| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Actor(s): Pinchy Spider
REvil Beta
MD5: bed6fc04aeb785815744706239a1f243
SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf
SHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
* Privilege escalation via CVE-2018-8453 (64-bit only)
* Rerun with RunAs to elevate privileges
* Implements a requirement that if "exp" is set, privilege escalation must be successful for full execution to occur
* Implements target whitelisting using GetKetboardLayoutList
* Contains debug console logging functionality
* Defines the REvil registry root key as SOFTWARE\!test
* Includes two variable placeholders in the ransom note: UID & KEY
* Terminates processes specified in the "prc" configuration key prior to encryption
* Deletes shadow copies and disables recovery
* Wipes contents of folders specified in the "wfld" configuration key prior to encryption
* Encrypts all non-whitelisted files on fixed drives
* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe
* Partially implements a background image setting to display a basic "Image text" message
* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)
------------------------------------
REvil 1.00
MD5: 65aa793c000762174b2f86077bdafaea
SHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457
SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc
* Adds 32-bit implementation of CVE-2018-8453 exploit
* Removes console debug logging
* Changes the REvil registry root key to SOFTWARE\recfg
* Removes the System/Impersonation success requirement for encrypting network mapped drives
* Adds a "wipe" key to the configuration for optional folder wiping
* Fully implements the background image setting and leverages values defined in the "img" configuration key
* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT
* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL
* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data
------------------------------------
REvil 1.01
MD5: 2abff29b4d87f30f011874b6e98959e9
SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c
SHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb
* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level
* Makes encryption of network mapped drives optional by adding the "-nolan" argument
------------------------------------
REvil 1.02
MD5: 4af953b20f3a1f165e7cf31d6156c035
SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299
SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4
* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage
* Partially implements "lock file" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)
* Enhances folder whitelisting logic that take special considerations if the folder is associated with "program files" directories
* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories
* Hard-codes whitelisting of "sql" subfolders within program files
* Encrypts program files sub-folders that does not contain "sql" in the path
* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted
* Encodes stored strings used for URI building within the binary and decodes them in memory right before use
* Introduces a REvil registry root key "sub_key" registry value containing the attacker's public key
------------------------------------
REvil 1.03
MD5: 3cae02306a95564b1fff4ea45a7dfc00
SHA1: 0ce2cae5287a64138d273007b34933362901783d
SHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf
* Removes lock file logic that was partially implemented in 1.02
* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)
* Encodes stored shellcode
* Adds the -path argument:
* Does not wipe folders (even if wipe == true)
* Does not set desktop background
* Does not contact the C2 server (even if net == true)
* Encrypts files in the specified folder and drops the ransom note
* Changes the REvil registry root key to SOFTWARE\QtProject\OrganizationDefaults
* Changes registry key values from --> to:
* sub_key --> pvg
* pk_key --> sxsP
* sk_key --> BDDC8
* 0_key --> f7gVD7
* rnd_ext --> Xu7Nnkd
* stat --> sMMnxpgk
------------------------------------
REvil 1.04
MD5: 6e3efb83299d800edf1624ecbc0665e7
SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d
SHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6
* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)
* Removes the folder wipe capability
* Changes the REvil registry root key to SOFTWARE\GitForWindows
* Changes registry key values from --> to:
* pvg --> QPM
* sxsP --> cMtS
* BDDC8 --> WGg7j
* f7gVD7 --> zbhs8h
* Xu7Nnkd --> H85TP10
* sMMnxpgk --> GCZg2PXD
------------------------------------
REvil v1.05
MD5: cfefcc2edc5c54c74b76e7d1d29e69b2
SHA1: 7423c57db390def08154b77e2b5e043d92d320c7
SHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea
* Add new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence.
* Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The Reg Value used is the hardcoded value of 'lNOWZyAWVv' :
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lNOWZyAWVv
* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks persistence however as the target executable specified in the Run key will no longer exist once this is done.
* Changes registry key values from --> to:
* QPM --> tgE
* cMtS --> 8K09
* WGg7j --> xMtNc
* zbhs8h --> CTgE4a
* H85TP10 --> oE5bZg0
* GCZg2PXD --> DC408Qp4
------------------------------------
REvil v1.06
MD5: 65ff37973426c09b9ff95f354e62959e
SHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e
SHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e
* Updated string decoding function to break existing yara rules. Likely the result of the blog posted by us.
* Modified handling of network file encryption. Now explicitly passes every possible "Scope" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the 'Resource Type" from RESOURCETYPE_DISK to RESOURCETYPE_ANY which will now include things like mapped printers.
* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'
* Changes registry key values from --> to:
* tgE --> 73g
* 8K09 --> vTGj
* xMtNc --> Q7PZe
* CTgE4a --> BuCrIp
* oE5bZg0 --> lcZd7OY
* DC408Qp4 --> sLF86MWC
------------------------------------
REvil v1.07
MD5: ea4cae3d6d8150215a4d90593a4c30f2
SHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e
SHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3
TBD
| 2023-04-18 ⋅ Mandiant ⋅ M-Trends 2023 QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate |
| 2023-02-02 ⋅ cocomelonc ⋅ Malware analysis: part 7. Yara rule example for CRC32. CRC32 in REvil ransomware REvil |
| 2023-01-30 ⋅ Checkpoint ⋅ Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot |
| 2022-08-22 ⋅ Microsoft ⋅ Extortion Economics - Ransomware’s new business model BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk |
| 2022-07-27 ⋅ Trend Micro ⋅ Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike Cobalt Strike GootKit Kronos REvil SunCrypt |
| 2022-06-13 ⋅ SecurityScorecard ⋅ A Detailed Analysis Of The Last Version Of REvil Ransomware (Download PDF) REvil |
| 2022-05-09 ⋅ Microsoft ⋅ Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT |
| 2022-05-09 ⋅ Secureworks ⋅ REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence REvil |
| 2022-05-01 ⋅ Github (k-vitali) ⋅ REvil Reborn Ransom Config REvil |
| 2022-05-01 ⋅ Bleeping Computer ⋅ REvil ransomware returns: New malware sample confirms gang is back REvil |
| 2022-04-20 ⋅ Bleeping Computer ⋅ REvil's TOR sites come alive to redirect to new ransomware operation REvil |
| 2022-04-12 ⋅ ConnectWise ⋅ Threat Profile: REvil REvil |
| 2022-04-04 ⋅ Bankinfo Security ⋅ The Ransomware Files, Episode 6: Kaseya and REvil REvil |
| 2022-03-24 ⋅ United States Senate ⋅ New Portman Report Demonstrates Threat Ransomware Presents to the United States REvil |
| 2022-03-24 ⋅ United States Senate ⋅ America's Data Held Hostage: Case Studies in Ransomware Attacks on American Companies REvil |
| 2022-03-23 ⋅ splunk ⋅ Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk |
| 2022-03-17 ⋅ Trend Micro ⋅ Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report REvil BazarBackdoor Buer IcedID QakBot REvil |
| 2022-03-17 ⋅ Sophos ⋅ The Ransomware Threat Intelligence Center ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker |
| 2022-03-16 ⋅ Red Canary ⋅ Uncompromised: When REvil comes knocking REvil |
| 2022-03-09 ⋅ Department of Justice ⋅ Sodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas REvil |
| 2022-02-23 ⋅ splunk ⋅ An Empirically Comparative Analysis of Ransomware Binaries Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk |
| 2022-02-14 ⋅ Darktrace ⋅ Staying ahead of REvil’s Ransomware-as-a-Service business model REvil REvil |
| 2022-01-27 ⋅ ANALYST1 ⋅ A History of Revil REvil REvil |
| 2022-01-19 ⋅ Blackberry ⋅ Kraken the Code on Prometheus Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk |
| 2022-01-14 ⋅ FSB ⋅ Unlawful Activities of Members of an Organized Criminal Community were suppressed REvil REvil |
| 2022-01-14 ⋅ Advanced Intelligence ⋅ Storm in "Safe Haven": Takeaways from Russian Authorities Takedown of REvil REvil REvil |
| 2021-12-20 ⋅ Trend Micro ⋅ Ransomware Spotlight: REvil REvil REvil |
| 2021-11-17 ⋅ BBC ⋅ Evil Corp: 'My hunt for the world's most wanted hackers' REvil REvil |
| 2021-11-16 ⋅ IronNet ⋅ How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware Cobalt Strike Conti IcedID REvil |
| 2021-11-16 ⋅ Trend Micro ⋅ Global Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels REvil Clop Gandcrab REvil |
| 2021-11-10 ⋅ RT on the Russian ⋅ "He does not get in touch": what is known about Barnaul, wanted by the FBI on charges of cybercrime REvil REvil |
| 2021-11-10 ⋅ Blackberry ⋅ REvil Under the Microscope GootKit REvil |
| 2021-11-08 ⋅ Department of Justice ⋅ Indictment of Yaroslav Vasinskyi (REvil affiliate) REvil REvil |
| 2021-11-08 ⋅ U.S. Department of the Treasury ⋅ Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments REvil REvil |
| 2021-11-08 ⋅ Department of Justice ⋅ Indictment of Yevgeniy Polyanin, one off the REvil affliates REvil REvil |
| 2021-11-08 ⋅ The Record ⋅ US arrests and charges Ukrainian man for Kaseya ransomware attack REvil REvil |
