Malware Monthly Update October - 2020

Malware Strikes

Each strike is listed with its Strike ID, Malware, Platform, Info and External References, followed by the sample hashes (SHA256, SHA1, MD5, plus PARENTID and SSDEEP for polymorphic variants).
Strike ID: M20-7cze1 | Malware: Emotet_4e27e219 | Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware, in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros sent in malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: c127cf0ce097e22f9f1fe0ca565c77a111745b85b0e78b21d20833055bc821d5
SHA1: cc18b6c62a6e9b279fc4bf9a456778bf054aef34
MD5: 4e27e2197bda5e1318eb13ea06b18205
Strike ID: M20-pb731 | Malware: Nemty_5126b883 | Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: d421d9b0cc9ce69fc4dea1d4bd230b666b15868e4778d227ead38b7572463253
SHA1: 9a121af9e0427a530ed12b72429fbc800d976623
MD5: 5126b88347c24245a9b141f76552064e
Strike ID: M20-3ytp1 | Malware: Nefilim_ce3cd1da | Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020
SHA1: f246984193c927414e543d936d1fb643a2dff77b
MD5: ce3cd1dab67814f5f153bccdaf502f4c
Strike ID: M20-r7xs1 | Malware: Ryuk_3266352b | Platform: Windows
Info: This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: 68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218
SHA1: 2c8ea348cc80ed41737d3d2d8cb5487dcd49d040
MD5: 3266352bea7513ac3ead6e7d68661ad3
Strike ID: M20-2air1 | Malware: REvil_b67606d3 | Platform: Windows
Info: This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public.
External References: https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556
SHA256: 372c8276ab7cad70ccf296722462d7b8727e8563c0bfe4344184e1bc3afc27fc
SHA1: 6c72756b12b03a2a594b8bb308944396438ec979
MD5: b67606d382f50ebf76848d023decee20
Strike ID: M20-zudz1 | Malware: Emotet_212ede8e | Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware, in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros sent in malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: 939e9772cc64e88895365ccc1be8d7a6ef4b7c47b70165c35c79e2391ab50656
SHA1: 19763080a3c72c651224678eabadcdfca5d5cad1
MD5: 212ede8ee978a5979b17d9d68a497d10
Strike ID: M20-23qh1 | Malware: CLOP_d3ace85c | Platform: Windows
Info: This strike sends a polymorphic malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it disables target processes, which can include debuggers, text editors, IDEs, as well as a host of Windows processes, such as Windows 10 and Microsoft applications. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: fd34ac2360302f24752fc352e161ed54609f3942178663eb0f46ceac8d58b099
SHA1: 05d7b3e2f6646bcd3a46ee9ec718497898678a81
PARENTID: M20-eoc31
SSDEEP: 6144:JrazEX0203RegvjxnpGhu3BJMIp2CuvY63n:B+3JpGEBJMg2CuvY63
MD5: d3ace85c17df113fa90a92a541ff0ca7
Strike ID: M20-x0np1 | Malware: Sodinokibi_fb68a023 | Platform: Windows
Info: This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of an Oracle WebLogic vulnerability to gain access to the target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It then wipes out all files in the backup folder.
External References: https://www.acronis.com/en-us/articles/sodinokibi-ransomware/
SHA256: 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
SHA1: 1399bf98a509adb07663476dee7f9fee571e09f3
MD5: fb68a02333431394a9a0cdbff3717b24
Strike ID: M20-f9w61 | Malware: Netwalker_5f55ac3d | Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614
SHA1: 6a13535190bdcd62af6b4930ea28664c13c6a6be
MD5: 5f55ac3dd18950583dadffc1970745c5
Strike ID: M20-c1v31 | Malware: Netwalker_608ac26e | Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010
SHA1: c5b3fa421db00fe931f439af5df4f65f7f3d9a1a
MD5: 608ac26ea80c189ed8e0f62dd4fd8ada
Strike ID: M20-zvvm1 | Malware: Sekhmet_b7ad5f7e | Platform: Windows
Info: This strike sends a malware sample known as Sekhmet. The Sekhmet ransomware was used in an attack against gas handling company SilPac in June 2020. This ransomware has been commonly spread via spam email. Once it encrypts the files on the targeted system, it leaves behind a RECOVER-FILES.txt file that includes a ransom note with instructions on how to pay via TOR.
