu Gatlan}, title = {{REvil gang tries to extort Apple, threatens to sell stolen blueprints}}, date = {2021-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/}, language = {English}, urldate = {2021-04-28} } REvil gang tries to extort Apple, threatens to sell stolen blueprints
REvil
2021-03-29The DFIR ReportThe DFIR Report
@online{report:20210329:sodinokibi:4c63e20, author = {The DFIR Report}, title = {{Sodinokibi (aka REvil) Ransomware}}, date = {2021-03-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/}, language = {English}, urldate = {2021-03-30} } Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil
2021-03-24Twitter (@VK_intel)Vitali Kremez
@online{kremez:20210324:revil:ae29dd2, author = {Vitali Kremez}, title = {{Tweet on REvil ransomware}}, date = {2021-03-24}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1374571480370061312?s=20}, language = {English}, urldate = {2021-03-31} } Tweet on REvil ransomware
REvil
2021-03-24CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20210324:quarterly:4707c30, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Winter 2020-21}}, date = {2021-03-24}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html}, language = {English}, urldate = {2021-03-25} } Quarterly Report: Incident Response trends from Winter 2020-21
Egregor REvil WastedLocker
2021-03-19Bleeping ComputerLawrence Abrams
@online{abrams:20210319:revil:32f2221, author = {Lawrence Abrams}, title = {{REvil ransomware has a new ‘Windows Safe Mode’ encryption mode}}, date = {2021-03-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/}, language = {English}, urldate = {2021-03-24} } REvil ransomware has a new ‘Windows Safe Mode’ encryption mode
REvil
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-16The RecordDmitry Smilyanets
@online{smilyanets:20210316:i:cf06d4f, author = {Dmitry Smilyanets}, title = {{‘I scrounged through the trash heaps… now I’m a millionaire:’ An interview with REvil’s Unknown}}, date = {2021-03-16}, organization = {The Record}, url = {https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/}, language = {English}, urldate = {2021-03-19} } ‘I scrounged through the trash heaps… now I’m a millionaire:’ An interview with REvil’s Unknown
REvil
2021-03-11FlashpointFlashpoint
@online{flashpoint:20210311:cl0p:666bd6f, author = {Flashpoint}, title = {{CL0P and REvil Escalate Their Ransomware Tactics}}, date = {2021-03-11}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/}, language = {English}, urldate = {2021-03-12} } CL0P and REvil Escalate Their Ransomware Tactics
Clop REvil
2021-03TechtargetRob Wright
@online{wright:202103:ransomware:815ba76, author = {Rob Wright}, title = {{Ransomware negotiations: An inside look at the process}}, date = {2021-03}, organization = {Techtarget}, url = {https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process}, language = {English}, urldate = {2021-03-31} } Ransomware negotiations: An inside look at the process
REvil
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-24IBMIBM SECURITY X-FORCE
@online{xforce:20210224:xforce:ac9a90e, author = {IBM SECURITY X-FORCE}, title = {{X-Force Threat Intelligence Index 2021}}, date = {2021-02-24}, organization = {IBM}, url = {https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89}, language = {English}, urldate = {2021-03-02} } X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-11CTI LEAGUECTI LEAGUE
@techreport{league:20210211:ctil:69c2ab8, author = {CTI LEAGUE}, title = {{CTIL Darknet Report – 2021}}, date = {2021-02-11}, institution = {CTI LEAGUE}, url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf}, language = {English}, urldate = {2021-02-20} } CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-01AhnLabASEC Analysis Team
@online{team:20210201:bluecrab:df21c0a, author = {ASEC Analysis Team}, title = {{BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment}}, date = {2021-02-01}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/19860/}, language = {English}, urldate = {2021-02-06} } BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment
Cobalt Strike REvil
2021-01-28AhnLabASEC Analysis Team
@online{team:20210128:bluecrab:44d2e64, author = {ASEC Analysis Team}, title = {{BlueCrab ransomware constantly trying to bypass detection}}, date = {2021-01-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/19640/}, language = {Korean}, urldate = {2021-02-04} } BlueCrab ransomware constantly trying to bypass detection
Cobalt Strike REvil
2021-01-26Trend MicroTrend Micro Research
@online{research:20210126:examining:c893112, author = {Trend Micro Research}, title = {{Examining a Sodinokibi Attack}}, date = {2021-01-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html}, language = {English}, urldate = {2021-01-27} } Examining a Sodinokibi Attack
REvil