| 2021-11-08 ⋅ U.S. Department of the Treasury ⋅ Treasury Continues to Counter Ransomware as Part of Whole-of-Government Effort; Sanctions Ransomware Operators and Virtual Currency Exchange (Yaroslav Vasinskyi & Yevgeniy Polyanin) REvil REvil |
| 2021-11-08 ⋅ KrebsOnSecurity ⋅ REvil Ransom Arrest, $6M Seizure, and $10M Reward REvil REvil |
| 2021-11-08 ⋅ Department of Justice ⋅ Ukrainian Arrested and Charged with Ransomware Attack on Kaseya REvil REvil |
| 2021-11-08 ⋅ DIICOT (Romanian Directorate for Investigating Organized Crime and Terrorism) ⋅ Press release 2 08.11.2021 REvil REvil |
| 2021-11-08 ⋅ Europol ⋅ Five Affiliates to Sodinokibi/REvil Unplugged REvil |
| 2021-11-08 ⋅ FBI ⋅ WANTED poster for Yevhgyeniy Polyanin (REvil affiliate) REvil REvil |
| 2021-11-03 ⋅ CERT-FR ⋅ Identification of a new cybercriminal group: Lockean DoppelPaymer Egregor Maze PwndLocker REvil |
| 2021-10-28 ⋅ BR.DE ⋅ Mutmaßlicher Ransomware-Millionär identifiziert REvil REvil |
| 2021-10-26 ⋅ Identification of a new cyber criminal group: Lockean Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil |
| 2021-10-25 ⋅ KELA ⋅ Will the REvil Story Finally be Over? REvil REvil |
| 2021-10-22 ⋅ Reuters ⋅ EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline REvil REvil |
| 2021-10-22 ⋅ HUNT & HACKETT ⋅ Advanced IP Scanner: the preferred scanner in the A(P)T toolbox Conti DarkSide Dharma Egregor Hades REvil Ryuk |
| 2021-10-22 ⋅ Darkowl ⋅ “Page Not Found”: REvil Darknet Services Offline After Attack Last Weekend REvil REvil |
| 2021-10-18 ⋅ Flashpoint ⋅ REvil Disappears Again: ‘Something Is Rotten in the State of Ransomware’ REvil REvil |
| 2021-10-17 ⋅ Bleeping Computer ⋅ REvil ransomware shuts down again after Tor sites were hijacked REvil REvil |
| 2021-10-12 ⋅ CrowdStrike ⋅ ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil |
| 2021-10-11 ⋅ Accenture ⋅ Moving Left of the Ransomware Boom REvil Cobalt Strike MimiKatz RagnarLocker REvil |
| 2021-10-05 ⋅ Trend Micro ⋅ Ransomware as a Service: Enabler of Widespread Attacks Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk |
| 2021-09-29 ⋅ Flashpoint ⋅ Russian hacker Q&A: An Interview With REvil-Affiliated Ransomware Contractor REvil REvil |
| 2021-09-28 ⋅ Flashpoint ⋅ REvil’s “Cryptobackdoor” Con: Ransomware Group’s Tactics Roil Affiliates, Sparking a Fallout REvil |
| 2021-09-23 ⋅ Bleeping Computer ⋅ REVil ransomware devs added a backdoor to cheat affiliates REvil |
| 2021-09-22 ⋅ Secureworks ⋅ REvil Ransomware Reemerges After Shutdown; Universal Decryptor Released REvil REvil |
| 2021-09-21 ⋅ Washington Post ⋅ FBI held back ransomware decryption key from businesses to run operation targeting hackers REvil |
| 2021-09-14 ⋅ CrowdStrike ⋅ Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil |
| 2021-09-07 ⋅ Bleeping Computer ⋅ REvil ransomware's servers mysteriously come back online REvil |
| 2021-09-03 ⋅ IBM ⋅ Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight Valak QakBot REvil |
| 2021-08-30 ⋅ CrowdStrike ⋅ CARBON SPIDER Embraces Big Game Hunting, Part 1 Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil |
| 2021-08-25 ⋅ GoggleHeadedHacker Blog ⋅ Reverse Engineering Crypto Functions: RC4 and Salsa20 REvil |
| 2021-08-20 ⋅ TEAMT5 ⋅ See REvil again?! See how hackers use the same encryption ransomware program REvil to annihilate the attack evidence REvil |
| 2021-08-15 ⋅ Symantec ⋅ The Ransomware Threat Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker |
| 2021-08-11 ⋅ BleepingComputer ⋅ Kaseya's universal REvil decryption key leaked on a hacking forum REvil |
| 2021-08-10 ⋅ Flashpoint ⋅ REvil Master Key for Kaseya Attack Posted to XSS REvil |
| 2021-08-05 ⋅ KrebsOnSecurity ⋅ Ransomware Gangs and the Name Game Distraction DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet |
| 2021-08-04 ⋅ Trend Micro ⋅ Supply Chain Attacks from a Managed Detection and Response Perspective REvil |
| 2021-08-02 ⋅ The Record ⋅ An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil DarkSide LockBit REvil |
| 2021-07-31 ⋅ Bleeping Computer ⋅ BlackMatter ransomware gang rises from the ashes of DarkSide, REvil DarkSide REvil |
| 2021-07-28 ⋅ Digital Shadows ⋅ REvil: Analysis of Competing Hypotheses REvil REvil |