External References: https://bazaar.abuse.ch/sample/fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d/
SHA256: 0a739f4ec3d096010d0cd9fc0c0631f0b080cc2aad1f720fd1883737b6a6a952
SHA1: cf02d630465eaf009db8bcc8a0dd4242a1d2dd82
MD5: b7ad5f7ec71dc812b4771950671b192a
Strike ID: M20-j8sq1 | Malware: Tycoon_ae037348 | Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: 8587037c15463d10a17094ef8fa9f608cc20c99fa0206ce496b412f8c7f4a1b8
SHA1: e20a4cc7f13f517491e772ce9e5c236aad2785f0
MD5: ae03734805e3b7ec0fa52c5a4f07a725
Strike ID: M20-fbd41 | Malware: DoppelPaymer_66c11a6c | Platform: Windows
Info: This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed by numerous other methods, such as malspam, botnets, exploits, etc. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: 039f721ff06c6965e97417a480fca2220f45bce9c10b63e4d0e823842533a70f
SHA1: 36ce6b51c925a7a5f122e07ddd7d47916576e584
PARENTID: M20-zug71
SSDEEP: 98304:J56LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN/:JsLOqCkLzDouoOS36XV/
MD5: 66c11a6cbbe59f2e580da1c75acd9ae8
Strike ID: M20-4wbt1 | Malware: REvil_54079282 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. The binary has a section renamed with a random name according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 20045aa54d765b77de371fba418505f38ece546cedd974c5cd2aebdf44a7b823
SHA1: d12e89ebbb638f16711318bf4e71aa16df7eb145
PARENTID: M20-du8w1
SSDEEP: 3072:hLFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCIm:1J0BXScFy2RsQJ8zgQ
MD5: 54079282596df0fff118c2cdf8c6cbe3
Strike ID: M20-p56a1 | Malware: Emotet_c730e1c3 | Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware, in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros sent in malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: e218d7c8b3bd6e69065f2a2bee81c88865d2068a46c3997339a200318f7b82b4
SHA1: c868e42736238372f66d6a5bcedb636d28d15346
MD5: c730e1c3cf2e54af08072778a7fd6f41
Strike ID: M20-jbb31 | Malware: Emotet_699bd905 | Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware, in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros sent in malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: cf9401d8bcbb01edf06c19509b572a26047b2788a41f0ffa5d52c2189fe5a125
SHA1: 24c615d82cfbd4b2a16cf03f0ce12c252b4c1eb5
MD5: 699bd9053663bbdeb39df9d6f4f2b483
Strike ID: M20-q7u81 | Malware: Emotet_74e9ae66 | Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware, in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros sent in malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: d366dfc971747d113549ee401fa6dc07dfa0f478c9b08109640f84151bd2da29
SHA1: c137dce76d338fe94c8efade25596c93c082c0e8
MD5: 74e9ae66b4029ce403ef9a76d2dd1ec4
Strike ID: M20-oxbt1 | Malware: Nefilim_3beb3d46 | Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: b227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17
SHA1: e94089137a41fd95c790f88cc9b57c2b4d5625ba
MD5: 3beb3d466bcc0977ec2dd66d72ab6bb3
Strike ID: M20-n54a1 | Malware: Ryuk_fca20e17 | Platform: Windows
Info: This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: 7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20
SHA1: c8ecc9b34184e7e1c15b4ed49fb838e7882dbfc6
MD5: fca20e17ce8c0c3f3c78d82c953472ed
Strike ID: M20-pqk51 | Malware: Maze_910aa498 | Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/
SHA256: 4218214f32f946a02b7a7bebe3059af3dd87bcd130c0469aeb21b58299e2ef9a
SHA1: 45831987fabeb7b32c70f662be8cb24e2efef1dc
MD5: 910aa49813ee4cc7e4fa0074db5e454a
Strike ID: M20-zqyf1 | Malware: REvil_cce629db | Platform: Windows
Info: This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public.
External References: https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556
SHA256: 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d
SHA1: 2649ce761c00f4505758e20580e8bdf3e8d559d1
MD5: cce629db2606ae98ba6e931adbf1aeae
Strike ID: M20-iupe1 | Malware: Netwalker_f957f19c | Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: b2d68a79a621c3f9e46f9df52ed19b8fec22c3cf5f4e3d8630a2bc68fd43d2ee
SHA1: 96432d979fdec055e4f40845a27cf4a9c0a0a34b
MD5: f957f19cd9d71abe3cb980ebe7f75d72
Strike ID: M20-jn451 | Malware: Maze_c043c153 | Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/
SHA256: fb5de69b222d81fea2f4b08fd5af612faf24b9e75698ac331af066fbc360a30a
SHA1: d5ef91b849122109615007329ec6548830f13bfc
MD5: c043c153237b334df2f2934f7640e802
Strike ID: M20-b7qt1 | Malware: Nefilim_ddc50d4a | Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b
SHA1: c61f2cdb0faf31120e33e023b7b923b01bc97fbf
MD5: ddc50d4ae0674d854a845b3eb32508c3
Strike ID: M20-9e4q1 | Malware: Nefilim_dc88265c | Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 3bac058dbea51f52ce154fed0325fd835f35c1cd521462ce048b41c9b099e1e5
SHA1: e99460b4e8759909d3bd4e385d7e3f9b67aa1242
MD5: dc88265c361d73540a31c19583271fb0
Strike ID: M20-kubx1 | Malware: Sodinokibi_177a571d | Platform: Windows
Info: This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of an Oracle WebLogic vulnerability to gain access to the target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It then wipes out all files in the backup folder.
