Click here to download all references as Bib-File.

Enter keywords to filter the library entries below or Propose new Entry
2022-07-14SophosAndrew Brandt, Sergio Bestulic, Harinder Bhathal, Andy French, Bill Kearney, Lee Kirkpatrick, Elida Leite, Peter Mackenzie, Robert Weiland
@online{brandt:20220714:blackcat:745470a, author = {Andrew Brandt and Sergio Bestulic and Harinder Bhathal and Andy French and Bill Kearney and Lee Kirkpatrick and Elida Leite and Peter Mackenzie and Robert Weiland}, title = {{BlackCat ransomware attacks not merely a byproduct of bad luck}}, date = {2022-07-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/}, language = {English}, urldate = {2022-07-25} } BlackCat ransomware attacks not merely a byproduct of bad luck
BlackCat BlackCat
2022-04-12SophosAndrew Brandt, Angela Gunn, Melissa Kelly, Peter Mackenzie, Ferenc László Nagy, Mauricio Valdivieso, Sergio Bestulic, Johnathan Fern, Linda Smith, Matthew Everts
@online{brandt:20220412:attackers:f9f5c52, author = {Andrew Brandt and Angela Gunn and Melissa Kelly and Peter Mackenzie and Ferenc László Nagy and Mauricio Valdivieso and Sergio Bestulic and Johnathan Fern and Linda Smith and Matthew Everts}, title = {{Attackers linger on government agency computers before deploying Lockbit ransomware}}, date = {2022-04-12}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/}, language = {English}, urldate = {2022-04-15} } Attackers linger on government agency computers before deploying Lockbit ransomware
LockBit
2021-12-22SophosAndrew Brandt, Fraser Howard, Anand Ajjan, Peter Mackenzie, Ferenc László Nagy, Sergio Bestulic, Timothy Easton
@online{brandt:20211222:avos:b09298c, author = {Andrew Brandt and Fraser Howard and Anand Ajjan and Peter Mackenzie and Ferenc László Nagy and Sergio Bestulic and Timothy Easton}, title = {{Avos Locker remotely accesses boxes, even running in Safe Mode}}, date = {2021-12-22}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/}, language = {English}, urldate = {2021-12-31} } Avos Locker remotely accesses boxes, even running in Safe Mode
AvosLocker
2021-09-03SophosSean Gallagher, Peter Mackenzie, Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Sergio Bestulic, Syed Zaidi
@online{gallagher:20210903:conti:db20680, author = {Sean Gallagher and Peter Mackenzie and Anand Ajjan and Andrew Ludgate and Gabor Szappanos and Sergio Bestulic and Syed Zaidi}, title = {{Conti affiliates use ProxyShell Exchange exploit in ransomware attacks}}, date = {2021-09-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/}, language = {English}, urldate = {2021-09-06} } Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti
2021-08-05Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210805:conti:8ba71b6, author = {Peter Mackenzie}, title = {{Tweet on Conti ransomware affiliates using AnyDesk, Atera, Splashtop, Remote Utilities and ScreenConnect to maintain network access}}, date = {2021-08-05}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1423188974298861571}, language = {English}, urldate = {2021-08-06} } Tweet on Conti ransomware affiliates using AnyDesk, Atera, Splashtop, Remote Utilities and ScreenConnect to maintain network access
Conti
2021-08-05Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210805:lorenz:c5b406d, author = {Peter Mackenzie}, title = {{Tweet on Lorenz ransomware tricking user into allowing OAuth permissions to "Thunderbird with ExQuilla" for O365}}, date = {2021-08-05}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20}, language = {English}, urldate = {2021-08-06} } Tweet on Lorenz ransomware tricking user into allowing OAuth permissions to "Thunderbird with ExQuilla" for O365
Lorenz
2021-07-21Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210721:conti:085858b, author = {Peter Mackenzie}, title = {{Tweet on Conti ransomware actor installing AnyDesk for remote access in victim environment}}, date = {2021-07-21}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1417849181012647938}, language = {English}, urldate = {2021-07-22} } Tweet on Conti ransomware actor installing AnyDesk for remote access in victim environment
Conti
2021-06-12Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210612:thread:eac742a, author = {Peter Mackenzie}, title = {{A thread on RagnarLocker ransomware group's TTP seen in an Incident Response}}, date = {2021-06-12}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1403707430765273095}, language = {English}, urldate = {2021-06-21} } A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker
2021-06-11SophosLabs UncutAndrew Brandt, Anand Ajjan, Hajnalka Kope, Mark Loman, Peter Mackenzie
@online{brandt:20210611:relentless:56d5133, author = {Andrew Brandt and Anand Ajjan and Hajnalka Kope and Mark Loman and Peter Mackenzie}, title = {{Relentless REvil, revealed: RaaS as variable as the criminals who use it}}, date = {2021-06-11}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/}, language = {English}, urldate = {2021-06-16} } Relentless REvil, revealed: RaaS as variable as the criminals who use it
REvil