| 2021-07-27 ⋅ Recorded Future ⋅ BlackMatter Ransomware Emerges As Successor to DarkSide, REvil DarkSide LockBit REvil |
| 2021-07-27 ⋅ Youtube (SANS Institute) ⋅ SANS Threat Analysis Rundown - Kaseya VSA attack REvil |
| 2021-07-27 ⋅ Twitter (@fwosar) ⋅ Tweet on new REvil variant REvil |
| 2021-07-27 ⋅ Flashpoint ⋅ Chatter Indicates BlackMatter as REvil Successor REvil |
| 2021-07-25 ⋅ Youtube (AhmedS Kasmani) ⋅ Analysis of Malware from Kaseya/Revil Supply Chain attack. REvil |
| 2021-07-22 ⋅ Bleeping Computer ⋅ Kaseya obtains universal decryptor for REvil ransomware victims REvil |
| 2021-07-20 ⋅ Huntress Labs ⋅ Security Researchers’ Hunt to Discover Origins of the Kaseya VSA Mass Ransomware Incident REvil |
| 2021-07-19 ⋅ Elliptic ⋅ REvil Revealed - Tracking a Ransomware Negotiation and Payment REvil REvil |
| 2021-07-15 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Fast API resolving of REvil Ransomware related to Kaseya attack REvil |
| 2021-07-14 ⋅ Advanced Intelligence ⋅ REvil Vanishes From Underground - Infrastructure Down REvil |
| 2021-07-13 ⋅ Bleeping Computer ⋅ REvil ransomware gang's web sites mysteriously shut down REvil |
| 2021-07-13 ⋅ Threat Post ⋅ Ransomware Giant REvil’s Sites Disappear REvil REvil |
| 2021-07-09 ⋅ The Record ⋅ Ransomwhere project wants to create a database of past ransomware payments Egregor Mailto Maze REvil |
| 2021-07-09 ⋅ cyjax ⋅ REvil-ution – A Persistent Ransomware Operation REvil |
| 2021-07-09 ⋅ Twitter (@SophosLabs) ⋅ Tweet on speed at which Kaseya REvil attack was conducted REvil |
| 2021-07-08 ⋅ Sekoia ⋅ Kaseya: Another Massive Heist by REvil REvil |
| 2021-07-08 ⋅ Gigamon ⋅ Observations and Recommendations from the Ongoing REvil-Kaseya Incident REvil |
| 2021-07-08 ⋅ KELA ⋅ Ransomware Gangs are Starting to Look Like Ocean’s 11 REvil |
| 2021-07-07 ⋅ Netskope ⋅ Netskope Threat Coverage: REvil REvil |
| 2021-07-07 ⋅ CrowdStrike ⋅ How CrowdStrike Falcon Stops REvil Ransomware Used in the Kaseya Attack REvil |
| 2021-07-07 ⋅ Twitter (@resecurity_com) ⋅ Tweet REvil attack chain used against Kaseya REvil |
| 2021-07-07 ⋅ Trustwave ⋅ Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails Cobalt Strike REvil |
| 2021-07-07 ⋅ Elastic ⋅ Elastic Security prevents 100% of REvil ransomware samples REvil |
| 2021-07-06 ⋅ paloalto Networks Unit 42 ⋅ Understanding REvil: The Ransomware Gang Behind the Kaseya Attack Gandcrab REvil |
| 2021-07-06 ⋅ Cybereason ⋅ Cybereason vs. REvil Ransomware: The Kaseya Chronicles REvil |
| 2021-07-06 ⋅ Zscaler ⋅ Kaseya Supply Chain Ransomware Attack - Technical Analysis of the REvil Payload REvil |
| 2021-07-06 ⋅ TRUESEC ⋅ How the Kaseya VSA Zero Day Exploit Worked REvil |
| 2021-07-06 ⋅ Twitter (@_alex_il_) ⋅ Tweet on REvil ransomware actor using vulnerable defender executable in its infection flow in early may before Kaseya attack REvil |
| 2021-07-06 ⋅ CrowdStrike ⋅ The Evolution of PINCHY SPIDER from GandCrab to REvil Gandcrab REvil |
| 2021-07-06 ⋅ splunk ⋅ REvil Ransomware Threat Research Update and Detections REvil |
| 2021-07-05 ⋅ splunk ⋅ Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt REvil |
| 2021-07-05 ⋅ Kaspersky ⋅ REvil ransomware attack against MSPs and its clients around the world REvil |
| 2021-07-05 ⋅ S2W LAB Inc. ⋅ Kaseya supply chain attack delivers mass ransomware REvil |
| 2021-07-05 ⋅ Twitter (@SophosLabs) ⋅ Tweet with a REvil ransomware execution demo REvil |
| 2021-07-05 ⋅ Twitter (@R3MRUM) ⋅ Twitter thread with additional context on C2 domains found in REvil configuration REvil |
| 2021-07-05 ⋅ Morphisec ⋅ Real-Time Prevention of the Kaseya VSA Supply Chain REvil Ransomware Attack REvil |
| 2021-07-04 ⋅ TRUESEC ⋅ Kaseya supply chain attack targeting MSPs to deliver REvil ransomware REvil |
| 2021-07-04 ⋅ CISA ⋅ CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack REvil REvil |
| 2021-07-04 ⋅ Twitter (@svch0st) ⋅ Tweet on #Kaseya detection tool for detecting REvil REvil |
| 2021-07-04 ⋅ Sophos ⋅ Independence Day: REvil uses supply chain exploit to attack hundreds of businesses REvil |
| 2021-07-03 ⋅ Symantec ⋅ Kaseya Ransomware Supply Chain Attack: What You Need To Know REvil |
| 2021-07-03 ⋅ Kaseya ⋅ Kaseya VSA Detection Tool REvil |
| 2021-07-03 ⋅ Twitter (@fwosar) ⋅ Twitter thread on REvil's cryptographic scheme REvil |