External References: https://www.acronis.com/en-us/articles/sodinokibi-ransomware/
SHA256: f0a16b0224a24647e9e8cf2f6f4479d93c8fb540a7ca656023a41f399e6c69c2
SHA1: 7f1b49c2946a9a036cf60e25e1a8452f6237a57d
MD5: 177a571d7c6a6e4592c60a78b574fe0e
Strike ID: M20-jzr31 | Malware: Netwalker_bc758596 | Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d
SHA1: 5be2fb7adcfefd741e6b98b4beeadf9e24ea7423
MD5: bc75859695f6c2c5ceda7e3be68e5d5a
Strike ID: M20-d5741 | Malware: Nemty_f2708056 | Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: 572b2dad5fca5f1dab7c18afa986fe7ef639e7892776593fc7636ff03ff783bc
SHA1: f0078a38d56384f9dbced7c0a9837cdb22c4daf0
MD5: f270805668e8aecf13d27c09055bad5d
Strike ID: M20-ocu81 | Malware: CLOP_9ec70a82 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it disables target processes, which can include debuggers, text editors, IDEs, as well as a host of Windows processes, such as Windows 10 and Microsoft applications. The binary has been packed using the UPX packer with the default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: ada51ae85a78dc3641bbe52505e3eaf670353477abbb77fb5c781713545b5f58
SHA1: 1a18c783bdcf3af6c52a9daaa712c56ee5816832
PARENTID: M20-eoc31
SSDEEP: 3072:m7QoN+AOSJUT5I/QN7lg3w0EIpRomDOhRJ+ZHNN9cY2ritPOFjy54:kQokAaT5gCg30SRBD07KH39cAPqx
MD5: 9ec70a82f8b4797c4ad4fe646cfb6e10
Strike ID: M20-iort1 | Malware: Nefilim_5ff20e2b | Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641
SHA1: e53d4b589f5c5ef6afd23299550f70c69bc2fe1c
MD5: 5ff20e2b723edb2d0fb27df4fc2c4468
Strike ID: M20-6ei91 | Malware: Nefilim_26c35850 | Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599
SHA1: 0d339d08a546591aab246f3cf799f3e2aaee3889
MD5: 26c35850483c877ee23f476b38d58deb
Strike ID: M20-dzq81 | Malware: DoppelPaymer_4601ec39 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed by numerous other methods, such as malspam, botnets, exploits, etc. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: e9be48e03f80f6ef0bc5cbe36cbd4bcba30fb6d2b3a1a95e4f0e856816ef8cd4
SHA1: 86c6242cbdb9b45dd9028639c1bcf9dc07d664d0
PARENTID: M20-zug71
SSDEEP: 98304:556LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfNt:5sLOqCkLzDouoOS36XVt
MD5: 4601ec39e2934ba61651decf6d06de64
Strike ID: M20-jdde1 | Malware: Nefilim_8f90539c | Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3
SHA1: bd59d7c734ca2f9cbaf7f12bc851f7dce94955d4
MD5: 8f90539c405672016c0dec7ac3574eea
Strike ID: M20-xv3b1 | Malware: Nefilim_7354e71d | Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953
SHA1: 9770fb41be1af0e8c9e1a69b8f92f2a3a5ca9b1a
MD5: 7354e71d9c28e0c150cea3377e5f70d9
Strike ID: M20-1jg41 | Malware: Ryuk_5f7dd374 | Platform: Windows
Info: This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: 235ab3857ba2d2cd09311d6cc7bf1139863022579ea98be2b503921104ee20ac
SHA1: d9f8eb52ce514d3dbf8f8e6a1ecb29c1dc46ea12
MD5: 5f7dd3740a3a4ea74e2ee234f6de26aa
Strike ID: M20-93le1 | Malware: CLOP_f2114603 | Platform: Windows
Info: This strike sends a malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it disables target processes, which can include debuggers, text editors, IDEs, as well as a host of Windows processes, such as Windows 10 and Microsoft applications.
External References: https://www.trendmicro.com/vinfo/ae/security/news/cybercrime-and-digital-threats/ransomware-recap-clop-deathransom-and-maze-ransomware
SHA256: 2ceeedd2f389c6118b4e0a02a535ebb142d81d35f38cab9a3099b915b5c274cb
SHA1: c777107d839938da8c41beacc78802a0e05e8b74
MD5: f21146030cbe2ebe5a8e3fd67df8e8f3
Strike ID: M20-zug71 | Malware: DoppelPaymer_8c54bbe3 | Platform: Windows
Info: This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed by numerous other methods, such as malspam, botnets, exploits, etc.