2021-01-21InfoSec Handlers Diary BlogXavier Mertens
@online{mertens:20210121:powershell:904be1b, author = {Xavier Mertens}, title = {{Powershell Dropping a REvil Ransomware}}, date = {2021-01-21}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27012}, language = {English}, urldate = {2021-01-21} } Powershell Dropping a REvil Ransomware
REvil
2021-01-04KELAAlmog Zoosman, Victoria Kivilevich
@online{zoosman:20210104:darknet:f6708c0, author = {Almog Zoosman and Victoria Kivilevich}, title = {{Darknet Threat Actors Are Not Playing Games with the Gaming Industry}}, date = {2021-01-04}, organization = {KELA}, url = {https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/}, language = {English}, urldate = {2021-01-10} } Darknet Threat Actors Are Not Playing Games with the Gaming Industry
REvil
2021SecureworksSecureWorks
@online{secureworks:2021:threat:c3f3903, author = {SecureWorks}, title = {{Threat Profile: GOLD SOUTHFIELD}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-southfield}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD SOUTHFIELD
REvil GOLD SOUTHFIELD
2020-12-16AccenturePaul Mansfield
@online{mansfield:20201216:tracking:25540bd, author = {Paul Mansfield}, title = {{Tracking and combatting an evolving danger: Ransomware extortion}}, date = {2020-12-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion}, language = {English}, urldate = {2020-12-17} } Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-12-16DragosSelena Larson, Camille Singleton, IBM SECURITY X-FORCE
@techreport{larson:20201216:assessing:9a5adb8, author = {Selena Larson and Camille Singleton and IBM SECURITY X-FORCE}, title = {{Assessing Ransomware and Extortion Activities Impacting Industrial Organizations: Ransomware in ICS Environments}}, date = {2020-12-16}, institution = {Dragos}, url = {https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf}, language = {English}, urldate = {2020-12-17} } Assessing Ransomware and Extortion Activities Impacting Industrial Organizations: Ransomware in ICS Environments
REvil
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-09FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil
2020-12-03KELAVictoria Kivilevich
@online{kivilevich:20201203:easy:bae365d, author = {Victoria Kivilevich}, title = {{Easy Way In? 5 Ransomware Victims Had Their Pulse Secure VPN Credentials Leaked}}, date = {2020-12-03}, organization = {KELA}, url = {https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/}, language = {English}, urldate = {2021-01-01} } Easy Way In? 5 Ransomware Victims Had Their Pulse Secure VPN Credentials Leaked
REvil
2020-12-01Trend MicroRyan Flores
@online{flores:20201201:impact:415bf2e, author = {Ryan Flores}, title = {{The Impact of Modern Ransomware on Manufacturing Networks}}, date = {2020-12-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html}, language = {English}, urldate = {2020-12-08} } The Impact of Modern Ransomware on Manufacturing Networks
Maze Petya REvil
2020-11-30Malwarebyteshasherezade, Jérôme Segura
@online{hasherezade:20201130:german:72b40c6, author = {hasherezade and Jérôme Segura}, title = {{German users targeted with Gootkit banker or REvil ransomware}}, date = {2020-11-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/}, language = {English}, urldate = {2020-12-03} } German users targeted with Gootkit banker or REvil ransomware
GootKit REvil
2020-11-30FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil
2020-11-18KELAVictoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake
2020-11-18Bleeping ComputerLawrence Abrams
@online{abrams:20201118:revil:fda480b, author = {Lawrence Abrams}, title = {{REvil ransomware hits Managed.com hosting provider, 500K ransom}}, date = {2020-11-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/}, language = {English}, urldate = {2020-11-19} } REvil ransomware hits Managed.com hosting provider, 500K ransom
REvil
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-10AP NewsAshish Gahlot
@online{gahlot:20201110:threat:e9c7a9c, author = {Ashish Gahlot}, title = {{Threat Hunting for REvil Ransomware}}, date = {2020-11-10}, organization = {AP News}, url = {https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/}, language = {English}, urldate = {2020-11-12} } Threat Hunting for REvil Ransomware
REvil
2020-11-04ZDNetCatalin Cimpanu
@online{cimpanu:20201104:revil:02ca78c, author = {Catalin Cimpanu}, title = {{REvil ransomware gang 'acquires' KPOT malware}}, date = {2020-11-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/}, language = {English}, urldate = {2020-11-06} } REvil ransomware gang 'acquires' KPOT malware
KPOT Stealer REvil
2020-10-29Bleeping ComputerIonut Ilascu