| 2021-07-03 ⋅ Kaseya ⋅ Updates Regarding VSA Security Incident REvil |
| 2021-07-03 ⋅ Twitter (@LloydLabs) ⋅ Twitter Thread on Revil sideloading DLL used in Kaseya attack REvil |
| 2021-07-03 ⋅ Medium Doublepulsar ⋅ Kaseya supply chain attack delivers mass ransomware event to US companies REvil |
| 2021-07-03 ⋅ Cybleinc ⋅ Uncensored Interview with REvil / Sodinokibi Ransomware Operators REvil REvil |
| 2021-07-03 ⋅ Palo Alto Networks Unit 42 ⋅ Threat Brief: Kaseya VSA Ransomware Attack REvil |
| 2021-07-02 ⋅ Velzart ⋅ Ransomware attack REvil |
| 2021-07-02 ⋅ The Record ⋅ REvil ransomware gang executes supply chain attack via malicious Kaseya update REvil |
| 2021-07-02 ⋅ Github (fwosar) ⋅ REvil configuration dump used in Kaseya attack REvil |
| 2021-07-02 ⋅ Huntress Labs ⋅ Crticial Ransomware Incident in Progress REvil |
| 2021-07-02 ⋅ Bleeping Computer ⋅ REvil ransomware hits 1,000+ companies in MSP supply-chain attack REvil |
| 2021-07-02 ⋅ Twitter (@SyscallE) ⋅ Tweet on Revil dropper used in Kaseya attack REvil |
| 2021-07-02 ⋅ Twitter (@VK_intel) ⋅ Tweet on Revil ransomware analysis used in Kaseya attack REvil |
| 2021-07-01 ⋅ AT&T Cybersecurity ⋅ REvil’s new Linux version REvil REvil |
| 2021-07-01 ⋅ DomainTools ⋅ The Most Prolific Ransomware Families: A Defenders Guide REvil Conti Egregor Maze REvil |
| 2021-06-30 ⋅ Sophos SecOps ⋅ What to expect when you’ve been hit with REvil ransomware REvil |
| 2021-06-30 ⋅ Advanced Intelligence ⋅ Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets BlackKingdom Ransomware Clop dearcry Hades REvil |
| 2021-06-30 ⋅ Sophos ⋅ MTR in Real Time: Hand-to-hand combat with REvil ransomware chasing a $2.5 million pay day REvil |
| 2021-06-30 ⋅ Group-IB ⋅ REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs Cobalt Strike REvil |
| 2021-06-28 ⋅ Twitter (@AdamTheAnalyst) ⋅ Tweet on suspected REvil exfiltration (over RClone FTP) server REvil REvil |
| 2021-06-23 ⋅ Medium s2wlab ⋅ Deep analysis of REvil Ransomware REvil |
| 2021-06-22 ⋅ Secureworks ⋅ LV Ransomware REvil |
| 2021-06-16 ⋅ Proofpoint ⋅ The First Step: Initial Access Leads to Ransomware BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker |
| 2021-06-15 ⋅ Trend Micro ⋅ Ransomware Double Extortion and Beyond: REvil, Clop, and Conti Clop Conti REvil |
| 2021-06-11 ⋅ SophosLabs Uncut ⋅ Relentless REvil, revealed: RaaS as variable as the criminals who use it REvil |
| 2021-06-10 ⋅ HUNT & HACKETT ⋅ REvil: the usage of legitimate remote admin tooling REvil |
| 2021-06-09 ⋅ Palo Alto Networks Unit 42 ⋅ Prometheus Ransomware Gang: A Group of REvil? Hakbit Prometheus REvil |
| 2021-06-08 ⋅ Advanced Intelligence ⋅ From QBot...with REvil Ransomware: Initial Attack Exposure of JBS QakBot REvil |
| 2021-06-02 ⋅ CrowdStrike ⋅ Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware DarkSide Conti DarkSide REvil |
| 2021-06-02 ⋅ Bleeping Computer ⋅ FBI: REvil cybergang behind the JBS ransomware attack REvil |
| 2021-06-02 ⋅ TEAMT5 ⋅ Introducing The Most Profitable Ransomware REvil Gandcrab REvil |
| 2021-05-28 ⋅ Twitter (@Jacob_Pimental) ⋅ Tweet on REvil ver 2.07 REvil |
| 2021-05-25 ⋅ Medium s2wlab ⋅ W4 May | EN | Story of the week: Ransomware on the Darkweb Babuk REvil |
| 2021-05-20 ⋅ CrowdStrike ⋅ Response When Minutes Matter: When Good Tools Are Used for (R)Evil REvil |
| 2021-05-20 ⋅ Digital Shadows ⋅ Ransomware-as-a-Service, Rogue Affiliates, and What’s Next DarkSide DarkSide REvil |
| 2021-05-18 ⋅ Bleeping Computer ⋅ DarkSide ransomware made $90 million in just nine months DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk |
| 2021-05-18 ⋅ The Record ⋅ Darkside gang estimated to have made over $90 million from ransomware attacks DarkSide DarkSide Mailto Maze REvil Ryuk |
| 2021-05-14 ⋅ The Record ⋅ Darkside ransomware gang says it lost control of its servers & money a day after Biden threat DarkSide Avaddon REvil |
| 2021-05-13 ⋅ Bleeping Computer ⋅ Popular Russian hacking forum XSS bans all ransomware topics DarkSide DarkSide LockBit REvil |
| 2021-05-12 ⋅ Kaspersky ⋅ Ransomware world in 2021: who, how and why Babuk REvil |
| 2021-05-11 ⋅ Flashpoint ⋅ DarkSide Ransomware Links to REvil Group Difficult to Dismiss DarkSide REvil |
