First seen in 2019, Lockbit became one of the biggest players on the ransomware scene.
With prominent affiliate, rewards and bug bounty programs plus extensive media coverage,
Lockbit became popular quickly. Their high-profile victims include private medical services
like OSDE (AR), national services like Royal Mail (UK), Foxconn, Accenture and Continental,
among others.
Their website implements different file browsers like Snap2HTML, making it easy for their users
to navigate leaked data dumps. It's worth noting that, just like AvosLocker, they implement
their own anti-DDoS challenge and multiple DLS mirrors.
Ransomware group first seen in 2021. According to an interview with DC5411, they started "as a group of friends interested in pentesting" and moved into ransomware soon after.
"Money is not everything for us," they shared. Their first attacks featured Zeppelin
ransomware samples, and more recently they have been seen using Lockbit samples as well.
Vice Society focuses mostly on academic infrastructure, having listed multiple universities and colleges as their victims.
In Argentina, they were responsible for encrypting, and leaking, the National Senate.
Royal's ransomware-as-a-service operation was first seen in September 2022 and has targeted
multiple industries across the globe up to the present day.
Attributed to Eastern Europe (specifically Russia) and with alleged ties to ex-operators from
Conti and Ryuk, their victims do not seem to follow a pattern and span industries from
LATAM (like Puerto Rico and Mexico), Europe (from Portugal to Belgium), China and even
Africa (Ivory Coast).
According to CISA, almost 70% of their attacks involve phishing to gain a foothold on the
victim's infrastructure.
PlayCrypt emerged during 2022 in a mysterious way, when German victims started asking on
forums about a "new ransomware that encrypts everything and places a ransom note with
just two lines: the word PLAY and an email which nobody answers to".
After much speculation, and after reversing one of their samples looking for contact details,
DC5411 was able to establish an initial exchange with the group, obtaining links for their first
onion service (to go live 72 hours later).
The group used the ProxyShell/ProxyNotShell vulnerabilities to gain an initial foothold; even after
the latter was patched, they had a workaround that kept the exploit chain working.
SunCrypt is a RaaS (Ransomware as a Service) group that was first seen in October 2019 and was one of the first groups to apply triple extortion* tactics in their attacks. Unlike other RaaS groups, SunCrypt runs a small and closed affiliate program. The first version of this ransomware was written in Go, but after C and C++ versions were released in mid-2020, the group became much more active. SunCrypt mostly affects the Services, Technology, and Retail industries. Our researchers recently identified an updated version of this ransomware which includes additional capabilities.
SunCrypt often uses a PowerShell loader for delivery and deployment. Our sample was dropped via a .zip file. This is not a very sophisticated or fast ransomware, but it differs from others in its unique encryption routine, which barely makes any use of the system API. Almost all of the API functions used by SunCrypt are statically imported, with only a small number imported dynamically.
First seen in December 2019, Ragnar engages in Big Game Hunting.
Probably one of Ragnar Locker's most interesting traits is that it attempts to run inside a
virtual machine on the victim's infrastructure in order to avoid detection while impacting the
host operating system or hypervisor.
Their victims include Portugal's national airline (AirTAP), which allegedly retaliated by
attempting a DDoS against their DLS, a Belgian municipality, and many industrial and
manufacturing businesses.
Some sources tie Ragnar to current Maze and MountLocker operators, suggesting a
collaboration between groups.
Ransomware-as-a-service operation first seen in 2020 with alleged ties to ThunderCrypt
ransomware.
The group engages in Big Game Hunting and has been seen planting backdoors which are reused
months later. One of their traits is the exploitation of CVE-2022-29499, a vulnerability found
in Mitel MiVoice Connect, to achieve RCE.
A decrypter became available later, in 2021, for certain strains of the ransomware.
Most of their victims were private corporations, but private clinics were also seen listed and
later leaked.
BlackCat's RaaS operation was first seen in 2021. Two things about ALPHV stand out: it
seems to be the first ransomware written in Rust, and it seems to employ ex-operators from
Darkside.
Their ransomware is complex, allowing its build to be mutated multiple times to avoid signature
detection, while also targeting multiple systems, including hypervisors like ESXi.
Their victims are high-profile ones, like Ecuador's capital government (Quito Government),
Bandai Namco, Transportadora de Gas del Sur (South Gas Transporter, Argentina) and, lately, a breast cancer clinic, where they leaked patient records including topless photographs originally taken for medical purposes.