@online{ilascu:20201029:revil:e6b68d1, author = {Ionut Ilascu}, title = {{REvil ransomware gang claims over $100 million profit in a year}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/}, language = {English}, urldate = {2020-11-02} } REvil ransomware gang claims over $100 million profit in a year
REvil
2020-10-28Intel 471Intel 471
@online{471:20201028:alleged:46a2bb1, author = {Intel 471}, title = {{Alleged REvil member spills details on group’s ransomware operations}}, date = {2020-10-28}, organization = {Intel 471}, url = {https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/}, language = {English}, urldate = {2020-11-02} } Alleged REvil member spills details on group’s ransomware operations
REvil
2020-10-26CheckpointItay Cohen, Eyal Itkin
@online{cohen:20201026:exploit:9ec173c, author = {Itay Cohen and Eyal Itkin}, title = {{Exploit Developer Spotlight: The Story of PlayBit}}, date = {2020-10-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/}, language = {English}, urldate = {2020-10-27} } Exploit Developer Spotlight: The Story of PlayBit
Dyre Maze PyLocky Ramnit REvil
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-20Bundesamt für Sicherheit in der InformationstechnikBSI
@online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} } Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot
2020-10-06CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201006:double:bb0f240, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 2}}, date = {2020-10-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/}, language = {English}, urldate = {2020-10-12} } Double Trouble: Ransomware with Data Leak Extortion, Part 2
Maze MedusaLocker REvil VIKING SPIDER
2020-10-01KELAVictoria Kivilevich
@online{kivilevich:20201001:to:fd3aa09, author = {Victoria Kivilevich}, title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}}, date = {2020-10-01}, organization = {KELA}, url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/}, language = {English}, urldate = {2021-05-07} } To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-21RiskIQSteve Ginty
@online{ginty:20200821:pinchy:24fe21a, author = {Steve Ginty}, title = {{Pinchy Spider: Ransomware Infrastructure Connected to Dark Web Marketplace}}, date = {2020-08-21}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/3315064b}, language = {English}, urldate = {2020-09-01} } Pinchy Spider: Ransomware Infrastructure Connected to Dark Web Marketplace
REvil
2020-08-21Vimeo (RiskIQ)Josh Burgess, Steve Ginty
@online{burgess:20200821:evolution:6d5c407, author = {Josh Burgess and Steve Ginty}, title = {{The Evolution of Ransomware & Pinchy Spider's Shot at the Title}}, date = {2020-08-21}, organization = {Vimeo (RiskIQ)}, url = {https://vimeo.com/449849549}, language = {English}, urldate = {2020-08-25} } The Evolution of Ransomware & Pinchy Spider's Shot at the Title
Gandcrab REvil
2020-08-20DomainToolsChad Anderson
@online{anderson:20200820:revealing:7a1da00, author = {Chad Anderson}, title = {{Revealing REvil Ransomware With DomainTools and Maltego}}, date = {2020-08-20}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego}, language = {English}, urldate = {2020-08-24} } Revealing REvil Ransomware With DomainTools and Maltego
REvil
2020-08-20sensecycyberthreatinsider
@online{cyberthreatinsider:20200820:global:34ee2ea, author = {cyberthreatinsider}, title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}}, date = {2020-08-20}, organization = {sensecy}, url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/}, language = {English}, urldate = {2020-11-04} } Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-31PRODAFT Threat IntelligenceYusuf Arslan Polat
@online{polat:20200731:opblueraven:9e58e0c, author = {Yusuf Arslan Polat}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion}}, date = {2020-07-31}, organization = {PRODAFT Threat Intelligence}, url = {https://threatintel.blog/OPBlueRaven-Part1/}, language = {English}, urldate = {2020-08-05} } OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion
Carbanak REvil FIN7
2020-07-29AmosSysNicolas Guillois
@online{guillois:20200729:sodinokibi:6d76347, author = {Nicolas Guillois}, title = {{Sodinokibi / REvil Malware Analysis}}, date = {2020-07-29}, organization = {AmosSys}, url = {https://blog.amossys.fr/sodinokibi-malware-analysis.html}, language = {English}, urldate = {2020-08-31} } Sodinokibi / REvil Malware Analysis
REvil
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-22TEHTRISTEHTRIS
@online{tehtris:20200722:peuton:472b0cd, author = {TEHTRIS}, title = {{Peut-on neutraliser un ransomware lancé en tant que SYSTEM sur des milliers de machines en même temps?}}, date = {2020-07-22}, organization = {TEHTRIS}, url = {https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/}, language = {French}, urldate = {2020-07-23} } Peut-on neutraliser un ransomware lancé en tant que SYSTEM sur des milliers de machines en même temps?