External References: https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/
SHA256: f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555
SHA1: 2fc2ecbed153344557386e80a2fbd097bf795559
MD5: 8c54bbe3f191a8627bfeeb4cb02634a9
Strike ID: M20-3cxk1 | Malware: Nefilim_0790a7e0 | Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 7de8ca88e240fb905fc2e8fd5db6c5af82d8e21556f0ae36d055f623128c3377
SHA1: 4595cdd47b63a4ae256ed22590311f388bc7a2d8
MD5: 0790a7e0a842e1de70de194054fa11b3
Strike ID: M20-pe1b1 | Malware: Netwalker_93f91bfc | Platform: Mixed
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 59ba11aa5b9a4d2ef80d260b9e51f605d556781b8ce682443ad1e547898eb0a6
SHA1: 2ddf48174221371ad4f5d339353a3f998044d95d
MD5: 93f91bfcc1bf0c858fc7f3bd4536eba6
Strike ID: M20-hrde1 | Malware: Netwalker_0537d845 | Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 12717add64ecf32d7bcb6b2662becbff6b516cf8073f399dc5e4d3615d452e89
SHA1: 3fb77d821ea7ec2b30fd3944c3d9361093a58cd6
MD5: 0537d845ba099c6f2b708124eda13f1c
Strike ID: M20-yqkh1 | Malware: Tycoon_80675f08 | Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: ac0882d87027ac22fc79cfe2d55d9a9d097d0f8eb425cf182de1b872080930ec
SHA1: 3d845a707f2825746637922d7dd10fab18558209
MD5: 80675f08a4dad40a316865619f6adaaa
Strike ID: M20-h4tt1 | Malware: Nefilim_80cfda61 | Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea
SHA1: 6c9ae388fa5d723a458de0d2bea3eb63bc921af7
MD5: 80cfda61942eb4e71f286297a1158f48
Strike ID: M20-t9wu1 | Malware: Tycoon_51a7822f | Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: bd3fdf1b50911d537a97cb93db13f2b4026f109ed23a393f262621faed81dae1
SHA1: 03023d7e3a54d915cca82429dfeedb1bebd5c182
MD5: 51a7822f388162ce1c66dd90da207545
Strike ID: M20-ozkg1 | Malware: Tycoon_9c7befb1 | Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: 853fa18adc3f9263a0f98a9a257dd70d7e1aee0545ab47a114f44506482bd188
SHA1: 8e7a5500007c1552e1231bd1157433f7ef638672
MD5: 9c7befb18ccbd63100a497fe7c1acc69
Strike ID: M20-11ox1 | Malware: Netwalker_59b00f60 | Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 26dfa8512e892dc8397c4ccbbe10efbcf85029bc2ad7b6b6fe17d26f946a01bb
SHA1: 794589026bdc8b01cad097ffcd50be37a87e7c29
MD5: 59b00f607a7550af9a2332c730892845
Strike ID: M20-c0k61 | Malware: Nemty_0b33471b | Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: f3e0b5808c1394c884b4b2c7fa0c0955f7b544959a46b8839b76c8d8e2735413
SHA1: 42256ea23ee775e71702cc901c3632ef2fd53a02
MD5: 0b33471bbd9fbbf08983eff34ee4ddc9
Strike ID: M20-9vw62 | Malware: Nemty_4ca39c0a | Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: cc496cec38bbc72bae3cb64416baca38b3706443c4f360bd4ba8300d64b210d2
SHA1: afa8bc5c0a014e6202a8dd39f3f288bc927dacd0
MD5: 4ca39c0aeb0daeb1be36173fa7c2a25e
Strike ID: M20-5ca61 | Malware: Sodinokibi_858c29ef | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of an Oracle WebLogic vulnerability to gain access to the target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It then wipes out all files in the backup folder. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37
SHA1: d642f7ecda3fa135761d68eb20f44d66eba798fa
PARENTID: M20-u2sg1
SSDEEP: 3072:Or85CuLbi4eTMlwDCnuZ3puJ1ni8Iy8EytZ:O9ebnWJZ3P8IUyT
MD5: 858c29efee084e86616b21fdc4d2a3de
Strike ID: M20-otig1
Malware: REvil_b26fbb99
Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 6d9349a99d80e9003d3a01e0ad19c5f175e18b2dee7ef533b630772548f6c727
SHA1: 323135aa6987945df756cb9636ad72938d5a064f
PARENTID: M20-du8w1
SSDEEP: 3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCImk:ZJ0BXScFy2RsQJ8zgQP
MD5: b26fbb999449caad351b18364a17bd6e
Strike ID: M20-ghdx1
Malware: Netwalker_239163e6
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 92e4d38e17e4dc32519df7324013477908c9cb725ea29aea6e4fd8c27eb7087d
SHA1: c26d5fbe02f8b0e6a40672b12e69ee78343e9a41
MD5: 239163e6019670e326087aa59adb5007
Strike ID: M20-0hr01
Malware: Maze_fba4cbb7
Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/
SHA256: 5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353
SHA1: aa6cd2698d4f9a7fa99f5807f4b6695a0bfd0124
MD5: fba4cbb7167176990d5a8d24e9505f71
Strike ID: M20-a7bi1
Malware: Netwalker_cc113e42
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: eb1470786fda58fc8291e099c7fcd5d36a04de85d1f6fe8683c1950b7119314e
SHA1: 5b165601b8d0b13a8833c31cb36644aea8121f74
MD5: cc113e42c52c6e4e7beca74829b89a68
Strike ID: M20-kkmm1
Malware: Sodinokibi_e713658b
Platform: Windows
Info: This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of an Oracle WebLogic vulnerability to gain access to the target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It will then wipe out all files in the backup folder.
External References: https://www.acronis.com/en-us/articles/sodinokibi-ransomware/
SHA256: e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec
SHA1: 8b1d4ae7cbc6c0fa0705122b9556745670863214
MD5: e713658b666ff04c9863ebecb458f174
Strike ID: M20-mc031
Malware: DoppelPaymer_81f50e95
Platform: Windows
Info: This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been delivered by numerous other methods such as malspam, botnets and exploits.
External References: https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/
SHA256: 46254a390027a1708f6951f8af3da13d033dee9a71a4ee75f257087218676dd5
SHA1: 3b24602e453950a1391124f348bc897593ddfab9
MD5: 81f50e95bfbbe7d86229ac9592febf2f
Strike ID: M20-b1vh1
Malware: Ryuk_3925ae7d
Platform: Windows
Info: This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: 884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5
SHA1: 948af4614e8ff150fbe0bc38f40806b457acaf3a
MD5: 3925ae7df3328773be923f74d70555e3
Strike ID: M20-d9ti1
Malware: DoppelPaymer_69061465
Platform: Windows
Info: This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been delivered by numerous other methods such as malspam, botnets and exploits.
