M20-7cze1 | Emotet_4e27e219 | Mixed |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros that are sent in malicious emails. | 4e27e2197bda5e1318eb13ea06b18205 | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html | SHA256: c127cf0ce097e22f9f1fe0ca565c77a111745b85b0e78b21d20833055bc821d5 | SHA1: cc18b6c62a6e9b279fc4bf9a456778bf054aef34 | MD5: 4e27e2197bda5e1318eb13ea06b18205 |
M20-pb731 | Nemty_5126b883 | Windows |
This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they can create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints. | 5126b88347c24245a9b141f76552064e | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ | SHA256: d421d9b0cc9ce69fc4dea1d4bd230b666b15868e4778d227ead38b7572463253 | SHA1: 9a121af9e0427a530ed12b72429fbc800d976623 | MD5: 5126b88347c24245a9b141f76552064e |
M20-3ytp1 | Nefilim_ce3cd1da | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | ce3cd1dab67814f5f153bccdaf502f4c | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ | SHA256: fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020 | SHA1: f246984193c927414e543d936d1fb643a2dff77b | MD5: ce3cd1dab67814f5f153bccdaf502f4c |
M20-r7xs1 | Ryuk_3266352b | Windows |
This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance. | 3266352bea7513ac3ead6e7d68661ad3 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ | SHA256: 68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218 | SHA1: 2c8ea348cc80ed41737d3d2d8cb5487dcd49d040 | MD5: 3266352bea7513ac3ead6e7d68661ad3 |
M20-2air1 | REvil_b67606d3 | Windows |
This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. | b67606d382f50ebf76848d023decee20 | https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556 | SHA256: 372c8276ab7cad70ccf296722462d7b8727e8563c0bfe4344184e1bc3afc27fc | SHA1: 6c72756b12b03a2a594b8bb308944396438ec979 | MD5: b67606d382f50ebf76848d023decee20 |
M20-zudz1 | Emotet_212ede8e | Mixed |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros that are sent in malicious emails. | 212ede8ee978a5979b17d9d68a497d10 | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html | SHA256: 939e9772cc64e88895365ccc1be8d7a6ef4b7c47b70165c35c79e2391ab50656 | SHA1: 19763080a3c72c651224678eabadcdfca5d5cad1 | MD5: 212ede8ee978a5979b17d9d68a497d10 |
M20-23qh1 | CLOP_d3ace85c | Windows |
This strike sends a polymorphic malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it disables target processes, which can include debuggers, text editors, and IDEs, as well as a host of Windows 10 and Microsoft application processes. The binary has random strings (lorem ipsum) appended at the end of the file. | d3ace85c17df113fa90a92a541ff0ca7 | https://attack.mitre.org/techniques/T1009/ | SHA256: fd34ac2360302f24752fc352e161ed54609f3942178663eb0f46ceac8d58b099 | SHA1: 05d7b3e2f6646bcd3a46ee9ec718497898678a81 | PARENTID: M20-eoc31 | SSDEEP: 6144:JrazEX0203RegvjxnpGhu3BJMIp2CuvY63n:B+3JpGEBJMg2CuvY63 | MD5: d3ace85c17df113fa90a92a541ff0ca7 |
M20-x0np1 | Sodinokibi_fb68a023 | Windows |
This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of an Oracle WebLogic vulnerability to gain access to the target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It then wipes out all files in the backup folder. | fb68a02333431394a9a0cdbff3717b24 | https://www.acronis.com/en-us/articles/sodinokibi-ransomware/ | SHA256: 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d | SHA1: 1399bf98a509adb07663476dee7f9fee571e09f3 | MD5: fb68a02333431394a9a0cdbff3717b24 |
M20-f9w61 | Netwalker_5f55ac3d | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to reach and encrypt all Windows devices. | 5f55ac3dd18950583dadffc1970745c5 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ | SHA256: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614 | SHA1: 6a13535190bdcd62af6b4930ea28664c13c6a6be | MD5: 5f55ac3dd18950583dadffc1970745c5 |
M20-c1v31 | Netwalker_608ac26e | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to reach and encrypt all Windows devices. | 608ac26ea80c189ed8e0f62dd4fd8ada | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ | SHA256: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010 | SHA1: c5b3fa421db00fe931f439af5df4f65f7f3d9a1a | MD5: 608ac26ea80c189ed8e0f62dd4fd8ada |
M20-zvvm1 | Sekhmet_b7ad5f7e | Windows |
This strike sends a malware sample known as Sekhmet. The Sekhmet ransomware was used in an attack against gas handling company SilPac in June 2020. This ransomware has been commonly spread via spam email. Once it encrypts the files on the targeted system, it leaves behind a RECOVER-FILES.txt file that includes a ransom note with instructions on how to pay via Tor. | b7ad5f7ec71dc812b4771950671b192a | https://bazaar.abuse.ch/sample/fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d/ | SHA256: 0a739f4ec3d096010d0cd9fc0c0631f0b080cc2aad1f720fd1883737b6a6a952 | SHA1: cf02d630465eaf009db8bcc8a0dd4242a1d2dd82 | MD5: b7ad5f7ec71dc812b4771950671b192a |
M20-j8sq1 | Tycoon_ae037348 | Windows |
This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems. | ae03734805e3b7ec0fa52c5a4f07a725 | https://cyberflorida.org/threat-advisory/tycoon-ransomware/ | SHA256: 8587037c15463d10a17094ef8fa9f608cc20c99fa0206ce496b412f8c7f4a1b8 | SHA1: e20a4cc7f13f517491e772ce9e5c236aad2785f0 | MD5: ae03734805e3b7ec0fa52c5a4f07a725 |
M20-fbd41 | DoppelPaymer_66c11a6c | Windows |
This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed by numerous other methods such as malspam, botnets, and exploits. The binary has the timestamp field updated in the PE file header. | 66c11a6cbbe59f2e580da1c75acd9ae8 | https://attack.mitre.org/techniques/T1099/ | SHA256: 039f721ff06c6965e97417a480fca2220f45bce9c10b63e4d0e823842533a70f | SHA1: 36ce6b51c925a7a5f122e07ddd7d47916576e584 | PARENTID: M20-zug71 | SSDEEP: 98304:J56LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN/:JsLOqCkLzDouoOS36XV/ | MD5: 66c11a6cbbe59f2e580da1c75acd9ae8 |
M20-4wbt1 | REvil_54079282 | Windows |
This strike sends a polymorphic malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. The binary has a section renamed to a random name according to the PE format specification. | 54079282596df0fff118c2cdf8c6cbe3 | https://arxiv.org/abs/1801.08917 | SHA256: 20045aa54d765b77de371fba418505f38ece546cedd974c5cd2aebdf44a7b823 | SHA1: d12e89ebbb638f16711318bf4e71aa16df7eb145 | PARENTID: M20-du8w1 | SSDEEP: 3072:hLFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCIm:1J0BXScFy2RsQJ8zgQ | MD5: 54079282596df0fff118c2cdf8c6cbe3 |
M20-p56a1 | Emotet_c730e1c3 | Mixed |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros that are sent in malicious emails. | c730e1c3cf2e54af08072778a7fd6f41 | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html | SHA256: e218d7c8b3bd6e69065f2a2bee81c88865d2068a46c3997339a200318f7b82b4 | SHA1: c868e42736238372f66d6a5bcedb636d28d15346 | MD5: c730e1c3cf2e54af08072778a7fd6f41 |
M20-jbb31 | Emotet_699bd905 | Mixed |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros that are sent in malicious emails. | 699bd9053663bbdeb39df9d6f4f2b483 | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html | SHA256: cf9401d8bcbb01edf06c19509b572a26047b2788a41f0ffa5d52c2189fe5a125 | SHA1: 24c615d82cfbd4b2a16cf03f0ce12c252b4c1eb5 | MD5: 699bd9053663bbdeb39df9d6f4f2b483 |
M20-q7u81 | Emotet_74e9ae66 | Mixed |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros that are sent in malicious emails. | 74e9ae66b4029ce403ef9a76d2dd1ec4 | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html | SHA256: d366dfc971747d113549ee401fa6dc07dfa0f478c9b08109640f84151bd2da29 | SHA1: c137dce76d338fe94c8efade25596c93c082c0e8 | MD5: 74e9ae66b4029ce403ef9a76d2dd1ec4 |
M20-oxbt1 | Nefilim_3beb3d46 | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 3beb3d466bcc0977ec2dd66d72ab6bb3 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ | SHA256: b227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17 | SHA1: e94089137a41fd95c790f88cc9b57c2b4d5625ba | MD5: 3beb3d466bcc0977ec2dd66d72ab6bb3 |
M20-n54a1 | Ryuk_fca20e17 | Windows |
This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance. | fca20e17ce8c0c3f3c78d82c953472ed | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ | SHA256: 7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20 | SHA1: c8ecc9b34184e7e1c15b4ed49fb838e7882dbfc6 | MD5: fca20e17ce8c0c3f3c78d82c953472ed |
M20-pqk51 | Maze_910aa498 | Windows |
This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known for not only encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult. | 910aa49813ee4cc7e4fa0074db5e454a | https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/ | SHA256: 4218214f32f946a02b7a7bebe3059af3dd87bcd130c0469aeb21b58299e2ef9a | SHA1: 45831987fabeb7b32c70f662be8cb24e2efef1dc | MD5: 910aa49813ee4cc7e4fa0074db5e454a |
M20-zqyf1 | REvil_cce629db | Windows |
This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. | cce629db2606ae98ba6e931adbf1aeae | https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556 | SHA256: 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d | SHA1: 2649ce761c00f4505758e20580e8bdf3e8d559d1 | MD5: cce629db2606ae98ba6e931adbf1aeae |
M20-iupe1 | Netwalker_f957f19c | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to reach and encrypt all Windows devices. | f957f19cd9d71abe3cb980ebe7f75d72 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ | SHA256: b2d68a79a621c3f9e46f9df52ed19b8fec22c3cf5f4e3d8630a2bc68fd43d2ee | SHA1: 96432d979fdec055e4f40845a27cf4a9c0a0a34b | MD5: f957f19cd9d71abe3cb980ebe7f75d72 |
M20-jn451 | Maze_c043c153 | Windows |
This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known for not only encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult. | c043c153237b334df2f2934f7640e802 | https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/ | SHA256: fb5de69b222d81fea2f4b08fd5af612faf24b9e75698ac331af066fbc360a30a | SHA1: d5ef91b849122109615007329ec6548830f13bfc | MD5: c043c153237b334df2f2934f7640e802 |
M20-b7qt1 | Nefilim_ddc50d4a | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | ddc50d4ae0674d854a845b3eb32508c3 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ | SHA256: 8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b | SHA1: c61f2cdb0faf31120e33e023b7b923b01bc97fbf | MD5: ddc50d4ae0674d854a845b3eb32508c3 |
M20-9e4q1 | Nefilim_dc88265c | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | dc88265c361d73540a31c19583271fb0 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ | SHA256: 3bac058dbea51f52ce154fed0325fd835f35c1cd521462ce048b41c9b099e1e5 | SHA1: e99460b4e8759909d3bd4e385d7e3f9b67aa1242 | MD5: dc88265c361d73540a31c19583271fb0 |
M20-kubx1 | Sodinokibi_177a571d | Windows |
This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of an Oracle WebLogic vulnerability to gain access to the target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It then wipes out all files in the backup folder. | 177a571d7c6a6e4592c60a78b574fe0e | https://www.acronis.com/en-us/articles/sodinokibi-ransomware/ | SHA256: f0a16b0224a24647e9e8cf2f6f4479d93c8fb540a7ca656023a41f399e6c69c2 | SHA1: 7f1b49c2946a9a036cf60e25e1a8452f6237a57d | MD5: 177a571d7c6a6e4592c60a78b574fe0e |
M20-jzr31 | Netwalker_bc758596 | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to reach and encrypt all Windows devices. | bc75859695f6c2c5ceda7e3be68e5d5a | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ | SHA256: a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d | SHA1: 5be2fb7adcfefd741e6b98b4beeadf9e24ea7423 | MD5: bc75859695f6c2c5ceda7e3be68e5d5a |
M20-d5741 | Nemty_f2708056 | Windows |
This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they can create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints. | f270805668e8aecf13d27c09055bad5d | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ | SHA256: 572b2dad5fca5f1dab7c18afa986fe7ef639e7892776593fc7636ff03ff783bc | SHA1: f0078a38d56384f9dbced7c0a9837cdb22c4daf0 | MD5: f270805668e8aecf13d27c09055bad5d |
M20-ocu81 | CLOP_9ec70a82 | Windows |
This strike sends a polymorphic malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it disables target processes, which can include debuggers, text editors, and IDEs, as well as a host of Windows 10 and Microsoft application processes. The binary has been packed using the UPX packer with the default options. | 9ec70a82f8b4797c4ad4fe646cfb6e10 | https://attack.mitre.org/techniques/T1045/ | SHA256: ada51ae85a78dc3641bbe52505e3eaf670353477abbb77fb5c781713545b5f58 | SHA1: 1a18c783bdcf3af6c52a9daaa712c56ee5816832 | PARENTID: M20-eoc31 | SSDEEP: 3072:m7QoN+AOSJUT5I/QN7lg3w0EIpRomDOhRJ+ZHNN9cY2ritPOFjy54:kQokAaT5gCg30SRBD07KH39cAPqx | MD5: 9ec70a82f8b4797c4ad4fe646cfb6e10 |
M20-iort1 | Nefilim_5ff20e2b | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 5ff20e2b723edb2d0fb27df4fc2c4468 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ | SHA256: 08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641 | SHA1: e53d4b589f5c5ef6afd23299550f70c69bc2fe1c | MD5: 5ff20e2b723edb2d0fb27df4fc2c4468 |
M20-6ei91 | Nefilim_26c35850 | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 26c35850483c877ee23f476b38d58deb | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ | SHA256: 7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599 | SHA1: 0d339d08a546591aab246f3cf799f3e2aaee3889 | MD5: 26c35850483c877ee23f476b38d58deb |
M20-dzq81 | DoppelPaymer_4601ec39 | Windows |
This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed by numerous other methods such as malspam, botnets, and exploits. The binary has random bytes appended at the end of the file. | 4601ec39e2934ba61651decf6d06de64 | https://attack.mitre.org/techniques/T1009/ | SHA256: e9be48e03f80f6ef0bc5cbe36cbd4bcba30fb6d2b3a1a95e4f0e856816ef8cd4 | SHA1: 86c6242cbdb9b45dd9028639c1bcf9dc07d664d0 | PARENTID: M20-zug71 | SSDEEP: 98304:556LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfNt:5sLOqCkLzDouoOS36XVt | MD5: 4601ec39e2934ba61651decf6d06de64 |
M20-jdde1 | Nefilim_8f90539c | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 8f90539c405672016c0dec7ac3574eea | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ | SHA256: d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3 | SHA1: bd59d7c734ca2f9cbaf7f12bc851f7dce94955d4 | MD5: 8f90539c405672016c0dec7ac3574eea |
M20-xv3b1 | Nefilim_7354e71d | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 7354e71d9c28e0c150cea3377e5f70d9 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ | SHA256: 3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953 | SHA1: 9770fb41be1af0e8c9e1a69b8f92f2a3a5ca9b1a | MD5: 7354e71d9c28e0c150cea3377e5f70d9 |
M20-1jg41 | Ryuk_5f7dd374 | Windows |
This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance. | 5f7dd3740a3a4ea74e2ee234f6de26aa | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ | SHA256: 235ab3857ba2d2cd09311d6cc7bf1139863022579ea98be2b503921104ee20ac | SHA1: d9f8eb52ce514d3dbf8f8e6a1ecb29c1dc46ea12 | MD5: 5f7dd3740a3a4ea74e2ee234f6de26aa |
M20-93le1 | CLOP_f2114603 | Windows |
This strike sends a malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it disables target processes, which can include debuggers, text editors, and IDEs, as well as a host of Windows 10 and Microsoft application processes. | f21146030cbe2ebe5a8e3fd67df8e8f3 | https://www.trendmicro.com/vinfo/ae/security/news/cybercrime-and-digital-threats/ransomware-recap-clop-deathransom-and-maze-ransomware | SHA256: 2ceeedd2f389c6118b4e0a02a535ebb142d81d35f38cab9a3099b915b5c274cb | SHA1: c777107d839938da8c41beacc78802a0e05e8b74 | MD5: f21146030cbe2ebe5a8e3fd67df8e8f3 |
M20-zug71 | DoppelPaymer_8c54bbe3 | Windows |
This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed by numerous other methods such as malspam, botnets, and exploits. | 8c54bbe3f191a8627bfeeb4cb02634a9 | https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/ | SHA256: f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555 | SHA1: 2fc2ecbed153344557386e80a2fbd097bf795559 | MD5: 8c54bbe3f191a8627bfeeb4cb02634a9 |
M20-3cxk1 | Nefilim_0790a7e0 | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 0790a7e0a842e1de70de194054fa11b3 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ | SHA256: 7de8ca88e240fb905fc2e8fd5db6c5af82d8e21556f0ae36d055f623128c3377 | SHA1: 4595cdd47b63a4ae256ed22590311f388bc7a2d8 | MD5: 0790a7e0a842e1de70de194054fa11b3 |
M20-pe1b1 | Netwalker_93f91bfc | Mixed |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to reach and encrypt all Windows devices. | 93f91bfcc1bf0c858fc7f3bd4536eba6 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ | SHA256: 59ba11aa5b9a4d2ef80d260b9e51f605d556781b8ce682443ad1e547898eb0a6 | SHA1: 2ddf48174221371ad4f5d339353a3f998044d95d | MD5: 93f91bfcc1bf0c858fc7f3bd4536eba6 |
M20-hrde1 | Netwalker_0537d845 | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to reach and encrypt all Windows devices. | 0537d845ba099c6f2b708124eda13f1c | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ | SHA256: 12717add64ecf32d7bcb6b2662becbff6b516cf8073f399dc5e4d3615d452e89 | SHA1: 3fb77d821ea7ec2b30fd3944c3d9361093a58cd6 | MD5: 0537d845ba099c6f2b708124eda13f1c |
M20-yqkh1 | Tycoon_80675f08 | Windows |
This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems. | 80675f08a4dad40a316865619f6adaaa | https://cyberflorida.org/threat-advisory/tycoon-ransomware/ | SHA256: ac0882d87027ac22fc79cfe2d55d9a9d097d0f8eb425cf182de1b872080930ec | SHA1: 3d845a707f2825746637922d7dd10fab18558209 | MD5: 80675f08a4dad40a316865619f6adaaa |
M20-h4tt1 | Nefilim_80cfda61 | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 80cfda61942eb4e71f286297a1158f48 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ | SHA256: 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea | SHA1: 6c9ae388fa5d723a458de0d2bea3eb63bc921af7 | MD5: 80cfda61942eb4e71f286297a1158f48 |
M20-t9wu1 | Tycoon_51a7822f | Windows |
This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems. | 51a7822f388162ce1c66dd90da207545 | https://cyberflorida.org/threat-advisory/tycoon-ransomware/ | SHA256: bd3fdf1b50911d537a97cb93db13f2b4026f109ed23a393f262621faed81dae1 | SHA1: 03023d7e3a54d915cca82429dfeedb1bebd5c182 | MD5: 51a7822f388162ce1c66dd90da207545 |
M20-ozkg1 | Tycoon_9c7befb1 | Windows |
This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems. | 9c7befb18ccbd63100a497fe7c1acc69 | https://cyberflorida.org/threat-advisory/tycoon-ransomware/ | SHA256: 853fa18adc3f9263a0f98a9a257dd70d7e1aee0545ab47a114f44506482bd188 | SHA1: 8e7a5500007c1552e1231bd1157433f7ef638672 | MD5: 9c7befb18ccbd63100a497fe7c1acc69 |
M20-11ox1 | Netwalker_59b00f60 | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to reach and encrypt all Windows devices. | 59b00f607a7550af9a2332c730892845 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ | SHA256: 26dfa8512e892dc8397c4ccbbe10efbcf85029bc2ad7b6b6fe17d26f946a01bb | SHA1: 794589026bdc8b01cad097ffcd50be37a87e7c29 | MD5: 59b00f607a7550af9a2332c730892845 |
M20-c0k61 | Nemty_0b33471b | Windows |
This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they can create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints. | 0b33471bbd9fbbf08983eff34ee4ddc9 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ | SHA256: f3e0b5808c1394c884b4b2c7fa0c0955f7b544959a46b8839b76c8d8e2735413 | SHA1: 42256ea23ee775e71702cc901c3632ef2fd53a02 | MD5: 0b33471bbd9fbbf08983eff34ee4ddc9 |
M20-9vw62 | Nemty_4ca39c0a | Windows |
This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they can create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints. | 4ca39c0aeb0daeb1be36173fa7c2a25e | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ | SHA256: cc496cec38bbc72bae3cb64416baca38b3706443c4f360bd4ba8300d64b210d2 | SHA1: afa8bc5c0a014e6202a8dd39f3f288bc927dacd0 | MD5: 4ca39c0aeb0daeb1be36173fa7c2a25e |
M20-5ca61 | Sodinokibi_858c29ef | Windows |
This strike sends a polymorphic malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of an Oracle WebLogic vulnerability to gain access to the target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without restriction. It then wipes out all files in the backup folder. The binary has the timestamp field updated in the PE file header. | 858c29efee084e86616b21fdc4d2a3de | https://attack.mitre.org/techniques/T1099/ SHA256: e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37 SHA1: d642f7ecda3fa135761d68eb20f44d66eba798fa PARENTID: M20-u2sg1 SSDEEP: 3072:Or85CuLbi4eTMlwDCnuZ3puJ1ni8Iy8EytZ:O9ebnWJZ3P8IUyT MD5: 858c29efee084e86616b21fdc4d2a3de |
M20-otig1 | REvil_b26fbb99 | Windows |
This strike sends a polymorphic malware sample known as REvil. REvil, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. The binary has random bytes appended at the end of the file. | b26fbb999449caad351b18364a17bd6e | https://attack.mitre.org/techniques/T1009/ SHA256: 6d9349a99d80e9003d3a01e0ad19c5f175e18b2dee7ef533b630772548f6c727 SHA1: 323135aa6987945df756cb9636ad72938d5a064f PARENTID: M20-du8w1 SSDEEP: 3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCImk:ZJ0BXScFy2RsQJ8zgQP MD5: b26fbb999449caad351b18364a17bd6e |
M20-ghdx1 | Netwalker_239163e6 | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 239163e6019670e326087aa59adb5007 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 92e4d38e17e4dc32519df7324013477908c9cb725ea29aea6e4fd8c27eb7087d SHA1: c26d5fbe02f8b0e6a40672b12e69ee78343e9a41 MD5: 239163e6019670e326087aa59adb5007 |
M20-0hr01 | Maze_fba4cbb7 | Windows |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | fba4cbb7167176990d5a8d24e9505f71 | https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/ SHA256: 5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353 SHA1: aa6cd2698d4f9a7fa99f5807f4b6695a0bfd0124 MD5: fba4cbb7167176990d5a8d24e9505f71 |
M20-a7bi1 | Netwalker_cc113e42 | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | cc113e42c52c6e4e7beca74829b89a68 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: eb1470786fda58fc8291e099c7fcd5d36a04de85d1f6fe8683c1950b7119314e SHA1: 5b165601b8d0b13a8833c31cb36644aea8121f74 MD5: cc113e42c52c6e4e7beca74829b89a68 |
M20-kkmm1 | Sodinokibi_e713658b | Windows |
This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of an Oracle WebLogic vulnerability to gain access to the target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without restriction. It then wipes out all files in the backup folder. | e713658b666ff04c9863ebecb458f174 | https://www.acronis.com/en-us/articles/sodinokibi-ransomware/ SHA256: e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec SHA1: 8b1d4ae7cbc6c0fa0705122b9556745670863214 MD5: e713658b666ff04c9863ebecb458f174 |
M20-mc031 | DoppelPaymer_81f50e95 | Windows |
This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed by numerous other methods such as malspam, botnets, and exploits. | 81f50e95bfbbe7d86229ac9592febf2f | https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/ SHA256: 46254a390027a1708f6951f8af3da13d033dee9a71a4ee75f257087218676dd5 SHA1: 3b24602e453950a1391124f348bc897593ddfab9 MD5: 81f50e95bfbbe7d86229ac9592febf2f |
M20-b1vh1 | Ryuk_3925ae7d | Windows |
This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance. | 3925ae7df3328773be923f74d70555e3 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ SHA256: 884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5 SHA1: 948af4614e8ff150fbe0bc38f40806b457acaf3a MD5: 3925ae7df3328773be923f74d70555e3 |
M20-d9ti1 | DoppelPaymer_69061465 | Windows |
This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed by numerous other methods such as malspam, botnets, and exploits. | 69061465ae5067710402c832412e2dae | https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/ SHA256: b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9 SHA1: 963f6c4e2f7c202fd1676eee27c160de2ad2f774 MD5: 69061465ae5067710402c832412e2dae |
M20-nx2s1 | CLOP_508a671c | Windows |
This strike sends a polymorphic malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it disables target processes, which can include debuggers, text editors, and IDEs, as well as a host of Windows processes like Windows 10 and Microsoft applications. The binary has the checksum removed in the PE file format. | 508a671cf24f381582459ccda863d520 | https://arxiv.org/abs/1801.08917 SHA256: f1884560d6384a695360251b63b465d12d52095e71bc1a073a1d32243bdd537a SHA1: 5324545e7713fbb38ea01f825a14626c30b9f428 PARENTID: M20-eoc31 SSDEEP: 6144:rrazEX0203RegvjxnpGhu3BJMIp2CuvY63:/+3JpGEBJMg2CuvY6 MD5: 508a671cf24f381582459ccda863d520 |
M20-g3yi1 | Netwalker_dabbc5e5 | Mixed |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | dabbc5e50b9275cb2996c50fd81e64b4 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: e1a8a38dda16a7815bd20a96f46bd978ac41f2acf927993ad965abb258123d8c SHA1: 79e6d0dbdfb89350fcf924c6554a5b7c79d4d66d MD5: dabbc5e50b9275cb2996c50fd81e64b4 |
M20-oroy1 | Nemty_37aaba6b | Windows |
This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they can create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints. | 37aaba6b18c9c1b8150dae4f1d31e97d | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: 505c0ca5ad0552cce9e047c27120c681ddce127d13afa8a8ad96761b2487191b SHA1: 02637179c597eaa821ff190ef89ba9eb013a6ea2 MD5: 37aaba6b18c9c1b8150dae4f1d31e97d |
M20-nyqm1 | Tycoon_f28c603b | Windows |
This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform, Java-based ransomware that targets Windows and Linux systems. | f28c603bbe75516372159bb79ef3eb63 | https://cyberflorida.org/threat-advisory/tycoon-ransomware/ SHA256: 868cb8251a245c416cd92fcbd3e30aa7b7ca7c271760fa120d2435fd3bf2fde9 SHA1: a2c17f04ce259125bc43c8d6227ef594df51f18a MD5: f28c603bbe75516372159bb79ef3eb63 |
M20-4eyf1 | Netwalker_5ce75526 | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 5ce75526a25c81d0178d8092251013f0 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677 SHA1: 1e1b1c4ae648786fe429c9ddd2182e0d58bcf423 MD5: 5ce75526a25c81d0178d8092251013f0 |
M20-yq7k1 | Nemty_0e0b7b23 | Windows |
This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they can create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints. | 0e0b7b238a06a2a37a4de06a5ab5e615 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: 267a9dcf77c33a1af362e2080aaacc01a7ca075658beb002ab41e0712ffe066e SHA1: 703f5f6a5130868a7c3ec06b40b9f37656c86d24 MD5: 0e0b7b238a06a2a37a4de06a5ab5e615 |
M20-gc8v1 | Netwalker_3cfd36a7 | Mixed |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 3cfd36a72db703e25aecd51eb74f0feb | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 5daf828fd452f5325c28bc145a86d3d943cd86bb13ffe35c440ebf3cd2a45522 SHA1: 807d30f37bf2e052a253f64d102a7ab21933567b MD5: 3cfd36a72db703e25aecd51eb74f0feb |
M20-30im1 | Netwalker_645c720f | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 645c720ff0eb7d946ec3b4a6f609b7bc | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 29aef790399029029e0443455d72a8b928854a0706f2e211ae7a03bba0e3d4f4 SHA1: 16094d75f4bb593b196210e5d082a7abcdce1d8c MD5: 645c720ff0eb7d946ec3b4a6f609b7bc |
M20-37651 | Tycoon_b58476f6 | Windows |
This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform, Java-based ransomware that targets Windows and Linux systems. | b58476f659782f770854726847601fda | https://cyberflorida.org/threat-advisory/tycoon-ransomware/ SHA256: 44b5d24e5e8fd8e8ee7141f970f76a13c89dd26c44b336dc9d6b61fda3abf335 SHA1: 77676865f875eff23699189f57c37c76b92ba2b9 MD5: b58476f659782f770854726847601fda |
M20-86kc1 | REvil_3777f3e0 | Windows |
This strike sends a malware sample known as REvil. REvil, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. | 3777f3e092f2208c6670c01816562a7d | https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556 SHA256: 6953d86d09cb8ed34856b56f71421471718ea923cd12c1e72224356756db2ef1 SHA1: a7e6a0986b641d66b12d14752b20a470c9ba692e MD5: 3777f3e092f2208c6670c01816562a7d |
M20-suzd1 | DoppelPaymer_a6a31da6 | Windows |
This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed by numerous other methods such as malspam, botnets, and exploits. The binary has a random section name renamed according to the PE format specification. | a6a31da60473168dc613b64c7a00fc5e | https://arxiv.org/abs/1801.08917 SHA256: 692922af8eb58fda7ecf086937e02fd2cd0e89a233a19fa3a2bf531dde172c31 SHA1: 60858d68463e69043c7f118f8647974bb0cbba1d PARENTID: M20-zug71 SSDEEP: 98304:z56LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN/:zsLOqCkLzDouoOS36XV/ MD5: a6a31da60473168dc613b64c7a00fc5e |
M20-u36z1 | Nemty_348c3597 | Windows |
This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they can create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints. | 348c3597c7d31c72ea723d5f7082ff87 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: 69a44e62abd294bb262906814ce385296eafaa8f0fab82c8c453c19796839549 SHA1: 71917d536b3418fd1ce005ecb96976d172e356c3 MD5: 348c3597c7d31c72ea723d5f7082ff87 |
M20-tv9r1 | Nemty_0f3deda4 | Windows |
This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they can create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints. | 0f3deda483df5e5f8043ea20297d243b | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: a5590a987d125a8ca6629e33e3ff1f3eb7d5f41f62133025d3476e1a6e4c6130 SHA1: 70dac7f3934659e583f962e7c5bff51a4b97dd11 MD5: 0f3deda483df5e5f8043ea20297d243b |
M20-mcxn1 | DoppelPaymer_b2a0c322 | Windows |
This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed by numerous other methods such as malspam, botnets, and exploits. The binary has random strings (lorem ipsum) appended at the end of the file. | b2a0c322572d0f5f52d92dbd336ac14f | https://attack.mitre.org/techniques/T1009/ SHA256: 7823b40d3a721e9fb556489f19f044009244ec9f2c69bd7b406bc603f475f99d SHA1: 6fa2213a9f3429c0b0dae4cfab53d70737204219 PARENTID: M20-zug71 SSDEEP: 98304:556LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN2:5sLOqCkLzDouoOS36XV2 MD5: b2a0c322572d0f5f52d92dbd336ac14f |
M20-u7vw1 | Nemty_5cc1bf61 | Windows |
This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they can create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints. | 5cc1bf6122d38de907d558ec6851377c | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: 6a07996bc77bc6fe54acc8fd8d5551a00deaea3cc48f097f18955b06098c4bd3 SHA1: 5ba5abc14c4e756a679cbafbc41440458620b268 MD5: 5cc1bf6122d38de907d558ec6851377c |
M20-ml6e1 | DoppelPaymer_2d1e555a | Windows |
This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed by numerous other methods such as malspam, botnets, and exploits. The binary has random contents appended to one of the existing sections in the PE file format. | 2d1e555aa68fcc2672e03c976203f96d | https://arxiv.org/abs/1801.08917 SHA256: 7f53022212625070e4166c274634efe4023a23a1dc63c9fd14ca3e68082076ed SHA1: d7200fe3bc2fb6b1b44fa4fbe485d7310c021af4 PARENTID: M20-zug71 SSDEEP: 98304:559LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN/:5LLOqCkLzDouoOS36XV/ MD5: 2d1e555aa68fcc2672e03c976203f96d |
M20-83i11 | Emotet_ef389a78 | Mixed |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros sent in malicious emails. | ef389a7806af11a628bcce9be3897f72 | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: e145443e68242815362d6737543409a1adb395879c75c43849abd5e401df522d SHA1: 820b81f34cbb249ba29703ba85b9b658b6be8217 MD5: ef389a7806af11a628bcce9be3897f72 |
M20-9pt11 | Netwalker_8fbc17d6 | Mixed |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 8fbc17d634009cb1ce261b5b3b2f2ecb | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: fd29001b8b635e6c51270788bab7af0bb5adba6917c278b93161cfc2bc7bd6ae SHA1: d35cbad4163a967f66be460bac029895506917ed MD5: 8fbc17d634009cb1ce261b5b3b2f2ecb |
M20-du8w1 | REvil_9ecca170 | Windows |
This strike sends a malware sample known as REvil. REvil, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. | 9ecca170d0515fb14c8b78302b8053e7 | https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556 SHA256: ec0c653d5e10fec936dae340bf97c88f153cc0cdf7079632a38a19c876f3c4fe SHA1: 2b498759c83f05beda20adc991be476934ea0fa8 MD5: 9ecca170d0515fb14c8b78302b8053e7 |
M20-oz2x1 | REvil_63a945da | Windows |
This strike sends a malware sample known as REvil. REvil, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. | 63a945da1a63a8e56e8220c4ccf7fd0c | https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556 SHA256: ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195 SHA1: a99cf1a2426edeac97c789d0a4b7d38606d7aa45 MD5: 63a945da1a63a8e56e8220c4ccf7fd0c |
M20-fmnm1 | Emotet_bd562cd9 | Mixed |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros sent in malicious emails. | bd562cd9ad0134eb4ad2600ff5f2a66e | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: d7f2699f9b7e0c263fcbd73238a883871965586fad16985455a85498ce8b520a SHA1: 3a251b9817e458d9f1283a324dfd7760757a6f18 MD5: bd562cd9ad0134eb4ad2600ff5f2a66e |
M20-p3xt1 | Netwalker_4e59fba2 | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 4e59fba21c5e9ec603f28a92d9efd8d0 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77 SHA1: e57731be1f15c323a7b55b914a0599722ff3985f MD5: 4e59fba21c5e9ec603f28a92d9efd8d0 |
M20-ictz1 | Sekhmet_1343bd0e | Windows |
This strike sends a malware sample known as Sekhmet. The Sekhmet ransomware was used in an attack against the gas handling company SilPac in June 2020. This ransomware has commonly been spread via spam email. Once it encrypts the files on the targeted system, it leaves behind a RECOVER-FILES.txt file containing a ransom note with instructions on how to pay via TOR. | 1343bd0e55191ff224f2a5d4b30cdf3b | https://bazaar.abuse.ch/sample/fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d/ SHA256: fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d SHA1: 6412cbf10ac523452e051267afce4095d7f3d5ac MD5: 1343bd0e55191ff224f2a5d4b30cdf3b |
M20-pmmk1 | Emotet_c73019b6 | Mixed |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros sent in malicious emails. | c73019b6b6b46c63f6a45c38b8c2ebbf | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: 9f2b84e3636d99a49ea3ae417c564253d9a351cc49c756a61c63acd530fd3748 SHA1: aab060435c36a7f930861f9e4fb8dd2d639f7388 MD5: c73019b6b6b46c63f6a45c38b8c2ebbf |
M20-gt501 | Tycoon_12a47095 | Windows |
This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform, Java-based ransomware that targets Windows and Linux systems. | 12a470956f7437a00d7bcf47f1995ea7 | https://cyberflorida.org/threat-advisory/tycoon-ransomware/ SHA256: ce399a2d07c0851164bd8cc9e940b84b88c43ef564846ca654df4abf36c278e6 SHA1: 7301382916d9f5274a4fb847579f75bc69c9c24b MD5: 12a470956f7437a00d7bcf47f1995ea7 |
M20-mfyo1 | Tycoon_d3f44bfe | Windows |
This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform, Java-based ransomware that targets Windows and Linux systems. | d3f44bfe42b2e3c735e9df5bb793b9ef | https://cyberflorida.org/threat-advisory/tycoon-ransomware/ SHA256: 346fdff8d24cbb7ebd56f60933beca37a4437b5e1eb6e64f7ab21d48c862b5b7 SHA1: bf38aca2c659f9eb2b2fa2fad82ccf55b496b0cb MD5: d3f44bfe42b2e3c735e9df5bb793b9ef |
M20-ls811 | Netwalker_cb78a77e | Mixed |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | cb78a77e9ab26e4cf759e7d7b34bdbdc | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: f2b96f7d6f1bfd464507790120d07bba46cb4c9856399335748f93ebd52b5696 SHA1: b00710d529aefd25d8d51a2c0577bbb72191bc05 MD5: cb78a77e9ab26e4cf759e7d7b34bdbdc |
M20-brxz1 | Emotet_46d69f8e | Mixed |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros sent in malicious emails. | 46d69f8e1deebb60b276e62047b7ea8e | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: 3f5284458a0d2d7d50d7487391aae521f625a8920bfe03a7c88d412f8c17699e SHA1: bc3590512e097608b61118c4d7079153daa7a1c9 MD5: 46d69f8e1deebb60b276e62047b7ea8e |
M20-g9yn1 | REvil_2019e63a | Windows |
This strike sends a polymorphic malware sample known as REvil. REvil, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. The binary has been packed using the UPX packer with the default options. | 2019e63a90b551b369bf42ede3827002 | https://attack.mitre.org/techniques/T1045/ SHA256: cf533171a72bb7178de1e1c03635005893b7698602fe46f2fb37b01474820bb8 SHA1: 76bd674bf1265c82e3c9007f645aef4cb8d4b6e3 PARENTID: M20-du8w1 SSDEEP: 3072:j/3/CvLYtvOT3apvSfg+jhOUtp/yAQSHtRIKeMsTwV:j/IY64vSfg+jRp/JHQ0 MD5: 2019e63a90b551b369bf42ede3827002 |
M20-jype1 | Emotet_007a2eae | Mixed |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros sent in malicious emails. | 007a2eae29bc5bfa2eec17ae8104f61e | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: b18241915f09540635b0cc900d7652b72af39fa16e4a3fb8a1e17264b3e0b3e0 SHA1: e31d39ca64d7257153201a783d0289852cf0ecb2 MD5: 007a2eae29bc5bfa2eec17ae8104f61e |
M20-d64w1 | Netwalker_747dc998 | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 747dc998c4cf60c6d40a77de18a9aa62 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 664a129052f024acaca3ca8df9b52a432e2172678b1f80af82fcd2ec9d642e18 SHA1: 0e76db2d2a61b5983c295bb325049b64e74b40ba MD5: 747dc998c4cf60c6d40a77de18a9aa62 |
M20-lm8y1 | Nefilim_70e4b9b7 | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 70e4b9b7a83473687e5784489d556c87 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6 SHA1: 1f594456d88591d3a88e1cdd4e93c6c4e59b746c MD5: 70e4b9b7a83473687e5784489d556c87 |
M20-q9iy1 | Ryuk_40492c17 | Windows |
This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance. | 40492c178079e65dfd5449bf899413b6 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ SHA256: fe909d18cf0fde089594689f9a69fbc6d57b69291a09f3b9df1e9b1fb724222b SHA1: f3fa5d5942e5085586d7fcc496d3fad7804abcc2 MD5: 40492c178079e65dfd5449bf899413b6 |
M20-qi7u1 | Nemty_dcec4fed | Windows |
This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they can create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints. | dcec4fed3b60705eafdc5cbff4062375 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: 688994783ce56427f20e6e2d206e5eee009fcc157ba37737dce1b14a326cc612 SHA1: ef71426550dc3a3121746b475bf9a8416a73ca54 MD5: dcec4fed3b60705eafdc5cbff4062375 |
M20-u2sg1 | Sodinokibi_bf935904 | Windows |
This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of an Oracle WebLogic vulnerability to gain access to the target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without restriction. It then wipes out all files in the backup folder. | bf9359046c4f5c24de0a9de28bbabd14 | https://www.acronis.com/en-us/articles/sodinokibi-ransomware/ SHA256: 963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e SHA1: d1f7c41154cbbc9cd84203fe6067d1b93001dde6 MD5: bf9359046c4f5c24de0a9de28bbabd14 |
M20-23yc1 | Ryuk_db2766c6 | Windows |
This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance. | db2766c6f43c25951cdd38304d328dc1 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ SHA256: aacfc3e386ed12082923d03fa1120d5fa6bf7b8655ba77e04b96a45434fa9a83 SHA1: fc62460c6ddd671085cde0138cf3d999e1db08cf MD5: db2766c6f43c25951cdd38304d328dc1 |
M20-vc5b2 | Netwalker_25c0fde0 | Mixed |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 25c0fde038e01fe84fd3df69c99e60a1 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d SHA1: 147c1adc615daa93e84a5a9210ccc14ae86f6c55 MD5: 25c0fde038e01fe84fd3df69c99e60a1 |
M20-qr3q1 | Netwalker_d09cfda2 | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | d09cfda29f178f57dbce6895cfb68372 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: f298725e197f974b7a8407c5d79114a4ac322c573813d543141ccf1d9119dd8b SHA1: 82720e4d3fb83baff552ec25eea0fed2befe94fa MD5: d09cfda29f178f57dbce6895cfb68372 |
M20-2sw81 | Netwalker_63eb7712 | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 63eb7712d7c9d495e8a6be937bdb1960 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a SHA1: 1897bcfc7f3d4a36bdd29da61e87ba00812dca24 MD5: 63eb7712d7c9d495e8a6be937bdb1960 |
M20-wimr1 | Netwalker_b49ea177 | Mixed |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | b49ea17739f484b2ccccf79f245186f3 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 7a456f306593a051bea004493f073bb54c5135d8ce3c428f2433c877afd858f3 SHA1: 5c3aede31aaa0c77bfc56111ec39ac0503662dd7 MD5: b49ea17739f484b2ccccf79f245186f3 |
M20-m0cs1 | Maze_bd9838d8 | Windows |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | bd9838d84fd77205011e8b0c2bd711e0 | https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/ SHA256: b345697c16f84d3775924dc17847fa3ff61579ee793a95248e9c4964da586dd1 SHA1: c5938ec75e5b655be84eb94d73adec0f63fbce16 MD5: bd9838d84fd77205011e8b0c2bd711e0 |
M20-bbin1 | Ryuk_d7697d0d | Windows |
This strike sends a malware sample known as Ryuk. Ryuk is highly targeted ransomware that has infected numerous organizations worldwide. Its operators perform extensive network mapping and hands-on intrusion before deployment; because the attack is targeted, credential collection is required and takes place in advance. | d7697d0d692bd883e53036b906108d56 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ SHA256: 5b1ab6fae05ca9005ee7026cc30fb79780c470d6a920a63383c3496381778fb5 SHA1: cbff9d66d68fa67e40ca4a295daed68f0d5f8383 MD5: d7697d0d692bd883e53036b906108d56 |
M20-vqz11 | Maze_a0dc59b0 | Windows |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, not only encrypts files on the targeted system but also releases stolen victim data to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | a0dc59b0f4fdf6d4656946865433bcce | https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/ SHA256: 9d86beb9d4b07dec9db6a692362ac3fce2275065194a3bda739fe1d1f4d9afc7 SHA1: c10fd0163c42f1149d5dcfb44e31b53a4fe6c6c9 MD5: a0dc59b0f4fdf6d4656946865433bcce |
M20-eoc31 | CLOP_a04eb443 | Windows |
This strike sends a malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It now targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it terminates targeted processes, which can include debuggers, text editors and IDEs, as well as a host of Windows 10 and Microsoft application processes. | a04eb443870896fbe9a0b6468c4844f7 | https://www.trendmicro.com/vinfo/ae/security/news/cybercrime-and-digital-threats/ransomware-recap-clop-deathransom-and-maze-ransomware SHA256: a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02 SHA1: e3001ef25b1386763caec9b5339ec6ddb0275a71 MD5: a04eb443870896fbe9a0b6468c4844f7 |
M20-7blu1 | REvil_1a0545bb | Windows |
This strike sends a polymorphic malware sample known as REvil. REvil, also known as Sodinokibi, operates as ransomware-as-a-service (RaaS) and has recently been seen targeting law firms of A-list celebrities. The attackers threaten victims not only with the loss of all encrypted data but also with leaking stolen client data to the public. The binary has random strings (lorem ipsum text) appended at the end of the file, a binary-padding technique that changes the file's hashes without changing the code that runs. | 1a0545bbcac7a44a1406cdac135288ca | https://attack.mitre.org/techniques/T1009/ SHA256: 8c744fefa5d609f9c57eb147e22e74680585e19d27f49244dd4c629db21a7502 SHA1: 7f24239d5e392dffbca97c562bec63435a93858f PARENTID: M20-du8w1 SSDEEP: 3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCImQ:ZJ0BXScFy2RsQJ8zgQX MD5: 1a0545bbcac7a44a1406cdac135288ca |
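The REvil entry above describes binary padding: lorem-ipsum text appended after the last PE section, which changes every file hash while leaving the executable code untouched. The following is an added example, not code from the catalogue or from the MITRE page it cites, that locates the PE overlay by walking the section table, classifies it as text or binary, and strips it so the hash of a padded variant can be compared with its parent. The build_pe helper constructs a synthetic, non-executable PE image in memory purely as test input (constructed data, not a real sample), and the assumption that a padded variant differs from its parent only by the appended overlay is mine, not something the page states.

```python
import hashlib
import struct
from typing import List, Tuple


def find_overlay(data: bytes) -> Tuple[int, bytes]:
    """Return (end_of_last_section, overlay_bytes) for a PE image.

    The overlay is whatever follows the highest PointerToRawData + SizeOfRawData
    in the section table; a padded sample carries its appended text there.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size           # first IMAGE_SECTION_HEADER
    end = table + 40 * num_sections            # at least the headers themselves
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end, data[end:]


def classify_overlay(blob: bytes) -> str:
    """'none', 'text' (mostly printable ASCII, e.g. lorem ipsum) or 'binary'."""
    if not blob:
        return "none"
    printable = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return "text" if printable / len(blob) > 0.95 else "binary"


def strip_overlay(data: bytes) -> bytes:
    """Drop the overlay so padded variants hash like their unpadded parent
    (assumption: the variant differs from the parent only by the padding)."""
    end, _ = find_overlay(data)
    return data[:end]


def build_pe(sections: List[bytes], padding: bytes = b"") -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 with the given
    section contents, 0x200-byte file alignment and optional appended padding."""
    e_lfanew, opt_size, align = 0x80, 0xE0, 0x200
    n = len(sections)
    headers_end = e_lfanew + 24 + opt_size + 40 * n
    first_raw = (headers_end + align - 1) // align * align
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytes(opt_size)                      # zero-filled; irrelevant to overlay maths
    table, body, ptr = b"", b"", first_raw
    for i, content in enumerate(sections):
        raw = (len(content) + align - 1) // align * align
        table += struct.pack("<8sIIIIIIHHI", f".s{i}".encode().ljust(8, b"\0"),
                             len(content), 0x1000 * (i + 1), raw, ptr, 0, 0, 0, 0, 0x60000020)
        body += content.ljust(raw, b"\0")
        ptr += raw
    image = (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + body
    return image + padding


# Constructed sample sections and padding text (not taken from any real sample).
SECTIONS = [b"\x55\x8b\xec\x90\x90\xc3" + b"\x90" * 100, b"constructed .data contents"]
LOREM = b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 40


if __name__ == "__main__":
    for label, blob in (("clean", build_pe(SECTIONS)), ("padded", build_pe(SECTIONS, LOREM))):
        end, extra = find_overlay(blob)
        print(f"{label}: size={len(blob)} sections_end={end} overlay={len(extra)} "
              f"({classify_overlay(extra)}) md5={hashlib.md5(blob).hexdigest()} "
              f"md5_stripped={hashlib.md5(strip_overlay(blob)).hexdigest()}")
```

Run against a real padded sample, strip_overlay gives a digest that can be compared with the PARENTID sample's digest; a non-empty text overlay on an otherwise unremarkable PE is the cheap triage signal for this padding trick, while the fuzzy hash (SSDEEP) listed in the row is the usual way to link such variants when the parent is not at hand.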
M20-fod61 | Netwalker_9172586c | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts files on compromised enterprise networks and appends the mailto extension to them. It uses the victim's network to reach and encrypt all Windows devices. | 9172586c2f870ab76eb0852d1f4dfaea | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49 SHA1: 69e858f578fb0e7fdfb1d26db52dd6a95f5802ff MD5: 9172586c2f870ab76eb0852d1f4dfaea |
M20-v87c1 | Netwalker_2f720c55 | Mixed |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts files on compromised enterprise networks and appends the mailto extension to them. It uses the victim's network to reach and encrypt all Windows devices. | 2f720c55dc1969da5299a45e031816ae | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 940d411e8f6c3aecfebc74614f856b892aaf0ad546b0aeec4152a75711a4267c SHA1: 6da8ae1da95a0c96b432ad822076a0255e6744fd MD5: 2f720c55dc1969da5299a45e031816ae |
M20-ckxn1 | Nefilim_dfd4dbfd | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once a system has been infected, the malware establishes persistence and exfiltrates credentials where possible. It then delivers the ransomware payload to the intended targets. | dfd4dbfd7cbd6179fc371e5f887f189c | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5 SHA1: bbcb2354ef001f476025635741a6caa00818cbe7 MD5: dfd4dbfd7cbd6179fc371e5f887f189c |
M20-vcwy1 | Netwalker_6528c101 | Windows |
This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts files on compromised enterprise networks and appends the mailto extension to them. It uses the victim's network to reach and encrypt all Windows devices. | 6528c1013ddb23f6eeca08d02f3d7834 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: c677014c312b87da89362fbd16f7abf7ba5546220000bfdaa0f77bba1edf5144 SHA1: 61905f80bd29b2bd0cd522a7e822aeb8733bb78c MD5: 6528c1013ddb23f6eeca08d02f3d7834 |
M20-jyvy1 | Emotet_4247302f | Mixed |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware that can deliver various payloads. Emotet is often delivered via Microsoft Office document macros sent in malicious emails. | 4247302ff7876d70434aa55bf65fe7e1 | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: e3f75fa3896fe0551e1a892b0bf308e786326218836e5824fcfac7cd813c142e SHA1: 39feb1450fe49ee8c82766f0f7d9e1ca6c3998cf MD5: 4247302ff7876d70434aa55bf65fe7e1 |
M20-d4cb1 | Emotet_97e77c7d | Mixed |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware that can deliver various payloads. Emotet is often delivered via Microsoft Office document macros sent in malicious emails. | 97e77c7db614b3304ea6ef7a598697fb | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: 3dc27bfea129de80fabb8e5ec05816202ae50e9b182b9d1f67546491c7fbe01c SHA1: 1744fd5bcb9e4162bcbf6a44a9da5cfbb698a7bd MD5: 97e77c7db614b3304ea6ef7a598697fb |
M20-rqxl1 | Nefilim_053ec539 | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once a system has been infected, the malware establishes persistence and exfiltrates credentials where possible. It then delivers the ransomware payload to the intended targets. | 053ec539c138afb99054bd362bb3ed71 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e SHA1: d87847810db8af546698e47653452dcd089c113e MD5: 053ec539c138afb99054bd362bb3ed71 |
M20-9hz81 | Nefilim_659c4b68 | Windows |
This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once a system has been infected, the malware establishes persistence and exfiltrates credentials where possible. It then delivers the ransomware payload to the intended targets. | 659c4b68f2027905def1af9249feebb3 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 35a0bced28fd345f3ebfb37b6f9a20cc3ab36ab168e079498f3adb25b41e156f SHA1: 2483dc7273b8004ecc0403fbb25d8972470c4ee4 MD5: 659c4b68f2027905def1af9249feebb3 |
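The rows above are what a practitioner actually consumes from this catalogue: a strike ID, a sample name, a platform, a description, an MD5 column, and a reference followed by the sample's hashes (plus PARENTID and SSDEEP for the padded REvil variant). The following added example, which is not part of the catalogue or of any vendor tooling, parses rows in this two-line layout, including the run-together form in which the reference URL and hashes are fused, cross-checks that the MD5 column agrees with the hash list and that the name suffix is the first eight hex digits of the MD5, and builds a lookup so a file's digests can be matched against the catalogue. The embedded sample rows are copied from this page with shortened descriptions; everything else (field names, the validation rules, the hypothetical malformed record used in the check) is my construction.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: three rows copied from the catalogue above with the
# descriptions shortened, kept in the run-together form the extraction produced
# (reference URL fused with "SHA256:", SHA1 fused with "MD5:" or "PARENTID:").
CATALOGUE = """\
M20-2sw81 | Netwalker_63eb7712 | Windows |
This strike sends a malware sample known as Netwalker. | 63eb7712d7c9d495e8a6be937bdb1960 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/SHA256: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7aSHA1: 1897bcfc7f3d4a36bdd29da61e87ba00812dca24MD5: 63eb7712d7c9d495e8a6be937bdb1960 |
M20-7blu1 | REvil_1a0545bb | Windows |
This strike sends a polymorphic malware sample known as REvil. | 1a0545bbcac7a44a1406cdac135288ca | https://attack.mitre.org/techniques/T1009/SHA256: 8c744fefa5d609f9c57eb147e22e74680585e19d27f49244dd4c629db21a7502SHA1: 7f24239d5e392dffbca97c562bec63435a93858fPARENTID: M20-du8w1SSDEEP: 3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCImQ:ZJ0BXScFy2RsQJ8zgQXMD5: 1a0545bbcac7a44a1406cdac135288ca |
M20-jyvy1 | Emotet_4247302f | Mixed |
This strike sends a malware sample known as Emotet. | 4247302ff7876d70434aa55bf65fe7e1 | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.htmlSHA256: e3f75fa3896fe0551e1a892b0bf308e786326218836e5824fcfac7cd813c142eSHA1: 39feb1450fe49ee8c82766f0f7d9e1ca6c3998cfMD5: 4247302ff7876d70434aa55bf65fe7e1 |
"""

# Fixed-width hex patterns survive the fused form because the label that follows
# each digest ("SHA1:", "MD5:", "PARENTID:") starts with a non-hex character.
FIELD_RE = {
    "sha256": re.compile(r"SHA256:\s*([0-9a-fA-F]{64})"),
    "sha1": re.compile(r"SHA1:\s*([0-9a-fA-F]{40})"),
    "md5": re.compile(r"MD5:\s*([0-9a-fA-F]{32})"),
    "parent_id": re.compile(r"PARENTID:\s*([A-Z]\d{2}-[a-z0-9]{5})"),
    # ssdeep has no fixed width, so stop lazily at whitespace or the next label.
    "ssdeep": re.compile(r"SSDEEP:\s*(\d+:[A-Za-z0-9+/]+:[A-Za-z0-9+/]+?)(?=\s|MD5:|SHA256:|SHA1:|\||$)"),
}
URL_RE = re.compile(r"(https?://\S+?)(?=SHA256:|SHA1:|MD5:|\s|$)")


@dataclass
class Strike:
    strike_id: str
    name: str
    platform: str
    description: str
    md5_column: str
    reference: str
    hashes: Dict[str, str] = field(default_factory=dict)
    parent_id: Optional[str] = None
    ssdeep: Optional[str] = None


def parse_catalogue(text: str) -> List[Strike]:
    """Each strike is two lines: 'ID | Name | Platform |' then 'desc | MD5 | ref+hashes |'."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("catalogue rows must come in pairs of lines")
    strikes = []
    for head, body in zip(lines[0::2], lines[1::2]):
        strike_id, name, platform = [c.strip() for c in head.strip("|").split("|")]
        description, md5_column, blob = [c.strip() for c in body.strip("|").split("|", 2)]
        hashes = {}
        for key in ("sha256", "sha1", "md5"):
            m = FIELD_RE[key].search(blob)
            if m:
                hashes[key] = m.group(1).lower()
        parent = FIELD_RE["parent_id"].search(blob)
        fuzzy = FIELD_RE["ssdeep"].search(blob)
        url = URL_RE.search(blob)
        strikes.append(Strike(strike_id, name, platform, description, md5_column,
                              url.group(1) if url else "", hashes,
                              parent.group(1) if parent else None,
                              fuzzy.group(1) if fuzzy else None))
    return strikes


def validate(strike: Strike) -> List[str]:
    """Consistency checks a row should pass before its hashes go into a blocklist."""
    problems = []
    for key in ("sha256", "sha1", "md5"):
        if key not in strike.hashes:
            problems.append(f"{strike.strike_id}: missing {key}")
    md5 = strike.hashes.get("md5")
    if md5 and md5 != strike.md5_column.lower():
        problems.append(f"{strike.strike_id}: MD5 column {strike.md5_column} != hash list {md5}")
    suffix = strike.name.rsplit("_", 1)[-1].lower()
    if md5 and not md5.startswith(suffix):
        problems.append(f"{strike.strike_id}: name suffix {suffix} does not match MD5 {md5}")
    if not strike.reference.startswith("http"):
        problems.append(f"{strike.strike_id}: no reference URL recovered")
    return problems


def build_index(strikes: List[Strike]) -> Dict[tuple, str]:
    """Map (algorithm, digest) -> strike id for fast matching of file hashes."""
    return {(algo, digest): s.strike_id for s in strikes for algo, digest in s.hashes.items()}


def lookup(index: Dict[tuple, str], **digests: str) -> List[str]:
    """lookup(index, sha1=..., md5=...) -> sorted strike ids matching any digest."""
    return sorted({index[(a, d.lower())] for a, d in digests.items() if (a, d.lower()) in index})


if __name__ == "__main__":
    strikes = parse_catalogue(CATALOGUE)
    for s in strikes:
        print(s.strike_id, s.name, s.platform, s.reference, validate(s) or "ok")
    print(lookup(build_index(strikes), sha1="7f24239d5e392dffbca97c562bec63435a93858f"))
```

The validate checks catch the two transcription errors that matter most in a hash feed: an MD5 column that disagrees with the hash list, and a sample name whose suffix no longer matches its digest; either one means the row was edited by hand and its indicators should not be trusted without re-hashing the sample.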