REvil
2020-07-15Advanced IntelligenceYelisey Boguslavskiy, Samantha van de Ven
@online{boguslavskiy:20200715:inside:f9b95b1, author = {Yelisey Boguslavskiy and Samantha van de Ven}, title = {{Inside REvil Extortionist “Machine”: Predictive Insights}}, date = {2020-07-15}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights}, language = {English}, urldate = {2020-07-16} } Inside REvil Extortionist “Machine”: Predictive Insights
Gandcrab REvil
2020-07-10Advanced IntelligenceAdvanced Intelligence
@online{intelligence:20200710:dark:a29ccb4, author = {Advanced Intelligence}, title = {{The Dark Web of Intrigue: How REvil Used the Underground Ecosystem to Form an Extortion Cartel}}, date = {2020-07-10}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel}, language = {English}, urldate = {2020-07-13} } The Dark Web of Intrigue: How REvil Used the Underground Ecosystem to Form an Extortion Cartel
Gandcrab REvil
2020-06-30AppGateThe Immunity Team
@online{team:20200630:electric:823676a, author = {The Immunity Team}, title = {{Electric Company Ransomware Attack Calls for $14 Million in Ransom}}, date = {2020-06-30}, organization = {AppGate}, url = {https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom}, language = {English}, urldate = {2020-07-21} } Electric Company Ransomware Attack Calls for $14 Million in Ransom
REvil
2020-06-23SymantecCritical Attack Discovery and Intelligence Team
@online{team:20200623:sodinokibi:7eff193, author = {Critical Attack Discovery and Intelligence Team}, title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}}, date = {2020-06-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos}, language = {English}, urldate = {2020-06-23} } Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Cobalt Strike REvil
2020-06-19Panda SecurityJorge Barelles Menes, Pablo Cardós Marqués, Aaron Jornet Sales, Javier Muñoz Alcázar
@techreport{menes:20200619:sodinokibi:7326035, author = {Jorge Barelles Menes and Pablo Cardós Marqués and Aaron Jornet Sales and Javier Muñoz Alcázar}, title = {{Sodinokibi Malware report}}, date = {2020-06-19}, institution = {Panda Security}, url = {https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf}, language = {English}, urldate = {2021-05-11} } Sodinokibi Malware report
REvil
2020-06-02ZDNetCatalin Cimpanu
@online{cimpanu:20200602:revil:883c59f, author = {Catalin Cimpanu}, title = {{REvil ransomware gang launches auction site to sell stolen data}}, date = {2020-06-02}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/}, language = {English}, urldate = {2020-06-03} } REvil ransomware gang launches auction site to sell stolen data
REvil
2020-06AreteArete Incident Response
@techreport{response:202006:sodinokibi:06e3a79, author = {Arete Incident Response}, title = {{Sodinokibi / REvil Ransomware attacks against the Education Sector}}, date = {2020-06}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf}, language = {English}, urldate = {2020-07-30} } Sodinokibi / REvil Ransomware attacks against the Education Sector
REvil
2020-05-26DataBreaches.netDissent
@online{dissent:20200526:former:dcfe145, author = {Dissent}, title = {{A former DarkSide listing shows up on REvil’s leak site}}, date = {2020-05-26}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/}, language = {English}, urldate = {2021-06-09} } A former DarkSide listing shows up on REvil’s leak site
DarkSide REvil
2020-05-07REDTEAM.PLAdam Ziaja
@online{ziaja:20200507:sodinokibi:f5c5cd1, author = {Adam Ziaja}, title = {{Sodinokibi / REvil ransomware}}, date = {2020-05-07}, organization = {REDTEAM.PL}, url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html}, language = {English}, urldate = {2020-05-13} } Sodinokibi / REvil ransomware
Maze MimiKatz REvil
2020-05-04Intel 471Intel 471 Malware Intelligence team
@online{team:20200504:changes:749da4b, author = {Intel 471 Malware Intelligence team}, title = {{Changes in REvil ransomware version 2.2}}, date = {2020-05-04}, organization = {Intel 471}, url = {https://intel471.com/blog/changes-in-revil-ransomware-version-2-2}, language = {English}, urldate = {2021-07-09} } Changes in REvil ransomware version 2.2
REvil
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-11Bleeping ComputerLawrence Abrams
@online{abrams:20200411:sodinokibi:82f9f79, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware to stop taking Bitcoin to hide money trail}}, date = {2020-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/}, language = {English}, urldate = {2020-04-26} } Sodinokibi Ransomware to stop taking Bitcoin to hide money trail