External References: https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/
SHA256: b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9
SHA1: 963f6c4e2f7c202fd1676eee27c160de2ad2f774
MD5: 69061465ae5067710402c832412e2dae
Strike ID: M20-nx2s1
Malware: CLOP_508a671c
Platform: Windows
Info: This strike sends a polymorphic malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encryption of the system, it disables target processes, which can include debuggers, text editors, IDEs, as well as a host of Windows processes like Windows 10 and Microsoft applications. The binary has the checksum removed in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: f1884560d6384a695360251b63b465d12d52095e71bc1a073a1d32243bdd537a
SHA1: 5324545e7713fbb38ea01f825a14626c30b9f428
PARENTID: M20-eoc31
SSDEEP: 6144:rrazEX0203RegvjxnpGhu3BJMIp2CuvY63:/+3JpGEBJMg2CuvY6
MD5: 508a671cf24f381582459ccda863d520
Strike ID: M20-g3yi1
Malware: Netwalker_dabbc5e5
Platform: Mixed
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: e1a8a38dda16a7815bd20a96f46bd978ac41f2acf927993ad965abb258123d8c
SHA1: 79e6d0dbdfb89350fcf924c6554a5b7c79d4d66d
MD5: dabbc5e50b9275cb2996c50fd81e64b4
Strike ID: M20-oroy1
Malware: Nemty_37aaba6b
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: 505c0ca5ad0552cce9e047c27120c681ddce127d13afa8a8ad96761b2487191b
SHA1: 02637179c597eaa821ff190ef89ba9eb013a6ea2
MD5: 37aaba6b18c9c1b8150dae4f1d31e97d
Strike ID: M20-nyqm1
Malware: Tycoon_f28c603b
Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: 868cb8251a245c416cd92fcbd3e30aa7b7ca7c271760fa120d2435fd3bf2fde9
SHA1: a2c17f04ce259125bc43c8d6227ef594df51f18a
MD5: f28c603bbe75516372159bb79ef3eb63
Strike ID: M20-4eyf1
Malware: Netwalker_5ce75526
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677
SHA1: 1e1b1c4ae648786fe429c9ddd2182e0d58bcf423
MD5: 5ce75526a25c81d0178d8092251013f0
Strike ID: M20-yq7k1
Malware: Nemty_0e0b7b23
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: 267a9dcf77c33a1af362e2080aaacc01a7ca075658beb002ab41e0712ffe066e
SHA1: 703f5f6a5130868a7c3ec06b40b9f37656c86d24
MD5: 0e0b7b238a06a2a37a4de06a5ab5e615
Strike ID: M20-gc8v1
Malware: Netwalker_3cfd36a7
Platform: Mixed
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 5daf828fd452f5325c28bc145a86d3d943cd86bb13ffe35c440ebf3cd2a45522
SHA1: 807d30f37bf2e052a253f64d102a7ab21933567b
MD5: 3cfd36a72db703e25aecd51eb74f0feb
Strike ID: M20-30im1
Malware: Netwalker_645c720f
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 29aef790399029029e0443455d72a8b928854a0706f2e211ae7a03bba0e3d4f4
SHA1: 16094d75f4bb593b196210e5d082a7abcdce1d8c
MD5: 645c720ff0eb7d946ec3b4a6f609b7bc
Strike ID: M20-37651
Malware: Tycoon_b58476f6
Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: 44b5d24e5e8fd8e8ee7141f970f76a13c89dd26c44b336dc9d6b61fda3abf335
SHA1: 77676865f875eff23699189f57c37c76b92ba2b9
MD5: b58476f659782f770854726847601fda
Strike ID: M20-86kc1
Malware: REvil_3777f3e0
Platform: Windows
Info: This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public.
