New Play Ransomware Linux Variant Targets ESXi Shows Ties With Prolific Puma | Trend Micro (US)
Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments.
Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
XVigil discovered a financially motivated threat actor group, dubbed Eternity group, actively operating on the internet, selling worms, stealers, DDoS tools, and ransomware builders.
From Origins to Operations: Understanding Black Basta Ransomware
Explore the rise of Black Basta as a top ransomware threat, their sophisticated tactics, notable attacks, and future implications for cybersecurity.
Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
XVigil discovered a financially motivated threat actor group, dubbed Eternity group, actively operating on the internet, selling worms, stealers, DDoS tools, and ransomware builders.
Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
XVigil discovered a financially motivated threat actor group, dubbed Eternity group, actively operating on the internet, selling worms, stealers, DDoS tools, and ransomware builders.
Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
XVigil discovered a financially motivated threat actor group, dubbed Eternity group, actively operating on the internet, selling worms, stealers, DDoS tools, and ransomware builders.
Kasseika Ransomware Deploys BYOVD Attacks Abuses PsExec and Exploits Martini Driver
In this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware.
Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
XVigil discovered a financially motivated threat actor group, dubbed Eternity group, actively operating on the internet, selling worms, stealers, DDoS tools, and ransomware builders.
Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
XVigil discovered a financially motivated threat actor group, dubbed Eternity group, actively operating on the internet, selling worms, stealers, DDoS tools, and ransomware builders.
Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
XVigil discovered a financially motivated threat actor group, dubbed Eternity group, actively operating on the internet, selling worms, stealers, DDoS tools, and ransomware builders.
BlackCat Ransomware Deploys New Signed Kernel Driver
In this blog post, we will provide details on a BlackCat ransomware incident that occurred in February 2023, where we observed a new capability, mainly used for the defense evasion phase.
Rorschach – A New Sophisticated and Fast Ransomware
- Check Point Research (CPR) and Check Point Incident Response Team (CPIRT) encountered a previously unnamed ransomware strain, we dubbed Rorschach, deployed against a US-based company. Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain. In addition, it does not bear any kind of branding which is a common practice among ransomware groups. * The ransomware is partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO). In the past, similar functionality was linked to LockBit 2.0. * The ransomware is highly customizable and contains technically unique features, such as the use of direct syscalls, rarely observed in ransomware. Moreover, due to different implementation methods, Rorschach is one of the fastest ransomware observed, by the speed of encryption. * The ransomware was deployed using DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product, a loading method which is not commonly used to load ransomware. The vulnerability was properly reported to Palo Alto Networks.
Shining Light on Dark Power: Yet Another Ransomware Gang
Another day, another ransomware gang. The Dark Power ransomware gang is new on the block, and is trying to make a name for itself. This blog dives into the specifics of the ransomware used by the gang, as well as some information regarding their victim naming and shaming website, filled with non-paying victims and stolen data.
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
Black Basta operational TTPs are described here in full detail, revealing previously unknown tools and techniques and a link to FIN7.
LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company
Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint
BianLian Ransomware Encrypts Files in the Blink of an Eye
BianLian is a financially motivated threat actor that targets a wide range of industries. It uses the exotic programming language “Go” to encrypt files with unusual speed.
Conti vs. LockBit: A Comparative Analysis of Ransomware Groups
We compare the targeting and business models of the Conti and LockBit ransomware groups using data analysis approaches. This will be presented in full at the 34th Annual FIRST Conference on June 27, 2022.
Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
XVigil discovered a financially motivated threat actor group, dubbed Eternity group, actively operating on the internet, selling worms, stealers, DDoS tools, and ransomware builders.
New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices
Trend Micro Research detected “Cheerscrypt”, a new Linux-based ransomware variant that compromises ESXi servers. We discuss our initial findings in this report.
Rorschach – A New Sophisticated and Fast Ransomware
* Check Point Research (CPR) and Check Point Incident Response Team (CPIRT) encountered a previously unnamed ransomware strain, we dubbed Rorschach, deployed against a US-based company. Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain. In addition, it does not bear any kind of branding which is a common practice among ransomware groups. * The ransomware is partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO). In the past, similar functionality was linked to LockBit 2.0. * The ransomware is highly customizable and contains technically unique features, such as the use of direct syscalls, rarely observed in ransomware. Moreover, due to different implementation methods, Rorschach is one of the fastest ransomware observed, by the speed of encryption. * The ransomware was deployed using DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product, a loading method which is not commonly used to load ransomware. The vulnerability was properly reported to Palo Alto Networks.
Shining Light on Dark Power: Yet Another Ransomware Gang
Another day, another ransomware gang. The Dark Power ransomware gang is new on the block, and is trying to make a name for itself. This blog dives into the specifics of the ransomware used by the gang, as well as some information regarding their victim naming and shaming website, filled with non-paying victims and stolen data.
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
Black Basta operational TTPs are described here in full detail, revealing previously unknown tools and techniques and a link to FIN7.
LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company
Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint
BianLian Ransomware Encrypts Files in the Blink of an Eye
BianLian is a financially motivated threat actor that targets a wide range of industries. It uses the exotic programming language “Go” to encrypt files with unusual speed.
Conti vs. LockBit: A Comparative Analysis of Ransomware Groups
We compare the targeting and business models of the Conti and LockBit ransomware groups using data analysis approaches. This will be presented in full at the 34th Annual FIRST Conference on June 27, 2022.
Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
XVigil discovered a financially motivated threat actor group, dubbed Eternity group, actively operating on the internet, selling worms, stealers, DDoS tools, and ransomware builders.
New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices
Trend Micro Research detected “Cheerscrypt”, a new Linux-based ransomware variant that compromises ESXi servers. We discuss our initial findings in this report.
Conti vs. LockBit: A Comparative Analysis of Ransomware Groups
We compare the targeting and business models of the Conti and LockBit ransomware groups using data analysis approaches. This will be presented in full at the 34th Annual FIRST Conference on June 27, 2022.
Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
XVigil discovered a financially motivated threat actor group, dubbed Eternity group, actively operating on the internet, selling worms, stealers, DDoS tools, and ransomware builders.
New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices
Trend Micro Research detected “Cheerscrypt”, a new Linux-based ransomware variant that compromises ESXi servers. We discuss our initial findings in this report.