REvil
2020-04-09Graham Cluley BlogGraham Cluley
@online{cluley:20200409:travelex:bb5a2d7, author = {Graham Cluley}, title = {{Travelex paid hackers $2.3 million worth of Bitcoin after ransomware attack}}, date = {2020-04-09}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/travelex-paid-ransom/}, language = {English}, urldate = {2020-04-26} } Travelex paid hackers $2.3 million worth of Bitcoin after ransomware attack
REvil
2020-03-31Intel 471Intel 471
@online{471:20200331:revil:0e5226a, author = {Intel 471}, title = {{REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation}}, date = {2020-03-31}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/}, language = {English}, urldate = {2020-04-01} } REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation
Gandcrab REvil
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil
2020-03-07Bleeping ComputerLawrence Abrams
@online{abrams:20200307:ransomware:f839049, author = {Lawrence Abrams}, title = {{Ransomware Threatens to Reveal Company's 'Dirty' Secrets}}, date = {2020-03-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/}, language = {English}, urldate = {2020-03-11} } Ransomware Threatens to Reveal Company's 'Dirty' Secrets
REvil
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-29Security AffairsPierluigi Paganini
@online{paganini:20200229:sodinokibi:799a623, author = {Pierluigi Paganini}, title = {{Sodinokibi Ransomware gang threatens to disclose data from Kenneth Cole fashion firm}}, date = {2020-02-29}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html}, language = {English}, urldate = {2020-03-11} } Sodinokibi Ransomware gang threatens to disclose data from Kenneth Cole fashion firm
REvil
2020-02-26Bleeping ComputerLawrence Abrams
@online{abrams:20200226:sodinokibi:7d730ac, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices}}, date = {2020-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/}, language = {English}, urldate = {2020-03-02} } Sodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices
REvil
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-02-10MalwarebytesAdam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-02-02Nullteilerfrei BlogLars Wallenborn
@online{wallenborn:20200202:defeating:95aa07e, author = {Lars Wallenborn}, title = {{Defeating Sodinokibi/REvil String-Obfuscation in Ghidra}}, date = {2020-02-02}, organization = {Nullteilerfrei Blog}, url = {https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/}, language = {English}, urldate = {2020-02-09} } Defeating Sodinokibi/REvil String-Obfuscation in Ghidra
REvil
2020-01-30Under The BreachUnder The Breach
@online{breach:20200130:tracking:bfa4550, author = {Under The Breach}, title = {{Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods}}, date = {2020-01-30}, organization = {Under The Breach}, url = {https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80}, language = {English}, urldate = {2020-01-31} } Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods
REvil
2020-01-30Digital ShadowsPhoton Research Team
@online{team:20200130:competitions:90773f4, author = {Photon Research Team}, title = {{Competitions on Russian-language cybercriminal forums: Sharing expertise or threat actor showboating?}}, date = {2020-01-30}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/}, language = {English}, urldate = {2020-02-03} } Competitions on Russian-language cybercriminal forums: Sharing expertise or threat actor showboating?
REvil
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-28KPNKPN
@online{kpn:20200128:tracking:6c628f3, author = {KPN}, title = {{Tracking REvil}}, date = {2020-01-28}, organization = {KPN}, url = {https://www.kpn.com/security-blogs/Tracking-REvil.htm}, language = {English}, urldate = {2020-01-28} } Tracking REvil
REvil
2020-01-26Youtube (OALabs)Sergei Frankoff, Sean Wilson
@online{frankoff:20200126:ida:a8194b4, author = {Sergei Frankoff and Sean Wilson}, title = {{IDA Pro Automated String Decryption For REvil Ransomware}}, date = {2020-01-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=l2P5CMH9TE0}, language = {English}, urldate = {2020-01-27} } IDA Pro Automated String Decryption For REvil Ransomware
REvil
2020-01-23Bleeping ComputerSergiu Gatlan