| 2021-05-10 ⋅ DarkTracer ⋅ Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX |
| 2021-05-08 ⋅ Twitter (@Jacob_Pimental) ⋅ Tweet on CyberChef recipe to extract Revil Ransomware configuration REvil |
| 2021-05-06 ⋅ Cyborg Security ⋅ Ransomware: Hunting for Inhibiting System Backup or Recovery Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX |
| 2021-05-06 ⋅ Blackberry ⋅ Threat Thursday: Dr. REvil Ransomware Strikes Again, Employs Double Extortion Tactics REvil |
| 2021-05-02 ⋅ GoggleHeadedHacker Blog ⋅ Sodinokibi Ransomware Analysis REvil |
| 2021-04-28 ⋅ IBM ⋅ The Sodinokibi Chronicles: A (R)Evil Cybercrime Gang Disrupts Organizations for Trade Secrets and Cash REvil |
| 2021-04-26 ⋅ CoveWare ⋅ Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt |
| 2021-04-25 ⋅ Vulnerability.ch Blog ⋅ Ransomware and Data Leak Site Publication Time Analysis Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil |
| 2021-04-23 ⋅ CNBC ⋅ Axis of REvil: What we know about the hacker collective taunting Apple REvil |
| 2021-04-20 ⋅ Bleeping Computer ⋅ REvil gang tries to extort Apple, threatens to sell stolen blueprints REvil |
| 2021-03-29 ⋅ The DFIR Report ⋅ Sodinokibi (aka REvil) Ransomware Cobalt Strike IcedID REvil |
| 2021-03-24 ⋅ Twitter (@VK_intel) ⋅ Tweet on REvil ransomware REvil |
| 2021-03-24 ⋅ Cisco ⋅ Quarterly Report: Incident Response trends from Winter 2020-21 Egregor REvil WastedLocker |
| 2021-03-19 ⋅ Bleeping Computer ⋅ REvil ransomware has a new ‘Windows Safe Mode’ encryption mode REvil |
| 2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Ransomware Threat Report 2021 RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker |
| 2021-03-16 ⋅ The Record ⋅ ‘I scrounged through the trash heaps… now I’m a millionaire:’ An interview with REvil’s Unknown REvil |
| 2021-03-11 ⋅ Flashpoint ⋅ CL0P and REvil Escalate Their Ransomware Tactics Clop REvil |
| 2021-03 ⋅ Techtarget ⋅ Ransomware negotiations: An inside look at the process REvil |
| 2021-03 ⋅ Group-IB ⋅ Ransomware Uncovered 2020/2021 RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader |
| 2021-02-28 ⋅ PWC UK ⋅ Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team |
| 2021-02-26 ⋅ CrowdStrike ⋅ Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil |
| 2021-02-24 ⋅ IBM ⋅ X-Force Threat Intelligence Index 2021 Emotet QakBot Ramnit REvil TrickBot |
| 2021-02-23 ⋅ CrowdStrike ⋅ 2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
| 2021-02-11 ⋅ CTI LEAGUE ⋅ CTIL Darknet Report – 2021 Conti Mailto Maze REvil Ryuk |
| 2021-02-02 ⋅ CRONUP ⋅ De ataque con Malware a incidente de Ransomware Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
| 2021-02-01 ⋅ AhnLab ⋅ BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment Cobalt Strike REvil |
| 2021-01-28 ⋅ AhnLab ⋅ BlueCrab ransomware constantly trying to bypass detection Cobalt Strike REvil |
| 2021-01-26 ⋅ Trend Micro ⋅ Examining a Sodinokibi Attack REvil |
| 2021-01-21 ⋅ InfoSec Handlers Diary Blog ⋅ Powershell Dropping a REvil Ransomware REvil |
| 2021-01-04 ⋅ KELA ⋅ Darknet Threat Actors Are Not Playing Games with the Gaming Industry REvil |
| 2021 ⋅ Acronis ⋅ Taking Deep Dive into Sodinokibi Ransomware REvil |
| 2021 ⋅ Secureworks ⋅ Threat Profile: GOLD SOUTHFIELD REvil GOLD SOUTHFIELD |
| 2020-12-16 ⋅ Accenture ⋅ Tracking and combatting an evolving danger: Ransomware extortion DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt |
| 2020-12-16 ⋅ Dragos ⋅ Assessing Ransomware and Extortion Activities Impacting Industrial Organizations: Ransomware in ICS Environments REvil |
| 2020-12-10 ⋅ US-CERT ⋅ Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus |
| 2020-12-09 ⋅ FireEye ⋅ It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES) Cobalt Strike DoppelPaymer QakBot REvil |
| 2020-12-03 ⋅ KELA ⋅ Easy Way In? 5 Ransomware Victims Had Their Pulse Secure VPN Credentials Leaked REvil |
| 2020-12-01 ⋅ Trend Micro ⋅ The Impact of Modern Ransomware on Manufacturing Networks Maze Petya REvil |
| 2020-11-30 ⋅ FireEye ⋅ It's not FINished The Evolving Maturity in Ransomware Operations Cobalt Strike DoppelPaymer MimiKatz QakBot REvil |
| 2020-11-30 ⋅ Malwarebytes ⋅ German users targeted with Gootkit banker or REvil ransomware GootKit REvil |