2021-05-18SophosJohn Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie
@online{shier:20210518:active:f313ac5, author = {John Shier and Mat Gangwer and Greg Iddon and Peter Mackenzie}, title = {{The Active Adversary Playbook 2021}}, date = {2021-05-18}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153}, language = {English}, urldate = {2021-05-25} } The Active Adversary Playbook 2021
Cobalt Strike MimiKatz
2021-05-11SophosSean Gallagher, Mark Loman, Peter Mackenzie, Yusuf Arslan Polat, Gabor Szappanos, Suriya Natarajan, Szabolcs Lévai, Ferenc László Nagy
@online{gallagher:20210511:defenders:a4c7f9c, author = {Sean Gallagher and Mark Loman and Peter Mackenzie and Yusuf Arslan Polat and Gabor Szappanos and Suriya Natarajan and Szabolcs Lévai and Ferenc László Nagy}, title = {{A defender’s view inside a DarkSide ransomware attack}}, date = {2021-05-11}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/}, language = {English}, urldate = {2021-05-13} } A defender’s view inside a DarkSide ransomware attack
DarkSide
2021-05-06Sophos LabsTilly Travers, Bill Kearney, Kyle Link, Peter Mackenzie, Matthew Sharf
@online{travers:20210506:mtr:1f2feb4, author = {Tilly Travers and Bill Kearney and Kyle Link and Peter Mackenzie and Matthew Sharf}, title = {{MTR in Real Time: Pirates pave way for Ryuk ransomware}}, date = {2021-05-06}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/}, language = {English}, urldate = {2021-05-13} } MTR in Real Time: Pirates pave way for Ryuk ransomware
Ryuk
2021-05-05SophosLabs UncutAndrew Brandt, Peter Mackenzie, Vikas Singh, Gabor Szappanos
@online{brandt:20210505:intervention:f548dee, author = {Andrew Brandt and Peter Mackenzie and Vikas Singh and Gabor Szappanos}, title = {{Intervention halts a ProxyLogon-enabled attack}}, date = {2021-05-05}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack}, language = {English}, urldate = {2021-05-07} } Intervention halts a ProxyLogon-enabled attack
Cobalt Strike
2021-04-22Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210422:twwet:62355c6, author = {Peter Mackenzie}, title = {{Twwet On TTPs seen in IR used by DOPPEL SPIDER}}, date = {2021-04-22}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1385103712918642688}, language = {English}, urldate = {2021-05-25} } Twwet On TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike DoppelPaymer
2021-02-16SophosLabs UncutPeter Mackenzie, Tilly Travers
@online{mackenzie:20210216:what:9c9f413, author = {Peter Mackenzie and Tilly Travers}, title = {{What to expect when you’ve been hit with Conti ransomware}}, date = {2021-02-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/}, language = {English}, urldate = {2021-02-20} } What to expect when you’ve been hit with Conti ransomware
Conti
2021-01-26SophosLabs UncutMichael Heller, David Anderson, Peter Mackenzie, Sergio Bestulic, Bill Kearney
@online{heller:20210126:nefilim:6b20ee0, author = {Michael Heller and David Anderson and Peter Mackenzie and Sergio Bestulic and Bill Kearney}, title = {{Nefilim Ransomware Attack Uses “Ghost” Credentials}}, date = {2021-01-26}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/}, language = {English}, urldate = {2021-02-18} } Nefilim Ransomware Attack Uses “Ghost” Credentials
Nefilim
2021-01-17Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210117:conti:db7f1cb, author = {Peter Mackenzie}, title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}}, date = {2021-01-17}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352}, language = {English}, urldate = {2021-01-21} } Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti
2020-12-08SophosSean Gallagher, Anand Aijan, Gabor Szappanos, Syed Shahram, Bill Kearney, Mark Loman, Peter Mackenzie, Sergio Bestulic
@online{gallagher:20201208:egregor:fe48cfd, author = {Sean Gallagher and Anand Aijan and Gabor Szappanos and Syed Shahram and Bill Kearney and Mark Loman and Peter Mackenzie and Sergio Bestulic}, title = {{Egregor ransomware: Maze’s heir apparent}}, date = {2020-12-08}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/}, language = {English}, urldate = {2020-12-08} } Egregor ransomware: Maze’s heir apparent
Egregor Maze
2020-10-28SophosLabs UncutSean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearny, Anand Ajjan, Brett Cove, Gabor Szappanos
@online{gallagher:20201028:hacks:8e1d051, author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearny and Anand Ajjan and Brett Cove and Gabor Szappanos}, title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}}, date = {2020-10-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/}, language = {English}, urldate = {2020-11-02} } Hacks for sale: inside the Buer Loader malware-as-a-service
Buer Ryuk Zloader
2020-09-17SophosLabs UncutAndrew Brandt, Peter Mackenzie
@online{brandt:20200917:maze:714f603, author = {Andrew Brandt and Peter Mackenzie}, title = {{Maze attackers adopt Ragnar Locker virtual machine technique}}, date = {2020-09-17}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/}, language = {English}, urldate = {2020-09-21} } Maze attackers adopt Ragnar Locker virtual machine technique
Maze