@online{gatlan:20200123:sodinokibi:86b1d46, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Threatens to Publish Data of Automotive Group}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/}, language = {English}, urldate = {2020-01-23} } Sodinokibi Ransomware Threatens to Publish Data of Automotive Group
REvil
2020-01-18Bleeping ComputerLawrence Abrams
@online{abrams:20200118:new:4ad3c25, author = {Lawrence Abrams}, title = {{New Jersey Synagogue Suffers Sodinokibi Ransomware Attack}}, date = {2020-01-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/}, language = {English}, urldate = {2020-01-22} } New Jersey Synagogue Suffers Sodinokibi Ransomware Attack
REvil
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020-01-11Bleeping ComputerLawrence Abrams
@online{abrams:20200111:sodinokibi:8fe0ebe, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Publishes Stolen Data for the First Time}}, date = {2020-01-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/}, language = {English}, urldate = {2020-01-20} } Sodinokibi Ransomware Publishes Stolen Data for the First Time
REvil
2020-01-10BleepingComputerSergiu Gatlan
@online{gatlan:20200110:sodinokibi:73cbf66, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Hits New York Airport Systems}}, date = {2020-01-10}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/}, language = {English}, urldate = {2020-01-20} } Sodinokibi Ransomware Hits New York Airport Systems
REvil
2020-01-09Bleeping ComputerLawrence Abrams
@online{abrams:20200109:sodinokibi:c0204cc, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another}}, date = {2020-01-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/}, language = {English}, urldate = {2020-01-13} } Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another
REvil
2020-01-06Bleeping ComputerIonut Ilascu
@online{ilascu:20200106:sodinokibi:1feb8a3, author = {Ionut Ilascu}, title = {{Sodinokibi Ransomware Hits Travelex, Demands $3 Million}}, date = {2020-01-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/}, language = {English}, urldate = {2020-01-13} } Sodinokibi Ransomware Hits Travelex, Demands $3 Million
REvil
2020SecureworksSecureWorks
@online{secureworks:2020:gold:bc28839, author = {SecureWorks}, title = {{GOLD SOUTHFIELD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-southfield}, language = {English}, urldate = {2020-05-23} } GOLD SOUTHFIELD
REvil
2020BlackberryBlackberry Research
@techreport{research:2020:state:e5941af, author = {Blackberry Research}, title = {{State of Ransomware}}, date = {2020}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf}, language = {English}, urldate = {2021-01-01} } State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-12-20TrustwaveRodel Mendrez
@online{mendrez:20191220:undressing:1412c9a, author = {Rodel Mendrez}, title = {{Undressing the REvil}}, date = {2019-12-20}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/}, language = {English}, urldate = {2021-07-09} } Undressing the REvil
REvil
2019-12-18Hatching.ioPete Cowman
@online{cowman:20191218:understanding:d629d14, author = {Pete Cowman}, title = {{Understanding Ransomware Series: Detecting Sodin}}, date = {2019-12-18}, organization = {Hatching.io}, url = {https://hatching.io/blog/ransomware-part2}, language = {English}, urldate = {2020-01-08} } Understanding Ransomware Series: Detecting Sodin
REvil
2019-12-12Bleeping ComputerLawrence Abrams
@online{abrams:20191212:another:77246f4, author = {Lawrence Abrams}, title = {{Another Ransomware Will Now Publish Victims' Data If Not Paid}}, date = {2019-12-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/}, language = {English}, urldate = {2020-01-05} } Another Ransomware Will Now Publish Victims' Data If Not Paid
REvil
2019-12-04ElasticDavid French
@online{french:20191204:ransomware:92a6fae, author = {David French}, title = {{Ransomware, interrupted: Sodinokibi and the supply chain}}, date = {2019-12-04}, organization = {Elastic}, url = {https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain}, language = {English}, urldate = {2020-06-30} } Ransomware, interrupted: Sodinokibi and the supply chain
REvil
2019-11-09Lars Wallenborn
@online{wallenborn:20191109:apihashing:ec59534, author = {Lars Wallenborn}, title = {{API-Hashing in the Sodinokibi/Revil Ransomware - Why and How?}}, date = {2019-11-09}, url = {https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/}, language = {English}, urldate = {2019-12-18} } API-Hashing in the Sodinokibi/Revil Ransomware - Why and How?