External References: https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556
SHA256: 6953d86d09cb8ed34856b56f71421471718ea923cd12c1e72224356756db2ef1
SHA1: a7e6a0986b641d66b12d14752b20a470c9ba692e
MD5: 3777f3e092f2208c6670c01816562a7d
Strike ID: M20-suzd1
Malware: DoppelPaymer_a6a31da6
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been delivered by numerous other methods such as malspam, botnets and exploits. The binary has a random section name renamed according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 692922af8eb58fda7ecf086937e02fd2cd0e89a233a19fa3a2bf531dde172c31
SHA1: 60858d68463e69043c7f118f8647974bb0cbba1d
PARENTID: M20-zug71
SSDEEP: 98304:z56LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN/:zsLOqCkLzDouoOS36XV/
MD5: a6a31da60473168dc613b64c7a00fc5e
Strike ID: M20-u36z1
Malware: Nemty_348c3597
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: 69a44e62abd294bb262906814ce385296eafaa8f0fab82c8c453c19796839549
SHA1: 71917d536b3418fd1ce005ecb96976d172e356c3
MD5: 348c3597c7d31c72ea723d5f7082ff87
Strike ID: M20-tv9r1
Malware: Nemty_0f3deda4
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: a5590a987d125a8ca6629e33e3ff1f3eb7d5f41f62133025d3476e1a6e4c6130
SHA1: 70dac7f3934659e583f962e7c5bff51a4b97dd11
MD5: 0f3deda483df5e5f8043ea20297d243b
Strike ID: M20-mcxn1
Malware: DoppelPaymer_b2a0c322
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been delivered by numerous other methods such as malspam, botnets and exploits. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 7823b40d3a721e9fb556489f19f044009244ec9f2c69bd7b406bc603f475f99d
SHA1: 6fa2213a9f3429c0b0dae4cfab53d70737204219
PARENTID: M20-zug71
SSDEEP: 98304:556LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN2:5sLOqCkLzDouoOS36XV2
MD5: b2a0c322572d0f5f52d92dbd336ac14f
Strike ID: M20-u7vw1
Malware: Nemty_5cc1bf61
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: 6a07996bc77bc6fe54acc8fd8d5551a00deaea3cc48f097f18955b06098c4bd3
SHA1: 5ba5abc14c4e756a679cbafbc41440458620b268
MD5: 5cc1bf6122d38de907d558ec6851377c
Strike ID: M20-ml6e1
Malware: DoppelPaymer_2d1e555a
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been delivered by numerous other methods such as malspam, botnets and exploits. The binary has random contents appended in one of the existing sections in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: 7f53022212625070e4166c274634efe4023a23a1dc63c9fd14ca3e68082076ed
SHA1: d7200fe3bc2fb6b1b44fa4fbe485d7310c021af4
PARENTID: M20-zug71
SSDEEP: 98304:559LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN/:5LLOqCkLzDouoOS36XV/
MD5: 2d1e555aa68fcc2672e03c976203f96d
Strike ID: M20-83i11
Malware: Emotet_ef389a78
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros sent with malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: e145443e68242815362d6737543409a1adb395879c75c43849abd5e401df522d
SHA1: 820b81f34cbb249ba29703ba85b9b658b6be8217
MD5: ef389a7806af11a628bcce9be3897f72
Strike ID: M20-9pt11
Malware: Netwalker_8fbc17d6
Platform: Mixed
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: fd29001b8b635e6c51270788bab7af0bb5adba6917c278b93161cfc2bc7bd6ae
SHA1: d35cbad4163a967f66be460bac029895506917ed
MD5: 8fbc17d634009cb1ce261b5b3b2f2ecb
Strike ID: M20-du8w1
Malware: REvil_9ecca170
Platform: Windows
Info: This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public.
External References: https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556
SHA256: ec0c653d5e10fec936dae340bf97c88f153cc0cdf7079632a38a19c876f3c4fe
SHA1: 2b498759c83f05beda20adc991be476934ea0fa8
MD5: 9ecca170d0515fb14c8b78302b8053e7
Strike ID: M20-oz2x1
Malware: REvil_63a945da
Platform: Windows
Info: This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public.
External References: https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556
SHA256: ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195
SHA1: a99cf1a2426edeac97c789d0a4b7d38606d7aa45
MD5: 63a945da1a63a8e56e8220c4ccf7fd0c
Strike ID: M20-fmnm1
Malware: Emotet_bd562cd9
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros sent with malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: d7f2699f9b7e0c263fcbd73238a883871965586fad16985455a85498ce8b520a
SHA1: 3a251b9817e458d9f1283a324dfd7760757a6f18
MD5: bd562cd9ad0134eb4ad2600ff5f2a66e
Strike ID: M20-p3xt1
Malware: Netwalker_4e59fba2
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77
SHA1: e57731be1f15c323a7b55b914a0599722ff3985f
MD5: 4e59fba21c5e9ec603f28a92d9efd8d0
Strike ID: M20-ictz1
Malware: Sekhmet_1343bd0e
Platform: Windows
Info: This strike sends a malware sample known as Sekhmet. The Sekhmet ransomware was used in an attack against the gas handling company SilPac in June 2020. This ransomware has been commonly spread via spam email. Once it encrypts the files on the targeted system, it leaves behind a RECOVER-FILES.txt file that includes a ransom note with instructions on how to pay via TOR.