| 2020-11-18 ⋅ Bleeping Computer ⋅ REvil ransomware hits Managed.com hosting provider, 500K ransom REvil |
| 2020-11-18 ⋅ KELA ⋅ Zooming into Darknet Threats Targeting Japanese Organizations Conti DoppelPaymer Egregor LockBit Maze REvil Snake |
| 2020-11-16 ⋅ Intel 471 ⋅ Ransomware-as-a-service: The pandemic within a pandemic Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX |
| 2020-11-10 ⋅ AP News ⋅ Threat Hunting for REvil Ransomware REvil |
| 2020-11-04 ⋅ ZDNet ⋅ REvil ransomware gang 'acquires' KPOT malware KPOT Stealer REvil |
| 2020-10-29 ⋅ Bleeping Computer ⋅ REvil ransomware gang claims over $100 million profit in a year REvil |
| 2020-10-28 ⋅ Intel 471 ⋅ Alleged REvil member spills details on group’s ransomware operations REvil |
| 2020-10-26 ⋅ Checkpoint ⋅ Exploit Developer Spotlight: The Story of PlayBit Dyre Maze PyLocky Ramnit REvil |
| 2020-10-23 ⋅ Hornetsecurity ⋅ Leakware-Ransomware-Hybrid Attacks Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt |
| 2020-10-20 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ Die Lage der IT-Sicherheit in Deutschland 2020 Clop Emotet REvil Ryuk TrickBot |
| 2020-10-06 ⋅ CrowdStrike ⋅ Double Trouble: Ransomware with Data Leak Extortion, Part 2 Maze MedusaLocker REvil VIKING SPIDER |
| 2020-10-01 ⋅ KELA ⋅ To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt |
| 2020-09-29 ⋅ Microsoft ⋅ Microsoft Digital Defense Report Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot |
| 2020-09-29 ⋅ PWC UK ⋅ What's behind the increase in ransomware attacks this year? DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker |
| 2020-09-25 ⋅ CrowdStrike ⋅ Double Trouble: Ransomware with Data Leak Extortion, Part 1 DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER |
| 2020-09-24 ⋅ Kaspersky Labs ⋅ Threat landscape for industrial automation systems - H1 2020 Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake |
| 2020-08-25 ⋅ KELA ⋅ How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet |
| 2020-08-21 ⋅ Vimeo (RiskIQ) ⋅ The Evolution of Ransomware & Pinchy Spider's Shot at the Title Gandcrab REvil |
| 2020-08-21 ⋅ RiskIQ ⋅ Pinchy Spider: Ransomware Infrastructure Connected to Dark Web Marketplace REvil |
| 2020-08-20 ⋅ DomainTools ⋅ Revealing REvil Ransomware With DomainTools and Maltego REvil |
| 2020-08-20 ⋅ sensecy ⋅ Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities Clop Maze REvil Ryuk |
| 2020-08 ⋅ Temple University ⋅ Critical Infrastructure Ransomware Attacks CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor |
| 2020-07-31 ⋅ PRODAFT Threat Intelligence ⋅ OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion Carbanak REvil FIN7 |
| 2020-07-29 ⋅ ESET Research ⋅ THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor |
| 2020-07-29 ⋅ AmosSys ⋅ Sodinokibi / REvil Malware Analysis REvil |
| 2020-07-22 ⋅ TEHTRIS ⋅ Peut-on neutraliser un ransomware lancé en tant que SYSTEM sur des milliers de machines en même temps? REvil |
| 2020-07-15 ⋅ Advanced Intelligence ⋅ Inside REvil Extortionist “Machine”: Predictive Insights Gandcrab REvil |
| 2020-07-10 ⋅ Advanced Intelligence ⋅ The Dark Web of Intrigue: How REvil Used the Underground Ecosystem to Form an Extortion Cartel Gandcrab REvil |
| 2020-06-30 ⋅ AppGate ⋅ Electric Company Ransomware Attack Calls for $14 Million in Ransom REvil |
| 2020-06-23 ⋅ Symantec ⋅ Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike Cobalt Strike REvil |
| 2020-06-19 ⋅ Panda Security ⋅ Sodinokibi Malware report REvil |
| 2020-06-02 ⋅ ZDNet ⋅ REvil ransomware gang launches auction site to sell stolen data REvil |
| 2020-06 ⋅ Arete ⋅ Sodinokibi / REvil Ransomware attacks against the Education Sector REvil |
| 2020-05-26 ⋅ DataBreaches.net ⋅ A former DarkSide listing shows up on REvil’s leak site DarkSide REvil |
| 2020-05-07 ⋅ REDTEAM.PL ⋅ Sodinokibi / REvil ransomware Maze MimiKatz REvil |
| 2020-05-04 ⋅ Intel 471 ⋅ Changes in REvil ransomware version 2.2 REvil |
| 2020-04-28 ⋅ Microsoft ⋅ Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood |
| 2020-04-11 ⋅ Bleeping Computer ⋅ Sodinokibi Ransomware to stop taking Bitcoin to hide money trail REvil |
| 2020-04-09 ⋅ Graham Cluley Blog ⋅ Travelex paid hackers $2.3 million worth of Bitcoin after ransomware attack REvil |