REvil
2019-10-20McAfeeJessica Saavedra-Morales, Ryan Sherstobitoff, Christiaan Beek
@online{saavedramorales:20191020:mcafee:237cd1b, author = {Jessica Saavedra-Morales and Ryan Sherstobitoff and Christiaan Beek}, title = {{McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo}}, date = {2019-10-20}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/}, language = {English}, urldate = {2020-01-09} } McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo
REvil
2019-10-02McAfeeMcAfee Labs
@online{labs:20191002:mcafee:1a04182, author = {McAfee Labs}, title = {{McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us}}, date = {2019-10-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/}, language = {English}, urldate = {2019-12-22} } McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us
Gandcrab REvil
2019-09-24SecureworksCTU Research Team
@online{team:20190924:revil:3f165f3, author = {CTU Research Team}, title = {{REvil: The GandCrab Connection}}, date = {2019-09-24}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/revil-the-gandcrab-connection}, language = {English}, urldate = {2020-01-08} } REvil: The GandCrab Connection
REvil GOLD SOUTHFIELD
2019-09-24SecureworksCTU Research Team
@online{team:20190924:revilsodinokibi:646c88c, author = {CTU Research Team}, title = {{REvil/Sodinokibi Ransomware}}, date = {2019-09-24}, organization = {Secureworks}, url = {https://www.secureworks.com/research/revil-sodinokibi-ransomware}, language = {English}, urldate = {2020-01-08} } REvil/Sodinokibi Ransomware
REvil GOLD SOUTHFIELD
2019-08-30Bleeping ComputerIonut Ilascu
@online{ilascu:20190830:look:9a976c7, author = {Ionut Ilascu}, title = {{A Look Inside the Highly Profitable Sodinokibi Ransomware Business}}, date = {2019-08-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/}, language = {English}, urldate = {2019-12-20} } A Look Inside the Highly Profitable Sodinokibi Ransomware Business
REvil
2019-08-23The New York TimesManny Fernandez, David E. Sanger, Marina Trahan Martinez
@online{fernandez:20190823:ransomware:dffa5db, author = {Manny Fernandez and David E. Sanger and Marina Trahan Martinez}, title = {{Ransomware Attacks Are Testing Resolve of Cities Across America}}, date = {2019-08-23}, organization = {The New York Times}, url = {https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html}, language = {English}, urldate = {2020-01-13} } Ransomware Attacks Are Testing Resolve of Cities Across America
REvil
2019-08-10Dissecting MalwareMarius Genheimer
@online{genheimer:20190810:germanwipers:96d9745, author = {Marius Genheimer}, title = {{GermanWiper's big Brother? GandGrab's kid ? Sodinokibi!}}, date = {2019-08-10}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html}, language = {English}, urldate = {2020-03-27} } GermanWiper's big Brother? GandGrab's kid ? Sodinokibi!
REvil
2019-07-15KrebsOnSecurityBrian Krebs
@online{krebs:20190715:is:4e715d7, author = {Brian Krebs}, title = {{Is ‘REvil’ the New GandCrab Ransomware?}}, date = {2019-07-15}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/}, language = {English}, urldate = {2020-01-06} } Is ‘REvil’ the New GandCrab Ransomware?
REvil
2019-07-03Kaspersky LabsOrkhan Mamedov, Artur Pakulov, Fedor Sinitsyn
@online{mamedov:20190703:sodin:74c101f, author = {Orkhan Mamedov and Artur Pakulov and Fedor Sinitsyn}, title = {{Sodin ransomware exploits Windows vulnerability and processor architecture}}, date = {2019-07-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/sodin-ransomware/91473/}, language = {English}, urldate = {2019-12-20} } Sodin ransomware exploits Windows vulnerability and processor architecture
REvil
2019-06-24VirITGianfranco Tonello, Michele Zuin, Federico Girotto
@online{tonello:20190624:ransomware:d1922b8, author = {Gianfranco Tonello and Michele Zuin and Federico Girotto}, title = {{Ransomware REvil - Sodinokibi: Technical analysis and Threat Intelligence Report}}, date = {2019-06-24}, organization = {VirIT}, url = {https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004}, language = {English}, urldate = {2020-01-08} } Ransomware REvil - Sodinokibi: Technical analysis and Threat Intelligence Report
REvil
2019-06-14CertegoMatteo Lodi
@online{lodi:20190614:malware:c93f3de, author = {Matteo Lodi}, title = {{Malware Tales: Sodinokibi}}, date = {2019-06-14}, organization = {Certego}, url = {https://www.certego.net/en/news/malware-tales-sodinokibi/}, language = {English}, urldate = {2019-12-17} } Malware Tales: Sodinokibi
REvil
2019-05WatchGuardWatchGuard
@techreport{watchguard:201905:internet:6befd5b, author = {WatchGuard}, title = {{Internet Security Report}}, date = {2019-05}, institution = {WatchGuard}, url = {https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf}, language = {English}, urldate = {2021-05-26} } Internet Security Report
REvil RobinHood
2019-04-30Cisco TalosPierre Cadieux, Colin Grady, Jaeson Schultz, Matt Valites
@online{cadieux:20190430:sodinokibi:d04e315, author = {Pierre Cadieux and Colin Grady and Jaeson Schultz and Matt Valites}, title = {{Sodinokibi ransomware exploits WebLogic Server vulnerability}}, date = {2019-04-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html}, language = {English}, urldate = {2019-12-17} } Sodinokibi ransomware exploits WebLogic Server vulnerability
REvil
Yara Rules
[TLP:WHITE] win_revil_auto (20211008 | Detects win.revil.)