External References: https://bazaar.abuse.ch/sample/fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d/
SHA256: fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d
SHA1: 6412cbf10ac523452e051267afce4095d7f3d5ac
MD5: 1343bd0e55191ff224f2a5d4b30cdf3b
Strike ID: M20-pmmk1
Malware: Emotet_c73019b6
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros sent with malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: 9f2b84e3636d99a49ea3ae417c564253d9a351cc49c756a61c63acd530fd3748
SHA1: aab060435c36a7f930861f9e4fb8dd2d639f7388
MD5: c73019b6b6b46c63f6a45c38b8c2ebbf
Strike ID: M20-gt501
Malware: Tycoon_12a47095
Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: ce399a2d07c0851164bd8cc9e940b84b88c43ef564846ca654df4abf36c278e6
SHA1: 7301382916d9f5274a4fb847579f75bc69c9c24b
MD5: 12a470956f7437a00d7bcf47f1995ea7
Strike ID: M20-mfyo1
Malware: Tycoon_d3f44bfe
Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: 346fdff8d24cbb7ebd56f60933beca37a4437b5e1eb6e64f7ab21d48c862b5b7
SHA1: bf38aca2c659f9eb2b2fa2fad82ccf55b496b0cb
MD5: d3f44bfe42b2e3c735e9df5bb793b9ef
Strike ID: M20-ls811
Malware: Netwalker_cb78a77e
Platform: Mixed
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: f2b96f7d6f1bfd464507790120d07bba46cb4c9856399335748f93ebd52b5696
SHA1: b00710d529aefd25d8d51a2c0577bbb72191bc05
MD5: cb78a77e9ab26e4cf759e7d7b34bdbdc
Strike ID: M20-brxz1
Malware: Emotet_46d69f8e
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros sent with malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: 3f5284458a0d2d7d50d7487391aae521f625a8920bfe03a7c88d412f8c17699e
SHA1: bc3590512e097608b61118c4d7079153daa7a1c9
MD5: 46d69f8e1deebb60b276e62047b7ea8e
Strike ID: M20-g9yn1
Malware: REvil_2019e63a
Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. The binary has been packed using the UPX packer with the default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: cf533171a72bb7178de1e1c03635005893b7698602fe46f2fb37b01474820bb8
SHA1: 76bd674bf1265c82e3c9007f645aef4cb8d4b6e3
PARENTID: M20-du8w1
SSDEEP: 3072:j/3/CvLYtvOT3apvSfg+jhOUtp/yAQSHtRIKeMsTwV:j/IY64vSfg+jRp/JHQ0
MD5: 2019e63a90b551b369bf42ede3827002
Strike ID: M20-jype1
Malware: Emotet_007a2eae
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros sent with malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: b18241915f09540635b0cc900d7652b72af39fa16e4a3fb8a1e17264b3e0b3e0
SHA1: e31d39ca64d7257153201a783d0289852cf0ecb2
MD5: 007a2eae29bc5bfa2eec17ae8104f61e
Strike ID: M20-d64w1
Malware: Netwalker_747dc998
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 664a129052f024acaca3ca8df9b52a432e2172678b1f80af82fcd2ec9d642e18
SHA1: 0e76db2d2a61b5983c295bb325049b64e74b40ba
MD5: 747dc998c4cf60c6d40a77de18a9aa62
Strike ID: M20-lm8y1
Malware: Nefilim_70e4b9b7
Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
SHA1: 1f594456d88591d3a88e1cdd4e93c6c4e59b746c
MD5: 70e4b9b7a83473687e5784489d556c87
Strike ID: M20-q9iy1
Malware: Ryuk_40492c17
Platform: Windows
Info: This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: fe909d18cf0fde089594689f9a69fbc6d57b69291a09f3b9df1e9b1fb724222b
SHA1: f3fa5d5942e5085586d7fcc496d3fad7804abcc2
MD5: 40492c178079e65dfd5449bf899413b6
Strike ID: M20-qi7u1
Malware: Nemty_dcec4fed
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: 688994783ce56427f20e6e2d206e5eee009fcc157ba37737dce1b14a326cc612
SHA1: ef71426550dc3a3121746b475bf9a8416a73ca54
MD5: dcec4fed3b60705eafdc5cbff4062375
Strike ID: M20-u2sg1
Malware: Sodinokibi_bf935904
Platform: Windows
Info: This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of an Oracle WebLogic vulnerability to gain access to the target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It will then wipe out all files in the backup folder.
External References: https://www.acronis.com/en-us/articles/sodinokibi-ransomware/
SHA256: 963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e
SHA1: d1f7c41154cbbc9cd84203fe6067d1b93001dde6
MD5: bf9359046c4f5c24de0a9de28bbabd14
Strike ID: M20-23yc1
Malware: Ryuk_db2766c6
Platform: Windows
Info: This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: aacfc3e386ed12082923d03fa1120d5fa6bf7b8655ba77e04b96a45434fa9a83
SHA1: fc62460c6ddd671085cde0138cf3d999e1db08cf
MD5: db2766c6f43c25951cdd38304d328dc1
Strike ID: M20-vc5b2
Malware: Netwalker_25c0fde0
Platform: Mixed
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d
SHA1: 147c1adc615daa93e84a5a9210ccc14ae86f6c55
MD5: 25c0fde038e01fe84fd3df69c99e60a1
Strike ID: M20-qr3q1
Malware: Netwalker_d09cfda2
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: f298725e197f974b7a8407c5d79114a4ac322c573813d543141ccf1d9119dd8b
SHA1: 82720e4d3fb83baff552ec25eea0fed2befe94fa
MD5: d09cfda29f178f57dbce6895cfb68372
Strike ID: M20-2sw81
Malware: Netwalker_63eb7712
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a
SHA1: 1897bcfc7f3d4a36bdd29da61e87ba00812dca24
MD5: 63eb7712d7c9d495e8a6be937bdb1960