| 2020-03-31 ⋅ Intel 471 ⋅ REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation Gandcrab REvil |
| 2020-03-24 ⋅ Bleeping Computer ⋅ Three More Ransomware Families Create Sites to Leak Stolen Data Clop DoppelPaymer Maze Nefilim Nemty REvil |
| 2020-03-07 ⋅ Bleeping Computer ⋅ Ransomware Threatens to Reveal Company's 'Dirty' Secrets REvil |
| 2020-03-05 ⋅ Microsoft ⋅ Human-operated ransomware attacks: A preventable disaster Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA |
| 2020-03-04 ⋅ CrowdStrike ⋅ 2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
| 2020-03-03 ⋅ PWC UK ⋅ Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA |
| 2020-02-29 ⋅ Security Affairs ⋅ Sodinokibi Ransomware gang threatens to disclose data from Kenneth Cole fashion firm REvil |
| 2020-02-26 ⋅ Bleeping Computer ⋅ Sodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices REvil |
| 2020-02-25 ⋅ RSA Conference ⋅ Feds Fighting Ransomware: How the FBI Investigates and How You Can Help FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus |
| 2020-02-10 ⋅ Malwarebytes ⋅ 2020 State of Malware Report magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor |
| 2020-02-02 ⋅ Nullteilerfrei Blog ⋅ Defeating Sodinokibi/REvil String-Obfuscation in Ghidra REvil |
| 2020-01-30 ⋅ Digital Shadows ⋅ Competitions on Russian-language cybercriminal forums: Sharing expertise or threat actor showboating? REvil |
| 2020-01-30 ⋅ Under The Breach ⋅ Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods REvil |
| 2020-01-29 ⋅ ANSSI ⋅ État de la menace rançongiciel Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam |
| 2020-01-28 ⋅ KPN ⋅ Tracking REvil REvil |
| 2020-01-26 ⋅ Youtube (OALabs) ⋅ IDA Pro Automated String Decryption For REvil Ransomware REvil |
| 2020-01-23 ⋅ Bleeping Computer ⋅ Sodinokibi Ransomware Threatens to Publish Data of Automotive Group REvil |
| 2020-01-18 ⋅ Bleeping Computer ⋅ New Jersey Synagogue Suffers Sodinokibi Ransomware Attack REvil |
| 2020-01-17 ⋅ Secureworks ⋅ Is It Wrong to Try to Find APT Techniques in Ransomware Attack? Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware |
| 2020-01-11 ⋅ Bleeping Computer ⋅ Sodinokibi Ransomware Publishes Stolen Data for the First Time REvil |
| 2020-01-10 ⋅ BleepingComputer ⋅ Sodinokibi Ransomware Hits New York Airport Systems REvil |
| 2020-01-09 ⋅ Bleeping Computer ⋅ Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another REvil |
| 2020-01-06 ⋅ Bleeping Computer ⋅ Sodinokibi Ransomware Hits Travelex, Demands $3 Million REvil |
| 2020 ⋅ Secureworks ⋅ GOLD SOUTHFIELD REvil |
| 2020 ⋅ Blackberry ⋅ State of Ransomware Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP |
| 2019-12-20 ⋅ Trustwave ⋅ Undressing the REvil REvil |
| 2019-12-18 ⋅ Hatching.io ⋅ Understanding Ransomware Series: Detecting Sodin REvil |
| 2019-12-12 ⋅ Bleeping Computer ⋅ Another Ransomware Will Now Publish Victims' Data If Not Paid REvil |
| 2019-12-04 ⋅ Elastic ⋅ Ransomware, interrupted: Sodinokibi and the supply chain REvil |
| 2019-11-09 ⋅ API-Hashing in the Sodinokibi/Revil Ransomware - Why and How? REvil |
| 2019-10-20 ⋅ McAfee ⋅ McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo REvil |
| 2019-10-02 ⋅ McAfee ⋅ McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us Gandcrab REvil |
| 2019-09-24 ⋅ Secureworks ⋅ REvil: The GandCrab Connection REvil GOLD SOUTHFIELD |
| 2019-09-24 ⋅ Secureworks ⋅ REvil/Sodinokibi Ransomware REvil GOLD SOUTHFIELD |
| 2019-08-30 ⋅ Bleeping Computer ⋅ A Look Inside the Highly Profitable Sodinokibi Ransomware Business REvil |
| 2019-08-23 ⋅ The New York Times ⋅ Ransomware Attacks Are Testing Resolve of Cities Across America REvil |
| 2019-08-10 ⋅ Dissecting Malware ⋅ GermanWiper's big Brother? GandGrab's kid ? Sodinokibi! REvil |
| 2019-07-15 ⋅ KrebsOnSecurity ⋅ Is ‘REvil’ the New GandCrab Ransomware? REvil |
| 2019-07-03 ⋅ Kaspersky Labs ⋅ Sodin ransomware exploits Windows vulnerability and processor architecture REvil |
| 2019-06-24 ⋅ VirIT ⋅ Ransomware REvil - Sodinokibi: Technical analysis and Threat Intelligence Report REvil |
| 2019-06-14 ⋅ Certego ⋅ Malware Tales: Sodinokibi REvil |
| 2019-05 ⋅ WatchGuard ⋅ Internet Security Report REvil RobinHood |
| 2019-04-30 ⋅ Cisco Talos ⋅ Sodinokibi ransomware exploits WebLogic Server vulnerability REvil |