rule win_revil_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.revil."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bf2 898ab0000000 8b4dec 8982b4000000 f7d1 234de0 8b45f0 }
            // n = 7, score = 4500
            //   8bf2                 | mov                 esi, edx
            //   898ab0000000         | mov                 dword ptr [edx + 0xb0], ecx
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8982b4000000         | mov                 dword ptr [edx + 0xb4], eax
            //   f7d1                 | not                 ecx
            //   234de0               | and                 ecx, dword ptr [ebp - 0x20]
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_1 = { 2345e8 3345f0 334dec 894724 894f20 8b4728 }
            // n = 6, score = 4500
            //   2345e8               | and                 eax, dword ptr [ebp - 0x18]
            //   3345f0               | xor                 eax, dword ptr [ebp - 0x10]
            //   334dec               | xor                 ecx, dword ptr [ebp - 0x14]
            //   894724               | mov                 dword ptr [edi + 0x24], eax
            //   894f20               | mov                 dword ptr [edi + 0x20], ecx
            //   8b4728               | mov                 eax, dword ptr [edi + 0x28]

        $sequence_2 = { 8d8510feffff 899d08feffff 56 50 }
            // n = 4, score = 4500
            //   8d8510feffff         | lea                 eax, dword ptr [ebp - 0x1f0]
            //   899d08feffff         | mov                 dword ptr [ebp - 0x1f8], ebx
            //   56                   | push                esi
            //   50                   | push                eax

        $sequence_3 = { 59 85f6 741f 57 56 ff7514 53 }
            // n = 7, score = 4500
            //   59                   | pop                 ecx
            //   85f6                 | test                esi, esi
            //   741f                 | je                  0x21
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   53                   | push                ebx

        $sequence_4 = { 50 8d45f8 50 8d45e0 50 8d4584 50 }
            // n = 7, score = 4500
            //   50                   | push                eax
            //   8d45f8               | lea                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, dword ptr [ebp - 0x20]
            //   50                   | push                eax
            //   8d4584               | lea                 eax, dword ptr [ebp - 0x7c]
            //   50                   | push                eax

        $sequence_5 = { 85c0 7537 8b4dec c6040f0d eb2e 8b45b4 85c0 }
            // n = 7, score = 4500
            //   85c0                 | test                eax, eax
            //   7537                 | jne                 0x39
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   c6040f0d             | mov                 byte ptr [edi + ecx], 0xd
            //   eb2e                 | jmp                 0x30
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   85c0                 | test                eax, eax

        $sequence_6 = { bf00ff0000 33c2 895620 894624 8d5630 33c8 }
            // n = 6, score = 4500
            //   bf00ff0000           | mov                 edi, 0xff00
            //   33c2                 | xor                 eax, edx
            //   895620               | mov                 dword ptr [esi + 0x20], edx
            //   894624               | mov                 dword ptr [esi + 0x24], eax
            //   8d5630               | lea                 edx, dword ptr [esi + 0x30]
            //   33c8                 | xor                 ecx, eax

        $sequence_7 = { 56 8bd8 e8???????? 83c40c 85db 7504 }
            // n = 6, score = 4500
            //   56                   | push                esi
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85db                 | test                ebx, ebx
            //   7504                 | jne                 6

        $sequence_8 = { 81e6bf030000 8a4513 83ce40 83e103 c1e602 0bf1 c0e004 }
            // n = 7, score = 4500
            //   81e6bf030000         | and                 esi, 0x3bf
            //   8a4513               | mov                 al, byte ptr [ebp + 0x13]
            //   83ce40               | or                  esi, 0x40
            //   83e103               | and                 ecx, 3
            //   c1e602               | shl                 esi, 2
            //   0bf1                 | or                  esi, ecx
            //   c0e004               | shl                 al, 4

        $sequence_9 = { 8b7608 85f6 75e9 33c0 5e 5d c3 }
            // n = 7, score = 4500
            //   8b7608               | mov                 esi, dword ptr [esi + 8]
            //   85f6                 | test                esi, esi
            //   75e9                 | jne                 0xffffffeb
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

    condition:
        7 of them and filesize < 155794432
}
Download all Yara Rules