Strike ID: M20-wimr1
Malware: Netwalker_b49ea177
Platform: Mixed
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 7a456f306593a051bea004493f073bb54c5135d8ce3c428f2433c877afd858f3
SHA1: 5c3aede31aaa0c77bfc56111ec39ac0503662dd7
MD5: b49ea17739f484b2ccccf79f245186f3
Strike ID: M20-m0cs1
Malware: Maze_bd9838d8
Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/
SHA256: b345697c16f84d3775924dc17847fa3ff61579ee793a95248e9c4964da586dd1
SHA1: c5938ec75e5b655be84eb94d73adec0f63fbce16
MD5: bd9838d84fd77205011e8b0c2bd711e0
Strike ID: M20-bbin1
Malware: Ryuk_d7697d0d
Platform: Windows
Info: This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: 5b1ab6fae05ca9005ee7026cc30fb79780c470d6a920a63383c3496381778fb5
SHA1: cbff9d66d68fa67e40ca4a295daed68f0d5f8383
MD5: d7697d0d692bd883e53036b906108d56
Strike ID: M20-vqz11
Malware: Maze_a0dc59b0
Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/
SHA256: 9d86beb9d4b07dec9db6a692362ac3fce2275065194a3bda739fe1d1f4d9afc7
SHA1: c10fd0163c42f1149d5dcfb44e31b53a4fe6c6c9
MD5: a0dc59b0f4fdf6d4656946865433bcce
M20-eoc31 | CLOP_a04eb443 | Windows | This strike sends a malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it disables target processes, which can include debuggers, text editors and IDEs, as well as a host of Windows 10 and Microsoft application processes. | a04eb443870896fbe9a0b6468c4844f7 | https://www.trendmicro.com/vinfo/ae/security/news/cybercrime-and-digital-threats/ransomware-recap-clop-deathransom-and-maze-ransomware
SHA256: a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02
SHA1: e3001ef25b1386763caec9b5339ec6ddb0275a71
MD5: a04eb443870896fbe9a0b6468c4844f7
M20-7blu1 | REvil_1a0545bb | Windows | This strike sends a polymorphic malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers pose the threat not only of losing all encrypted data but also of leaking stolen client data to the public. The binary has random strings (lorem ipsum) appended at the end of the file. | 1a0545bbcac7a44a1406cdac135288ca | https://attack.mitre.org/techniques/T1009/
SHA256: 8c744fefa5d609f9c57eb147e22e74680585e19d27f49244dd4c629db21a7502
SHA1: 7f24239d5e392dffbca97c562bec63435a93858f
PARENTID: M20-du8w1
SSDEEP: 3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCImQ:ZJ0BXScFy2RsQJ8zgQX
MD5: 1a0545bbcac7a44a1406cdac135288ca
M20-fod61 | Netwalker_9172586c | Windows | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 9172586c2f870ab76eb0852d1f4dfaea | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49
SHA1: 69e858f578fb0e7fdfb1d26db52dd6a95f5802ff
MD5: 9172586c2f870ab76eb0852d1f4dfaea
M20-v87c1 | Netwalker_2f720c55 | Mixed | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 2f720c55dc1969da5299a45e031816ae | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 940d411e8f6c3aecfebc74614f856b892aaf0ad546b0aeec4152a75711a4267c
SHA1: 6da8ae1da95a0c96b432ad822076a0255e6744fd
MD5: 2f720c55dc1969da5299a45e031816ae
M20-ckxn1 | Nefilim_dfd4dbfd | Windows | This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | dfd4dbfd7cbd6179fc371e5f887f189c | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5
SHA1: bbcb2354ef001f476025635741a6caa00818cbe7
MD5: dfd4dbfd7cbd6179fc371e5f887f189c
M20-vcwy1 | Netwalker_6528c101 | Windows | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 6528c1013ddb23f6eeca08d02f3d7834 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: c677014c312b87da89362fbd16f7abf7ba5546220000bfdaa0f77bba1edf5144
SHA1: 61905f80bd29b2bd0cd522a7e822aeb8733bb78c
MD5: 6528c1013ddb23f6eeca08d02f3d7834
M20-jyvy1 | Emotet_4247302f | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros sent in malicious emails. | 4247302ff7876d70434aa55bf65fe7e1 | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: e3f75fa3896fe0551e1a892b0bf308e786326218836e5824fcfac7cd813c142e
SHA1: 39feb1450fe49ee8c82766f0f7d9e1ca6c3998cf
MD5: 4247302ff7876d70434aa55bf65fe7e1
M20-d4cb1 | Emotet_97e77c7d | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often arrives via Microsoft Office document macros sent in malicious emails. | 97e77c7db614b3304ea6ef7a598697fb | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: 3dc27bfea129de80fabb8e5ec05816202ae50e9b182b9d1f67546491c7fbe01c
SHA1: 1744fd5bcb9e4162bcbf6a44a9da5cfbb698a7bd
MD5: 97e77c7db614b3304ea6ef7a598697fb
M20-rqxl1 | Nefilim_053ec539 | Windows | This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 053ec539c138afb99054bd362bb3ed71 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e
SHA1: d87847810db8af546698e47653452dcd089c113e
MD5: 053ec539c138afb99054bd362bb3ed71
M20-9hz81 | Nefilim_659c4b68 | Windows | This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 659c4b68f2027905def1af9249feebb3 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 35a0bced28fd345f3ebfb37b6f9a20cc3ab36ab168e079498f3adb25b41e156f
SHA1: 2483dc7273b8004ecc0403fbb25d8972470c4ee4
MD5: 659c4b68f2027905def1af9249feebb3